2000-10-02 - WASHINGTON

The Federal Aviation Administration (FAA) continues to face harsh criticism in Congress for failing to do background security checks on many of its contract workers, some of whom were hired to conduct penetration testing of the agency's computer systems.

The FAA's computer security practices were again faulted in a report by the General Accounting Office (GAO) that was released last week at a House Committee on Science hearing. The report - the third issued on the matter by the GAO since late last year - reiterated allegations that the FAA is at risk of "undue exposure to intrusions and malicious attacks on its facilities, information and resources."

At the hearing, James Sensenbrenner (R-Wis.), chairman of the Committee on Science, charged that the FAA is putting national security at risk by not performing appropriate background checks on foreign nationals hired from countries that "harbor ill will" toward the U.S. "These unknown individuals have been allowed to gain knowledge about FAA's sensitive computer codes and systems," Sensenbrenner said.

He added that the "most shocking" security lapse by the agency has been its use of contractors without security clearances to test the potential for hackers penetrating the FAA's systems. "These are the people who are using their best efforts to try to penetrate the system," he said.

FAA administrator Jane Garvey acknowledged the problems cited by the GAO and said the agency is correcting them. But she also told the committee that air traffic control systems are safe and have numerous built-in redundancies that could thwart attacks. "We believe we have a very strong and a very secure system," she said.

Still Needs Improvement

An earlier GAO report, released in the spring, said the FAA had made progress on improving its computer security policies and procedures since an initial review was done last year. But, the GAO added, the FAA still needs to do more, including the completion of required background checks "for a substantial number of contractor employees."

Like its predecessor, the report released last week acknowledged the progress the agency has made but said many areas of concern remain. For example, the report said the FAA's own penetration testing and vulnerability assessments "demonstrate significant areas of weakness."

But the report, citing security concerns, didn't disclose details about where those problems lie. The Committee on Science may hold a closed-door hearing in the future to get more specific information from the GAO.

At last week's hearing, Kenneth Mead, inspector general at the U.S. Department of Transportation (DOT), testified that the FAA's air traffic control system is "relatively immune" from outside attacks because of its physical isolation from the rest of the agency's computer applications. But, Mead added, the current level of security may be undermined by the FAA's massive program to modernize the mainframe-based air traffic control system.

Under that $1 billion-plus project, Mead said, the systems that manage air traffic control will be linked to administrative systems at the FAA, possibly opening them up to wider access. "Until the FAA gives assurances that this integrated network won't compromise data security, we don't think the FAA should go forward with that plan," he said.

Mead cited vulnerabilities with DOT systems not run by the FAA as evidence of systemic problems with open systems. For example, a team reviewing security at the DOT was able to gain access to 270 computers via an Internet connection, Mead said. Another 900 systems were deemed to be vulnerable to attack by insiders, he added.