NASA Cybersecurity: An Examination of the Agency’s Information Security
NASA’s testimony at House of Representatives hearing reveals massive cyber spying attacks
Thank you for the opportunity to testify at today’s hearing. The Office of Inspector General (OIG) is committed to providing independent and aggressive oversight of the National Aeronautics and Space Administration (NASA), and we welcome this opportunity to discuss the status of the Agency’s efforts to protect its information technology (IT) resources.
My testimony today highlights five issues that we believe, based on our extensive audit and investigative work, constitute NASA’s most serious challenges in the admittedly difficult task of protecting the Agency’s information and systems from inadvertent loss or malicious theft. These challenges are:
• Lack of full awareness of Agency-wide IT security posture;
• Shortcomings in implementing a continuous monitoring approach to IT security;
• Slow pace of encryption for NASA laptop computers and other mobile devices;
• Ability to combat sophisticated cyber attacks; and
• Transition to cloud computing.
By way of background, NASA’s portfolio of IT assets includes more than 550 information systems that control spacecraft, collect and process scientific data, and enable NASA personnel to collaborate with colleagues around the world. Hundreds of thousands of individuals, including NASA personnel, contractors, academics, and members of the public use these IT systems daily and NASA depends on these systems to carry out its essential operations.
NASA spends more than $1.5 billion annually on its IT-related activities, including approximately $58 million for IT security. However, because IT networks for many NASA programs and projects are often bundled with funding for the underlying mission, these figures may not represent the full cost of NASA’s IT investments.
Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our Nation’s competitive technological advantage. Even more troubling, skilled and committed cyber attackers could choose to cause significant disruption to NASA operations, as IT networks are central to all aspects of NASA’s operations. NASA is a regular target of cyber attacks both because of the large size of its networks and because those networks contain information highly sought after by criminals attempting to steal technical data or compromise NASA networks to further other criminal activities. Moreover, NASA’s statutory mission to share scientific information presents unique IT security challenges. The Agency’s connectivity with outside organizations – most notably non-governmental entities such as educational institutions and research facilities – presents cybercriminals with a larger target than that of many other Government agencies.
In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems. These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives. Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million. To put these findings in context, however, NASA OIG is the only Office of Inspector General that regularly conducts international network intrusion cases, and this fact could skew perceptions with regard to NASA’s relative rate of significant intrusion events compared to other agencies.
Because of NASA’s status as a “target rich” environment for cyber attacks, the OIG devotes substantial resources to overseeing NASA’s efforts to protect its IT systems. Over the past 5 years, we have issued 21 audit reports containing 69 IT-related recommendations. In addition, OIG investigators have conducted more than 16 separate investigations of breaches of NASA networks during the past few years, several of which have resulted in the arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia.
Through our audits and investigations, we have identified systemic internal control weaknesses in NASA’s IT security control monitoring and cybersecurity oversight. The second part of my testimony will focus on the most significant findings from our oversight work that present the greatest challenges to NASA in protecting its IT assets.
Full testimony (House hearing written statement): HHRG-112-SY21-WState-PMartin-20120229