FAA flagged for weak security on drone data

Federal Aviation Administration databases for drone flights – which include personal ID information about registered users and authorization for flight plans near airports – lack “adequate security” controls, according to a new federal watchdog report. 

The report released this week by a Transportation Department inspector general found that the two cloud-based databases – the DroneZone and the Low Altitude Authorization and Notification Capability system – include “sensitive data” provided by the general public “including personally identifiable information.”  

However, the FAA “has not effectively ensured that databases have adequate security – including privacy – controls,” according to the 29-page report released Wednesday. The report also state the lack of security controls puts the databases at risk of being compromised.

Both databases were created by the FAA in response to Congress directing the agency in 2012 to develop a plan to safely integrate drones – or unmanned aircraft systems – into the National Airspace System. 

The so-called DroneZone is a registration service for about 1.5 million operators, and the LAANC is an automated system that authorizes registered UAS users to fly their drones near airports.

The IG report was launched to determine whether the FAA’s drone registration system has the proper security controls and recovery procedures if service is disrupted.

The report also concluded that the FAA has authorized DroneZone operations without conducting a comprehensive assessment of its security controls since its start in 2015. 

In addition, the agency’s failure to adequately monitor the security controls and use of the unauthorized cloud systems “increases the risk of the systems being compromised,” the report also concluded. 

The agency, in fact, failed to show that 24 of 26 privacy controls were assessed to protect DroneZone users’ personal identifiable information, the report also found.   

The report, signed by Kevin Dorsey, the Transportation Department’s acting assistant inspector general for Information Technology Audits, includes 13 recommendations including a “comprehensive assessment” of both databases’ security controls.

The report was delivered to the FAA on March 5. The agency responded April 1, saying it concurs with all of the recommendations and providing appropriate actions and completion dates, the IG report also states.