The Federal Aviation Administration failed to conduct security checks on dozens of foreigners hired to fix Y2K problems in sensitive computer systems used for air traffic control, congressional investigators said yesterday.
The General Accounting Office, the investigative arm of Congress, said it found that the FAA had violated its own security policy by allowing its contractors' foreign employees, who had not received background checks, to be involved in repairing 15 of 153 critical computer systems.
Citizens of Ukraine, Pakistan, Britain and Ethiopia were given access without proper checks, as were 36 Chinese who performed Y2K reviews on eight critical systems, including one involved in air-to-ground communications.
"By not following sound security practices, FAA has increased the risk that inappropriate individuals may have gained access to its facilities, information or resources," said Joel C. Willemssen, GAO director for civil agencies' information systems, in a report to the House Science Committee, which had asked the GAO to investigate how much the FAA relied on foreign nationals for Y2K preparedness.
The nation's air traffic systems were placed at greater risk from people wishing to make faulty or harmful changes in the computer code, Willemssen said. One of the systems reviewed by the foreign citizens helps manage the flow of air traffic across the nation.
After the investigators issued a draft report in early December, the FAA started the background checks that should have been conducted at the outset, said spokesman Eliot Brenner. The checks are almost complete and have revealed no security problems, he said.
"We didn't follow our procedures," Brenner said. "It was pointed out to us. We fixed it immediately and the system worked."
None of the computer systems involved is classified, and none experienced Y2K problems, Brenner said. He said the FAA is reviewing its software contracts to find out why the security checks were not conducted earlier and plans to issue a report by the end of the month.
The FAA's policy requires background checks on all FAA and contractor employees. The agency's Y2K Program Office told the investigators that it didn't know about the requirement, the GAO said. The FAA unit also was unaware whether the agency or the contractors had performed background checks on any of the contractor employees, including foreigners.
The contractors, Primeon Inc. and Computer Generated Solutions Inc., were not given direct access to the FAA's computers but were sent copies of the program codes on computer disks, the investigators said. The contractors had to sign agreements requiring them to return or destroy all copies of the program codes.
But the investigators warned that "copies of the code could be sold and/or reviewed to identify system weaknesses that could later be exploited."
Brenner said the FAA's contractors are well known to government agencies and have years of experience and reliability.