FAA breach heightens cybersecurity concerns

Incident demonstrates that even agencies that put in security controls are still vulnerable

The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts.

Just a month later, FAA officials had to admit that hackers breached one of the agency’s servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft.

The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA’s security measures. Rather, it demonstrates the difficulty of securing federal computer systems and of fending off every potential attack.

“Every agency is living through the same problems,” but most are being less forthcoming about reporting them, said Alan Paller, director of the SANS institute. “FAA should get kudos for rapid action. Slamming them shows a complete lack of understanding about the state of security in federal agencies.”

The FAA incident is “just proof of the fact that we need to fundamentally look at the way we have architected our technology,” said Howard Schmidt, a former top cybersecurity adviser in the Bush White House and now president of the Information Security Forum. “When you start looking at organizations that really work hard and have really good people – I know the guys over there, they are really professional and they are really good – but yet to have something take place just shows that no matter how secure you are you fundamentally still are at risk.”

As one of four shared-services providers for certification and accreditation under the Information Systems Security Line of Business, FAA will have its employees audit and test other agencies’ security measures and either certify them as sound or offer advice on improvements.

Security breaches have plagued the government for years, and reports suggest they are increasing even though agencies are taking steps to strengthen information security.

President Barack Obama has ordered a review of the government’s cybersecurity plans, programs and activities. Although the order, also issued earlier this month, was not connected to the FAA breach, it shows that cybersecurity remains an important concern for the government.

A new report from the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) adds even more fuel to the fire. The report listed 18,050 cybersecurity incidents in agencies in fiscal 2008, compared to 5,144 in fiscal 2006.

Agencies have reported a steadily increasing number of incidents since 2006, partially because hackers have greater access to malicious software they can use to attack and partially because agencies have improved their incident detection and reporting, said Mischel Kwon, US-CERT director.

“Both parts of the story are true,” she said. “There is an increase in malicious events, and there is an increase in capabilities to detect those malicious events.”

The number of breaches is probably higher, she said. US-CERT relies on agencies to file reports on breaches, as the Federal Information Security Management Act (FISMA) requires.

Cyber threats have become more serious as adversaries learn the value of stolen personal information, said Marty Linder, a senior member of the technical staff at Carnegie Mellon University's Computer Emergency Response Team. Whether the actual frequency of attacks is increasing or agencies are simply becoming better at detecting them is harder to know for certain, he added.

The FAA incident serves to illustrate that unless everyone in an agency understands security risks and takes them seriously, systems are vulnerable, Paller said.

“The IT and security shop did it right,” he said. “They couldn’t stop all attacks, but they, unlike most agencies, actually found the problem. The user groups, on the other hand, had some files with personally identifiable information” left in a vulnerable location.

Most of the files that the hackers copied contained useless test data, according to FAA officials. It remains unclear if the server also coincidentally contained old sensitive data or if agency employees were using real information in a test environment. The compromised records were from 2006, according to FAA officials.

Patrick Forrey, president of the National Air Traffic Controllers Association, said he believes the hacked FAA server had been largely unused for a couple of years, and as a result, FAA “did not update the security protection software on it.” The attackers might have tried to penetrate several different servers before finding a vulnerable one, he said.

Michael Markulec, chief operating officer of Lumeta, which makes a network visibility and network mapping product, said agencies need to understand their networks, identify critical cyber-related assets, protect data at the heart of the network, and continue to monitor and manage networks. FAA is one of its customers.

“The side I think our government really needs to work on with the cybersecurity review is understanding where our critical assets are and providing a defense-in-depth kind of strategy,” he said. “Critical assets, critical information, personal information, credit card information, [Internal Revenue Service] information, security clearance information cannot sit at the edge of the network.”

The entire government is fighting the cyber threat, Paller said. China is widely suspected of launching subtle cyberattacks, and other hackers, including common identity thieves, also target government computers.

Some data breaches have come from apparent carelessness. The Navy and Government Accountability Office inadvertently posted sensitive personal information on publicly accessible Web pages. Other data breaches occurred because agency employees lost laptop computers or someone stole them.

In many cases, a data breach doesn’t result in the exposed data actually being misused. The Veterans Affairs Department agreed in January to pay a $20 million settlement over a laptop that was stolen from an employee's home in 2006, in one of the early high-profile cases. Although there was never any sign that someone misused the personal data of veterans stored on it, the agency agreed to compensate those who had paid for credit-monitoring services or suffered emotional distress. Some of the settlement will go to attorneys’ fees and as a donation to two charities serving veterans.

FAA’s Cyber Security Management Center discovered the agency’s break-in. Its personnel were investigating unusual activity on an administrative server when it became evident that hackers had broken through the defenses, said Lynne Osmus, acting FAA administrator, in a letter to employees dated Feb. 9.

FAA said it notified law enforcement authorities, and they are investigating the data theft.

FAA’s director of the Office of Information Systems Security and chief information officer did not respond to requests for comment.

Forrey criticized FAA for waiting a week before notifying the union that the personal information of its members had been breached. “The FAA needs to demonstrate some level of commitment in order to regain the trust of its employees, who rightly feel violated and now have been placed in extreme vulnerability to identity theft and harm,” Forrey said.

FAA should give its employees identification numbers rather than use their Social Security numbers, he added. The unique number would identify the employee, whose Social Security number would be on file somewhere but not widely recorded in various systems.
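The surrogate-identifier approach Forrey describes, and the concern raised earlier that real records may have ended up in a test environment, can both be shown in a short piece of code. The example below is added here for illustration and is not code from FAA, the reporters or the article: it issues an opaque employee ID, keeps the Social Security number in one restricted store that only an assumed "payroll" role may query, hands every other system an ID-only record, and scans an export or test data set for SSN-shaped values before it leaves that store. The SSN, names and role are constructed sample data.

```python
import re
import secrets

# Matches the NNN-NN-NNNN SSN layout; used both to validate input and to scan exports.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Roles permitted to resolve an employee ID back to an SSN (an assumption for this demo).
SSN_READER_ROLES = frozenset({"payroll"})


def can_read_ssn(role):
    """Return True only for roles allowed to look up the SSN behind an employee ID."""
    return role in SSN_READER_ROLES


class EmployeeRegistry:
    """Issues opaque employee IDs and keeps SSNs in a single restricted store.

    Everything outside the registry (directories, HR applications, test exports)
    carries only the employee ID, so copying those records does not copy the SSN.
    """

    def __init__(self):
        self._ssn_vault = {}   # employee_id -> SSN; the only place the SSN lives
        self._directory = {}   # employee_id -> non-sensitive attributes

    def enroll(self, name, ssn):
        if not SSN_PATTERN.fullmatch(ssn):
            raise ValueError("SSN must look like NNN-NN-NNNN")
        # Random, non-sequential ID: reveals nothing about the SSN or the headcount.
        employee_id = "EMP-" + secrets.token_hex(6).upper()
        self._ssn_vault[employee_id] = ssn
        self._directory[employee_id] = {"name": name}
        return employee_id

    def directory_record(self, employee_id):
        """The record every other system receives: ID plus non-sensitive fields, no SSN."""
        return {"employee_id": employee_id, **self._directory[employee_id]}

    def ssn_for(self, employee_id, role):
        """Resolve the SSN only for an authorised role; every other caller is refused."""
        if not can_read_ssn(role):
            raise PermissionError(f"role {role!r} may not read SSNs")
        return self._ssn_vault[employee_id]


def find_ssn_exposures(records):
    """Return the indexes of records whose values contain an SSN-shaped string.

    Meant to run over an export or test data set before it leaves the restricted
    system: a clean set of surrogate-ID records returns an empty list.
    """
    exposed = []
    for index, record in enumerate(records):
        if any(SSN_PATTERN.search(str(value)) for value in record.values()):
            exposed.append(index)
    return exposed


if __name__ == "__main__":
    registry = EmployeeRegistry()
    eid = registry.enroll("Jane Doe", "123-45-6789")   # constructed sample SSN
    test_export = [registry.directory_record(eid)]
    print("surrogate record:", test_export[0])
    print("SSNs found in export:", find_ssn_exposures(test_export))
    # A legacy-style record that still carries the SSN itself is flagged.
    legacy_export = [{"employee_id": eid, "ssn": "123-45-6789"}]
    print("SSNs found in legacy export:", find_ssn_exposures(legacy_export))
```

The scan is deliberately crude (a regular expression over stringified values); its purpose is to make "test data must not contain real identifiers" a check that runs, rather than a rule that is assumed to be followed.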

One senator who has been actively trying to strengthen provisions of FISMA is Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. Carper has made information security one of the priorities for his subcommittee, as, he said, it should be for agencies and the Obama administration.

“The most recent data breach at the Federal Aviation Administration is yet another disturbing example of the risks we face as a nation,” Carper said in a prepared statement. “Every day we see criminal syndicates and nation-states stealing sensitive information from our government and private networks at an alarming rate. The consequence of a successful attack against an agency as important as the FAA should be obvious.”

Based on its timely response, FAA demonstrated that it has a response plan, but it could improve its information protection through better monitoring of security controls to understand what’s happening with its data, said Mike Rothman, senior vice president of strategy at eIQnetworks.

“But it is difficult to prevent all unauthorized access,” he said.

OMB published detailed guidance in May 2007 for agencies to protect personally identifiable information, respond to unauthorized access and implement a breach notification policy. The Privacy Act and FISMA require agencies to safeguard personally identifiable information and report incidents of potential or actual breaches.

FAA will provide free credit monitoring for a year through the Experian Triple Advantage program, said Laura Brown, an FAA spokeswoman. The agency has provided a toll-free number for employees and posted frequently asked questions on its employee Web site.

“Every employee who was affected will get a letter with specific instructions about how to access the free credit monitoring service,” Brown said.

About the Authors

Ben Bain is a reporter for Federal Computer Week.

Mary Mosquera is a reporter for Federal Computer Week.

Reader comments

Thu, Feb 26, 2009 saguaro2010

Even more dangerous than these breaches is the lack of productivity of federal workers due to computer issues in the middle of a depression. Perhaps we should fire all civil service except the top layer that has a secure Blackberry and save billions. Let's get the big picture here.

Tue, Feb 24, 2009

The Personally Identifiable Information (PII) should not have been archived (the data stolen was from 2006) without the SSNs being removed, it should have been encrypted, it should not have been on a Dev Server (it was being used for developing applications), it should have never been connected to a public network, and it should never have been released to anyone as a "test file". All of these things were a violation of DOT orders, FAA orders, and federal law. The rules were in place to protect the data, but they were ignored/violated. There are both civil and criminal provisions in the Privacy Act that need to be prosecuted.

Mon, Feb 23, 2009 John Rosengarten Silicon Prairie (West of Chicago)

There is no single solution to these issues. The failure of these systems is not because the middle level managers are incompetent, it's because high-level management does not provide resources. As a technical manager, I go to my management and request time to do security baselining and they tell me that clearing printer jams and managing user accounts is more important. We try to review logs and then get slammed for not completing the mandated (but apparently unread) government reports. Government needs to either provide leadership to agencies to actually take the time to do sleuthing or do the job of policing the internet themselves. I have to fight management to do any security work and often have to do it on my own time. There is no financial incentive for my management to actually find any wrongdoing, time spent looking at logs is regarded as a waste. Unfortunately, some bean counters think that a dollar not spent on security is somehow 'saved'. Meanwhile, foreign criminals are reading our mail, probing our servers and stealing anything they want! We knew that the Bush administration only cared about the superficial appearances of security, but we hope that the new administration cares more about truly addressing the national needs to secure our data systems.