FAA computers at risk from insiders?

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

FAA computers at risk from insiders? Updated 7:55 AM ET June 15, 2000

by Robert Lemos, ZDNet News

New report says Federal Aviation Administration is still not protecting its systems against personnel with inadequate security clearance.

If mechanical failure and pilot error are not enough to worry the paranoid air traveler, now a government report concludes that computer attacks by FAA contractors could also be a major problem.

According to a report by the U.S. General Accounting Office on the computer security of the Federal Aviation Administration released this week, inadequate background checks of private contractors leave the National Airspace System open to computer attacks.

"Failure to adequately protect these systems, as well as the facilities that house them, could cause nationwide disruption of air traffic or collisions," said the report.

The report had been requested by U.S. Reps. F. James Sensenbrenner Jr., R-Wis., and Ralph M. Hall, D-Texas, and follows a similar report -- with similar findings -- published in December 1999.

Background checks lacking

The report notes that the FAA believes any risk of attack to be extremely low, even though it has not completed background checks of contractors with access to its estimated 435 critical information systems.

The report cited one example in which 36 mainland Chinese nationals escaped any sort of background check, even though they had reviewed the source code of eight of 435 critical systems.

The reasons for the lax security quoted by the report would sound familiar to any corporate network security administrator today.

"Key factors contributing to the FAA's failure to comply with its policy on personnel security were," the report said: 1. Insufficient management support, 2. Insufficient user awareness and training on personnel security, and 3. Inadequate policy enforcement activities.

The GAO made recommendations to the FAA administrator to improve the agency's security controls and to identify the risk of malicious attacks on critical systems to offset any security threat.

The FAA agreed with the recommendations.


-- Martin Thompson (mthom1927@aol.com), June 15, 2000

Moderation questions? read the FAQ