Mar 4, 2015

A report from the Government Accountability Office has criticized the Federal Aviation Administration for not making sure the air traffic control system is as secure as possible.

The FAA's transgressions are many: Its employees sent sensitive information over insecure connections, it failed to upgrade its systems to fix known security vulnerabilities, and it continued to use some systems even after their manufacturers stopped supporting them.

The GAO's report described many other problems. Here are some of the most damning:

[The FAA] did not always sufficiently test security controls to determine that they were operating as intended; resolve identified security weaknesses in a timely fashion; or complete or adequately test plans for restoring system operations in the event of a disruption or disaster. Additionally, the group responsible for incident detection and response for NAS systems did not have sufficient access to security logs or network sensors on the operational network, limiting FAA's ability to detect and respond to security incidents affecting its mission-critical systems.

The GAO says in a summary of its report's findings that this places "the safe and uninterrupted operation of the nation's air traffic control system at increased and unnecessary risk." Everyone who flies in the US is trusting a wildly insecure system.

Between this and the State Department's inability to eject hackers from its systems, it's hard to believe someone hasn't yet managed to cripple the country's infrastructure. These agencies are practically asking for someone to screw over their vulnerable networks.

It's no wonder companies are starting to take things into their own hands. (Not that they're much better about making sure their systems are up to date.) Evidence that the US has focused too much on offense and not enough on defense just continues to mount.

[illustration by Brad Jonas]