Serious Weaknesses Put State Department and FAA Operations at Risk
T-AIMD-98-170: Published: May 19, 1998. Publicly Released: May 19, 1998.
Pursuant to a congressional request, GAO discussed its work on computer security, focusing on the results of its recent reviews of the Department of State and the Federal Aviation Administration (FAA).
GAO noted that:
(1) the dramatic increase in computer interconnectivity and the popularity of the Internet are offering government agencies unprecedented opportunities to improve operations by reducing paper processing, cutting costs, and sharing information;
(2) at the same time, however, malicious attacks on computer systems are increasing at alarming rates and are posing serious risks to key government operations;
(3) in conjunction with GAO's financial statement audit focus and high-risk reviews, this work has revealed a disturbing picture of the government's lack of success in protecting federal assets from fraud and misuse, sensitive information from inappropriate disclosure, and critical operations from disruption;
(4) State relies on a variety of decentralized information systems and networks to help it carry out its responsibilities;
(5) GAO's tests demonstrated that State's computer systems and the information contained within them are susceptible to hackers, terrorists, or other unauthorized individuals seeking to damage State operations or reap financial gain by exploiting the department's information security weaknesses;
(6) FAA's air traffic control (ATC) computer systems provide information to air traffic controllers and aircraft flight crews to ensure safe and expeditious movement of aircraft;
(7) failure to adequately protect these systems, as well as the facilities that house them, could cause nationwide disruptions of air traffic or even loss of life due to collisions;
(8) GAO found that FAA was not effectively managing physical security at ATC facilities;
(9) furthermore, GAO found that FAA did not know if other facilities were similarly vulnerable because it had not assessed the physical security controls at 187 facilities since 1993;
(10) FAA was also ineffective in managing systems security for its operational systems and was in violation of its own policy;
(11) additionally, FAA had not been effectively managing systems security for future ATC modernization systems;
(12) FAA's management structure and implementation of policy for ATC computer security was not effective;
(13) GAO found that many problems contribute to agencies' difficulties in successfully balancing the tradeoffs necessary to establish effective computer security; and
(14) the organizations with superior security programs managed their information security risks by implementing a continuing cycle of monitoring business risks, maintaining policies and controls, and monitoring operations.