GovernmentExecutive.com

The investigative arm of Congress says the Federal Aviation Administration's control system is vulnerable to a cyberattack -- a scenario that could trigger chaos in the air given there are more than 7,000 airplanes flying at any one time over the United States.

The Government Accountability Office report (GAO-05-712), released Monday, said the FAA has set up an agency-wide information security program to address previously identified security weaknesses, but has yet to fully establish an information security program to effectively protect its vast network of computers and communications equipment.

"The agency's ability to fulfill its mission depends on the adequacy and reliability of its air traffic control systems," the report noted. The FAA is charged with managing the nation's airspace to ensure safe, orderly and efficient air travel for the millions of flights every year.

Air traffic exceeded 46 million flights and 647 million passengers last year, and thousands of military and commercial aircraft traverse the United States at any given time, according to the FAA.

GAO found FAA's computer network remains exposed to disgruntled former employees and sophisticated hackers. The investigators found the agency is not adequately managing its networks, system patches, user accounts, passwords and user privileges.

It also operates with outdated security plans, does not sufficiently test and evaluate programs and was not meeting standards for training employees to detect security breaches. More than 36,000 employees work at the agency.

House Government Reform Committee Chairman Tom Davis, R-Va., whose panel requested the report, urged the FAA to move quickly to strengthen its computers.

"Given the ever-evolving nature of cyber threats, and the thought of someone with malicious intent accessing FAA's IT systems, complacency is not an option," said Davis.

The FAA responded that the "implications of the findings in this report should be tempered by the understanding that individual system vulnerabilities are further mitigated by system redundancies and separate access controls that are built into the overall air traffic control system architecture."

GAO countered that the FAA's complex air traffic system relies on several interconnected systems and as a result, the identified weaknesses "may increase the risk to other systems."

GAO also found weak physical security around air traffic control towers and other FAA facilities. That, GAO said, puts the agency at "increased risk of unauthorized system access, possibly disrupting aviation operations."

More than 480 air traffic control towers manage and control the airspace within about five miles of an airport, directing departures and landings as well as ground operations on taxiways and runways, said GAO.

The report included a dozen recommendations to bolster the FAA's IT and physical security, including making risk assessments, testing and evaluating critical control systems, blocking Internet access to sensitive information and deploying intrusion detection technology for exposed parts of the computer network.

COMMENTS

• If anyone believes that terrorists don't already know this information, they haven't been paying attention. They know we're not prepared and that DHS has done nothing to improve our security for the past four years. Just go to any airport and see the stupidity of TSA. They can just walk around looking at chemical storage plants and see there's no security. All they have to do is watch the government stumble and fumble in response to natural disasters to know that there's no way we could respond to a dirty bomb or other major attack on this country. They know our attention is on Iraq and that our borders are unsecured. We aren't giving them any ideas they don't already have. GovExec.com reader Posted November 9, 2005 8:00 AM
• Great, now we're telling the terrorists how to harm us! Instead of giving our enemies ideas, a little restraint should be called for. The media used to think of the repercussions of their actions, and refrained from putting out information harmful to our national security. I guess today anything goes, as long as it leads to higher ratings. What's next, telling everyone how vulnerable our ports are? Oh, that's already been done. Then how about how easy it would be to paralyze our telecommunications networks? Oh, that's been done too? Our pipelines? Done. Refineries? Also covered already. Nuclear plants? Water supplies? Food Supplies? Done, done and done! Thanks to our own people, our enemies are not lacking for targets, nor for the methods and means to destroy us. GovExec.com reader Posted September 28, 2005 3:48 PM
• I get concerned when too often I come across "news stories" like this one. If the terrorist hackers haven't already figured out where we are vulnerable, why we just tell 'em. I think I'll drive too. GovExec.com reader Posted September 28, 2005 10:55 AM