Uproar Over FAA Computer Hacking

The mission of the Federal Aviation Administration is “to provide the safest, most efficient aerospace system in the world.”

Fortunately, it does that better than safeguarding its computer system.
Last week, the FAA administrative computer server was hacked. Among the 48 breached files were two that contained the names and Social Security numbers of more than 45,000 employees -- almost the entire staff -- who were on the agency’s rolls the first week of February 2006.

That’s bad enough, but what also riles workers is the delay between the intrusion and the notice given them late Monday.

“We were at risk and nobody knew it,” said Tom Waters, president of the American Federation of State, Local and Municipal Employees Local 3290.

An FAA spokeswoman, Laura J. Brown, would not comment specifically on the delay or precisely when the breach occurred. She did say it took time “to determine exactly what information was stolen.”

A letter from Lynne Osmus, the acting FAA administrator, to current and former employees says “medical information from the hacked files was encrypted and not identifiable.” Brown said she did not have details on what other data, including birth dates and home or e-mail address, might have been taken.

The breach of FAA’s administrative computer -- the air traffic control system was not compromised -- came just a few days before Monday’s announcement that President Obama has ordered a 60-day review of cyber security activities throughout the government.

“The national security and economic health of the United States depend on the security, stability, and integrity of our nation’s cyberspace, both in the public and private sectors,” said John Brennan, assistant to the president for counterterrorism and homeland security.

Focusing on national security, writ large, is good, but officials should not overlook the personal security of federal workers and the rest of us whose personal information is housed in government databases.

While the FAA was hit this time, it certainly is not alone. Uncle Sam’s main jobs database, USAJobs, which is run by Monster.com, was hacked last month.

The security of government computers has been deemed an area of “high-risk,” by the General Accounting Office. “Most agencies continue to experience significant deficiencies that jeopardize the confidentiality, integrity, and availability of their systems and information,” the GAO reported last month. “For example, agencies did not consistently implement effective controls to prevent, limit, and detect unauthorized access or manage the configuration of network devices to prevent unauthorized access and ensure system integrity.”

In what might be an example of closing of the barn door after the horses have bolted, Osmus told staffers: “We are moving swiftly to identify short-term and long-term measures -- procedural and technological -- to prevent such incidents from recurring.”

Rep. Bennie G. Thompson (R-Miss.), chairman of the House Committee on Homeland Security, said "malicious actors" try to breach federal computers millions of times each year. "Unfortunately, sometimes the bad guys get in,” he said. “We must work harder to improve our defensive posture.”

One congressional expert in the field, said attempts to break into government computers are in the millions each year. Like other congressional staffers, he would not allow his name to be used because elected officials on Capitol Hill like to get all the ink.

The number of successful breaches is a tough number to quantify, according to a congressional expert on cyber security, who spoke on background. “We only know what we can find,” he said. “It’s often kind of difficult to find out when you’ve been breached. It’s only when hackers are sloppy that you find out.”

That makes computer theft particularly scary. You know when someone steals your car or breaks into your house. But someone could take your personal information and you might not know you’ve been hit until, perhaps, your credit is ruined.

“I’m going to check all my credit reports consistently for a while,” Waters said.
FAA officials are considering offering credit monitoring services to employees. Officials also should provide identity theft insurance, if they can find a company willing to offer it after the fact.

Rian Wroblewski, a computer security consultant with RedteamProtection.com in New York City, said federal agencies could do a better job of protecting information on computers.

“Most government information is not encrypted,” he said. “It’s just passed all over the place.” In many cases, he added, breaches are not publicly reported. “I just think it’s swept under the rug,” he said. “I think the problem is much greater than reported.”

Contact Joe Davidson at federaldiary@washpost.com

By Eric Pianin  |  February 10, 2009; 7:00 PM ET
Previous: FAA Employee Database Hacked | Next: Air Traffic Controllers' Union Upset About FAA Computer Breach


The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company