Four dozen high-tech computing devices disappeared from the offices of NASA over a two-year span, including one laptop that contained the code needed to command the International Space Station.
No big deal, guys!
A laptop with the algorithm used to control the ISS was one of 48 gizmos and gadgets that NASA either reported lost or stolen between April 2009 and April 2011, the agency’s inspector general, Paul Martin, tells the House Committee on Science, Space and Technology. Although the incidents date back to nearly three years ago, Martin has only now informed Congress of the accidents. They are discussed in a written statement he authored and published this week under the title “NASA Cybersecurity: An Examination of the Agency’s Information Security.”
For the Cliff Notes version, we’ve got you covered. Information security at NASA: not so good.
Over the course of ten pages, Martin makes mention of what he says are five issues that NASA believes, based on their “extensive audit and investigative work,” make up NASA’s “most serious challenges in the admittedly difficult task of protecting the agency’s information.”
For starters, we suggest putting a damn lock on the safe.
Martin goes on to list those challenges as including a “lack of full awareness of Agency-wide security posture,” “shortcomings in implementing a continuous monitoring approach to IT security” and the “slow pace of encryption.” He also adds, however, that one “challenge” in particular is the ability to handle a sophisticated cyber attack.
Now, what separates a sophisticated cyber attack from a stupid, simple-minded one is something Martin would have to elaborate on a bit more. But with regard to losing four dozen mobile computing devices — well, keeping a close eye on those things isn’t rocket science. And if it were, you’d expect NASA of all agencies to be able to handle it, wouldn’t you?
According to the congressional testimony, NASA spends around $1.5 billion each year on IT-related activities, which includes approximately $58 million on IT security. And while the statement acknowledges that losing sensitive information could “adversely affect national security,” Martin makes note that lapses have caused concern time and time again. He also admits that security within the agency is not up to snuff, while at the same time revealing that NASA is a “regular target” of such attacks.
The 48 missing mobile devices aren’t the biggest number in the report, though. In 2010 and 2011, the report reveals, NASA reported over 5,400 incidents where either malicious software was found on computers or unauthorized users were granted access to the agency’s systems. To point out just how spectacular a security flaw this is, we will publish this line as a standalone statement:
NASA SUFFERS OVER 5,000 SECURITY BREACHES A YEAR ON A SYSTEM THAT IS IN CHARGE OF GIANT, SPACE-SURFING MISSILES.
You would only assume that if they can land a man on the moon, surely they could install a copy of McAfee Antivirus.
Those problems, adds the report, have indeed caused the disruption of mission operations and are estimated to have cost NASA $7 million in just one year’s time. In their defense, however, the agency has issued 21 audit reports during the last five years, which have spawned 69 IT-related recommendations. Whether or not they followed through with those, however, is anyone’s guess. Regardless, Martin does make note that the agency has identified that there is indeed “weakness” in regard to its IT security. That, you see, is something you shouldn’t have to admit to. Over the span of just ten pages, the word “weakness” appears four times.
One of those weaknesses is indeed the ability to monitor mobile devices that are lost. The damage, reveals the report, has been not just the loss of the code used to command and control the International Space Station (that one-million-pound hunk of machinery that NASA allocated $72.4 billion towards), but also Social Security numbers and other sensitive data.
Don’t worry too hard, though. NASA says that eventually they will be able to remediate these issues. It’ll take a bit of work though. “Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,” reads Martin’s report.
And if you were wondering, “risk” appears an average of twice per page in the report.