In a hearing called by the House Subcommittee on Investigations and Oversight to examine the state of the National Aeronautics and Space Administration’s (NASA) information security on February 29th, NASA witnesses revealed that the Agency is facing challenges which could “result in significant financial loss, adversely affect national security, or significantly impair our nation’s competitive technological advantage”, or worse. NASA Inspector General Paul K. Martin, the first of the two witnesses, disclosed that “in 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems.”
Martin added that some of these intrusions “have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million.”
Additionally, between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorized release of sensitive data including export-controlled information, Personally Identifiable Information (PII), and third-party intellectual property. In a particularly concerning case, a laptop stolen in March 2011 contained algorithms used to command and control the International Space Station. In response to a TPM inquiry about this stolen laptop, NASA asserted that the International Space Station and its crew were never jeopardized due to a data breach. TPM claims that NASA was “dodging the issue of the laptop theft” in this response.
Whether or not NASA was dodging the issue of the laptop theft, NASA officials were very forthright in their testimonies to Congress about the scope and nature of the security challenges that the Agency is facing. Martin alarmingly admitted to Congress that the Agency has been slow to encrypt sensitive data on its notebooks and other mobile computing devices, “a widely recognized best practice and an action required by the Office of Management and Budget (OMB).” Yet the OMB estimates that only 54% of these devices are encrypted, and in his testimony Martin stated that only 1% have been encrypted since February 2009.
According to Martin, the extensive reports and auditing conducted over the past 5 years by the Office of the Inspector General (IG), responsible for providing independent and aggressive oversight of NASA, have shown five reasons why the Agency is failing to protect itself from cyber security threats. First, there is a lack of full awareness of Agency-wide IT security posture; in other words, the Chief Information Officer, who is responsible for developing IT security policies and procedures and implementing an Agency-wide IT security program, does not currently have the authority to ensure that NASA’s IT security policies are followed across the Agency. The Subcommittee staffers reportedly told TPM that individual mission directorates are reluctant and arguably unwilling to cede any control or security management to the current CIO, Cureton, who also testified at the hearing, given the current lax track record on cyber security. If true, this makes this particular problem a concerning Catch-22: how is the CIO to implement the Agency’s IT security policies when individual mission directorates are unwilling to cede control?
The second reason for NASA’s security challenges is that there are shortcomings in implementing a continuous monitoring approach to IT security; NASA has struggled to transition from its “snapshot” approach for certifying the security of its IT systems to a continuous monitoring program. Third, NASA lags far behind other federal agencies in protecting data on Agency laptops, as previously discussed. Fourth, NASA is having trouble responding to sophisticated cyber attacks, such as advanced persistent threats (APTs): groups that are particularly well resourced and committed to stealing or modifying information from computer systems and networks without detection. In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. Fifth, the Agency is facing IT security challenges in moving to cloud computing, an emerging form of delivering computing services by providing users with scalable, on-demand IT capabilities over the Internet.
NASA has made some progress in implementing IG recommendations to combat these security challenges. Martin concluded in his testimony that, “overall the OIG and NASA’s Office of the Chief Information Officer (CIO) have worked well together to improve NASA’s IT security. Of the 69 recommendations for improvement we made in our IT audit reports over the last 5 years, 51 have been closed after full implementation by the Agency. NASA continues to work toward implementation of the remaining 18, most of which stem from our more recent work.” However, despite the progress, what was also very clear from his testimony is that much more needs to be done given the five ongoing major cyber security challenges that the Agency is facing.
Kristina Olney is a dual U.S.-Australia citizen who returned to the States in 2009 as a fellow of the John Jay Institute for Faith, Society, and Law. After completing an internship on the House Foreign Affairs Committee in 2009, Kristina worked for the U.S. Commission on International Religious Freedom for two years and is now a subcontractor for McKinsey & Company.