NASA hasn’t had a good track record when it comes to cybersecurity lately, as detailed in a lengthy statement from NASA Inspector General Paul K. Martin during a House hearing on Wednesday. In fact, Martin noted that NASA “reported a loss or theft” of 48 computers between April 2009 and April 2011, including a laptop that was stolen in March 2011 containing “algorithms used to command and control the International Space Station.”
That laptop, like 99 percent of NASA’s portable computing devices, wasn’t encrypted, according to Martin.
Martin didn’t elaborate on the circumstances under which the laptop was stolen or from where. NASA, for its part, released the following statement to TPM, dodging the issue of the laptop theft and asserting that the International Space Station and its crew were never in any danger. As a NASA spokesperson wrote to TPM via email:
“NASA takes the issue of IT security very seriously, and at no point in time have operations of the International Space Station been in jeopardy due to a data breach. NASA has made significant progress to better protect the agency’s IT systems and is in the process of implementing the recommendations made by the NASA Inspector General in this area.”
But the case of the stolen laptop containing Space Station control codes is hardly the only cyber security issue plaguing NASA. In fact, the agency appears to be rife with security flaws. As Martin continued in his written testimony:
“Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programs. Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files.”
The Constellation program is a NASA program to design a new series of spacecraft capable of returning humans to the moon and beyond. President Obama canceled the program in February 2011 due to its significant cost overruns. The Orion program was a related effort to develop a new crew capsule for transporting astronauts that survived the budget cuts and has since been modified into NASA’s new plans for deep space exploration.
Staffers at the House Committee on Space, Science and Technology, which called the hearing to highlight Martin’s testimony, told TPM that the problem was one of governance within NASA, specifically turf wars between the individual mission directorates — those scientists in charge of the various experiments and space exploration projects at the agency — and NASA’s Chief Information Officer Linda Y. Cureton, who also testified at the hearing on Wednesday. Cureton said that NASA was working to act on the recommendations of the Office of the Inspector General and hoped to have new security measures implemented within the next three to five years.
But House staffers expressed their concerns to TPM that the individual mission directorates would be reluctant and arguably unwilling to cede any control or security management over to Cureton, given the current lax track record on cyber security.
Specifically, staffers told TPM that NASA is facing three types of threats: outside software attacks, like those from would-be hackers and nation states; physical threats in the form of stolen property; and inside threats in the form of employees who are either not careful enough with their NASA data or are deliberately attempting to sabotage or steal from the agency.
As Martin warned: “NASA’s portfolio of IT assets includes more than 550 information systems that control spacecraft, collect and process scientific data, and enable NASA personnel to collaborate with colleagues around the world. Hundreds of thousands of individuals, including NASA personnel, contractors, academics, and members of the public use these IT systems daily and NASA depends on these systems to carry out its essential operations.”
More to the point, NASA alone controls almost half of the 1,400-plus “.gov” domains, and many mission directorates manage their own personal or quasi-professional websites outside of the official NASA domains, leading to more potential points of access for hackers and cyber attackers.
Separately but not unrelated: NASA in October 2011 confirmed that it had experienced “suspicious events” with an Earth-observing satellite, Terra AM, which an Air Force report theorized had been hacked by the Chinese, along with another government satellite.
Hill staffers said that they would continue probing into NASA to determine the best course of action for patching up the agency’s myriad security issues, but expressed frustration over NASA’s lack of progress over the past year.