The big deal about this story is that the FAA was being held up as an example when it was breached.
The Federal Aviation Administration was doing such a good job at protecting data in its computer systems that the Office of Management and Budget chose it in January to be one of four agencies to guide other federal agencies in their cybersecurity efforts.
Just a month later, FAA officials had to admit that hackers breached one of the agency’s servers, stealing 48 files. Two of the files contained information on 45,000 current and former FAA employees, including sensitive information that could potentially make them vulnerable to identity theft.
Nothing too shocking there. We all know that nothing is perfect and that is why defense in depth is a necessary approach. The authors try to put this another way.
The security breach, although significant and potentially far reaching, is not necessarily a reflection on FAA’s security measures. Rather, it demonstrates the problems of securing federal computer systems and difficulty in evading every potential attack.
Why is it not a reflection? I say that it is, but it also demonstrates the problems of securing systems, as well as the problems of holding someone up as an example of secure practices. The OMB might have considered the FAA a leader, but a comment after the article highlights a different picture:
The Personally Identifiable Information (PII) should not have been archived (the data stolen was from 2006) without the SSNs being removed, it should have been encrypted, it should not have been on a Dev Server (it was being used for developing applications), it should have never been connected to a public network, and it should never have been released to anyone as a “test file”. All of these things were a violation of DOT orders, FAA orders, and federal law. The rules were in place to protect the data, but they were ignored/violated.
If the comment is accurate, the FAA made several clear mistakes that should have been caught internally, and the OMB was too lenient in their assessment of progress.