After reviewing the document, Koot asked for a second opinion from a senior-level U.S. military cybersecurity specialist and former leader of a military Red Team that challenged government systems to identify weaknesses.
Though he only agreed to speak on the condition of anonymity, the specialist says the document contained "exactly the type of open source information that the team and I were always looking for in order to lay the groundwork for targeting of a system."
Others agree. After reviewing the SOW, Scot Terban, who performs penetration testing, incident response, forensics, and information security auditing at an aerospace company, says "all you'd need to really set up a nice hacking attack on Reagan and Dulles is in there." That includes the number and location of surveillance cameras, the operating systems used at the airports, the types of switching, routing and networking hardware used, network logic diagrams and data flows, and the locations of RFID readers.
"It is also important to note that in this document set, they state that the work being done will allow for access to the codes for the airport facilities," Terban says. "So once in [the] clear, the attacker would have access to pretty much the keys to the kingdom at both airports."
To better understand what the information contained in the SOW could be used for from an attacker's perspective, an experienced hacker familiar with penetration testing and the techniques employed in undermining network security systems was consulted. Given the sensitive nature of the information, the source preferred to remain unnamed.
The hacker explained that anyone launching an attack could spend months gathering the necessary information. With the SOW, "someone decided to do all this work for me," he says.
The difficulty involved with reporting the issue to federal authorities raised additional concerns. The military cybersecurity specialist contacted the Department of Homeland Security shortly after reviewing the document. However, because the airports are classified as civilian facilities, his reporting was limited to a phone-based system developed as part of Secretary Janet Napolitano's "If You See Something, Say Something" campaign.
"DHS uses a multi-tiered system to accept reports. I am sure they are inundated with information, so the first line of operators are there simply to take down as much information as possible as it relates to the issue at hand," the specialist says. "From my experience, this first level had no technical expertise and was not there to evaluate as much as to simply record and report."
Two weeks after initially reporting the document, the specialist was contacted by TSA customer service representatives. Even after the specialist stated his position in the military and reiterated his concern over the information contained in the SOW, TSA officials informed him that they did not consider the document sensitive in nature. No further action involving the SOW was required, the TSA told him.