SCHUMER: NEW GAO REPORT REVEALS THAT FAA’S COMPUTER SYSTEM IS DANGEROUSLY VULNERABLE TO HACKERS, WHICH COULD LEAD TO SONY-LIKE TAKEOVER OF SYSTEM BY CYBER-CRIMINALS WHILE THOUSANDS OF PLANES ARE IN AIR; CALLS ON FAA TO EXPEDITIOUSLY IMPLEMENT ALL EXPERT-RECOMMENDED CYBERSECURITY UPGRADES
According to A GAO Report Released This Week, the FAA Is Highly Vulnerable to Hackers Because Agency Has Yet to Fully Implement System-Wide Upgrades to Computer Systems, Like Establishing Multiple Necessary Firewalls to Protect Against Unauthorized Intruders
According to A GAO Report Released This Week, the FAA Is Highly Vulnerable to Hackers Because Agency Has Yet to Fully Implement System-Wide Upgrades to Computer Systems, Like Establishing Multiple Necessary Firewalls to Protect Against Unauthorized Intruders
Schumer Urges That the FAA Quickly Implement All Cyber Security Safety Upgrades Recommended in GAO Report To Protect Against Growing Threat to Hacking of Air Traffic Control Systems - FAA Has Been Working to Implemented Some Recommended Changes
Schumer: What Happened At Sony Could Happen to FAA’s Control System
U.S. Senator Charles E. Schumer today urged the Federal Aviation Administration (FAA) to immediately implement a series of expert- recommended cyber security upgrades to national airspace computer systems that currently remain vulnerable to hackers. A Government Accountability Office (GAO) report released this week suggests significant security weaknesses within the FAA’s air traffic control systems and included 17 recommendations and 168 specific actions the FAA should take to improve security. Schumer urged the FAA to take swift and immediate action to rectify the weaknesses exposed in the GAO report, involving failure to secure its National Air Traffic Control System, failure to encrypt certain sensitive data, and failure to install important firewall protections and needed system upgrades in a timely manner. Without addressing these threats, Schumer highlighted the real risk that a Sony-like takeover of the FAA computer systems could occur without being detected, while thousands of planes and their passengers are in the air.
While the FAA has been working to implement some of the recommended changes, Schumer today said that, in light of the GAO’s findings, more must be done to prevent a Sony-like takeover of the system. Schumer is urging the FAA to fully implement system-wide upgrades to computer systems to prevent terrorists, criminals and other bad actors from hacking into the computer system.
“The recently released GAO report makes clear that the FAA computers have system-wide failings that leave the agency’s air traffic control systems vulnerable to hacking, which could expose sensitive aviation data or even shutdown the system while thousands of planes are in the air. We all saw what happened at Sony: one can only imagine the immediate risk posed by a hacking of the FAA’s air traffic control and computer systems, in addition to the national security risk posed if foreign nationals or terrorists get their hands on the FAA’s sensitive and encrypted data. The FAA should quickly implement changes based on the expert-recommendations from the GAO, like establishing multiple firewalls to protect against unauthorized intruders and make sure all software and servers are properly updated with the best possible technology,” said Senator Schumer.
In August 2013, the GAO began their report on the FAA’s security systems and potential threats to the National Airspace System (NAS). The GAO’s report was finalized earlier this year and the findings revealed major dangerous vulnerabilities in the FAA’s computer systems. Schumer noted that this is particularly concerning in light of the recent cyber attacks as well as the growing threat of terrorism. While the FAA is taking steps to address some of these recommendations, Schumer is urging the FAA to expeditiously implement all of the GAO’s recommendations to better protect our national airspace in the immediate future.
Specifically, Schumer outlined four major issues that the GAO report brought to light regarding security vulnerabilities that were present at the time of its report:
1) Overall security weaknesses within the FAA’s computer systems – According to the GAO report, the FAA failed to fully authenticate some users of its computer system and failed to encrypt certain sensitive data. The GAO has recommended that the FAA audit and monitor the system in an effort to detect possible intrusions. The report urged that the FAA require strong password controls for access and use of the computer system, which include special characters and expiration dates. Currently the FAA has not applied this policy to all of its systems. Also, Schumer said that the GAO report notes the FAA should do more to limit users’ ability to access information that they do not need for their jobs. Currently, the FAA allows account users on its system to access more information than is necessary. The FAA did not always encrypt authentication data when transmitting data across the network, and other systems did not always encrypt stored passwords using sufficiently strong encryption algorithms.
2) Failure on the part of the FAA to fully implement its own Information Security Program – Security policies and procedures outlined in the FAA’s own Information Security Program were not always followed. Specifically, incident report forms were not always complete. Furthermore, individuals with security responsibilities were not given proper training and security controls were not properly tested or monitored. Examples of this include:
a. 26 of the 35 IP-connected National Airspace System (NAS) systems did not provide security event logs to the person designated at the FAA to monitor the system.
b. When weaknesses were detected and actions were needed, often those actions were not completed in a timely fashion. For example, on 4 systems, there were 147 weaknesses detected by the FAA that needed action. Of those actions, 58 were not completed by their planned completion dates, and the planned completion dates for 50 had been extended from between 8 months to more than 3 years past the dates that they were originally scheduled to be completed.
c. The FAA did not always ensure that its employees and contractors took required information security training, including specialized security training and system-specific training, in a timely manner.
3) Inadequate updates and inadequate testing of servers and software – When changes to a system are made, National Institute of Standards and Technology (NIST) recommends that those changes be documented and analyzed for potential security impacts before they are approved an implemented. The GAO report notes that the FAA had, at times, failed to do this. In addition, certain FAA servers and network devices that support air traffic control systems have not been upgraded and certified with security patches in a timely manner. Some security patches that would have improved the system and were recommended for installation but had not been installed had been pending and left uninstalled for over 3 years.Additionally, the FAA has continued to use servers which had reached the end of their life and were no longer supported by the vendor.
4) An inadequate agency-wide security risk management process – According to the GAO, the FAA lacks a system-wide security management process to mitigate risk internally. This system is intended to manage risks, designate which employees are responsible for each type of threat, and more.
A copy of Senator Schumer’s letter to the FAA is available upon request.
###