Federal Aviation Administration Vulnerable to Cyberattacks
A U.S. senator says the Federal Aviation Administration (FAA) is in dire need of a security upgrade. Without major changes to the agency’s computer systems, it will remain vulnerable to attacks from hackers, foreign governments, and terrorist organizations, according to Senator Chuck Schumer, a Democrat from New York.
The FAA is responsible for the country’s network of air traffic controllers through the National Air Traffic Control System, and a security breach could spell disaster for U.S. air travel, he said. Schumer based his comments on findings by the Government Accountability Office (GAO), the agency responsible for auditing and monitoring the federal government’s various organizations, according to the New York Daily News.
Weaknesses in Air Traffic Control
“If they were able to hack the system, thousands of planes could be in the air unguided. Sophisticated terrorists could even steer planes into one another,” Schumer said.
In January, the GAO issued a scathing 46-page report detailing the security failings it found at the FAA in a document titled “FAA Needs to Address Weaknesses in Air Traffic Control Systems.” The GAO listed 168 different actions that the FAA should take to better protect itself from a malicious breach.
The FAA relies on the National Airspace System (NAS), a critical component of the nation’s transportation infrastructure, according to the GAO report. “Given the critical role of the NAS and the increasing connectivity of FAA’s systems, it is essential that the agency implement effective information security controls to protect its air traffic control systems from internal and external threats,” according to the report.
Congress asked the GAO to review the FAA’s information security program to evaluate the extent to which it had effectively implemented information security controls to protect its air traffic control systems. The GAO said that it reviewed FAA policies, procedures, and practices, compared them to the relevant federal law and guidance, and assessed the implementation of security controls in FAA systems.
Increased and Unnecessary Risk
According to the report, the GAO found significant weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on the FAA’s systems.
Additionally, the report found major shortcomings in the way that the agency maintained its boundary protection controls between less-secure systems and those vital to the NAS. The GAO accused the FAA of failing to implement an agency-wide information security program, as required by the Federal Information Security Management Act of 2002. According to the report, the FAA had not sufficiently tested its security controls to determine whether they were operating as expected.
“Until FAA effectively implements security controls, establishes stronger agency-wide information security risk management processes, fully implements its NAS information security program, and ensures that remedial actions are addressed in a timely manner, the weaknesses GAO identified are likely to continue, placing the safe and uninterrupted operation of the nation’s air traffic control system at increased and unnecessary risk,” the GAO wrote in its report.
The FAA, for its part, does not seem to be resisting the GAO’s recommendations, saying that it agrees with the course of action laid out in the report.