Federal Aviation Administration

Speech

"This is for Real"
David M. Bowen, Dallas, TX
March 24, 2009

IT/ISS Conference


Good morning, and thank you, Mike [Brown]. It’s a pleasure to be here and open what appears to be our most successful conference ever. The theme of this conference is “The Window to the Future,” and as I look through the Window to the Future, I get very concerned. This conference is a perfect opportunity to address some very serious issues.

From my perspective, we’re here because America is at war. I’m not talking about Afghanistan or Iraq. I’m not talking about the war on drugs or the war on poverty. All of those are going on right now, but they’re not why we’re here.

We’re here because deliberate and calculated attacks on America’s cyber backbone are being carried out in methodic, chilling detail. The bad guys want in, and they’re testing every door and window to do it. They’re even willing to dig a tunnel or two — or 20. And, they’re having some success.

Let’s not kid ourselves. We have a responsibility to protect the safety and security of this great nation in general, and its aviation industry in particular. The purpose of this conference is to underscore that responsibility.

We’re talking about a set of circumstances here that, frankly, we hoped would never really happen. But that’s the very kind of thing you have to prepare for in all walks of life. Unexpected, undesirable and troublesome scenarios aren’t just limited to government computer systems.

Consider the story of Maurizio Seracini. He’s a Ph.D. from U-C San Diego, and he’s a determined guy. He’s been on one particular hunt for 30 years. Thirty years chasing one thing.

He’s searching for a mural painted in the city of Florence by Leonardo da Vinci. The mural depicts the Battle of Anghiari. We only know what this mural looks like from sketches and drafts found in da Vinci’s notebooks — because no one knows where the original is. Well, almost no one.

This work of art has been called the most beautiful, the most classic representation of Renaissance art. The experts in the art world say that this particular piece changed the course of Western art. Some call it more beautiful than the Sistine chapel.

So, a little self-disclosure here. I’ve been a fan of Leonardo da Vinci since I was a kid. Those of you who have been in my office have seen the da Vinci self-portrait hanging there, with aviation-related sketches from his notebooks. Da Vinci’s artwork is valued in the millions. Priceless is a word you hear a lot when da Vinci’s name comes up. Getting your hands on one of these is a very big deal. The art world is interested. The government in Florence is interested. So, of all the things to spend a lifetime chasing, I suppose something this valuable, something this mysterious — well, why not?

Before we go too much further, let me provide some background information about the origins of the artwork. The timeline here is the sixteenth century. This battle scene was painted on a fresco. It was supposed to be on a wall opposite another work being done at the same time by some other guy named Michelangelo. But, as it turns out, the tandem masterpieces weren’t meant to be. Michelangelo was called to Rome by the Pope. Da Vinci, who rarely completed anything he started, headed off to work for the King of France.

So now there’s a building in Florence with lots of unfinished masterpieces. Another artist — Vasari — is brought in. Vasari is a fan of da Vinci, calling the unfinished fresco “most excellent and masterful for its marvelous treatment of figures in flight.” Whatever Vasari decided, those are his murals on display in that building. Whatever da Vinci did is gone. Art historians want to know: Did Vasari paint over da Vinci’s work? Did he rip it down? What happened to da Vinci’s work?

This is where Dr. Seracini comes in. As he’s studying the place where the da Vinci mural was last seen, he takes a close look at Vasari’s mural. Way up in the corner, out of sight unless you’re standing on a ladder, he comes across an inscription painted on a flag in the mural. Cerca trova. Just two words. Two words that in Italian mean: seek, you will find.

Seracini is a bio-engineer by trade. He’s also a pioneer in forensic art analysis. Seracini wonders: Was Vasari taunting historians, or was he leaving a clue? Was he telling historians that he would never, ever destroy a masterpiece? Seracini found out almost immediately by using a radar scan that the Vasari mural is on a wall that’s covering another wall, with a one-inch air gap in between. What’s the reason for that, and what’s on the back wall?

Remember, we’re not talking about the da Vinci code novel. This is an actual historic site in Florence. Everything in the place is a treasure. The Vasari fresco that’s visible isn’t a da Vinci, but it is a 450-year old classic piece of artwork that cannot be damaged. So how do you get underneath the art to see what’s on the wall behind it?

Bring in the high-tech stuff. Seracini is going to radiate one wall with a high-energy neutron beam that he hopes may reveal the da Vinci mural for the first time in 450 years.

For those of you who want to know how this cliffhanger ends, I’ve got bad news. We don’t know yet. Seracini’s not done, yet, but we may know by the end of the year.

