FAA security office opens for business

The hundreds of facilities and the thousands of systems and personnel at

the Federal Aviation Administration can look like Mount Everest to someone

in charge of information security.

That's why the director of a new office to tackle information security

at the FAA is applying a systematic approach at the place where everything

comes together: each facility in the national airspace system.

By examining physical and personnel barriers, nationally deployed computer

systems and locally unique computer systems at each air traffic management

facility, Raymond Long hopes to plug the holes in the FAA's network that

may be at risk of intrusion.

In May, the FAA created the Office of Information Systems Security and

called upon Long, the former director of the FAA's Year 2000 Office, to

head the new office. Long is expected to apply experiences and lessons learned

during the Year 2000 effort to the security issue at FAA.

"This job is 10 times the magnitude of what Y2K [could ever be]," Long

said. "Y2K had a deadline, and the problem was well known. This one never

ends, and we have to create new technology to solve the problems."

The older mainframe systems used by the FAA have kept the critical data

used to control air traffic isolated from external systems. But the introduction

of new decentralized systems to modernize and automate air traffic management

also opens the agency's facilities to a greater risk of attack, Long said.

Long said he sees the information security initiative as primarily an

awareness effort to get agency workers focused on the issue. But the office

also has a systematic approach to certifying its systems as hacker-proof.

FAA chief information officer Daniel Mehan created the office in response

to Presidential Decision Directive 63, which was signed in May 1998. The

directive requires all federal agencies to develop plans and take steps

to protect their critical infrastructure.

Creating a central office is crucial in providing the big picture of

security across the agency, said Jean Boltz, a security expert at the General

Accounting Office. "Also, [the offices] can serve as a conduit to senior

management, a central focus point for issues like incident handling," she

said.

The FAA office has a budget for fiscal 2000 of $42.5 million and has

requested $87.3 million for 2001. Long said he expects another significant

increase for 2002.

A report by GAO in December 1999 found that the FAA's insufficient management

support, insufficient user training, and inadequate policy enforcement led

to its failure to comply with internal personnel security policies.

Added information system security isn't something that has proven to

be a necessity yet, but it is "better to be safe than sorry," said Randy

Schwitz, executive vice president of the National Air Traffic Controllers

Association.

A priority should be the host computer system, which is at the heart

of all en-route air traffic operations as well as personnel systems, Schwitz

said.

—Diane Frank contributed to this article.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.