DOT: Air Traffic Networks Now Vulnerable to Cyber Attacks; Why Let the Bad Guys Know This??

The Inspector General of the Department of Transportation issued a report yesterday that warned that the Federal Aviation Administration’s air traffic modernization efforts have increased the risk of cyber attacks. In addition, civilian air-traffic computer networks have been penetrated multiple times in recent years, including an attack that partially shut down air-traffic data systems in Alaska.

While we appreciate the full disclosure of how these new “modernized” systems can cause vulnerabilities, why would you bring this out in a public forum?? Surely, the bad guys read news online. I’m sure many are thanking the Department of Transportation right now, and are sharpening their knives as we speak. Perhaps the move was to raise the issue up, and bring about more funding opportunities for FAA to implement better security measures?  If this is the case, why do it via public relations??

We welcome all thoughts and feedback on this!

18 Comments

ITACadmin May 7th, 2009 at 11:03 am

From Linked-In:

Do you honestly believe that anyone with the desire and ability to do this doesn’t already know they are vulnerable? As for why the report was made public, it was requested by two Republican Congressmen (so that they can most likely start actions that result in increased funding for one of, if not both, their committees) and as such, for them to state WHY they need more money, they have to have a reason. This report provides the reason. Public Relations is one way you can spur the electorate on enough to get funding approved for issues.

Would you prefer that these types of decisions and analyses were private from the citizens of the US?

ITACadmin May 7th, 2009 at 11:03 am

From Linked-In:

Cyber attacks are definitely a problem but my concern is that after 9/11 attack if they are considering finding out about other network systems which are even more sophisticated than the cyber attack. These networks target individuals, follow them around and prepare them for future events. Most of the time the individual is not even aware of his or her participation in any type of terrorism activity. Think about nano technology, everything is to that scale now.

ITACadmin May 7th, 2009 at 12:41 pm

From Linked-In:

Vulnerabilities that are kept away from the public eye have a nasty tendency to be swept under the rug–easier that way. This creates the worst situation, where a security hole is unknown to the public (who thus can’t exert pressure to get it fixed) and remains open for an extended period of time allowing ample opportunity for an adversary to both discover this and exploit it.

ITACadmin May 7th, 2009 at 12:47 pm

From Linked-In:

Often times an Ethical Hacker’s only “weapon” to get the Vulnerable Party (VP) to make changes (spend money) is to give the VP time to make the fix with the promise to expose the issue if action isn’t taken. I believe this happens A LOT.

ITACadmin May 7th, 2009 at 12:47 pm

From Linked-In:

It is public knowledge that our air traffic control system is part of the critical infrastructure of the United States. We have known for a time that the system is indeed vulnerable on many levels. The system has required funding to be modernized and hardened against security threats.

Unfortunately, old vulnerabilities can be supplemented or supplanted by new ones during the modernization process. White hats and black hats know this. They also know that throwing more money at the air traffic control system is an exercise in futility if security is not a vital component of the system modernization efforts.

Far better that the Inspector General sound the alarm now and publicly, rather than try to keep hush-hush the not-so-secret knowledge of the sad insecure state of the US air traffic control system. Perhaps by doing so, the IG has done us a favor of providing an impetus to baking in security into the modernization program for the air traffic control system.

ITACadmin May 7th, 2009 at 1:09 pm

From Linked-In:

Well, this may very well be a “honey pot” trap. Its purpose is to attract attackers to target the system in order for the security dept. to backtrace the source. What the attackers are actually looking at would be an observed, contained and controlled environment in which access cannot go outside of the isolated system. This can expedite the search of dangerous attackers. I am saying this under the assumption that DOT is not stupid, but I could be completely wro

ITACadmin May 7th, 2009 at 1:24 pm

From Linked-In:

Ok, so add this to the national electrical grid, the major water supplies, and the fact that nuclear power plants rely on private security (not to say they are not qualified) and have little to no federal regulation for attack responses that differ from company to company. Why would this being made public make any difference? This Country has forgotten the message of 9-11 and we make public all discrepancies. This just adds fuel to the enemy fire that is sure to kick us sooner than later. As the Boy Scout motto states “BE PREPARED” as no one in the media is looking out for the interest of America, only their next Breaking News.

ITACadmin May 7th, 2009 at 1:53 pm

From Linked-In:

Given that the bad guys are constantly probing any and all systems, this may not actually have been news to them.

ITACadmin May 7th, 2009 at 2:40 pm

From ITACAdmin:

This is not new news. There are multiple GAO reports going back to the 1990s pointing out vulnerabilities in the FAA’s air traffic control system as well as their enterprise networks. For example:
http://www.gao.gov/new.items/d01171.pdf
http://www.gao.gov/archive/2000/ai00330t.pdf
http://www.gao.gov/archive/1998/ai98155.pdf

There are many more. Google is your friend.

