The Federal Aviation Administration skips key background checks on workers, leaves open known security holes, doesn’t even use passwords sometimes and has inadequate firewalls, the report says.
The air-traffic control system hasn’t been successfully attacked, but at least one hacker has broken into an FAA e-mail server. And a year after identifying holes in one FAA system, contractors found the agency had not fixed them, the report says.
The agency has plenty of policies on security, but doesn’t implement them, the report said. The FAA mandates background checks and sometimes doesn’t perform them; has a policy on security awareness which it doesn’t fully implement; and hasn’t been reporting all breaches in physical security, for example.
“They get a huge thumbs down” for not following their own policies, said security expert Kevin Poulsen, editorial director at securityfocus.com, a Web site for security-minded technology professionals.
In testimony before the House Science Committee today, FAA head Jane Garvey acknowledged the agency’s problems and said she launched a new information security policy in June to speed up changes.
“I am confident that the changes that we have put into place and the new policies that we have developed ensure that this issue receives the priority attention that it deserves,” Garvey said.
This isn’t the first time the General Accounting Office has blasted the FAA. Today’s findings follow reports in May 1998 and December 1999 identifying many of the same problems.
Critical Systems
The FAA runs the nation’s air-traffic control facilities, which route thousands of planes a day. The agency also establishes safety standards for airports and planes, though it doesn’t directly manage them.
“Ytcracker,” who broke into FAA systems three times in 1999, agrees the agency has serious problems. The 17-year-old from Colorado was convicted of computer crime and criminal mischief in May for more than 40 electronic break-ins. He hasn’t yet been sentenced.
“The vulnerabilities that we discovered were months old and should have been patched immediately,” he wrote in an e-mail to ABCNEWS.com.
Ytcracker said he’d broken into an FAA e-mail server last year, but that he didn’t think anyone had successfully accessed an ATC computer for malicious purposes. Ytcracker himself would just alter Web site front pages to reflect his presence and leave.
The FAA is moving many of its systems from old, custom-built technology to new programs built on common standards, which may make them even more vulnerable if proper security policies aren’t in place, Garvey said.
“Because the older … elements were unique, and less inter-connected, they are, to some extent, less vulnerable to attack,” she said.
Murky Backgrounds
Of 21 contractors who had performed agency-sanctioned hacking attacks on FAA systems, only two got the requisite strict background checks, the GAO report says. The agency’s background-search database was missing 14 contractors entirely.
“The bad news is, yes … many of them haven’t been subjected to background checks,” Poulsen said. “The good news is that they have 21 contractors performing penetration tests.”
The FAA also did inadequate checks on 36 Chinese nationals who worked on the agency’s Y2K readiness project, the report says.
The agency has done better with background searches on federal employees. Only 1 percent were missing background investigations. But 21 percent of their employees with Top Secret clearances were overdue for new background checks, which are supposed to be done every five years, the report said. One employee’s last check occurred in 1973.
The FAA told the GAO on Monday that the reinvestigations would be processed.
Policies, Not Procedures
The agency has established paper policies encouraging information security, but hasn’t taken much action, according to the report. The agency’s new security policy “primarily focuses on roles and responsibilities of various groups within FAA” rather than listing actions to make the agency secure, the report said.
And the FAA isn’t even complying with the policies it does have. The agency has a security awareness program, but “several system assessments stated that system administrators had received minimal, if any, training and, as a result, were unaware of system weaknesses,” the report says.
FAA officials told the GAO that it was “too sensitive” to say how many facilities haven’t received the proper training — and that incenses security expert Poulsen.
“There’s nothing that galls me more than an organization that uses the need for computer security as an excuse to cover up your own incompetence,” he said.
Garvey said the FAA was making progress, and that the agency would work to improve further.
“I believe that we have put into place a structure for information system security that is vigilant,” she said.