Skip Links

NASA network security torched

GAO says NASA has been successfully hit by cyber attacks 1,120 times in the past two years and significant holes still remain

By , Network World
October 15, 2009 04:54 PM ET

Network World - While NASA may be focused on keeping its manned space flight plans intact, apparently it has seriously neglected the security of its networks.

Watchdogs at the Government Accountability Office issued a 53-page report pretty much ripping the space agency’s network security strategy stating that NASA has significant problems protecting the confidentiality, integrity, and availability of the information and variety of networks supporting its mission centers.

NetworkWorld Extra: 10 NASA space technologies that may never see the cosmos

Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. The GAO said NASA did not identify and authenticate users; restrict user access to systems; encrypt network services and data; protect network boundaries; and t and monitor computer-related events. The GAO said NASA networks and systems have been successfully targeted by cyber attacks 1,120 times in the past two years. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security, the GAO stated.

Because NASA’s high profile and cutting edge technology makes it an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying. Thus, it is vital that attacks on NASA computer systems and networks are detected, resolved, and reported in a timely fashion and that the agency has effective security controls in place to minimize its vulnerability to such attacks, the GAO stated.

The agency relies on computer networks and systems to collect, access, or process a significant amount of data that requires protection, including data considered mission-critical, proprietary, and/or sensitive but unclassified information. For example, the agency-wide system controlling physical access to NASA facilities stores personally identifiable information such as fingerprints, Social Security numbers, and pay grades.

In addition an application for storing and sharing data such as computer-aided design and electrical drawings, and engineering documentation for Ares launch vehicles is being used by 7 agency data centers at 11 locations. Accordingly, effective information security controls are essential to ensuring that sensitive information is adequately protected from inadvertent or deliberate misuse, fraudulent use, improper disclosure or manipulation, and destruction, the GAO stated.

Some of the issues the GAO found included:

• One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information. Another center reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA’s Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved. Significantly, these were not isolated incidents since NASA reported 209 incidents of unauthorized access to US-CERT during fiscal years 2007 and 2008.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News