ITACadmin May 7th, 2009 at 6:07 pm

From Linked-In:

Given the number of botnets, the amount of spam, and incredible quantities of other malware in the wild, I think it quite reasonable to make the following conclusion:

The bad guys are aware of these vulnerabilities and are actively working to exploit them.

Publishing the fact that these systems may be vulnerable is a distant, distant cry from publishing the nature and details of the vulnerabilities themselves. Publishing this simple fact can, in the end, regardless of how long it takes, have only one outcome, and a positive one at that: Mitigations will be put in place.

Why? Because of embarrassment and GAO pressure.

The bad guys either know these systems are vulnerable or hope they are. Either way, they are, as I type this, working to exploit them. This sort of published report changes nothing – NOTHING – for the bad guys.

ITACadmin May 7th, 2009 at 6:07 pm

From Linked-In:
You’re sadly giving your government too much credit. I have worked around the highest levels of government and it is scary when one sees how this democracy works. I am not dismissing your opinion, just expressing another of mine.

ITACadmin May 7th, 2009 at 6:08 pm

From Linked-In:

ATC network support is just one of the critical infrastructures that needs better cyber protection strategies, procedures and technologies. This is a good example of the catastrophic risks that entities face when designing, providing or deploying high tech solutions. If something goes badly wrong, are the plaintiffs going to sue the government? Way too hard as well as time and money consuming for the plaintiff’s bar. It is so much easier to go after the designer, service or technology supplier. “Deep Pockets”, we have all heard about them – well here is a good example.

For those organizations that provide services, technologies, ideas etc. relating to homeland security, including cyber protection, we thank you for betting your entire enterprise on the hopes that nothing will ever go wrong. If you think that there would never be a company that would hold back deploying technologies that could stop a terror event because of liability fears, you are sadly wrong, very wrong. They have and will continue to do so unless they can get SAFETY Act protection. If you are a stockholder or the owner of these companies, what would your position be if they were betting the entire enterprise (liability wise) on less than say 0.5% of total revenues?

What is the solution? – The SAFETY Act or, “The Support Anti-Terrorism by Fostering Effective Technologies Act of 2002”. By utilizing this law, organizations can protect themselves from huge liabilities and at the same time, deploy more technologies or services to stop the truly terrorist catastrophic events without fear of runaway lawsuits.

Anyone involved in Homeland Security / Anti-terrorism needs to have some familiarity with the SAFETY Act. If not for yourself, for your company, clients, suppliers and the public at large. It is way too important!

Going back to the ATC / FAA issue, UPI.com just did an article on the president, cyber security and the SAFETY Act titled “Obama needs to back SAFETY Act on cybersecurity”

http://www.upi.com/Security_Industry/2009/04/09/Obama-needs-to-back-SAFETY-Act-on-cybersecurity/UPI-26391239288290/

There is also an article on the NFL’s recent SAFETY Act approval in USA Today and April’s Security Director News.

http://www.usatoday.com/news/nation/2009-03-09-safety-act_N.htm

http://www.securitydirectornews-digital.com/securitydirectornews/200904/

It is very important to understand that the comments I made about the NFL and SAFETY Act for Security Director News conceptually apply to any industry or organization type including FAA/ATC firewall and network security providers.

A quick (sort of quick) SAFETY Act Primer for those unfamiliar with this remarkable Federal law follows.

ITACadmin May 7th, 2009 at 6:08 pm

From Linked-In:

Any entity that buys, uses, installs, integrates, deploys, designs, manufactures, supplies, distributes, advises on, or is otherwise involved in, homeland security related products, technologies or services in any way, whether for yourself or others, does so at an extraordinary liability risk. Because of this catastrophic risk, management has a fiduciary responsibility to explore the very broad immunities, liability caps, defenses and other protections that could potentially be afforded them under the SAFETY Act. It is critical to know if, and how, your organization can benefit from this Federal law.

You do not have to be the actual manufacturer, developer or seller of the products, technologies and/or services to benefit. In fact, just by using someone else’s SAFETY Act approved products and/or services, you can benefit greatly.

The SAFETY Act is a little known and often misunderstood piece of legislation that can protect an entity from the truly “enterprise threatening” liability they could face following a terrorist event. This liability can come from an attack on their own facilities or an attack on a third party where products, technologies, advice or services were provided. The Act’s protection can apply to a physical attack on persons or property or to acts of cyber-terrorism that cause physical and/or financial harm.

The SAFETY Act was enacted by Congress as a part of the Homeland Security Act of 2002 (Public Law 107-296). SAFETY Act is actually an acronym for the section of the Homeland Security Act titled the “Support Anti-terrorism by Fostering Effective Technologies Act”.

