Sen. Charles Schumer urged the Federal Aviation Authority (FAA) to implement recommendations given by the U.S. Government Accountability Office (GAO) in a report that found that multiple security holes in the country's air control systems are susceptible to being exploited by malicious hackers.
On Sunday, the New York Democrat said he feared that the weaknesses in the FAA's cybersecurity make them vulnerable to hacking similar to the major cyberattack launched on Sony Pictures' network last year. He said such an attack on the U.S.' national airspace system could expose troves of sensitive aviation data or even bring down the entire air traffic control system and cut off communication with planes in the air.
"Chaos would result. The potential damage is enormous. And even worse, sophisticated terrorists could get control of this system and actually direct planes into one another," Schumer said in an interview with WCBS 80. "Money should be no object - I don't think it'll be that expensive - nor should any other logistical barrier."
Judging from what hackers were able to do when they breached Sony Pictures' network, leaking online huge amounts of sensitive data such as unreleased motion pictures, employee salaries, and embarrassing executive emails, Schumer surmised that a similar attack on the FAA's system could possibly lead hackers to control planes and steer them toward one another.
"We all saw what happened at Sony; one can only imagine the immediate risk posed by a hacking of the FAA's air traffic control and computer systems," Schumer said in a press release.
Last week, the GAO released the conclusion of an investigation it launched in August 2013 into the FAA's cybersecurity system. And while the agency found that the FAA has implemented steps to improve its air traffic control systems, the GAO says "significant security control weaknesses remain."
Among the vulnerabilities cited in the FAA's system include weak control for protecting system boundaries, authenticating users, authorizing user access, encrypting data, and auditing and monitoring activity. The GAO also says the FAA did not fully implement its agency wide information program, which aims to provide security awareness training to all FAA personnel and contractors.
The GAO recommends that the FAA improve training, implement security testing, identify and fix security issues within a prescribed timeframe, established clear defined roles for officials and divisions, and develop a better record-keeping system to monitor all traffic passing through the system.
The GAO also sent the FAA a separate document containing 138 specific security problems to address. For purposes of keeping the FAA's network safe, the GAO will not make this document public.
"Until FAA establishes stronger agency-wide information security risk management processes, fully develops its national airspace system information security program, and ensures the remedial actions are addressed in a timely manner, the weaknesses that we identified are likely to continue, placing the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk," the GAO says [pdf].
Photo: U.S. Army Corps of Engineers | Flickr