FAA computers at risk of cyberattacks, report says

The Federal Aviation Administration’s air traffic control systems are not being adequately protected from cyber terrorists who could hack into the computer systems used to direct flights, a new report said.

Congress’ top watchdog, the Government Accountability Office, released a 42-page report Monday that found the agency had taken steps to protect its computer systems from cyber threats, but it said that “significant security control weaknesses remain.”

“These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems,” the report said.

The GAO wrote that the security lapses exist because the FAA did not fully implement its agency-wide information security program required by a 2002 law, and the agency’s information security strategic plan had not been updated since 2010.

“These shortcomings put [national airspace] systems at increased and unnecessary risk of unauthorized access, use, or modification that could disrupt air traffic control operations,” the report reads.

The GAO did not publish specific examples of security lapses. A separate document, which details specific vulnerabilities and identifies 168 actions for improvement, has been classified.

The GAO made 17 recommendations for improvement to the FAA including full implementation of the agency-wide security program, increased training, establishing multiple firewalls to protect against unauthorized intruders and better record-keeping procedures to allow those monitoring data to better detect hackers.

The FAA agreed with the GAO’s recommendations and detailed plans to improve security management, including creating a cybersecurity steering committee that would develop an agency-wide comprehensive cyber-risk management strategy.

“The Agency is fully cognizant of the vital requirement to secure the National Airspace System cyber environment as part of the nation’s critical infrastructure,” Keith Washington, the Acting Assistant Secretary for Administration, wrote in the agency’s two-page response letter.