Reports reveal weaknesses in systems security at State, FAA

AND COLLEEN O'HARA (ohara@fcw.com)

A test of computer systems security at the State Department and the Federal Aviation Administration revealed pervasive weaknesses that could threaten the operation of the agencies, according to reports released today during hearings before the Senate Governmental Affairs Committee.

At the request of the committee, the General Accounting Office began a large-scale investigation of computer security problems at the largest federal agencies. To test the security systems at State and the FAA, GAO tried to penetrate security systems and access data contained on computer systems at both agencies.

Although some of the findings remain classified, GAO found that the FAA is "ineffective in all critical areas included in our security review." This includes physical security at air traffic control (ATC) sites, operational systems information security for ATC systems, future systems modernization security, and management structure and policy implementation.

The FAA was criticized for only assessing three out of 90 operational ATC computer systems to determine system threats, vulnerabilities and safeguards. In addition, only one of the nine operational ATC telecommunications networks has been analyzed. "Without knowing the specific vulnerabilities of its ATC systems, the FAA cannot adequately protect them," the GAO report said.

The penetration tests at State demonstrated that the department's computer systems and the data contained within them "are very susceptible to hackers, terrorists or other individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses," according to the report.

Not only has the FAA fallen short in protecting its current systems, but future ATC systems are also at risk. The FAA does not consistently include well-formulated security requirements in specifications for new ATC modernization systems as required by FAA, the GAO said. It also does not have the well-defined security architecture or security standards needed to ensure a secure ATC network.

The Transportation Department recognizes that facility, systems and data security are critical elements in the FAA's management of the ATC systems, according to GAO. However, DOT did not agree that FAA's management of computer security has been inappropriate or that ATC systems are vulnerable to the point of jeopardizing flight safety.

Investigators gained access to State's networks through dial-in connections to modems, without any knowledge of the systems and without any passwords. Having gained access, investigators could have modified, stolen, downloaded or deleted data, shut down services and monitored network traffic such as e-mail, according to the report.

In addition, investigators were able to circumvent State's internal network security controls and access sensitive data such as international financial information, travel arrangements and employee performance appraisals.

In a written response to GAO, State officials said that the department's chief information officer is beginning to address the "lack of central focus for information systems security" detailed in the report. State officials also agreed to formalize and document risk management decisions and to correct the technical weaknesses defined in the GAO report.