The Act’s purpose is to ensure that the threat of potential liability suits does not limit or deter the development, manufacture, deployment, use or commercialization of products, technologies, procedures, software, system integration, advice and/or services that could prevent or mitigate a terrorist attack.

The Act provides unprecedented immunities, liability protections, caps and other incentives for approved entities who use, supply, design, manufacture, provide or are otherwise involved in preventing, deterring, mitigating, responding to or recovering from a terrorism event.

SAFETY Act is very broad in scope as to what terrorism related identification, prevention, response, mitigation or recovery can be protected under the law. It can include anything that is designed, developed, modified or procured for preventing, detecting, identifying, or deterring acts of terrorism as well as responding to or limiting the harm such acts might otherwise cause.

SAFETY Act protection can apply to things you provide to others, as well as things you buy, use or do for your own facilities to protect people and property including cyber protection. These things do not have to be exclusively dedicated to anti-terrorism, they can have multiple functions. Examples that have both terrorism and non-terrorism elements include access control systems or procedures, security cameras, firewall software as well as a vast range of other “technologies”, including:

o Products
o Services
o Procedures
o Processes
o Advice
o Technology
o Software
o Network or Cyber protection
o Other forms of intellectual property

ITACadmin May 7th, 2009 at 6:09 pm

From Linked-In:

Your competitors, absent their own SAFETY Act approval, cannot possibly provide their customers with this level of immunity or buy enough terrorism insurance to compensate others for losses arising from a serious e-terrorism event.

In today’s geo-political environment, demonstrating that the SAFETY Act affords customers total immunity from potentially catastrophic terrorism related liability is overwhelmingly compelling. Customer consideration of this “no-cost” immunity protection will likely outweigh many other issues and considerations aside from the day-to-day operational safety, efficiency and reliability.

If your SAFETY Act protected products or services represent or address a significant portion of your customer’s, subcontractor’s or supplier’s liability exposure, it is very possible they can save money on their insurance by selecting your product or service over one that does not afford them such protection.

More and more procurements, in both the private and governmental sectors, require SAFETY Act consideration, designation or eligibility. This trend is expected to increase and is actually addressed in a recent change to the Federal Acquisition Regulations or “FAR”.

Sorry to be so “windy” but I am passionate about this law and its benefits to everyone except perhaps the plaintiffs’ bar.

Enjoy the free advice

ITACadmin May 8th, 2009 at 6:03 am

From Linked-In:

To be perfectly honest any serious attacker will know this stuff already. There has often been debate about discussing vulnerabilities in the public domain and this is sometimes the only way people get motivated to fixing them. There are numerous flaws in critical infrastructure systems and there have been for years. I am not sure we are being told anything we don’t already know.

ITACadmin May 8th, 2009 at 6:04 am

From Linked-In:

One question comes to mind… Who benefits from mass hysteria?
The Freedom of Speech also includes the Right to stay Silent. Exciting the masses is a common way to benefit for organization, the medical community, people against something.
So, was this really what the report said? The original article states that new vulnerabilities are being introduced that could increase risk… Anything can introduce risk. Living is a risk. The article was from the Wall Street Journal. Anything coming through the media should be scrutinized. Look past the bad and find the good things. The media likes to incite “riots”

ITACadmin May 8th, 2009 at 9:25 am

From Linked-In:

If the DOT is issuing a report on Federal Aviation Administration’s air traffic modernization, the bad guys already know about the vulnerability.

Cyber criminal organizations recruit the best.

Security through obscurity does not work.

Al Macintyre May 17th, 2009 at 11:46 pm

I read the DOT IG report. It was shocking on several levels.
I already knew from GAO reports, and an annual report from Congress, that government computer systems are a disaster area from a cyber security perspective.

Remember all the VA breaches? They had been getting an “F” for cyber security for years before the parade started. I lost count of how many breaches … scores?

Places that are supposed to be protecting us from this stuff, like Dept of Homeland Security & the Pentagon, have been getting such low scores that recent stories detailing what’s getting stolen should be no surprise.

It is one thing to beat the drum that a particular agency needs to fix cyber security, to keep reminding legislators and the public that we have this disaster waiting to happen.

It is another thing to publish a report that says there are hundreds of sites, of which only 11 are protected from intrusion, list the 11 sites, and what exactly is protected.

Oh yes, I am sure the professional hackers, terrorists, enemy nations (North Korea, Iran), somewhat hostile or sometimes hostile nations, they all knew this long before the report came out. But now we have an e-army of me-too amateurs to worry about, and less sophisticated trouble makers can join in.

The only way to protect the systems might be to deny e-privacy to 100% consumer users of the Internet. Could that be what is in the heads of some people who approve such reports?
