Information Security News mailing list archives

FAA Still Hasn't Plugged Computer Security Holes


From: InfoSec News <isn () C4I ORG>
Date: Wed, 14 Jun 2000 13:52:21 -0500

http://www.computeruser.com/news/00/06/14/news7.html

By: David McGuire, Newsbytes
June 14, 2000

In recent years, thousands of outside contractors, many of them
foreign nationals, have been allowed access to the Federal Aviation
Administration's critical computer systems without having to undergo
background checks, a government report released Tuesday said.

While the report concludes that the FAA is taking steps to address the
gaping security hole, the agency is saddled with a backlog of security
checks that it doesn't expect to complete for several months.

Requested by Science Committee Chairman James Sensenbrenner, R-Wis.,
and ranking Democrat Ralph Hall, D-Texas, the General Accounting
Office report on FAA computer security outlines a history of lax
personnel practices at the agency, particularly in the area of outside
contractors.

"Our air traffic control system now is unacceptably susceptible to
computer tampering due to the FAA's breakdown in computer security
procedures," Sensenbrenner said in a statement Tuesday. The lapses are
particularly galling "because this committee and others have
repeatedly stressed to the FAA the threat cyber-terrorism presents to
our air traffic control system," he added.

The first indication that the FAA was not adhering to strict security
practices came last year when the agency completed its Y2K remediation
efforts in a surprisingly short period, Science Committee staffer Jeff
Lungren said Tuesday.

When the Science Committee asked the FAA if it had performed security
checks on all of the Y2K contractors hired to fix the agency's air
traffic control and other systems, the FAA revealed that it did not
have a system in place for performing such checks.

In December, the GAO released a report on the gaffe, which was
followed by more questions about the FAA's overall dealings with
outside contractors.

In response to the December report, the FAA beefed up its personnel
security practices, announcing its intention to perform "compliance
audits" in July of this year. Still, Tuesday's report recommends that
the FAA be more aggressive in training its employees on security
protocols.

The report also suggests that the FAA develop a "quality assurance
process" to oversee its personnel security activities.

"We acknowledge the report, we agree with the recommendations and
already we've taken steps to implement some of the suggestions that
the GAO offered," FAA spokesperson Tammy Jones said Tuesday.

The Science Committee had intended to hold a hearing on the FAA's
computer security practices on Wednesday, but a scheduling problem
caused them to postpone, Lungren said.

A copy of the GAO report can be downloaded at
http://www.gao.gov/cgi-bin/getrpt?AIMD-00-169