But that’s not why I told you about da Vinci and the lost mural. Let me recap. We have something very, very valuable, something hidden from the naked eye. We have very smart people who are willing to spend decades of painful, laborious research to find what they’re looking for. They work at night so as not to be disturbed. They have the backing of wealthy individuals and governments. They use high-tech equipment and techniques to find what they’re looking for. They will stop at, literally, nothing until they get what they want.

Does anyone see a parallel here?

As I said at the opening, we are indeed at war. And you and I are on the front lines. There’s the sentiment that says, “My network didn’t get hacked. I followed the protocols. My firewall is intact.” Well, that’s right up there with laughing at the hole in the other end of your boat. When the FAA gets hacked, we all get hacked. Each one of us. We have a choice: we can be unsung heroes or we can be scapegoats. I know which option I prefer.

There are warning signs all around us. The IG has pointed out vulnerabilities in our web infrastructure that are tied to our air traffic systems. The IG also spotted vulnerabilities in our medical information systems. We’re still looking into that.

The President’s also getting involved. He’s appointed a special group to meet and recommend improvements to the government’s IT security, and Mike Brown is on it representing the DOT. A group of government and commercial organizations has also gotten together, on its own, to develop new ways of protecting the government’s infrastructure.

Clearly, there’s a problem. Look at Govtrip. This isn’t a mystery. The intruder exploited a flaw in the website code. He used a default password to gain access to a component of the website software to redirect users to another site.

That site downloaded malicious code, which contacted another site. That site downloaded more malicious code. And worst of all, our activities to block Govtrip from headquarters IAP were inconsistent with those of other IAPs. If this had been a fire, I can’t say that the place wouldn’t have burned to the ground while we were trying to orchestrate the fire hoses.

So what have we learned? We have too many known — and unknown — internet access points. We don’t have consistent incident response from our Lines of Business. We have limited visibility and understanding of LOB network security. We only scan some websites now. As an agency, we need to put better controls in place to increase adherence to website development rules and architecture standards.

But it doesn’t end there. We have what I’ll call hobbyist IT shops, and hobbyist coding practices, and hobbyist security emphasis — or lack thereof.

Fully 75 percent of our servers are outside our data centers. FAA infrastructure in general is not set up or managed consistently. We have uncontrolled personal identification information everywhere. We have 149 external domain names here at the agency, and 323 internal ones. That’s a lot of ground to cover. That’s one of the reasons why — government-wide — OMB is reducing the number of government internet access points. DOT is going to be allowed six — down from 41 — and we’ll have three.

It doesn’t stop there. We have 55,000 laptops and desktops. We have one wide area network but hundreds of local area networks. Literally, we’re an unlocked door and a whole lot of open windows, no pun intended.

So where does that put us? We know one thing for sure: what we’re doing is not enough. We need to do more of the basics — with architecture, with controls, with incident response, with software patching. As I alluded to a moment ago, we need to do more things consistently. I’m talking about things like architecture, programming, infrastructure and procedures. And we need more toolsets, more skills and most of all, a cadre of talented, dedicated professionals to ensure that they’re used correctly.

So we’ve got a leg up there, because I see a lot of talent in this room — FAA employees who are willing to take accountability and FAA vendors and their staffs who are willing to help out. Clearly, IT security is everyone’s concern. And the FAA is at the forefront.

Over the duration of this conference, a few messages are going to be hammered home again and again and again. One, it’s no longer business as usual. Our current way of working is too dangerous and too expensive and we can’t afford to be either. Two, everyone’s got to get involved. I’m talking about you, but I’m also talking about the messages you carry back. Three, we must get up to speed with new software, new procedures, new oversight, new responsibilities and new controls.

I opened with a story about artwork, and how diligent people are busy searching to recover a masterpiece. Well, with what we know about the hacking into FAA computers, we’re dealing with the same kind of zeal, the same kind of technology and the same kind of firepower. The threats to our system are very real, and the goal of these people is not just to make life miserable with identity theft.

Let’s remember why we’re here. This is a call to action, and as public servants, it’s time for us to step up. We need to move forward rapidly and increase the protection of our networks and the protection of our sensitive data. We need to do what’s in the best interests of our constituents, the flying public and the taxpayers. We need to pledge ourselves to commit that a similar situation will never happen to the FAA again. It’s going to take time, effort, dedication and money, but most of all commitment from all of us here. This conference is the place where it all starts, so let’s make the most of this opportunity.

###