Information Security News mailing list archives
FAA Still Hasn't Plugged Computer Security Holes
From: InfoSec News <isn () C4I ORG>
Date: Wed, 14 Jun 2000 13:52:21 -0500
http://www.computeruser.com/news/00/06/14/news7.html By: David McGuire, Newsbytes June 14, 2000 In recent years, thousands of outside contractors, many of them foreign nationals, have been allowed access to the Federal Aviation Administration's critical computer systems without having to undergo background checks, a government report released Tuesday said. While the report concludes that the FAA is taking steps to address the gaping security hole, the agency is saddled with a backlog of security checks that it doesn't expect to complete for several months. Requested by Science Committee Chairman James Sensenbrenner, R-Wis., and ranking Democrat Ralph Hall, D-Texas, the General Accounting Office report on FAA computer security outlines a history of lax personnel practices at the agency, particularly in the area of outside contractors. "Our air traffic control system now is unacceptably susceptible to computer tampering due to the FAA's breakdown in computer security procedures," Sensenbrenner said in a statement Tuesday. The lapses are particularly galling " because this committee and others have repeatedly stressed to the FAA the threat cyber-terrorism presents to our air traffic control system," he added. The first indication that the FAA was not adhering to strict security practices came last year when the agency completed its Y2K remediation efforts in a surprisingly short period, Science Committee staffer Jeff Lungren said Tuesday. When the Science Committee asked the FAA if it had performed security checks on all of the Y2K contractors hired to fix the agency's air traffic control and other systems, the FAA revealed that it did not have a system in place for performing such checks. In December, the GAO released a report on the gaffe, which was followed by more questions about the FAA's overall dealings with outside contractors. In response to the December report, the FAA beefed up its personnel security practices, announcing its intention to perform "compliance audits" in July of this year. Still, Tuesday's report recommends that the FAA be more aggressive in training its employees on security protocols. The report also suggests that the FAA develop a "quality assurance process" to oversee its personnel security activities. "We acknowledge the report, we agree with the recommendations and already we've taken steps to implement some of the suggestions that the GAO offered," FAA spokesperson Tammy Jones said Tuesday. The Science Committee had intended to hold a hearing on the FAA's computer security practices on Wednesday, but a scheduling problem caused them to postpone, Lungren said. A copy of the GAO report can be downloaded at http://www.gao.gov/cgi-bin/getrpt?AIMD-00-169 ISN is sponsored by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- FAA Still Hasn't Plugged Computer Security Holes InfoSec News (Jun 15)