By Eric J. Sinrod
USAToday.com

Originally published October 5, 2005

If you already are nervous about flying, this column may not make you feel more comfortable. So let's get right to the point – according to a recent evaluation by the Government Accountability Office (GAO), the Federal Aviation Administration (FAA) suffers from security weaknesses in its information systems, including weaknesses in controls that are intended to prevent, limit and detect access to those systems.

Background

As most of us know, and as explained by the GAO, the FAA performs important functions designed to ensure "safe, orderly, and efficient air travel in the national airspace system." In performing its functions, the FAA must rely upon an extensive "array of interconnected automated information systems and networks that comprise the nation's air traffic control systems." These systems are mission critical as they supply information to air traffic controllers and flight crews to help "ensure the safe and expeditious movement of aircraft."

Interruptions of service by these information systems, as noted by the GAO, "could have a significant adverse impact on air traffic nationwide." And reading between the lines here, one is left with the conclusion that passenger safety potentially could be jeopardized by such interruption.

The GAO explains that it was tasked to evaluate how the FAA has implemented information security controls because such controls are "essential for ensuring that the nation's air traffic control systems are adequately protected from inadvertent or deliberate misuse, disruption, or destruction."

The Evaluation

The GAO concludes, as part of its evaluation, that the FAA "has made progress in implementing information security for its air traffic control information systems." However, the GAO "identified significant security weaknesses that threaten the integrity, confidentiality and availability of FAA's systems – including weaknesses in controls that are designed to prevent, limit and detect access to these systems." According to the GAO, the FAA "has not adequately managed its networks, software updates, user accounts and passwords, and user privileges, nor has it consistently logged security-relevant events." Feeling better yet?

If this were not enough, the GAO found that other FAA information security controls, encompassing physical security, background investigations, segregation of duties, and system changes, "exhibited weaknesses, increasing the risk that unauthorized users could breach FAA's air traffic control systems, potentially disrupting aviation operations." Certainly, the disruption of aviation operations sounds ominous.

The GAO reports that the FAA explained that the possibilities for unauthorized access are "limited." Of course, a better answer would be that such possibilities are "non-existent." The GAO evaluation states that the FAA has "initiatives underway to improve its information security" but notes that "further efforts are needed." The GAO reports that FAA weaknesses that need to be addressed include "outdated security plans, inadequate security awareness training, inadequate systems testing and evaluation programs, limited security incident-detection capabilities, and shortcomings in providing service continuity for disruptions in operations."

Get Moving

Hello – let's get on with it! It has been four years since 9/11, and every effort should have been and should be made to keep the skies safe for airline passengers, including efforts to shore up FAA information security systems. The expression "good enough for government work" cannot apply in this context.

Eric Sinrod is a partner in the San Francisco office of Duane Morris, where he focuses on litigation matters of various types, including information technology disputes. His column appears Wednesdays at USATODAY.com.
