First appeared in USA Today
It sounds like the plot of a campy science fiction flick:
Thieves steal a laptop containing the codes used to command and control the
International Space Station.
Except it happened.
The March 2011 theft of the unencrypted computer was one of
5,408 cybersecurity incidents — many foreign-based — the space agency reported
during the past two years, according to NASA Inspector General Paul Martin.
The incidents, which include the installation of malicious
software and unauthorized access to NASA systems, have caused disruptions and
cost taxpayers millions in missing equipment and repairs.
Some cases are clearly more serious than others, such as the
theft of space station algorithms, though there's nothing to indicate the ISS
was affected in any meaningful way.
"The threat to NASA's information security is
persistent and ever-changing," warned Rep. Paul Broun, R-Ga., who chairs a
House Science, Space and Technology subcommittee that conducted a hearing on
cybersecurity lapses Wednesday. "Unless NASA is able to continuously
innovate and adapt, their data systems and operations will continue to be in
danger."
These incidents are among those the inspector general's
office says have taken place since 2010:
—Terra and Landsat-7, both Earth observation satellites,
"have each experienced at least two separate instances of interference
apparently consistent with cyberactivities against their command and control
systems."
—An unidentified NASA center released to the public 10
surplus computers connected to the space shuttle program that weren't properly
sanitized and may have contained sensitive data.
—Intruders stole credentials for more than 150 NASA
employees in one cyber attack, while another intrusion provided hackers access
to key information and user accounts at the Jet Propulsion Lab in Pasadena, Calif.
—A Texas man pleaded guilty last year to hacking NASA
computers, an incident that prevented some 3,000 registered users from
accessing oceanographic data collected by the agency.
Martin told the House panel the agency's vulnerability stems
from two issues: It's a high-profile target that generates plenty of
sought-after data, and it offers potential hackers a wide array of entry
points.
NASA manages approximately 3,400 websites — nearly half of
all the federal government's non-defense sites — and is home to some 176,000
individual e-mail addresses. Its assets include 550 information systems that
control spacecraft, collect and process scientific data, and enable NASA to
interact with colleagues and researchers in other agencies and universities
around the globe, according to Martin.
"There are many gates to guard," NASA Chief
Information Officer Linda Cureton told the House panel.
Sen. Bill Nelson, D-Fla., a member of the Intelligence
Committee who rode on the space shuttle, said that while the country's national
security computers are protected, he's concerned foreign hackers could
infiltrate government computers through a back door provided by NASA or another
non-defense agency.
"Of course it's worrisome," he said. "And
that's what we're working on."
NASA has made some progress addressing problems Martin and
his office have pointed out in the 21 audit reports his office has conducted
over the past five years. Of the 69 recommendations the inspector general has
made during that period, all but 18 have been fully addressed, officials said.
Martin said only 1% of the agency's laptops and other
portable devices have been encrypted to prevent easy deciphering, which he called
"very disturbing" given the highly sensitive nature of the
information stored on them. More than half of the computers used
government-wide are encrypted.
In addition, a risk assessment Cureton's office was supposed
to have completed by August 2011 won't be finished until June.
"We are determined to improve NASA's capability to
predict, prevent and effectively contain potential IT security incidents,"
she told lawmakers.
Cureton told the House panel the agency has taken a number
of steps, including accelerating encryption of NASA laptops. But she said
cybersecurity isn't taken as seriously as it should be because of
"culture" issues. And much of the sensitive information is managed
not by her office but by mission directorates.
Martin said Cureton's efforts have been hampered because she
doesn't control much of the budget devoted to improving cybersecurity.
"As we've all seen in Washington," Martin said,
"when you don't control the funding, you have a difficult time getting
folks' full attention."