FAA chief admits computer security lapses

Under tough questioning from House Science Committee Chairman James Sensenbrenner, R-Wis., Federal Aviation Administration Administrator Jane Garvey Wednesday acknowledged her agency has experienced serious security lapses but assured lawmakers she has "a degree of confidence" the public is safe.

Garvey's remarks to the committee were prompted by a General Accounting Office report released Wednesday showing the agency is vulnerable to hackers and has failed to address serious weaknesses in its computer security programs. The biggest vulnerability was the agency's failure to conduct adequate security background checks on senior staff and thousands of contractors that had been working on the agency's computer security networks, the GAO report said.

"The FAA has allowed unknown and unchecked contractor personnel, including foreign nationals from countries that harbor ill will to our own, access to some of FAA's most sensitive computer systems and software," Sensenbrenner said. "This egregious oversight, which violates FAA's own security policies - not to mention every tenet of good computer security practice - has increased the risk of intrusion and attack to our nation's aviation control system. This is inexcusable."

Garvey said as soon as her agency was made aware of the security lapses, the agency immediately focused on addressing the problems, and she promised to have the security background checks completed on all contractors by next spring. She blamed the security weaknesses on a lack of accountability within the FAA. Since the GAO's report, the FAA has moved to make one person accountable for keeping security clearance checks up to date on staff and contractors.

"We learned some lessons…the single biggest point being that lack of accountability," she said. "This will clearly be a continuing challenge for us."

In acknowledging the FAA's problems, Garvey said she has no knowledge that any foreign country gained entrance into the FAA's computer systems. But she declined to specify if hackers have gotten into the FAA's systems. Kenneth Mead, inspector general at the Transportation Department, offered to hold a private briefing with lawmakers about the specific methods the FAA is using to repel intruders and to give more details about possible hacking attacks of the agency's computer systems.

Among the problems the GAO highlighted in its report: Officials failed to inspect and secure a number of air traffic control facilities, and access to the facilities was not being regulated adequately. The agency also had made little progress in assessing its operating systems and therefore did not know how vulnerable many of its systems were to attack. Of the 350 headquarters employees with high-level clearances, 75 were overdue for investigations, and one employee had not been investigated since 1973, the report said.

Garvey said that among the thousands of contractors for whom the FAA has since conducted background security checks, 25 were found to be "unacceptable." The systems the contractors were working on have been checked for security lapses and none had been found.