In the wake of last year’s Sony hack, lawmakers and security contractors have warned that increasingly sophisticated cyber attacks threaten national security, but a government watchdog said that a critical piece of US infrastructure is vulnerable to even the most elementary of malicious actors.
The computer systems used by the Federal Aviation Administration to control the nation’s 19,000 airports and 600 air traffic control towers is at risk of “unauthorized access, use, or modification that could disrupt air traffic control operations,” according to a report published Monday by the Government Accountability Office (GAO).
Part of the problem, the report found, is one more associated with careless email users than those overseeing the safety of millions.
“Certain servers and applications supporting [national airspace] systems did not implement sufficiently strong password controls,” the GAO reported. “As a result, FAA is at increased risk that accounts could be compromised and used by unauthorized individuals to access sensitive information or systems.”
The weak operational security has left the FAA with “significant security control weaknesses” leaving restricted systems vulnerable and the agency’s compliance with federal guidelines in doubt—it is required, by law, to implement information security safeguards that meet a national standard.
The report additionally found that the FAA is below federal standards on securing data through encryption.
“Attackers could compromise accounts or intercept, view, and modify transmitted data, thereby threatening the confidentiality, integrity, and availability” of the nation’s airspace, the GAO warned.
The report detailed several other security failures at the FAA, including insufficient “audit and monitoring” systems, and inadequate training for cyber security personnel, which increased the likelihood that employees “may not recognize and respond appropriately to potential security threats and vulnerabilities.”
When many of these problems were identified at the FAA, the agency struggled to resolve them. The GAO reviewed 147 “planned actions” to address security weaknesses, and found that the FAA only resolved 58 of them within the planned completion date. Another fifty had their completion dates extended between eight months and three years.
While the current cyber-security debate in Washington is centered on information-sharing legislation that will allegedly help the government and private sector snuff out threats, in the FAA’s case, the problem is a lack of money.
“One reason that original deadlines are often missed is that the programs lack sufficient resources and funding to address weaknesses by their original due dates,” the GAO said, touching on a concern held by a number of federal agencies amid several years of austerity induced by sequestration.
The FAA concurred with the GAO’s technical recommendations to improve cyber security. There were more than a dozen suggestions. A classified version of the report included nearly 170 more recommendations, and was distributed to lawmakers who had made the initial inquiry about the topic.
GAO claimed the full report included “sensitive security information and must be protected from public disclosure.”
In January, portions of a different report about vulnerable information technology systems at John F. Kennedy International Airport were also kept secret. As The Sentinel reported, the Department of Homeland Security Inspector General who authored the findings, John Roth, pushed back on the secrecy, saying the details of the report “posed no threat to transportation security.”
“Over-classification is the enemy of good government,” he added.