Computer Security

FAA Needs to Improve Controls Over Use of Foreign Nationals to Remediate and Review Software Gao ID: AIMD-00-55 December 23, 1999

The nationwide demand for skilled programmers to cope with the Year 2000 computing problem has raised questions about whether key organizations, such as the Federal Aviation Administration (FAA), have resorted to using foreign nationals for Y2K remediation. Of 153 mission-critical FAA systems that were remediated, 15 had foreign national involvement, including Chinese, Ukrainian, and Pakistani nationals. FAA was unable to provide any information on the individuals who did code remediation for four of its 153 computer systems. With regard to code review, 20 key mission-critical systems have been, or are in the process of being, reviewed by two contractors who use foreign nationals. One code review contractor employed 36 mainland Chinese nationals, while the other employed one Canadian national. FAA did not perform background searches--investigations or checks--on all of its contractor employees, as required by its policy. This situation increased the risk that inappropriate persons may have gained access to FAA's facilities, information, or resources. As a result, the air traffic control system may be more vulnerable to intrusion and malicious attacks. GAO recommends that FAA improve its security controls, identify the risk of malicious attacks on its critical systems, and mitigate that risk. FAA agrees with GAO's recommendations and is moving to implement them.

GAO noted that: (1) FAA policy requires system owners and users to prepare risk assessments for all contractor tasks, and to have background investigations conducted for all contractor employees in high-risk positions; (2) FAA also requires more limited background checks for moderate- and low-risk positions; (3) FAA's mission-critical systems requiring year 2000 repairs--including some of the most important systems supporting the air traffic control system--were remediated by a mix of FAA and contractor employees and, in the case of commercial-off-the-shelf products, by the product vendors; (4) while FAA did not maintain detailed information on individuals assigned to perform year 2000 code remediation, FAA compiled some of this information in response to GAO's request; (5) in doing so, FAA identified instances where foreign nationals, employed by contractors, performed year 2000 code remediation activities; (6) of 153 mission-critical systems that were remediated, 15 had foreign national involvement--including Chinese, Ukrainian, and Pakistani nationals; (7) FAA was unable to provide any information about the individuals who performed code remediation for 4 of the 153 systems; (8) with regard to code reviews, 20 key mission-critical systems have been, or are in the process of being, reviewed by two contractors who have foreign national employees; (9) one code review contractor employed 36 mainland Chinese nationals while the other employed one Canadian national; (10) FAA, however, did not perform background searches on all of its contractor employees, as required by policy; (11) the agency did not perform risk assessments and was unaware of whether it or the contractor had performed background searches on all the contractor employees, including the foreign nationals; (12) during GAO's review, GAO found instances where background searches of foreign nationals were not performed; (13) FAA's failure to perform risk assessments, its lack of complete information on whether background searches were performed, and the fact that some foreign nationals did not undergo background searches have increased the risk that inappropriate individuals may have gained access to FAA's facilities, information, or resources; and (14) as a result, the air traffic control system may be more susceptible to intrusion and malicious attacks.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.