The nation's air traffic control system may be susceptible to intrusion and malicious attacks because the Federal Aviation Administration didn't investigate dozens of foreign nationals hired to fix year 2000 computer problems, violating its own security policies, according to congressional investigators.
The FAA allowed foreign citizens -- including 36 Chinese nationals, as well as citizens of Pakistan, Ukraine, Britain and Ethiopia -- access to 15 of its 153 critical computer systems, according to a report issued by the General Accounting Office (GAO), the investigative arm of Congress. The report is available in Portable Document Format on the GAO Web site.
The GAO said one of the systems reviewed by the foreign citizens involved management of the country's air traffic.
"Because the FAA failed to follow its own policies, they have increased the risk that inappropriate individuals may have gained access to FAA's facilities, information or resources," said Colleen Phillips, supervisor of civil agencies information systems.
After being informed of the security problem by the GAO in early December, the FAA has since conducted the background checks it should have done initially, said FAA spokesman Eliot Brenner.
Brenner said the FAA's security policies don't always call for background checks to be done. He said in some instances a "risk assessment" could be performed, which would then determine whether a background check needed to be completed.
However, neither risk assessments nor background checks had been done for the foreign nationals.
The GAO investigated the FAA at the request of the House Committee on Science.
"The FAA has had real problems with computer security," said Jeff Lungren, a spokesman for the Science Committee. "And there has been a lot of talk in the tech community about security issues going on with Y2K remediation, so we thought it was worth it to investigate it. And looking at what we found, it justified the work."
On Dec. 20, the Science Committee had also asked the assistant to the president for national security affairs to determine whether other departments or agencies may have violated their internal security regulations and allowed improper access to critical infrastructure during Y2K remediation.