Tuesday, March 6, 2012

Cybersecurity Is Necessary for NASA


First appeared in USA Today
It sounds like the plot of a campy science fiction flick: Thieves steal a laptop containing the codes used to command and control the International Space Station.

Except it happened.

The March 2011 theft of the unencrypted computer was one of 5,408 cybersecurity incidents — many foreign-based — the space agency reported during the past two years, according to NASA Inspector General Paul Martin.
The incidents, which include the installation of malicious software and unauthorized access to NASA systems, have caused disruptions and cost taxpayers millions in missing equipment and repairs.

Some cases are clearly more serious than others, such as the theft of space station algorithms, though there's nothing to indicate the ISS was affected in any meaningful way.

"The threat to NASA's information security is persistent and ever-changing," warned Rep. Paul Braun, R-Ga., who chairs a House Science, Space and Technology subcommittee that conducted a hearing on cybersecurity lapses Wednesday. "Unless NASA is able to continuously innovate and adapt, their data systems and operations will continue to be in danger.”

These incidents are among those the inspector general's office says have taken place since 2010:

—Terra and Landsat-7, both Earth observation satellites, "have each experienced at least two separate instances of interference apparently consistent with cyberactivities against their command and control systems."

—An unidentified NASA center released to the public 10 surplus computers connected to the space shuttle program that weren't properly sanitized and may have contained sensitive data.

—Intruders stole credentials for more than 150 NASA employees in one cyber attack, while another intrusion provided hackers access to key information and user accounts at the Jet Propulsion Lab in Pasadena, Ca.

—A Texas man pleaded guilty last year to hacking NASA computers, an incident that prevented some 3,000 registered users from accessing oceanographic data collected by the agency.

Martin told the House panel the agency's vulnerability stems from two issues: It's a high-profile target that generates plenty of sought-after data, and it offers potential hackers a wide array of entry points. 

NASA manages approximately 3,400 websites — nearly half of all the federal government's non-defense sites — and is home to some 176,000 individual e-mail addresses. Its assets include 550 information systems that control spacecraft, collect and process scientific data, and enable NASA to interact with colleagues and researchers in other agencies and universities around the globe, according to Martin.

"There are many gates to guard," NASA Chief Information Officer Linda Cureton told the House panel.

Sen. Bill Nelson, D-Fla., a member of the Intelligence Committee who rode on the space shuttle, said that while the country's national security computers are protected, he's concerned foreign hackers could infiltrate government computers through a back door provided by NASA or another non-defense agency.

"Of course it's worrisome," he said. "And that's what we're working on."

NASA has made some progress addressing problems Martin and his office have pointed out in the 21 audit reports his office has conducted over the past five years. Of the 69 recommendations the inspector general has made during that period, all but 18 have been fully addressed, officials said.

Martin said only 1% of the agency's laptops and other portable devices have been encrypted to prevent easy deciphering, which he called "very disturbing" given the highly sensitive nature of the information stored on them. More than half of the computers used government-wide are encrypted.

In addition, a risk assessment Cureton's office was supposed to have completed by August 2011 won't be finished until June.

"We are determined to improve NASA's capability to predict, prevent and effectively contain potential IT security incidents," she told lawmakers.

Cureton told the House panel the agency has taken a number of steps, including accelerating encryption of NASA laptops. But she said cybersecurity isn't taken as seriously as it should be because of "culture" issues. And much of the sensitive information is managed not by her office but by mission directorates. 

Martin said Cureton's efforts have been hampered because she doesn't control much of the budget devoted to improving cybersecurity.

"As we've all seen in Washington," Martin said, "when you don't control the funding, you have a difficult time getting folks' full attention."