Last week the Wall Street Journal’s Homeland Security reporter Siobham Gorman filed a report that has received very little attention, but which points out so many problems within the federal government, including problems that I had in DHS and that most departments and agencies suffer. The report also highlights the increasing vulnerability of the federal government to cyber attacks, the next frontier of terrorism.
I fly in excess of 100,000 miles per year on United Airlines. Occasionally I fly on private aircraft, too. That’s just me. Consider these statistics from the National Air Traffic Controllers Association:
On any given day, more than 87,000 flights are in the skies in the United States. Only one-third are commercial carriers [like United Airlines]. On an average day, air traffic controllers handle 28,537 commercial flights (major and regional airlines), 27,178 general aviation flights (private planes), 24,548 air taxi flights (planes for hire), 5,260 military flights and 2,148 air cargo flights (Federal Express, UPS, etc.). At any given moment, roughly 5,000 planes are in the skies above the United States. In one year, controllers handle an average of 64 million takeoffs and landings.
For every one flight you see listed on an airport monitor, two you don’t see show up on air traffic controllers’ screens. It would take approximately 7,300 airport terminal monitors to show all the flights controllers handle in a single day and approximately 460 monitors to show the number of flights being handled at any one time.
That is a lot of airplanes in the air at any one time.
But we can all rest assured that all of the air traffic controllers are doing everything they can to keep us safe. Except that, they have outdated equipment, not enough controllers, and hackers from around the world and in our own country are constantly attacking the Federal Aviation Administration’s (FAA) systems.
So what did the Wall Street Journal report? Let’s take a look.
The FAA Inspector General released a report last Wednesday (May 6, 2009) which cited a cyber attack on the FAA’s computer systems that “partially shut down air-traffic data systems in Alaska” and the FAA’s attempts to modernize its systems are “introducing new vulnerabilities that could increase the risk of cyber attacks on air-traffic control systems.
So the FAA is under attack at the same time it’s trying to modernize its systems and that modernization itself is increasing the FAA’s (and thus the flying public’s) vulnerability to cyber attacks.
The FAA has “administrative” networks (for email, data, et al) and “operational” networks (ATC, flight controllers et al) and those in charge at the FAA claim that the systems are separate. Yet, the Inspector General (IG) identified more than 763 “high risk” vulnerabilities in the administrative networks that could provide hackers a path to the sensitive operational systems.
The natural tendency of those in charge of different departments and agencies is to defend their employees, programs and systems. No one wants to be accused of a faulty system that’s subject to vulnerabilities. So, we shouldn’t be surprised by this response of the FAA spokeswoman: “We have specific orders that prohibit them [the administrative and operational networks] from being connected.
Orders?
That’s all? Orders? Well, that’ll certainly stop the hackers, won’t it? I can see the hackers sitting in Moscow, Beijing or San Francisco just laughing at that statement.
Those administrative systems only control items such as air-traffic flow, electric power, flight and weather data for the pilots. Yeah, I don’t care if the pilots know any of that stuff, do you? But it gets worse. According to Tom Kellermann of Core Security Technologies the “integrity of the data on which ground control is relying can be manipulated, much as seen in ’24.’”
The IG also found that when cyber attack intrusions were detected they weren’t necessarily addressed quickly by the FAA. For example it found 50 unresolved incidents that had been open for more than three months “including critical incidents in which hackers may have taken over control” of the FAA’s operations wing.
The Wall Street Journal report and the IG’s report caught my attention not only because it is one more example of the cyber warfare attack on the United States, but it also outlines the underlying problems inside the federal government: turf wars, impediments to adoption of new technologies because of outdated procurement rules, an unwillingness to admit to systemic problems in one’s department, lack of accountability, and Congressional oversight that is nominal or parochial or overbearing.
Whether it’s my United pilot landing on this runway at Anchorage, or Customs & Border Patrol inspecting cargo or cars coming across our borders, or FEMA trying to get water and ice through flood waters, we need the best technology we can get. Procurement offices, congressional overseers, inspectors general, all of us, need to find ways to speed adoption of new technologies.
Otherwise, we’ll miss the runway or a hacker will steer us into the mountain.
See the Wall Street Journal’s report here.
