GAO Sees FAA Air Traffic System at Risk
Lawmakers Want FAA to Explain How It Will Fix Problems
The leaders of the Congressional committees that oversee the Federal Aviation Administration expressed concern about an audit that shows "increased and unnecessary risk" to the systems that control air traffic in the United States.
"We cannot risk undermining our investments in NextGen air traffic control modernization by leaving critical systems ... and our telecommunications infrastructure open to intrusion by nefarious actors," says the letter to FAA Administrator Michael Huerta and Transportation Secretary Anthony Foxx from Sens. John Thune, R-S.D., and Bill Nelson, D-Fla., chairman and ranking member of the Commerce, Science and Transportation Committee.
The senators say they want the FAA to account for how it's implementing recommendations from the Government Accountability Office to remediate the problems.
At a March 3 hearing of the House Transportation and Infrastructure Committee, Ranking Member Peter DeFazio, D-Ore., questioned Huerta about the audit. Huerta told the panel that he is "actively focused" on GAO recommendations and the agency has "remediated a very significant number of the technical findings already."
Agency Head: Swiftly Remediating Problems
"We've been proactive in identifying other potential actions to enhance the cybersecurity posture of our national airspace system as well as the agency as a whole," Huerta said. "And, we've been working with our other government partners - those that, like us, have technology-based organizations - to ensure that we're using best practices. It's something I'm very committed to and very concerned about. We're remediating this as quickly as we can."
The GAO contends that significant security control weaknesses exist that threaten the FAA's ability to ensure the safe and uninterrupted operation of the national airspace system, or NAS. According to GAO, the weaknesses lie in controls intended to prevent, limit and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA systems. Additionally, GAO says, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk posed by these weaknesses.
FAA Claims 'Safest' Aerospace System
In response, a senior Transportation Department official acknowledges the problems detailed in the GAO audit, though he stops short of characterizing the air traffic control and other agency systems as placing passengers and crew at risk.
"The Federal Aviation Administration currently provides the safest, most efficient aerospace system in the world," Keith Washington, acting assistant transportation secretary for administration, writes in a response to the GAO audit. "The agency is fully cognizant of the vital requirements to secure the national airspace system cyber environment as part of the nation's critical infrastructure."
According to the report, the FAA failed to implement its agency-wide information security program as required by the Federal Information Security Management Act, the law that governs federal government IT security.
In addition, the report says, the FAA's implementation of its security program was incomplete. GAO cited the following examples: the FAA didn't consistently and sufficiently test security controls to determine that they operated as intended, didn't resolve identified security weaknesses in a timely manner, and didn't complete or adequately test plans to restore system operations in the event of a disruption.
Linking Mission with IT Security
GAO says the group responsible for incident detection and response for NAS did not have sufficient access to security logs or network sensors on the operational network. That, in turn, limited the FAA's ability to detect and respond to security incidents affecting its mission-critical systems.
Auditors say the FAA failed to fully establish an integrated, organization-wide approach to managing information security risk that's aligned with its mission, which is partly to blame for the systems' vulnerabilities. The FAA had established a cybersecurity steering committee to provide agency-wide risk management, but it didn't establish a governance structure or employ practices to ensure that security decisions aligned with the agency's mission. For instance, the GAO says, the FAA didn't clearly establish roles and responsibilities for NAS. As another example, GAO says the FAA hadn't updated its information security strategic plan to reflect significant changes in the NAS environment, such as increased reliance on computer networks.
GAO offered - and the FAA accepted - 17 recommendations to fully implement its information security program and establish an integrated approach to managing information security risk. The auditors caution that not doing so would place "the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk."