Paul Martin, NASA’s Inspector General, gave written testimony in a House committee earlier this week detailing the security threats faced by their IT infrastructure. The thrust of the document is that NASA needs to double down on cybersecurity but, naturally, needs more money to do so.
Their IT budget is $1.5 billion, but of that only $58 million was spent on security. Considering the enormous network of datacenters, laptops, operations centers, and research labs scattered around the world, this may not be nearly enough. As it is, in the last two years NASA has been hacked thousands of times. In one instance, the hackers gained full access to some NASA systems and credentials for 150 employees.
NASA counted 5,408 security breaches where some access was given or malicious software was installed. In 2011 alone they had 47 attacks they described as “advanced persistent threats,” serious attacks by well-funded “individuals or nations.” Of those, 13 succeeded, and one attack based in China gained complete access to Jet Propulsion Laboratory (JPL) systems — read, write, delete, add and delete users, modify logs, everything.
Furthermore, they have lost dozens of laptops. And while government-wide, more than half of laptops are encrypted, NASA has yet to implement encryption as standard practice. The result: only one in a hundred NASA laptops is encrypted.
People in security are likely shaking their heads. Encryption of employee laptops and total isolation of root access is something even a small business should be trying to do, to say nothing of a major government entity with enormous amounts of sensitive data.
And that’s the point of this report: Martin is saying that NASA is the target of very serious hackers, and their approach to security is wildly out of date. They also are working hard to bridge the gap between security and control and the benefits of cloud computing.
Martin describes the need essentially for modern security: thin clients and cloud computing, a top-down administration of security, 21st-century standards like encryption and password regulations, and a general move to a “continuous monitoring approach,” the way modern IT should be. They’ve addressed dozens of security issues and implemented many real improvements to their systems, but it’s a good example of a organization totally reliant on technology, yet unable to move as quickly as the threats they face. For tech and research entities, agility is becoming more important yearly, and NASA hopes to convince the House of that.
Here’s the testimony in full: