Oh, just lovely!

From CNN:

[Fair use, for educational purposes]

FAA admits failing to do initial background checks on Y2K contractors

January 5, 2000

"WASHINGTON (AP) -- Dozens of non-U.S. citizens hired to fix Y2K problems for the Federal Aviation Administration (FAA) were given access to sensitive computer systems used for air traffic control without undergoing security checks, congressional investigators say."

"The FAA violated its own security policies by allowing its contractors' non-U.S. employees, who had not received background checks, to be involved in repairing 15 of 153 critical computer systems, according to a report issued Tuesday by the General Accounting Office (GAO), the investigative arm of Congress."

"Among those given access without proper checks were 36 Chinese citizens who performed Y2K reviews on eight critical systems, including one involved in air-to-ground communications. Other non-U.S. citizens given access came from Ukraine, Pakistan, Britain and Ethiopia."

[SNIP] "The extent of access unscreened individuals had to the air traffic control system merits serious attention by the White House and others responsible for ensuring the security of sensitive computer systems on which we all rely," said Wisconsin Rep. F. James Sensenbrenner, Republican chairman of the House Science Committee. The panel had asked the GAO to investigate the extent to which the FAA relied on non-U.S. citizens for Y2K preparedness."

"The FAA's security failure put the nation's air traffic systems at greater risk to people wishing to insert faulty or deliberately harmful changes into the computer code, said Joel C. Willemssen, the GAO's director of civil agencies information systems."

"One of the systems reviewed by the non-U.S. citizens helps manage the flow of air traffic across the nation."

FAA: No security problems found

"After being informed by the investigators in early December of the security lapse, the FAA has now nearly completed the background investigations that should have been conducted initially, said chief FAA spokesman Eliot Brenner. So far, the checks have turned up no security problems, he said."

"We didn't follow our procedures," Brenner said. "It was pointed out to us. We fixed it immediately and the system worked."

"None of the computer systems involved were classified and none experienced Y2K problems, Brenner said. He added that the agency's air traffic control system is protected by multiple layers of security."

"The FAA says it is reviewing all its software contracts to discover why some initially failed to conduct the security checks, and the agency plans to issue a report by the end of the month, Brenner said."

"The FAA's policy requires background checks of all FAA and contractor employees. The agency's Y2K Program Office told the investigators it didn't know about the requirement, the GAO said. The FAA also was unaware of whether the agency or the contractors had performed background checks on any of the contractor employees, including non-U.S. citizens."

Honor system

"The contractors, Primeon and Computer Generated Solutions Inc., were not given direct access to the FAA's computers. Instead, the FAA sent them copies of the program codes on computer disks through express mail, the investigators said. The contractors had to sign agreements requiring them to return or destroy all copies of the program codes."

"But the investigators warned that "copies of the code could be sold and/or reviewed to identify system weaknesses that could later be exploited."

"Brenner said the FAA's contractors were well known to government agencies and had years of experience and reliability."

"On December 20, Sensenbrenner sent a letter to National Security Adviser Sandy Berger, expressing concern that other agencies might have also violated security rules while rushing to repair Y2K problems."

-- Deb M. (vmcclell@columbus.rr.com), January 06, 2000

Answers

"On December 20, Sensenbrenner sent a letter to National Security Adviser Sandy Berger, expressing concern that other agencies might have also violated security rules while rushing to repair Y2K problems."

This entire story, especially the above quote, is IMHO extremely serious. Time will tell for sure, but it would appear that we have gotten lucky!

-- Duke1983 (Duke1983@aol.com), January 06, 2000.


Better to be secure but not fix it?

-- Servant (public_service@yahoo.com), January 06, 2000.

I scrutinize the background of a cleaning lady far more carefully than this!! And I have far less to lose....

-- Kenin Marble (kenin17@yahoo.com), January 06, 2000.

Servant,

It's not an "either/or" type of situation. Remediation should ALWAYS have security issues in mind.

I work for State Gov't - yesterday we had a gentleman in who changed our network (our old one was NOT Y2K compliant, and though we could work, there were always problems with printing, system crashes, etc...) to an off-site server. While he was busy working on my computer, we discussed Y2K. He stated that when he was doing remediation for the State, security was EXTREMELY tight - background checks, cars/briefcases searched, etc...

You see, security should NEVER be exchanged for quality - EVER. The U.S. has too many enemies who would love to exploit any weaknesses we develop. We may not pay the piper now, but the tab will still be there...

-- Deb M. (vmcclell@columbus.rr.com), January 06, 2000.


The Pentagon's background check computer was down. What to do?

-- Hokie (Hokie_@hotmail.com), January 06, 2000.


They COULD have run them through the WHITE HOUSE background check system......

Oh right, that went down in 1992.

-- jes a chucklin ol footballer (nighttr@in.lane), January 06, 2000.


Why bother sneaking in and stealing information when you can more easily purchase it through the Clintons?

Wondering,

Frank

-- Someone (ChimingIn@twocents.com), January 06, 2000.

