Transportation department cites FAA hack attacks: truth, fearmongering or 9/11 cover story?

The Wall Street Journal, by way of Siobhan Gorman, reports that "Civilian air-traffic computer networks have been penetrated multiple times in recent years, including an attack that partially shut down air-traffic data systems in Alaska, according to a government report."

The concerns are reiterated on the website of congressman Tom Petri.

But the notion that the FAA could allow (direct or indirect) internet access to flight control systems is dubious. What could be the reasons behind this publication? Let's examine some hypotheses.

  • Genuine concern - Some security breaches to non-critical systems are blown out of proportion, but are made public in genuine concern for FAA IT security as it relates to national security
  • Fearmongering - Fan the flames of the security hype, easing the adoption of new laws, allowing the government draconian control over internet infrastructure
  • Cover story - An attempt to set up a new myth, providing plausible deniability for anomalies surrounding military exercises on 9/11

Or, of course, a combination of the above. I find that some strange memes are inserted into the WSJ article that attempt to associate this story with 9/11 in multiple rather dubious ways. Notice how the WSJ article provides links to pre-2001 IT security assessments. Why is that? Maybe no assessments have been done since? Does the author want us to reconsider if FAA computers might have been hacked on 9/11? Not only is it customary in IT to strictly separate critical systems from public internet access, but in governmental organizations security measures are very strict. That is not to say exotic security breaches do not occur, but even these are very, very unlikely to evolve into catastrophic disruption of critical government infrastructure. This is reiterated by an FAA spokesperson:

Ms. Brown rejected the report's conclusions that hackers could get into critical air-traffic operational systems through administrative systems.

"It's not possible to use the administrative and mission support network to access the air-traffic control network," she said. "We have specific orders that prohibit them from being directly connected."

A little further, a real world example is cited:

Last year, hackers of unspecified origin "took over FAA computers in Alaska" to effectively become agency insiders

These must have been some brilliant hackers to have come from "unknown origin", with the extensive IP address logging in place in governmental IT infrastructure. At least they could have said where the incoming IP addresses originated from, although the attacking hosts could of course have been used as intermediary proxies. By proclaiming "unknown origin", no further questions have to be asked about who was responsible for the attack, yet the scare level of the story is equally effective. If what happened is exactly as reported, it begs the question: was there ever risk of access to ATC systems?

If, by now, the Wall Street Journal still has not bought you into the terrorists-hacking-our-skies extravaganza, they make a final attempt by citing a terrifying 24-like scenario:

Tom Kellermann, a vice president at Core Security Technologies, a cybersecurity company, likened the threats cited by the report to the television show "24" in which terrorists hack into and commandeer the FAA's air-traffic control system to crash planes. "The integrity of the data on which ground control is relying can be manipulated, much as seen in '24,'" he said

Right. Hollywood, but for real this time. I certainly don't deny that IT infrastructure, including even military, can be vulnerable, and some hackers have astonishing claims to fame. (The controversial Falun Gong satellite 'hack' comes to mind.) However, I find the strategic timing, technical plausibility and the carefully constructed scare tactics to be dubious, to say the least. The Wall Street Journal attempts to plant seeds in the minds of the reader, stringing 24, 9/11, the FAA and cyberterrorism into a toxic propaganda mixture, where catastrophic technological fairy tales serve to shift blame, and to usher in new laws, further threatening freedom in cyberspace.

The message: hacking equals terrorism, the internet is a threat where state sponsored cyberterrorists run amok, crashing commercial airplanes into the ground remotely, 24-style. And maybe, just maybe, they want you to believe this Hollywood nonsense could happen now, or even on 9/11, not by the military who actually had access, but by perpetrators tapping away quietly on a laptop keyboard in Afghanistan, via satellite uplink. This is where I change the channel.


From the Wall Street Journal
Read letter requesting oversight hearing on addressing issues raised in the report
2000 GAO Report on FAA Computer Security
1998 GAO Report on FAA Information Security

By SIOBHAN GORMAN

WASHINGTON -- Civilian air-traffic computer networks have been penetrated multiple times in recent years, including an attack that partially shut down air-traffic data systems in Alaska, according to a government report.

