
Data Breach: FAA Statements Irreconcilable With GAO Findings


The FAA reports a data breach in which employee personal information was accessed. Press reports suggest this is not an isolated problem.

Yahoo: Hackers broke into the Federal Aviation Administration's computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees.
On Monday, February 9th, the President released a cyber security review and announced the appointment of Melissa Hathaway, the day before the FAA news broke on February 10th (Hathaway's appointment itself had been announced on February 6th).

The appointment matches Obama's campaign goal and the White House agenda item "Protect Information Networks."

It is curious to compare the published reports on the FAA data breach with the GAO report summaries. We believe the FAA issued misleading statements to the public as a smokescreen for cursory management follow-up of "closed" action items, and for other problems with management oversight in the homeland security and intelligence community sectors.

1. Summary Conclusion

It appears the US government put a premium on gathering information, not on ensuring that management was adequately meeting well-promulgated industry standards or legal compliance requirements. It is likely some of the secret DOJ OLC memos helped fuel this lax approach to auditing and legal compliance.

Below, we review the FAA's troubled relationship with the GAO; the many findings suggest there are larger issues warranting public review. The issue is not narrowly protecting information, but how the entrenched management problems behind the FAA security breach are indicative of other management problems related to privacy, intelligence gathering, and domestic intelligence gathering against Americans.

Followup

On top of the review, ask the FAA when it last audited itself against these GAO guidelines. This would not be the first time homeland security-connected IT personnel brushed off concerns about data breaches or unauthorized access.

The NSA has relationships with acquisition programs to ensure software products are protected. Review the NSA findings within the FAA system program office, and review the FAA's plans to meet the NSA data protection standards.

If the FAA failed to implement the GAO guidelines, it remains to be understood how this gap relates to what the FAA's software contractors are reviewing or missing. The system management, oversight, and legal compliance apparatus that is supposed to ensure the FAA fully protects data is the same management system conducting FAA reviews of aviation.

NASA lost the 1999 Mars Climate Orbiter because two pieces of software disagreed on the units of a key variable. The crew reviewing FAA software are likely the same contractors involved with FISA surveillance. People who appear to be cutting corners, or have inadequate legal compliance, in the FAA area have a hard time arguing they are fully complying with FISA.

2. GAO Report

The FAA certified that the GAO finding-recommendation had been implemented:


GAO: Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of information systems security management, complete the information systems security directives.

Agency Affected: Department of Transportation

Status: Implemented

Comments: FAA has issued security directives on its information systems security program, internet access points, internet services, software releases, and password administration. Additional directives are being developed and planned.

The "directive" appears not to have been followed, or to have been incomplete. The question turns on whether the DOT IG adequately reviewed the FAA's certification to the GAO, and what follow-up compliance program (if any) was implemented and reviewed.

- How were the originally "closed" or "implemented" auditing findings reviewed on a periodic basis?

- Which FAA senior leadership personally reviewed the stated compliance program, and verified (using what methods) that the "compliance program" met the requirements the FAA told the GAO it had met?

3. Reconsidering FAA Conduct since 1990s, and implications for HD-IC

The above suggests the FAA has misplaced priorities. Despite assurances of compliance, the FAA has shown itself to have made dubious representations.

The lessons should be broadly applied to what the US government has been promising the public in Homeland Defense and Intelligence Community (HD-IC) circles.

Indeed, now that the FAA has proven itself incapable of ensuring that its "compliance" program complies or adequately implements procedures, we need to go back through the old GAO reports and examine which other audit findings have also been ignored by FAA-DOT management, inadequately implemented, or inadequately reviewed by the DOT IG.

Then we can apply those lessons to other questionable HD-IC conduct, and shed some light on the President's secret executive orders.

Information Security Management Practices

The GAO reports since the 1990s have reminded the public, Congress, and DOT of the industry guidelines available to adequately safeguard computer resources. The gap between what the FAA was saying and what it was doing highlights these issues:

1. Where is the reconciliation table showing how the management practices have been adequately incorporated into the stress testing and periodic software security programs?

2. How many similar "industry practices" has the National Security Agency reviewed and certified as compliant? Or has the NSA, as appears to be the case, put more emphasis on other areas and let "low priority data requirements" fall through the cracks?

Agencies have guidelines on how to protect information systems:

GAO, 1997: (6) these management practices provide proven, practical methods for addressing the federal government's information management problems, maximizing benefits from technology spending, and controlling the risks of system acquisition and development efforts; (7) the challenge now is for agencies to apply this framework to their own technology efforts;

Staffing

Recall that Y2K concerns prompted agency attention, and the FAA relied on foreign specialists to fill gaps in the US software labor pool. Yet today's revelation shows that, seven (7) years after 9-11, the US government still has no adequate program to ensure the gaps in the software development, testing, and security fields have been filled.

