FAA: That's Because We're Using Older, Customized Equipment

Is the FAA adequately protecting its information systems from cyber attack? If you ask the General Accountability Office, the answer is a resounding "nope."

"FAA has made progress in implementing information security for its air traffic control systems by establishing an agencywide information security program and addressing many of its previously identified security weaknesses; however, it still has significant weaknesses that threaten the integrity, confidentiality and availability of its systems -— including weaknesses in controls that are designed to prevent, limit and detect access to those systems," a new GAO report is quoted as saying.

Government Computer News reports the FAA has responded by admitting there are areas of weakness, saying its equipment is older and highly customized and therefore much more difficult to protect from cyber-attacks.

Still, the investigative arm of Congress said there are several things the FAA can address:

• update old security plans
• improve security awareness training
• improve testing and evaluation programs

The FAA said it would take the GAO report under advisement, but said the report itself doesn't truly reflect the state of security at the nation's air traffic control facilities.

That evoked a raised eyebrow from the chairman of the House Government Reform Committee, which asked for the GAO report. "Given the ever-evolving nature of cyberthreats and the thought of someone with malicious intent accessing FAA’s IT systems, complacency is not an option," said Rep. Tom David (R-VA).

FMI: www.gao.gov/new.items/d05712.pdf