Mar 30 2009
It’s not too often that we get an honest evaluation of the security of a corporate network let alone a government network. But that’s exactly what David Bowen, the Federal Aviation Administration’s Assistant Administrator for Information Services and Chief Information Officer gave IT execs in Dallas last week. In a very frank speech, he disclosed that the FAA has more Internet access points than they can manage, more systems than they can secure and generally a network that they know is insecure but don’t have the time and budget to do anything about.
I doubt there are many security professionals that are surprised that the FAA network is insecure, but the sheer scope of what Mr. Bowen is facing is scary in the extreme. They lost information on 45,000 employees in February and even though they deny that other systems, such as air traffic control, are affected, how can they know for certain when they have a network with so few security controls in place? Unless there’s an air gap of some sort between the rest of the FAA systems and the air traffic control systems, the answer is they can’t.
This isn’t a rogue IT professional disclosing the dirty secrets of an organization, this is the CIO publicly admitting that he doesn’t have a handle on the security of his organization with full acknowledgment by his superiors. You can read entire transcript of the speech on the FAA site, something you wouldn’t be able to do if the higher ups in the organization were trying to keep this from getting out. To me that means that this isn’t just an admission of guilt, it’s a plea for help from Federal government to help supply the resources needed to secure his networks.
Statistically, flying is one of the safest ways to travel. Usually when we hear about an airplane accident it’s because what happened was spectacular and unusual. But if the FAA networks are really as insecure as Mr. Bowen is indicating, it’s not inconceivable that we could have a scene that looks like something out of a Die Hard movie at sometime in the not too distant future. I don’t even think this is a case of crying wolf or exaggerating the potential consequences, I believe this a real threat we could face in the future if the FAA systems aren’t secured.
If you want a good place to spend TSA and Homeland Security money, I’m willing to bet securing the FAA network would be a lot better place to put it than making travelers take off their shoes when they’re trying to board a flight. True, it wouldn’t be as flashy and noticable as taking away people’s pen knives and baby formula, but securing the computers that guide each and every flight taking place in the United States would save more lives than every shoe x-ray combined.