By contrast, before Pearl Harbor, the United States mobilized. The public should reasonably ask why, despite the catalyst of 9-11 and the foreseeable problems with excess production capacity, there was no adequate plan to ensure the US government organized sufficient computer security personnel to address the FAA's data protection requirements:

What scope of software data protection requirements is not being filled?

For what reason, after 9-11, have the NSA and other agencies developed methods to continue hiring allied nationals who are supposedly "with" the US in the "war on terror"?

How many nations has the NSA decertified for trivial reasons, thereby ensuring necessary software development efforts cannot proceed?

How many people have contractors or US government personnel falsely accused to protect their jobs, only to alienate the very people who might be in a position to constructively provide assistance?

The FAA was, at one time, not opposed to using foreign nationals to correct its software deficiencies:

GAO: Of 153 mission critical FAA systems that were remediated, 15 had foreign involvement, including Chinese, Ukrainian, and Pakistani nationals.

With peace breaking out in Iraq and Afghanistan, is there a reason the FAA has not hired Al Qaeda or the Taliban to do its software coding?

The current breach is not the first time this has happened, or the first time there have been complaints:

IT examiner: This is a second instance of employee data being compromised. Waters said that earlier his union complained to the FAA and the inspector general of the Transportation Department about mailings to employees generated from information that seemed to originate in FAA files. He claims that nothing was done about it. Waters doesn't have a high opinion of the IT systems people, who, he says, "need to take a long hard look at themselves and their capabilities. This is malpractice in their world," he claims.

Now that the FAA's audit-reconciliation process appears broken, we need to re-examine (as was not done regarding 9-11) what other similar breakdowns exist. Going back to 1994, the GAO reports the FAA was spending money on computer systems, but what kind of software testing was done:

GAO: $2.3 billion for facilities and equipment;

Billions of dollars spent, yet in 2009 encrypted personnel information is breached:

AP: Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said FAA officials told unions representing agency employees at a briefing Monday that the second breached file with personal information contained encrypted medical information.


Timeliness Problems Raise Doubts About FAA Stated Actions

Above we showed that the GAO findings raised concerns which the FAA dubiously explained away. Similarly, the FAA's statements about timeliness are in stark contrast to what the GAO found. This raises doubts about whether the FAA's statements today, and what it is supposedly doing, should be believed; or whether, as is more likely, the FAA is still fumbling around with "higher priority" problems:

The GAO reported the FAA was not timely:

GAO: "(6) further, FAA has not always acted quickly to implement corrective actions for the systems that have undergone risk assessments and penetration testing; (7) FAA has established an information systems security management structure, but does not yet have a comprehensive security program in place;"

This glacial pace of problem resolution continued:

AP: "These government systems should be the best in the world and apparently they are able to be compromised," said Waters, an FAA contracts attorney. "Our information technology systems people need to take a long hard look at themselves and their capabilities. This is malpractice in their world."

GAO: "(1) FAA's agencywide computer security program has serious and pervasive problems;"

FAA Media Relations Credibility Problem

FAA appears to have made dubious statements to the union about security compliance:

AP: Waters said FAA officials told union leaders the incident was the first of its kind at the agency. But he said his union complained about three or four years ago about an incident in which employees received anti-union mail that used names and addresses that appeared to be generated from FAA computer files.

The GAO findings suggest that as of 2000 the FAA had not completed critical intrusion detection capabilities; and subsequent reports of additional non-compliance appear to have fallen on deaf ears:

GAO: "(9) FAA has not yet fully implemented an intrusion detection capability that will enable it to quickly detect and respond to malicious intrusions."

Lack of Confidence In FAA Management Response

Today's problem is not narrowly the data breach, but whether, given the previous questionable FAA statements, we should believe management is genuinely concerned about a trivial matter of employee data. This is the agency that moved slowly on flight security.

The question after 9-11 is to what extent the same incompetence continues, and to what extent the FAA, DHS, DOT, and HD-IC have used the "war on terror" as a method to thwart public oversight of continuing reckless US government conduct.


Union leadership reports that it filed complaints about the data breaches but was not satisfied with the responses, if any:

AP: He said the union complained to the FAA and the Transportation Department's inspector general but no action was taken.

Given the FAA's apparently misleading statements about this incident, we need to find out what happened between 2000 and 2009.


FAA Policy Compliance Problem

These statements attributed to the FAA do not appear consistent with GAO findings that the FAA was glacial in responding to audit concerns.


AP: The server that was accessed was not connected to the operation of the air traffic control system and there is no indication those systems have been compromised, the statement said. "The FAA is moving quickly to prevent any similar incidents and has identified immediate steps as well as longer-term measures to further protect personal information," the statement said. The agency said it is providing a toll-free number for employees "who believe they may be affected by the breach."

