Schumer: FAA Should Implement Cybersecurity Upgrades 'Expeditiously' | Aero-News Network
Wed, Mar 11, 2015

Schumer: FAA Should Implement Cybersecurity Upgrades 'Expeditiously'

Says What Happened At Sony Could Happen To The Agency

In a letter to FAA administrator Michael Huerta, U.S. Senator Charles E. Schumer has urged the agency to "immediately" implement a series of expert-recommended cyber security upgrades to national airspace computer systems that currently remain vulnerable to hackers.

A Government Accountability Office (GAO) report released last week suggests significant security weaknesses within the FAA’s air traffic control systems and includes 17 recommendations and 168 specific actions the FAA should take to improve security. Schumer urged the FAA to take swift and immediate action to rectify the weaknesses exposed in the GAO report, which involve failure to secure its National Air Traffic Control System, failure to encrypt certain sensitive data, and failure to install important firewall protections and needed system upgrades in a timely manner.

Unless these threats are addressed, Schumer highlighted what he says is the real risk that a Sony-like takeover of the FAA computer systems could occur without being detected, while thousands of planes and their passengers are in the air.

“The recently released GAO report makes clear that the FAA computers have system-wide failings that leave the agency’s air traffic control systems vulnerable to hacking, which could expose sensitive aviation data or even shut down the system while thousands of planes are in the air. We all saw what happened at Sony: one can only imagine the immediate risk posed by a hacking of the FAA’s air traffic control and computer systems, in addition to the national security risk posed if foreign nationals or terrorists get their hands on the FAA’s sensitive and encrypted data. The FAA should quickly implement changes based on the expert recommendations from the GAO, like establishing multiple firewalls to protect against unauthorized intruders and make sure all software and servers are properly updated with the best possible technology,” Schumer said.

Specifically, Schumer outlined what he sees as four major issues that the GAO report brought to light regarding security vulnerabilities that were present at the time of its report:

  • According to the GAO report, the FAA failed to fully authenticate some users of its computer system and failed to encrypt certain sensitive data. The GAO has recommended that the FAA audit and monitor the system in an effort to detect possible intrusions. The report urged that the FAA require strong password controls for access and use of the computer system, which include special characters and expiration dates. Currently the FAA has not applied this policy to all of its systems.
  • Also, Schumer said that the GAO report notes the FAA should do more to limit users’ ability to access information that they do not need for their jobs. Currently, the FAA allows account users on its system to access more information than is necessary. The FAA did not always encrypt authentication data when transmitting data across the network, and other systems did not always encrypt stored passwords using sufficiently strong encryption algorithms.
  • Failure on the part of the FAA to fully implement its own Information Security Program – Security policies and procedures outlined in the FAA’s own Information Security Program were not always followed. Specifically, incident report forms were not always complete. Furthermore, individuals with security responsibilities were not given proper training, and security controls were not properly tested or monitored. For example, 26 of the 35 IP-connected National Airspace System (NAS) systems did not provide security event logs to the person designated at the FAA to monitor the system. When weaknesses were detected and actions were needed, often those actions were not completed in a timely fashion.
  • According to the GAO, the FAA lacks a system-wide security management process to mitigate risk internally. This system is intended to manage risks, designate which employees are responsible for each type of threat, and more.


FMI: www.schumer.senate.gov
