FAA security office opens for business
- By Paula Shaki Trimble
- Jun 19, 2000
The hundreds of facilities and the thousands of systems and personnel at
the Federal Aviation Administration can look like Mount Everest to someone
in charge of information security.
That's why the director of a new office to tackle information security
at the FAA is applying a systematic approach at the place where everything
comes together: each facility in the national airspace system.
By examining physical and personnel barriers, nationally deployed computer
systems and locally unique computer systems at each air traffic management
facility, Raymond Long hopes to plug the holes in the FAA's network that
may be at risk of intrusion.
In May, the FAA created the Office of Information Systems Security and
called upon Long, the former director of the FAA's Year 2000 Office, to
head the new office. Long is expected to apply experiences and lessons learned
during the Year 2000 effort to the security issue at FAA.
"This job is 10 times the magnitude of what Y2K [could ever be]," Long
said. "Y2K had a deadline, and the problem was well known. This one never
ends, and we have to create new technology to solve the problems."
The older mainframe systems used by the FAA have kept the critical data
used to control air traffic isolated from external systems. But the introduction
of new decentralized systems to modernize and automate air traffic management
also opens the agency's facilities to a greater risk of attack, Long said.
Long said he sees the information security initiative as primarily an
awareness effort to get agency workers focused on the issue. But the office
also has a systematic approach to certifying its systems as hacker-proof.
FAA chief information officer Daniel Mehan created the office in response
to Presidential Decision Directive 63, which was signed in May 1998. The
directive requires all federal agencies to develop plans and take steps
to protect their critical infrastructure.
Creating a central office is crucial in providing the big picture of
security across the agency, said Jean Boltz, a security expert at the General
Accounting Office. "Also, [the offices] can serve as a conduit to senior
management, a central focus point for issues like incident handling," she
The FAA office has a budget for fiscal 2000 of $42.5 million and has
requested $87.3 million for 2001. Long said he expects another significant
increase for 2002.
A report by GAO in December 1999 found that the FAA's insufficient management
support, insufficient user training, and inadequate policy enforcement led
to its failure to comply with internal personnel security policies.
Added information system security isn't something that has proven to
be a necessity yet, but it is "better to be safe than sorry," said Randy
Schwitz, executive vice president of the National Air Traffic Controllers
A priority should be the host computer system, which is at the heart
of all en-route air traffic operations as well as personnel systems, Schwitz
—Diane Frank contributed to this article.