FAA Moving Glacially On Core Policy

It defies reason to believe the FAA is moving quickly. FAA claims that it is moving "quickly" on trivial personnel records are not consistent with previous GAO findings that the FAA was not timely on issues related to core FAA policy:

GAO: "(4) in the area of facilities' physical security, FAA is making progress in assessing its facilities, but FAA has identified significant weaknesses, and numerous air traffic control (ATC) facilities have yet to be assessed and accredited as secure, in compliance with FAA's policy;"

It is a dubious proposition that the FAA, today, is moving quickly on anything. Despite years of warnings and assurances, things fell through the cracks. The FAA has the appearance of a slow-moving agency which, when confronted by a public relations disaster, appears more adept at saying nice things than at providing reasonable assurances, especially in light of the GAO findings.

4. Double Standard for US Government, Public

American citizens, if they were found to have breached any of the above requirements, could be investigated, subjected to intrusive questioning, and threatened with prosecution, if not prosecuted.


Yet the US government has declined to prosecute personnel who attested that they had met agency requirements when those attestations were invalid. The public should reasonably challenge the double standard between how government officials are overseen and what the American public confronts daily.

Government Statements Given Undue Deference

One of the purposes of an audit is to detect problems and adjust. Yet it appears there were multiple FAA certifications that things were fine, that problems had been addressed, or that there were no longer issues. The public has been getting dubious statements from the US government about whether it has or has not complied with minimum security requirements.

Public Has Unreasonable Burden of Proof

Yet when DOT contractors and security personnel challenge the public, the public is put in a "prove you're innocent to us" position. The same should be applied to the FAA: DOT and other FAA-associated contractors, security personnel, and information aggregators should disclose:

- What information have they collected on the public?
- What provisions are there to safeguard this information?
- What methods have they used to disseminate this information?
- Does the public know how incorrect information is provided to non-government institutions, including credit reporting agencies, employers, or other non-security personnel?
- Given DOT's demonstrated inability to "implement" security programs (which it falsely asserted had been "implemented"), why should the public believe DOT has an adequate handle on claims about how private information on US citizens (not just FAA employees) is appropriately safeguarded, or that its data security promises are being met?

5. Questionable Management Certifications

Consider the long list of "implemented" promises related to issues directly touching the recent FAA security breach:

A. Directives Not Implemented As Certified

(The recommendation, status, and FAA comment for this item are quoted in full in section 2 above.)



B. Security Management Policies Not Implemented As Certified

GAO: Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of information systems security management, fully implement and enforce all security policies.

Agency Affected: Department of Transportation

Status: Implemented

Comments: FAA is implementing its information systems security policies. Specifically, it is tracking security training of all key ISS personnel, proceeding to assess, certify and accredit information systems as secure, and its computer security incident response center is operational.

C. Ongoing Management Review of Training Courses Inadequate Despite Certifying "Implemented"

GAO: Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of information systems security management, complete efforts to develop and implement new information systems security training courses.

Agency Affected: Department of Transportation

Status: Implemented

Comments: FAA has developed a series of security training courses. These include system certification and accreditation courses and information systems security officer training. Additionally, FAA is developing new courses to be offered in 2003.


D. Inadequate Management Assessment of Possible Security Breaches On All Systems, Despite Certifying "Implemented"

GAO: Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of service continuity, assess the effects of security breaches on all systems.

Agency Affected: Department of Transportation

Status: Implemented

Comments: FAA's Computer Security Incident Response Center now assesses reported security incidents and their impact on FAA.


E. Inadequate Contingency Planning To Mitigate Security Breaches, Despite Certifying "Implemented" (Unreliable Agency Public Statements)

GAO: Recommendation: The Secretary of Transportation should direct the Administrator, FAA, to, in the area of service continuity, enhance existing contingency plans to address potential systems security breaches.

Agency Affected: Department of Transportation

Status: Implemented

Comments: Under FAA's information systems security policy, system-specific contingency plans are required as part of the systems certification and authorization process. FAA reports that it has certified and authorized critical air traffic control systems.

6. Conclusion

DOT and FAA management have a problem. The public, the GAO, and Congress were promised after 9-11 that there would be effective programs in place to apply the lessons. The record on information security is wanting.

The GAO identified issues, including many management-level issues, which the FAA assured it had resolved. The GAO made recommendations to resolve specific security weaknesses, and the FAA certified to the GAO that these recommendations had been implemented.

The public has been left with the impression that the FAA and DOT have an adequate compliance program in place. Today's report undermines reasonable public confidence in the credibility of FAA attestations to auditors.

