NASA reveals extent of malware infection and device loss, and admits CIO's capability is limited

NASA has admitted that it experienced more than 5,000 cyber security incidents which resulted in the installation of malicious software and the theft of "export-controlled" and otherwise sensitive data.

In a published statement, Paul K. Martin, inspector general of NASA, said some of the breaches in 2010 and 2011 "may have been sponsored by foreign intelligence services seeking to further their countries' objectives".

He said: “These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries' objectives.

“Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7m.”

Martin also said that NASA was the victim of 47 advanced persistent threat attacks last year, 13 of which successfully compromised Agency computers. Martin said: “In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees. Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts.”

He also admitted that an audit in December 2010 found computers and hard drives were being sold or prepared for sale, even though they still contained sensitive NASA data; one contained data "subject to export control restrictions".

Another audit (covering the period between April 2009 and April 2011) saw NASA report the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorised release of sensitive data. Martin said the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station.

“Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files,” he said.   

Martin also said that of NASA's annual $1.5bn IT spend, approximately $58m was designated for security. He also identified the five most serious challenges NASA faces in protecting its information and systems from inadvertent loss or malicious theft as: lack of full awareness of Agency-wide IT security posture; shortcomings in implementing a continuous monitoring approach to IT security; slow pace of encryption for NASA laptop computers and other mobile devices; ability to combat sophisticated cyber attacks; and transition to cloud computing.

Martin pointed to the chief information officer (CIO) as being responsible for developing IT security policies and procedures and implementing an Agency-wide IT security programme, yet said the CIO has "limited ability to direct NASA's mission directorates to fully implement CIO-recommended or mandated IT security programmes".

He also said that IT staff are responsible for implementing security controls on mission IT assets and report to the mission directorate and not the CIO – therefore the CIO does not have the authority to ensure that NASA's IT security policies are followed across the Agency.

Other IT security failings were highlighted, with Martin claiming that mission directorates often lack effective IT security, and only 24 per cent of applicable computers on a mission network were monitored for critical software patches.