Audit scorches DOT security
- By Paula Shaki Trimble
- Oct 02, 2000
Information security weaknesses at the Federal Aviation Administration pale
in comparison to the network vulnerabilities discovered at other Transportation
Department administrations, according to a report released last week by
DOT's Office of Inspector General.
"I think FAA's in better shape than the rest of the department — considerably
better shape," said Kenneth Mead, DOT's inspector general, speaking to the
House Science Committee Sept. 27. The committee was examining security problems
in computers used for air traffic control as well as failures to comply
with FAA policies requiring background checks for employees and contractors
given access to the systems.
The General Accounting Office informed the FAA in December 1999 that
the agency had failed to conduct background checks on contractors hired
to test and fix mission-critical systems for the Year 2000 rollover, said
FAA Administrator Jane Garvey during the hearing. Professional hackers hired
later to test the security of critical information technology systems also
did not receive proper clearance.
In response, the FAA, under the direction of DOT's chief information
officer, completed thousands of security clearances for IT contractors,
and audited and fixed IT security problems in systems at all FAA facilities.
FAA's efforts to improve computer and personnel security could set an example
for the rest of the agency, Mead said.
During a nine-month review of computer networks at DOT headquarters,
the IG found serious weaknesses in the agency's firewall security and lax
enforcement of Internet security requirements specified by DOT's CIO. The
IG found that unauthorized users within and outside the agency could access
private Web sites.
However, of the computers the investigators were able to penetrate,
none were at the FAA or the U.S. Coast Guard, where DOT's most critical
systems are located. George Molaski, DOT's CIO, said he is trying to get
the resources allocated at the departmental level to assist the smaller
administrations in implementing the required security systems and policy.
Molaski has asked for an additional five IT security personnel at headquarters
in the department's $1.1 million budget request for fiscal 2001.
Although Transportation Secretary Rodney Slater has strived to create
a unified DOT, some of the Transportation administrations "still believe
it's the wild, wild West and they can do what they want," Molaski said.
"Security changes the dynamic because we're all tied to the same backbone,
and a vulnerability on one [administration] affects all the other [administrations]."
As a result, Molaski is trying to centralize the backbone infrastructure
for all telecommunications networks under the CIO office. He plans to require
certification of any system that will be connected to the telecommunications
network to keep it from becoming contaminated by less secure systems.
"Not having the operational responsibility for that [infrastructure],
the best we can do is put out the policy and hope the [administrations]
follow it," he said.
One issue that must still be resolved is the ability of the CIO to enforce
information security policies, said Joel Willem-ssen, director of civil
agencies information systems at GAO. As security programs are implemented,
GAO will monitor whether enforcement is effective, he said.
DOT will pay particular attention to the threat from internal unauthorized
use, particularly of financial systems, Molaski said. Employees who embezzled
funds through stolen passwords — including one who embezzled $600,000 from
DOT — were prosecuted, according to the IG's report.