GAO Not Impressed By FAA IT Security

    September 27, 2005
    WebProNews Staff

Security through obscurity isn’t the best model for keeping attackers out of the country’s aviation computer systems.

A Government Accountability Office report (GAO-05-712) to Congress on information security and the FAA found that while progress has been made, many issues need to be resolved. The report said controls over air traffic control systems need to be improved.

“A key reason for the information security weaknesses…is that the agency had not yet fully implemented its information security program to help ensure that effective controls were established and maintained,” the 37 page report said.

GAO listed in the report the kinds of security management lapses found at three airports and FAA headquarters: “The agency has not adequately managed its networks, software updates, user accounts and passwords, and user privileges, nor has it consistently logged security-relevant events.”

Those findings in a publicly traded business would probably incur the wrath of shareholders as well as the SEC. As a government agency, FAA will now have to wait and see how urgently Congress prods it on the security issue.

The air traffic control systems in use contain proprietary software and specialized code. FAA officials claim risks to the system are limited due to their specialized design. GAO countered in its report by claiming these designs “cannot fully protect them from attacks by disgruntled current or former employees who are familiar with these features, nor will they keep out more sophisticated hackers.”

David Utter is a staff writer for WebProNews covering technology and business. Email him here.