The Federal Aviation Administration is addressing cyber security lapses that threaten routine operation of the U.S. national airspace system (NAS), Administrator Michael Huerta told Congress on March 3. Huerta defended the agency’s approach one day after the Government Accountability Office (GAO) released a report containing 17 recommendations and 168 specific actions the FAA should take to improve information security.
“First and foremost, the system is safe,” Huerta told the House aviation subcommittee. Many of the recommendations “have already been mitigated and we’re working closely with [the GAO] to continue to focus on them.” Huerta said he has directed the FAA’s existing Cyber Security Steering Committee to address the deficiencies the GAO flagged. “I’ve asked them to provide oversight on behalf of the agency on a risk-based approach as we address each of these recommendations—they’re not all equal,” he said.
The GAO’s so-called performance audit, released on March 2, warned that “significant security control weaknesses” identified within the FAA’s sprawling network of hardware, software and communications equipment threaten its ability to fulfill its mission of safely and efficiently managing the airspace system. “These include weaknesses in controls intended to prevent, limit and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data and auditing and monitoring activity on FAA’s systems,” the report states. Among recommendations, the GAO calls for FAA contractor staff to complete annual security awareness training.
The FAA now relies on more than 100 ATC systems to process and track flights, about one-third of which use Internet Protocol (IP)-based networking technology, the GAO found. Under the agency’s NextGen ATC modernization, the FAA will increasingly use IP technology to communicate over interconnected networks, bringing increased risk. “[I]ntegrating critical infrastructure systems with information technology networks provides significantly less isolation from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats,” the GAO said. In a footnote, the congressional watchdog agency said it is conducting a separate review of NextGen information security requirements, which it plans to release later this year.
The FAA fundamentally lacks strong, agency-wide information security risk management processes, the GAO said. While acknowledging that the FAA has already formed the cyber security steering committee that Huerta mentioned in his remarks to the House subcommittee, the GAO found that its “roles and responsibilities remain unclear,” and that officials with the agency’s Office of Information and Technology and Air Traffic Organization “continue to disagree on who should be responsible for the security of NAS systems.”
During the House hearing, U.S. Rep. Peter DeFazio, D-Ore., said he couldn’t recall any other report with as many as 17 recommendations and 168 corrective actions, making him “very gravely concerned.” DeFazio asked Huerta if moving to a cloud-based computing framework in which data is stored and accessed over the Internet poses further risk. The move “raises an important question,” Huerta responded. “As we have transitioned our national airspace system from what’s largely been a closed system to an IP-based system, where we’re buying services from the private sector, we have to ensure that we’re using private-sector best practices to ensure that we have the appropriate cyber controls in place.”
Comments
rubencouto, March 4, 2015 - 6:03am
I agree that the use of "Internet Protocol (IP)-based networking technology" may increase the possibility of safety risks. Evildoers will take advantage of any security breaches as these tend to be more accessible over the internet. I think the FAA does well in taking these recommendations very seriously.
Ruben Couto