If you already are nervous about flying, this column may not make you feel more comfortable. So let's get right to the point – according to a recent evaluation by the Government Accountability Office (GAO), the Federal Aviation Administration (FAA) suffers from security weaknesses in its information systems, including weaknesses in controls that are intended to prevent, limit and detect access to those systems.

Background

As most of us know, and as explained by the GAO, the FAA performs important functions designed to ensure "safe, orderly, and efficient air travel in the national airspace system." In performing its functions, the FAA must rely upon an extensive "array of interconnected automated information systems and networks that comprise the nation's air traffic control systems." These systems are mission critical as they supply information to air traffic controllers and flight crews to help "ensure the safe and expeditious movement of aircraft."

Interruptions of service by these information systems, as noted by the GAO, "could have a significant adverse impact on air traffic nationwide." And reading between the lines here, one is left with the conclusion that passenger safety potentially could be jeopardized by such interruption.

The GAO explains that it was tasked to evaluate how the FAA has implemented information security controls because such controls are "essential for ensuring that the nation's air traffic control systems are adequately protected from inadvertent or deliberate misuse, disruption, or destruction."

The Evaluation

The GAO concludes, as part of its evaluation, that the FAA "has made progress in implementing information security for its air traffic control information systems." However, the GAO "identified significant security weaknesses that threaten the integrity, confidentiality and availability of FAA's systems – including weaknesses in controls that are designed to prevent, limit and detect access to these systems." According to the GAO, the FAA "has not adequately managed its networks, software updates, user accounts and passwords, and user privileges, nor has it consistently logged security-relevant events." Feeling better yet?

If this were not enough, the GAO found that other FAA information security controls, encompassing physical security, background investigations, segregation of duties, and system changes, "exhibited weaknesses, increasing the risk that unauthorized users could breach FAA's air traffic control systems, potentially disrupting aviation operations." Certainly, the disruption of aviation operations sounds ominous.

The GAO reports that the FAA explained that the possibilities for unauthorized access are "limited." Of course, a better answer would be that such possibilities are "non-existent." The GAO evaluation states that the FAA has "initiatives underway to improve its information security" but notes that "further efforts are needed." The GAO reports that FAA weaknesses that need to be addressed include "outdated security plans, inadequate security awareness training, inadequate systems testing and evaluation programs, limited security incident-detection capabilities, and shortcomings in providing service continuity for disruptions in operations."

Get Moving

Hello – let's get on with it! It has been four years since 9/11, and every effort should have been and should be made to keep the skies safe for airline passengers, including efforts to shore up FAA information security systems. The expression "good enough for government work" cannot apply in this context.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Wednesdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at . To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to .

Disclaimer: This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.

Reprinted here with permission from USAToday.com.