Cyber security flaws exposed at Washington, D.C. airports
The difficulty involved with reporting the issue to federal authorities raised additional concerns. The military cybersecurity specialist contacted the Department of Homeland Security shortly after reviewing the document. However, because the airports are classified as civilian facilities, his reporting was limited to a phone-based system developed as part of Secretary Janet Napolitano's "If You See Something, Say Something" campaign.
"DHS uses a multi-tiered system to accept reports. I am sure they are inundated with information, so the first line of operators are there simply to take down as much information as possible as it relates to the issue at hand," the specialist says. "From my experience, this first level had no technical expertise and was not there to evaluate as much as to simply record and report."
Two weeks after initially reporting the document, the specialist was contacted by TSA customer service representatives. Even after the specialist stated his position in the military and reiterated his concern over the information contained in the SOW, TSA officials informed him that they did not consider the document sensitive in nature. No further action involving the SOW was required, the TSA told him.
Responding to a separate inquiry months later, a TSA representative told Network World the matter was the responsibility of the MWAA, adding that "airports are responsible for airport security."
The military specialist who initially reported the security risks to the TSA says the inconsistency with which the two agencies responded revealed some "operational gaps and seams." These weaknesses are what adversaries often target when trying to launch an attack, "because it's usually at your seams where you're the weakest, as far as your staff is concerned," the specialist says.
Furthermore, the specialist expressed concern in the lack of oversight and accountability involving the document. The MWAA and many other airport authorities across the country regularly post similar SOW documents to the Internet. This one happened to be published with sensitive electronic security information that TSA agents either deemed harmless or counted on civilians to report. The document, as a result, was not altered until civilians contacted the responsible party directly.
After this chain of events, the specialist says the TSA would likely be held responsible by the U.S. public in the event the vulnerabilities in the SOW had been exploited. In this case, the specialist says, security should trump jurisdiction.
"If something were to happen because of a breach of the security at the airfield itself that led to items or personnel being introduced to an aircraft or something happening, I think the majority of the U.S. population would point their finger at the TSA and not at the MWAA," he says. "I understand where they're coming from because, when you look at the charter of the TSA, I don't think any time they're responsible for the physical security or the infrastructure of the airport. But most people don't get that differentiation."