While NASA may be focused on keeping its manned space flight plans intact, apparently it has seriously neglected the security of its networks.
Watchdogs at the Government Accountability Office issued a 53-page report pretty much ripping the space agency’s network security strategy stating that NASA has significant problems protecting the confidentiality, integrity, and availability of the information and variety of networks supporting its mission centres.
Specifically, NASA did not consistently implement effective controls to prevent, limit, and detect unauthorized access to its networks and systems. The GAO said NASA did not identify and authenticate users; restrict user access to systems; encrypt network services and data; protect network boundaries; and and monitor computer-related events. The GAO said NASA networks and systems have been successfully targeted by cyber attacks 1,120 times in the past two years. All of this despite the fact that the agency’s IT budget in fiscal year 2009 was $1.6 billion, of which $15 million was dedicated to IT security, the GAO stated.
Because NASA’s high profile and cutting edge technology makes it an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying. Thus, it is vital that attacks on NASA computer systems and networks are detected, resolved, and reported in a timely fashion and that the agency has effective security controls in place to minimise its vulnerability to such attacks, the GAO stated.
The agency relies on computer networks and systems to collect, access, or process a significant amount of data that requires protection, including data considered mission-critical, proprietary, and/or sensitive but unclassified information. For example, the agency-wide system controlling physical access to NASA facilities stores personally identifiable information such as fingerprints, Social Security numbers, and pay grades.
In addition an application for storing and sharing data such as computer-aided design and electrical drawings, and engineering documentation for Ares launch vehicles is being used by 7 agency data centres at 11 locations.