FAA flying blind with IT systems?
- By Paula Shaki Trimble
- Sep 28, 2000
The Federal Aviation Administration seemingly was the last to know about
weaknesses in its computer systems and personnel clearances, making the
air traffic control system vulnerable to hacking.
Even after the General Accounting Office notified the FAA and recommended
specific actions, the agency did not fix its problems with conducting background
checks of information technology contractors and securing systems in a timely
fashion, Joel Willemssen, director of civil agencies information systems
at GAO, told the House Science Committee Wednesday.
GAO informed the FAA in December 1999 that the FAA had failed to conduct
background checks on contractors hired to remediate mission-critical systems
for the Year 2000 rollover, FAA Administrator Jane Garvey said in response
to questions about her knowledge of the "serious and pervasive" problems
addressed in GAO's review of the agency's computer systems.
After 10 months of review by GAO, the FAA still did not follow its own
security rules for contractor employees hired to conduct penetration testing
and vulnerability assessments of its systems, which provide air traffic
control services for the country. The air traffic control system helped
transport 670 million people last year, Garvey said.
"It should not require a congressional hearing for a federal agency
to realize that it needs to abide by its own security requirements. Unfortunately,
with FAA, that seems to be the case," House Science Committee Chairman F.
James Sensenbrenner Jr. (R-Wis.) said in his opening statement at the hearing,
"Computer Security Lapses: Should FAA be Grounded?"
Garvey said FAA chief information officer Daniel Mehan is responsible
for making sure the agency's systems are audited and that all background
checks of contractors are conducted with the Office of Personnel Management
Garvey said she is approaching computer security with the same vigor
as the Year 2000 problem, but unlike the millennium bug, computer security
will never be complete and is a larger problem.
"More needs to be done to establish the specific procedures and enforce
their importance through awareness and training," Willemssen said.