FAA breach heightens cybersecurity concerns

Incident demonstrates that even agencies that put in security controls are still vulnerable.

The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts.

Just a month later, FAA officials had to admit that hackers breached one of the agency’s servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft.

The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA’s security measures. Rather, it demonstrates the difficulty of securing federal computer systems and of defeating every potential attack.

“Every agency is living through the same problems,” but most are being less forthcoming about reporting them, said Alan Paller, director of the SANS institute. “FAA should get kudos for rapid action. Slamming them shows a complete lack of understanding about the state of security in federal agencies.”

The FAA incident is “just proof of the fact that we need to fundamentally look at the way we have architected our technology,” said Howard Schmidt, a former top cybersecurity adviser in the Bush White House and now president of the Information Security Forum. “When you start looking at organizations that really work hard and have really good people – I know the guys over there, they are really professional and they are really good – but yet to have something take place just shows that no matter how secure you are, you fundamentally still are at risk.”

As one of four shared-services providers for certification and accreditation under the Information Systems Security Line of Business, FAA will audit and test other agencies’ security measures and either certify them as sound or offer advice on improvements.

Security breaches have plagued the government for years, and reports suggest they are increasing even though agencies are taking steps to strengthen information security.

President Barack Obama has ordered a review of the government’s cybersecurity plans, programs and activities. Although the order, issued earlier this month, was not connected to the FAA breach, it shows that cybersecurity remains an important concern for the government.

A new report from the Homeland Security Department’s U.S. Computer Emergency Readiness Team (US-CERT) adds even more fuel to the fire. The report listed 18,050 cybersecurity incidents in agencies in fiscal 2008, compared to 5,144 in fiscal 2006.

Agencies have reported a steadily increasing number of incidents since 2006, partially because hackers have greater access to malicious software they can use to attack and partially because agencies have improved their incident detection and reporting, said Mischel Kwon, US-CERT director.

“Both parts of the story are true,” she said. “There is an increase in malicious events, and there is an increase in capabilities to detect those malicious events.”

The number of breaches is probably higher, she said. US-CERT relies on agencies to file reports on breaches, as the Federal Information Security Management Act (FISMA) requires.

Cyber threats have become more serious as adversaries learn the value of stolen personal information, said Marty Linder, a senior member of the technical staff at Carnegie-Mellon University's Computer Emergency Response Team. Whether the actual frequency of attacks is increasing or agencies are simply becoming better at detecting them is harder to know for certain, he added.

The FAA incident serves to illustrate that unless everyone in an agency understands security risks and takes them seriously, systems are vulnerable, Paller said.

“The IT and security shop did it right," he said. "They couldn’t stop all attacks, but they, unlike most agencies, actually found the problem. The user groups, on the other hand, had some files with personally identifiable information” left in a vulnerable location.

Most of the files that the hackers copied contained useless test data, according to FAA officials. It remains unclear if the server also coincidentally contained old sensitive data or if agency employees were using real information in a test environment. The compromised records were from 2006, according to FAA officials.
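The question left open above, whether real personal data had found its way into a test environment, is one a data owner can answer before an attacker does by scanning test fixtures and exports for records that look like live Social Security numbers. The following is an added example, not FAA code and not part of the original article; the CSV fixture it scans is constructed for the example, and the structural rules it applies (no area 000, 666 or 900 and above, no group 00, no serial 0000) are the published SSA validity rules, used here to cut down false positives from dates, ticket numbers and obvious placeholders.

```python
import os
import re
from typing import NamedTuple

# Candidate SSN: 3-2-4 digits with an optional but consistent separator,
# not embedded in a longer run of digits (so 2006-00123 does not match).
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Widely published example numbers that show up in fixtures and screenshots.
KNOWN_PLACEHOLDERS = {"123456789", "078051120", "219099999"}


class Finding(NamedTuple):
    line_no: int
    column: int
    value: str


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues, plus well-known placeholders."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if group == "00" or serial == "0000":
        return False
    if area + group + serial in KNOWN_PLACEHOLDERS:
        return False
    return True


def scan_text(text: str) -> list[Finding]:
    """Return every plausible live SSN in the text with its line and column."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.group(1), m.group(3), m.group(4)
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(line_no, m.start() + 1, m.group(0)))
    return findings


def scan_tree(root: str, suffixes=(".csv", ".txt", ".sql", ".json")) -> dict[str, list[Finding]]:
    """Walk a directory (e.g. a test-data share) and report files holding plausible SSNs."""
    report: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed fixture for an imaginary HR application; the numbers are made up.
SAMPLE_TEST_FILE = """\
# constructed test fixture (not real data)
id,name,ssn,start_date
1001,Test User,000-00-0000,2006-03-01
1002,Test User,123-45-6789,2006-03-01
1003,J. Doe,512-34-6789,2006-04-15
1004,Ticket,2006-00123,2006-05-01
1005,K. Roe,481 22 3344,2006-06-20
"""


if __name__ == "__main__":
    # Rows 1001 and 1002 are obvious test values; 1003 and 1005 look live.
    for f in scan_text(SAMPLE_TEST_FILE):
        print(f"line {f.line_no}, col {f.column}: {f.value}")
```

A hit from this scanner is a prompt to check where the value came from, not proof of a leak: the point is to find the test database that was seeded from a production extract before it is left on a forgotten server.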

Patrick Forrey, president of the National Air Traffic Controllers Association, said he believes the hacked FAA server had been largely unused for a couple of years, and as a result, FAA “did not update the security protection software on it.” The attackers might have tried to penetrate several different servers before finding a vulnerable one, he said.

Michael Markulec, chief operating officer of Lumeta, which makes a network visibility and network mapping product, said agencies need to understand their networks, identify critical cyber-related assets, protect data at the heart of the network, and continue to monitor and manage networks. FAA is one of its customers.

“The side I think our government really needs to work on with the cybersecurity review is understanding where our critical assets are and providing a defense-in-depth kind of strategy,” he said. “Critical assets, critical information, personal information, credit card information, [Internal Revenue Service] information, security clearance information cannot sit at the edge of the network.”

The entire government is fighting the cyber threat, Paller said. China is widely suspected of launching subtle cyberattacks, and other hackers, including common identity thieves, also target government computers.

Some data breaches have come from apparent carelessness. The Navy and Government Accountability Office inadvertently posted sensitive personal information on publicly accessible Web pages. Other data breaches occurred because agency employees lost laptop computers or someone stole them.

In many cases, a data breach produces no evidence that the exposed data was ever misused. The Veterans Affairs Department agreed in January to pay a $20 million settlement over a laptop that was stolen from an employee's home in 2006, in one of the early high-profile cases. Although there was never any sign that someone misused the personal data of veterans stored on it, the agency agreed to compensate those who had paid for credit-monitoring services or suffered emotional distress. Some of the settlement will go to attorneys’ fees and as a donation to two charities serving veterans.

FAA’s Cyber Security Management Center discovered the agency’s break-in. Its personnel were investigating unusual activity on an administrative server when it became evident that hackers had broken through the defenses, said Lynne Osmus, acting FAA administrator, in a letter to employees dated Feb. 9.

FAA said it notified law enforcement authorities, and they are investigating the data theft.

FAA’s director of the Office of Information Systems Security and chief information officer did not respond to requests for comment.

Forrey criticized FAA for waiting a week before notifying the union that the personal information of its members had been breached. “The FAA needs to demonstrate some level of commitment in order to regain the trust of its employees, who rightly feel violated and now have been placed in extreme vulnerability to identity theft and harm,” Forrey said.

FAA should give its employees identification numbers rather than use their Social Security numbers, he added. The unique number would identify the employee, whose Social Security number would be on file somewhere but not widely recorded in various systems.
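Forrey's suggestion amounts to tokenization: a single vault holds the Social Security number, and every other system (payroll exports, help-desk tickets, test databases) carries only an opaque employee identifier that reveals nothing if copied. The following is an added example sketching such a vault; it is not FAA code and not part of the original article. The `SsnVault` class, the `EMP-` token format and the sample names and numbers are assumptions for the example. One detail worth noting: the duplicate-check index uses an HMAC with a key only the vault holds rather than a plain hash, because a bare SHA-256 of a nine-digit number can be reversed by trying all one billion values.

```python
import hashlib
import hmac
import re
import secrets

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")
TOKEN_FORMAT = re.compile(r"^EMP-[0-9A-F]{12}$")


class SsnVault:
    """Single system of record for SSNs; everything downstream stores the token.

    Assumed design for the example: the token is random (not derived from the
    SSN), and the reverse lookup is only possible through this object, which
    records every detokenization with its stated purpose.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._ssn_by_token: dict[str, str] = {}        # the only place SSNs live
        self._token_by_fingerprint: dict[str, str] = {}  # HMAC(SSN) -> token, for dedup
        self.audit_log: list[tuple[str, str]] = []        # (token, purpose)

    def _fingerprint(self, ssn: str) -> str:
        # Keyed, so a stolen index cannot be brute-forced offline like a bare hash.
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return the existing token for this SSN, or mint a new random one."""
        if not SSN_FORMAT.fullmatch(ssn):
            raise ValueError("malformed SSN")
        fp = self._fingerprint(ssn)
        existing = self._token_by_fingerprint.get(fp)
        if existing is not None:
            return existing
        token = "EMP-" + secrets.token_hex(6).upper()
        while token in self._ssn_by_token:            # vanishingly rare collision
            token = "EMP-" + secrets.token_hex(6).upper()
        self._ssn_by_token[token] = ssn
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        """Reverse lookup; every call is logged with the caller's stated purpose."""
        ssn = self._ssn_by_token[token]                 # KeyError for unknown tokens
        self.audit_log.append((token, purpose))
        return ssn


def onboard_employee(vault: SsnVault, name: str, ssn: str) -> dict:
    """Build the record a downstream HR or payroll system is allowed to keep."""
    return {"employee_id": vault.tokenize(ssn), "name": name}


def record_exposes_ssn(record: dict) -> bool:
    """True if any field of a downstream record looks like a Social Security number."""
    return any(isinstance(v, str) and SSN_FORMAT.fullmatch(v) for v in record.values())


if __name__ == "__main__":
    # Constructed sample data; the key would come from an HSM or secret store in practice.
    vault = SsnVault(index_key=secrets.token_bytes(32))
    rec = onboard_employee(vault, "J. Doe", "512-34-6789")
    print(rec)                                          # only the EMP- token leaves the vault
    print(vault.detokenize(rec["employee_id"], "tax form W-2"))
    print(vault.audit_log)
```

The downstream record is what a stolen server would yield: a name and an `EMP-` identifier that is useless without the vault, which is the outcome Forrey is describing.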

One senator who has been actively trying to strengthen provisions of FISMA is Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee's Federal Financial Management, Government Information, Federal Services and International Security Subcommittee. Carper has made information security one of the priorities for his subcommittee, as, he said, it should be for agencies and the Obama administration.

“The most recent data breach at the Federal Aviation Administration is yet another disturbing example of the risks we face as a nation,” Carper said in a prepared statement. “Every day we see criminal syndicates and nation-states stealing sensitive information from our government and private networks at an alarming rate. The consequence of a successful attack against an agency as important as the FAA should be obvious.”

Based on its timely response, FAA demonstrated that it has a response plan, but it could improve its information protection through better monitoring of security controls to understand what’s happening with its data, said Mike Rothman, senior vice president of strategy at eIQnetworks.

“But it is difficult to prevent all unauthorized access,” he said.

OMB published detailed guidance in May 2007 for agencies to protect personally identifiable information, respond to unauthorized access and implement a breach notification policy. The Privacy Act and FISMA require agencies to safeguard personally identifiable information and report incidents of potential or actual breaches.

FAA will provide free credit monitoring for a year through the Experian Triple Advantage program, said Laura Brown, an FAA spokeswoman. The agency has provided a toll-free number for employees and posted frequently asked questions on its employee Web site.

“Every employee who was affected will get a letter with specific instructions about how to access the free credit monitoring service,” Brown said.
