This is the first of a series of articles on Space Security. In the article series, we will look at the current strengths and weaknesses of NASA's cyber security efforts.
The above video was taken on April 17, 2013 at Wallops Flight Facility during the Antares NASA Social launch event. In it, Deputy Administrator Lori Garver discusses the importance of Cyber Security and NASA.
NASA was criticized in 2009 by the Government Accountability Office (GAO) for having security vulnerabilities in key networks, despite important progress in securing their computer systems.
According to the report:
Although NASA has made important progress in implementing security controls and aspects of its information security program, it has not always implemented appropriate controls to sufficiently protect the confidentiality, integrity, and availability of the information and systems supporting its mission directorates. Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. For example, it did not always sufficiently (1) identify and authenticate users, (2) restrict user access to systems, (3) encrypt network services and data, (4) protect network boundaries, (5) audit and monitor computer-related events, and (6) physically protect its information technology resources.After reviewing the report, the Deputy Administrator concurred with its findings and set forth a plan to improve:
In providing written comments on a draft of this report (reprinted in app. IV), the NASA Deputy Administrator concurred with our recommendations and noted that many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information technology management and IT security program deficiencies. In addition, she stated that NASA will continue to mitigate the information security weaknesses identified in our report. The actions identified in the Deputy Administrator’s response will, if effectively implemented, improve the agency’s information security program.The full report can be read on the GAO website, report GAO-10-4.
But has NASA improved their security on the ground?
While NASA employees were unable to provide me any specific details of their cyber security program, some information about the program is available online.
The first stop is NASA's Office of the Chief Information Officer (CIO). On the CIO's webpage, a list of all relevant NASA security documentation can be found. These documents are all dated and given report numbers. While the actual documents are not available online, the titles are provided.
A total of thirty-three IT Security Handbooks are listed on the site, with all handbooks having an effective date of 2010 or later, most of which are dated in 2012 or 2011. Several of the handbooks are based upon FIPS 199 which helps enable agencies to meet FISMA requirements.
So from a policy standpoint, NASA is showing definite signs of improvement.
But what about raw numbers? What about the actual number of security incidents at NASA?
According to the GAO report, NASA reported 1,120 security incidents that resulted in the installation of malicious software on their systems or unauthorized access to sensitive data in FY 2007 and FY 2008.
Flash forward to a Threat Post article from March 2012. In FY 2010 and FY 2011, NASA reported 5,408 similar security incidents.
At first glance, this sharp increase appears to reflect poorly on NASA. However, it is important to take into account that this is reported incidents, and not actual incidents. It is quite likely that prior to improving their security posture, NASA was experiencing just as many, if not more security incidents, and they just didn't know it due to inadequate monitoring. Fact of the matter is, NASA is still playing "catch up" with their cyber security program. Based upon the documents listed on their website, NASA has the framework in place for a robust cyber security program, it just needs to take the time to make sure all of its employees and contractors have complied with their personal responsibility to enforce the program.
Stay tuned for the next article on Space Security, coming soon!