Mar 30 2009

An FAA plea for help?

Published by at 12:18 pm under Government,Hacking,Security Advisories

It’s not too often that we get an honest evaluation of the security of a corporate network let alone a government network.  But that’s exactly what David Bowen, the Federal Aviation Administration’s Assistant Administrator for Information Services and Chief Information Officer gave IT execs in Dallas last week.  In a very frank speech, he disclosed that the FAA has more Internet access points than they can manage, more systems than they can secure and generally a network that they know is insecure but don’t have the time and budget to do anything about. 

I doubt there are many security professionals that are surprised that the FAA network is insecure, but the sheer scope of what Mr. Bowen is facing is scary in the extreme.  They lost information on 45,000 employees in February and even though they deny that other systems, such as air traffic control, are affected, how can they know for certain when they have a network with so few security controls in place?  Unless there’s an air gap of some sort between the rest of the FAA systems and the air traffic control systems, the answer is they can’t.

This isn’t a rogue IT professional disclosing the dirty secrets of an organization, this is the CIO publicly admitting that he doesn’t have a handle on the security of his organization with full acknowledgment by his superiors.  You can read entire transcript of the speech on the FAA site, something you wouldn’t be able to do if the higher ups in the organization were trying to keep this from getting out.  To me that means that this isn’t just an admission of guilt, it’s a plea for help from Federal government to help supply the resources needed to secure his networks.

Statistically, flying is one of the safest ways to travel.  Usually when we hear about an airplane accident it’s because what happened was spectacular and unusual.  But if the FAA networks are really as insecure as Mr. Bowen is indicating, it’s not inconceivable that we could have a scene that looks like something out of a Die Hard movie at sometime in the not too distant future.  I don’t even think this is a case of crying wolf or exaggerating the potential consequences, I believe this a real threat we could face in the future if the FAA systems aren’t secured.

If you want a good place to spend TSA and Homeland Security money, I’m willing to bet securing the FAA network would be a lot better place to put it than making travelers take off their shoes when they’re trying to board a flight.  True, it wouldn’t be as flashy and noticable as taking away people’s pen knives and baby formula, but securing the computers that guide each and every flight taking place in the United States would save more lives than every shoe x-ray combined. 

[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

4 responses so far

4 Responses to “An FAA plea for help?”

  1. idblackboxon 30 Mar 2009 at 2:32 pm

    How scary is this? I am never surprised in reading things like this, moreso with government entities. The general sentiment, “…but don’t have the time and budget to do anything about.” seems to be a default approach until something bad happens. Then miracles take place and all of a sudden, there truly is time and some kind of budget to make it work. It seems quite often, budgets and attention are always spent in the wrong areas until something bad happens. I have come to the conclusion that this is just the way the security industry works. Of course information security produces no real ROI, but neither do car alarms, smoke detectors or door locks.

  2. […] An FAA Plea For Help? – Network Security Blog […]

  3. Aaron Guhlon 31 Mar 2009 at 9:05 am

    One of my old colleagues used to always say regarding network security, “It isn’t if it will happen, it is when.” I totally agree with your last paragraph. The FAA needs to stop spending money on in-flight security measures and start budgeting to spend money on their security infrastructure. I see even here at my local airport spending going into x-ray scanners that can see clearly through clothing and onto the skin. A lot of good that will do if the computer network that supports it gets hijacked.

  4. FAA Teston 04 Oct 2009 at 9:34 am

    I agree with you Martin.I think Faa should more emphasize on their security infrastructure rather than spending money on i-flight security.

%d bloggers like this: