FAA flying blind with IT systems?

The Federal Aviation Administration seemingly was the last to know about

weaknesses in its computer systems and personnel clearances, making the

air traffic control system vulnerable to hacking.

Even after the General Accounting Office notified the FAA and recommended

specific actions, the agency did not fix its problems with conducting background

checks of information technology contractors and securing systems in a timely

fashion, Joel Willemssen, director of civil agencies information systems

at GAO, told the House Science Committee Wednesday.

GAO informed the FAA in December 1999 that the FAA had failed to conduct

background checks on contractors hired to remediate mission-critical systems

for the Year 2000 rollover, FAA Administrator Jane Garvey said in response

to questions about her knowledge of the "serious and pervasive" problems

addressed in GAO's review of the agency's computer systems.

After 10 months of review by GAO, the FAA still did not follow its own

security rules for contractor employees hired to conduct penetration testing

and vulnerability assessments of its systems, which provide air traffic

control services for the country. The air traffic control system helped

transport 670 million people last year, Garvey said.

"It should not require a congressional hearing for a federal agency

to realize that it needs to abide by its own security requirements. Unfortunately,

with FAA, that seems to be the case," House Science Committee Chairman F.

James Sensenbrenner Jr. (R-Wis.) said in his opening statement at the hearing,

"Computer Security Lapses: Should FAA be Grounded?"

Garvey said FAA chief information officer Daniel Mehan is responsible

for making sure the agency's systems are audited and that all background

checks of contractors are conducted with the Office of Personnel Management

by March.

Garvey said she is approaching computer security with the same vigor

as the Year 2000 problem, but unlike the millennium bug, computer security

will never be complete and is a larger problem.

"More needs to be done to establish the specific procedures and enforce

their importance through awareness and training," Willemssen said.


  • Image: Shutterstock

    COVID, black swans and gray rhinos

    Steven Kelman suggests we should spend more time planning for the known risks on the horizon.

  • IT Modernization
    businessman dragging old computer monitor (Ollyy/Shutterstock.com)

    Pro-bono technologists look to help cash-strapped states struggling with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help.

Stay Connected