There is a reasonable basis to question whether FAA management conducted, as would reasonably be expected, periodic reviews to ensure that closed action items were adequately resolved.

Putting aside the GAO reports, the question turns on what other assurances DOT has made. This data breach shows that, despite repeated findings and FAA assurances, the data protection requirements were not met. This raises questions about what other information-related standards and requirements have or have not been met.

There is a serious gap between what the FAA promised and what the FAA was doing. The DOT IG has yet to explain why findings from the 1990s have persisted, and what DOT oversight problems existed in the wake of the dubious FAA assurances to the GAO.

The public should reasonably review the implications of this problem: what other promises, assurances, or protocols have the FAA or DOT made that are not being adequately audited, and how are these gaps being exploited?

Official Policy of Not Documenting Misconduct In Email To Avoid Creating Adverse Evidence

A. Which security protocols do DOT or DHS-related security personnel have to meet, but the auditors have not discovered how contractors are engaging in illegal detentions and searches of American citizens?

Illegal Methods To Acquire Private Information For Improper Purposes

B. What information has DOT or DHS collected, what assurances were made about safeguarding that information, and how have DOT or DHS contractors actually provided that information to third parties outside US government control?

US Government, HD-IC Non-Cooperation To Ensure Data Validity

C. What method does the public have to ensure in a timely manner that false information originating with DHS or DOT contractors is removed from the system?

Dubious Shield of Terrorism Undermines Public Support

D. To what extent are false accusations by DHS or DOT-connected personnel and contractors at the federal, state, or local level being used to pretextually start "terror related investigations" without adequate oversight?

Circular Reasoning To "Justify" Illegal, Intrusive Intelligence Gathering Against American Citizens

E. To what extent are "terror-related investigations" -- which do not find any adverse information -- given additional investigative resources because the investigators "just know" that the "reason" they can't find any evidence is because the "person is hiding it"? This is circular reasoning to justify abuse of innocents at Guantanamo.

The FAA data breach shows the FAA cannot adequately meet the promises it made to the GAO. The question is which other US government "assurances" to the courts should be turned on their heads. It remains to be seen how many other promises the US government has made to American citizens that are contradicted by government practices and the US Constitution.

7. Recommendations

The public should share information, outside Congress and the courts, related to similar questionable practices in the Homeland Defense-Intelligence Community (HD-IC):

Misrepresentations To Mask Official Misconduct

- What supposed "legal compliance programs" have HD-IC asserted to the courts that they are fully meeting, as a method to reduce settlement agreements or to paint the picture that an incident is an anomaly, when in fact there are management policies which condone false statements, false accusations against the public, or improper employee-contractor conduct during official investigations?

- What methods exist to ensure DHS-DOT-connected contractors, security personnel, or others involved with infrastructure protection do not get the impression that they can misrepresent the details of an "incident" to distract attention from their illegal activity or security breaches?

Obstruction of Justice

- What methods does the FBI have to review whether statements from DHS-DOT-related security personnel or contractors at the federal, state, or local level misrepresent the details of a "security incident"?

Methods To Detect Government, Contractor Fraud In Deteriorating Economic Conditions

- What method will the new AG and President use to ensure there is a proper balancing, outside the court, of whether to believe "accusations" by personnel who have a heightened interest, in this economic crisis, in deflecting attention from their misconduct, maintaining job security, and creating problems for others?

"Terror Threat" As An Ongoing Excuse To Violate Constitution

- How many times have DHS-DOT-related contractors or security personnel used a "terror related investigation" as the pretext to confront people they believe to be auditors who have detected evidence of agency misconduct, security breaches, or other questionable conduct warranting contract termination?

Official Misrepresentations To Thwart 1983 Actions

- To what extent is legal counsel adequately incorporating evidence of dubious DHS-DOT-related contractors' statements within 42 USC 1983 claims, and impeaching contractor "witnesses" who have attempted to deflect attention from their improper conduct?

Intimidation: Targeting Outside Detection of Officials Misconduct

- How often does the US government, DOT-DHS contractors, or other security personnel use "terror related investigations" as a smokescreen to target American citizens who are aware of security breaches, illegal activity, or improper contractor conduct?

Lessons from US in Iraq: Improper Deference To US Government, Contractors Over Civilians

- To what extent are DOT-DHS security contractors using "terror related investigations" as a shield to hide files, employees, or other evidence from court review or possible witness impeachment during discovery into DOT-DHS assaults on American constitutional rights?

- Does President Obama plan to allow DHS-DOT-related "terror related investigations" to be a shield to discovery when American citizens attempt to understand how employees have misrepresented information during official investigations to deflect attention from their misconduct, security breaches, or non-authorized disclosure of sensitive information?


testing