FAA's Latest Security Challenge Is in Cyber Space, Not the Skies

By Joe Davidson
Wednesday, February 11, 2009

The mission of the Federal Aviation Administration is "to provide the safest, most efficient aerospace system in the world."

Fortunately, it does that better than safeguarding its computer system.

Last week, the FAA administrative computer server was hacked. Among the 48 breached files were two that contained the names and Social Security numbers of more than 45,000 employees -- almost the entire staff -- who were on the agency's rolls the first week of February 2006.

That's bad enough, but what also riles workers is the delay between the intrusion and the notice given them Monday.

"We were at risk, and nobody knew it," said Tom Waters, president of Local 3290 of the American Federation of State, County and Municipal Employees.

An FAA spokeswoman, Laura J. Brown, wouldn't comment on the delay or precisely when the breach occurred. She did say it took time "to determine exactly what information was stolen."

A letter from Lynne Osmus, the acting FAA administrator, to current and former employees says "medical information from the hacked files was encrypted and not identifiable." Brown said she didn't have details on what other data, including birth dates and home or e-mail addresses, might have been taken.

The FAA breach -- the air traffic control system was not compromised -- came a few days before Monday's announcement that President Obama has ordered a review of cyber-security activities throughout government.

"The national security and economic health of the United States depend on the security, stability and integrity of our nation's cyberspace, both in the public and private sectors," said John Brennan, assistant to Obama for counterterrorism and homeland security.

Focusing on national security, writ large, is good, but officials shouldn't overlook the individual security of federal workers and the rest of us whose personal information is housed in government databases.

While the FAA was hit this time, it certainly is not alone. Uncle Sam's main jobs database, USAJobs, which is run by Monster.com, was hacked last month.

The security of government computers has been deemed a "high-risk" area, by the Government Accountability Office. "Most agencies continue to experience significant deficiencies that jeopardize the confidentiality, integrity, and availability of their systems and information," the GAO said last month. "For example, agencies did not consistently implement effective controls to prevent, limit, and detect unauthorized access or manage the configuration of network devices to prevent unauthorized access and ensure system integrity."

In what might be an example of closing the barn door after the horses have bolted, Osmus told staffers: "We are moving swiftly to identify short-term and long-term measures -- procedural and technological -- to prevent such incidents from recurring."

Rep. Bennie Thompson (D-Miss.), chairman of the House Committee on Homeland Security, said "malicious actors" try to breach federal computers millions of times each year. "Unfortunately, sometimes the bad guys get in," he said. "We must work harder to improve our defensive posture."

The number of successful breaches is tough to quantify, according to a congressional expert on cyber security. "We only know what we can find," he said. "It's often kind of difficult to find out when you've been breached. It's only when hackers are sloppy that you find out."

That makes computer theft particularly scary. You know when someone steals your car or breaks into your house. But someone could take your personal information and you might not know you've been hit until, perhaps, your credit is ruined.

"I'm going to check all my credit reports consistently for a while," Waters said.

FAA officials are considering offering credit-monitoring services to workers. Officials also should provide identity theft insurance, if they can find a firm that will offer it after the fact.

Rian Wroblewski, a computer security consultant with RedTeamProtection.com, in New York City, said federal agencies could do a better job protecting information on computers.

"Most government information is not encrypted," he said. "It's just passed all over the place."

Contact Joe Davidson at federaldiary@washpost.com.

View all comments that have been posted about this article.

© 2009 The Washington Post Company