Congressional Testimony Reveals Security at NASA Lacking

Friday, March 02, 2012



Paul K. Martin, Inspector General of the National Aeronautics and Space Administration (NASA), provided testimony to the House Committee on Science, Space, and Technology Subcommittee on Investigations and Oversight that revealed the agency is lacking key controls to ensure the protection of sensitive information and critical systems.

"Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our Nation’s competitive technological advantage. Even more troubling, skilled and committed cyber attackers could choose to cause significant disruption to NASA operations, as IT networks are central to all aspects of NASA’s operations," Martin testified.

Specifically, the testimony addressed issues with:

• Lack of full awareness of Agency-wide IT security posture
• Shortcomings in implementing a continuous monitoring approach to IT security
• Slow pace of encryption for NASA laptop computers and other mobile devices
• Ability to combat sophisticated cyber attacks

Martin noted that the structure and mission of NASA present unique challenges to securing sensitive networks as compared to other government entities. The highly valuable technical information the agency administers, combined with the necessity to provide access to third parties, makes the task of blocking illegal intrusions all the more difficult.

"NASA’s statutory mission to share scientific information presents unique IT security challenges. The Agency’s connectivity with outside organizations – most notably non-governmental entities such as educational institutions and research facilities – presents cybercriminals with a larger target than that of many other Government agencies," Martin said.

The agency's systems are under nearly constant attack, some initiated by lone operators seeking to bolster their hacking "street creds" by means of a high-level security breach, and others most likely conducted by state-sponsored entities with the intent of exfiltrating valuable technological data.

"In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems. These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives. Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million," Martin explained.

At issue in protecting NASA's networks is a lack of clear mission directorates addressing adequate security protocols, resulting in the agency's inability to implement consistent information security control protocols.

As an example, Martin noted that "a May 2010 OIG audit found that only 24 percent of applicable computers on a mission network were monitored for critical software patches and only 62 percent were monitored for technical vulnerabilities."

The agency has also been negligent in introducing standards for mobile device encryption, with a rate of implementation that lags far behind overall government rates.

"In its fiscal year (FY) 2010 report to Congress on FISMA implementation, the OMB reported a Government-wide encryption rate for these devices of 54 percent. However, as of February 1, 2012, only 1 percent of NASA portable devices/laptops have been encrypted," Martin testified.

The lack of encryption on mobile units is a serious issue for NASA, as the agency reported the loss of nearly fifty devices over a two-year period, which contained everything from personally identifiable information to classified data for highly sensitive operations.

"The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station," Martin said.

Not surprisingly, NASA is also a favored target for sophisticated attacks using Advanced Persistent Threat tactics, which also resulted in the loss of sensitive and classified data.

"In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorized access to NASA systems," Martin stated.

The most serious of the APT events showed evidence that Chinese hackers successfully infiltrated systems at the agency's Jet Propulsion Laboratory, a critical research facility for the defense industry.

"Our ongoing investigation of another such attack at JPL involving Chinese-based Internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts. With full system access the intruders could: (1) modify, copy, or delete sensitive files; (2) add, modify, or delete user accounts for mission-critical JPL systems; (3) upload hacking tools to steal user credentials and compromise other NASA systems; and (4) modify system logs to conceal their actions. In other words, the attackers had full functional control over these networks," Martin said.

