From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Information Security and FAA Air Traffic Control Systems
Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology
Related GAO Work: GAO-15-221: Information Security: FAA Needs to Address Weaknesses in Air Traffic Control Systems
Released: March 2015

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. It's March 2015. The Federal Aviation Administration relies on a vast array of increasingly interconnected systems and networks for air traffic control. Protecting these systems from internal and external threats is essential to ensuring safe, orderly, and efficient travel through our international air space. A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed FAA's Information Security Program. GAO's Jacques Arsenault sat down with Greg to talk about what they found.

[ Jacques Arsenault: ] What types of IT systems are involved in managing US Air Traffic Control?

[ Greg Wilshusen: ] Well, Jacques, it is a vast network of computer hardware, software, and telecommunications equipment. FAA operates over a hundred air traffic control systems to process and track air flights. These systems are highly automated, complex and they process a wide range of information, including radar, weather, flight plans, surveillance information, as well as navigation and landing guidance and also in-flight communications between the ground and the air.

[ Jacques Arsenault: ] So with all of these interconnected systems, what kinds of threats should FAA be protecting against?

[ Greg Wilshusen: ] Well, the threats to FAA's Air Traffic Control Systems as well as all federal systems are evolving and growing. They include both intentional and unintentional threats.
Unintentional threats are those such as software or programming errors or equipment failure that can disrupt operations and cause systems to malfunction. Intentional threats can come from a variety of sources, including terrorists, foreign nations, criminals, and insiders and these threats can also include advanced persistent threats, which are those from sources that have sophistication and sufficient resources to cause quite a bit of damage. In addition, the growing interconnectivity among different types of systems also presents opportunities for cyber-attacks.

[ Jacques Arsenault: ] So let me ask you then: How well is FAA ensuring the security of these systems?

[ Greg Wilshusen: ] Well, while FAA has taken a number of steps to secure these systems, significant security control weaknesses remain that threaten the agency's ability to adequately protect the air traffic control systems and the national air space system. For example, these weaknesses include those that are intended to limit and prevent unauthorized access to the systems and information that they process and these include, for example, unauthorized access to computer resources, protections of system boundaries, identifying and authorizing users in the level of access that they have to these systems and also auditing and monitoring security events on those systems. Additionally, shortcomings and boundary protection controls between less secure systems and those requiring additional levels of security could be strengthened as well. We noted that many of these weaknesses were the result or caused by FAA not fully implementing its information security program over these systems and that it had not adequately defined the roles and responsibilities of the different organizations within the department that had responsibility for information security over the organization systems and as well as the air traffic control systems.

[ Jacques Arsenault: ] So then, what recommendations is GAO making to FAA in this report?

[ Greg Wilshusen: ] We are making several recommendations to FAA to improve its information security and its information security program over these air traffic control systems. We are recommending that it establish an integrated organization-wide approach to managing information security risk and ensure that risk management decisions align with the strategic plan and its mission. In addition, we are making over 170 recommendations to address specific technical security control weaknesses that we identified in the systems that we reviewed.

[ Jacques Arsenault: ] And finally, for airline travelers and for the public, what do you see as the bottom line of this report?

[ Greg Wilshusen: ] Well, the bottom line as I see it is that the security over the systems that control air traffic within the national air space is critical, vital, and must be adequately protected. FAA needs to take additional steps to ensure that the security is appropriate and sufficient to accomplish that aim.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.