The report, which was released by the Transportation Department's inspector general Wednesday, warned that the Federal Aviation Administration's modernization efforts are introducing new vulnerabilities that could increase the risk of cyberattacks on air-traffic control systems. The FAA is slated to spend approximately $20 billion to upgrade its air-traffic control system over the next 15 years.

The increasing reliance of modernized systems on the Internet "is especially worrisome at a time when the nation is facing increased threats from sophisticated nation-state sponsored cyber attacks," wrote Assistant Inspector General Rebecca Leng.

"We are working on developing security architecture for that whole system," said FAA spokeswoman Laura Brown. "We have identified it as an issue we need to focus some attention on, and we're doing that."

Security tests identified 763 "high risk" vulnerabilities that could allow hackers access to administrative systems, which could then provide a path to more-sensitive operational systems, the report said.

Ms. Brown rejected the report's conclusions that hackers could get into critical air-traffic operational systems through administrative systems.

"It's not possible to use the administrative and mission support network to access the air-traffic control network," she said. "We have specific orders that prohibit them from being directly connected."

The Wall Street Journal reported last month that an Air Force air-traffic control system had been compromised, alarming intelligence officials who feared that such an attack could be used to interfere with air-traffic systems.

Most of the known penetrations of FAA systems involved administrative networks that manage air-traffic flow and electric power, as well as email systems and internal and external Web sites, the report said.

The nature of one 2006 attack is a matter of dispute between the inspector general and the FAA. The report says the attack spread from administration networks to air-traffic control systems, forcing the FAA to shut down a portion of its traffic control systems in Alaska. Ms. Brown said it affected only the local administrative system that provides flight and weather data to pilots, primarily of small aircraft.

Last year, hackers of unspecified origin "took over FAA computers in Alaska" to effectively become agency insiders, and traveled the agency networks to Oklahoma, where they stole the network administrator's password and used it to install malicious codes, the report said. These hackers also gained the ability to obtain 40,000 FAA passwords and other information used to control the administrative network, it said.

In February, another cyber break-in yielded the personal information of 48,000 current and former agency employees.

"The threat of hackers interfering with our air-traffic control systems is not just theoretical; it has already happened," said Republican Rep. Tom Petri of Wisconsin, one of the lawmakers who requested the report. "We must regard the strengthening of our air-traffic control security as an urgent matter."

Tom Kellermann, a vice president at Core Security Technologies, a cybersecurity company, likened the threats cited by the report to the television show "24" in which terrorists hack into and commandeer the FAA's air-traffic control system to crash planes. "The integrity of the data on which ground control is relying can be manipulated, much as seen in '24,'" he said.

Most critical infrastructure, such as the electric grid, have developed links between administrative and operational control systems that indirectly link the control systems to the public Internet, intelligence officials said.

The report warned that the FAA isn't well equipped to detect intrusions into its computer system, noting that it has detection sensors at only 11 of its 734 facilities across the country. All of those detectors are placed on administration or "mission support" systems, with no detectors on any of its operational systems, giving it little visibility into potential problems with operational networks, the report said.

When intrusions are detected, they aren't addressed quickly enough, the report said. Fifty unresolved incidents had been open for more than three months, it found, "including critical incidents in which hackers may have taken over control" of computers within the FAA's operations wing.

The FAA "is identifying and fixing weaknesses," Ms. Brown said, such as scanning software for potential vulnerabilities.
—Christopher Conkey contributed to this article.

Write to Siobhan Gorman at siobhan.gorman@wsj.com

SnowCrash...

Do I need to pull this? Or is it good to go?

What do you mean, Rep?

Simuvac

Nah, my fault, I f*cked up submitting earlier.

Rep

Nah, the other one was an accidental submit, this is the right one, thanks. I run a bleeding edge Linux distribution that exhibits a few glitches now and then, such as mouse irregularities. (Accidental double-clicks)