FAA exec offers blunt, scary assessment of its network security

FAA's David Bowen

It's not often you hear a highly placed IT executive dump on his own network security, let alone one at an agency with as much riding on its systems as the Federal Aviation Administration.

"Literally, we're an unlocked door and a whole lot of open windows, no pun intended," said David Bowen, the FAA's assistant administrator for Information Services and Chief Information Officer, last week. But that was just one observation Bowen offered up in a frank evaluation of the agency's security systems, citing numerous problems he and others are tasked with fixing.

Here is an excerpt from his speech to a group of fellow IT executives in Dallas last week:

We have too many known - and unknown - internet access points. We don't have consistent incident response from our Lines of Business. We have limited visibility and understanding of LOB network security. We only scan some websites now. As an agency, we need to put better controls in place to increase adherence to website development rules and architecture standards.

But it doesn't end there. We have what I'll call hobbyist IT shops, and hobbyist coding practices, and hobbyist security emphasis - or lack thereof.

Fully 75% of our servers are outside our data centers. FAA infrastructure in general is not set up or managed consistently. We have uncontrolled personal identification information everywhere. We have 149 external domain names here at the agency, and 323 internal ones. That's a lot of ground to cover. That's one of the reasons why - government-wide - that [Office of Management and Budget] is reducing the number of government internet access points. DOT is going to be allowed six - down from 41 - and we'll have three.

It doesn't stop there. We have 55,000 laptops and desktops. We have one wide area network but hundreds of local area networks. Literally, we're an unlocked door and a whole lot of open windows, no pun intended.

So where does that put us? We know one thing for sure: what we're doing is not enough. We need to do more of the basics - with architecture, with controls, with incident response, with software patching. As I alluded to a moment ago, we need to do more things consistently. I'm talking about things like architecture, programming, infrastructure and procedures. And we need more toolsets, more skills and most of all, a cadre of talented, dedicated professionals to ensure that they're used correctly.

Our current way of working is too dangerous and too expensive and we can't afford to be either. Two, everyone's got to get involved. I'm talking about you, but I'm also talking about the messages you carry back. Three, we must get up to speed with new software, new procedures, new oversight, new responsibilities and new controls.

This is a call to action, and as public servants, it's time for us to step up. We need to move forward rapidly and increase the protection of our networks and the protection of our sensitive data. We need to do what's in the best interests of our constituents, the flying public and the taxpayers.

Bowen went on to discuss problems with the government's travel site, Govtrip, where he said an intruder exploited a flaw in the website code. The hacker used a default password to gain access to a component of the website software to redirect users to another site.

"That site downloaded malicious code, which contacted another site. That site downloaded more malicious code. And worst of all, our activities to block Govtrip from headquarters IAP were inconsistent with those of other internet access points. If this had been a fire, I can't say that the place wouldn't have burned to the ground while we were trying to orchestrate the fire hoses," Bowen said.

Again in February the FAA notified about 45,000 employees that one of its servers was hacked into and employee personal identity information was stolen.

The FAA was quick to say the server that was accessed was not connected to the operation of the air traffic control system or any other FAA operational system. It did say two of the 48 files on the breached computer server contained personal information about more than 45,000 FAA employees and retirees who were on the FAA's rolls as of the first week of February 2006.

All of this is in the face of growing air traffic congestion and delays. Of course, these problems should not be placed at the door of the FAA; airline practices and economic pressures play in here too.

The security issues are more than troubling, however, as the FAA rolls out its very high-tech system known as NextGen. NextGen seeks to transform the national air transportation system with new high-tech navigation and communications systems. Security obviously needs to be a bigger part of the system.
