​Computer virus infected FAA system, agency admits

Reuters/Gary Cameron
The Federal Aviation Administration’s computer system was compromised in February, the FAA now admits, after malicious software spread via email across an internal network.

A spokesperson for the FAA confirmed to NextGov this week that a “known virus” had been discovered on an “administrative computer system” earlier this year, but that a subsequent investigation concluded that the potential impact of the intrusion was a far cry from catastrophic.

“After a thorough review, the FAA did not identify any damage to agency systems,” agency spokeswoman Laura Brown told Nextgov in an article published on Monday.

Nevertheless, the agency’s admission comes merely weeks after a leading US lawmaker urged the FAA to adopt enhanced protective measures in the cybersphere amid a wave of recent high-profile hacks and an unflattering government audit.

“If the Sony hacking was bad, imagine how much worse the hacking of the FAA computer system could be with thousands of planes in the air,” Sen. Chuck Schumer (D-New York) warned during a press conference last month, the New York Post reported. “Sophisticated terrorists could even steer planes into one another. The threat of a cybercriminal taking over this system makes your stomach sink.”

Schumer’s call for action came as a response to a Government Accountability Office probe that identified “significant security control weaknesses” within the FAA’s air traffic control system.

According to NextGov’s Aliya Sternstein, news of the cyberattack surfaced in recent days when it was casually mentioned towards the bottom of an April 2 presolicitation notice published by the FAA on the Federal Business Opportunities website.

The FAA had planned to award a contract to a Virginia-based consulting firm that would authorize the company to provide “Cyber Security Management Center (CSMS) Security Operations Center (SOC) support services” to the agency, the notice acknowledged, but a previously unannounced intrusion had put matters up in the air.

“Due to a recent cyber-attack, the FAA requires additional planning time to determine the impact to the competitive procurement requirements,” the notice reads in part.

The GAO’s audit of the FAA’s air traffic control system released in March acknowledged that the agency had established a steering committee to provide risk management functions with regards to cyber, but had “not fully established the governance structure and practices to ensure that its information security decisions are aligned with its mission.”

"These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data and auditing and monitoring activity on FAA's systems," the report said.

“The excessive interconnectivity between [the National Airspace System] and non-NAS environments increased the risk that FAA’s mission-critical air traffic control systems could be compromised.”

According to Brown, the FAA spokesperson, “the agency immediately took steps to block and contain the virus and clean any affected computers” after learning of the recent compromise, which she said was confined solely to the administration network.