Paul Martin, NASA’s inspector general, has reported to Congress that NASA’s computer system has been successfully hacked 13 times within the last year. Martin reported that the more severe cases resulted in the hackers gaining “full functional control” of important systems. This is despite NASA spending $58 million of its $1.5 billion budget on cyber security.
NASA’s security policies have come under heavy criticism in recent years, and things haven’t got much better over the last two years: it has been revealed that the agency suffered 5,408 computer incidents in 2011 and 2012. This is undoubtedly a major concern for everyone associated with NASA, as such incidents have resulted in malware being installed or in unauthorised access to its systems, which could have had disastrous consequences.
Martin stated that “Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7m.”
One of the more concerning successful hacks resulted in the hackers taking control of systems at NASA’s Jet Propulsion Laboratory. NASA’s cyber security team managed to trace the IP addresses back to China. Another serious hack resulted in the hackers obtaining the credentials for 150 workers, which could have resulted in critical data being stolen or deleted.
Martin commented on these events and declared “In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorised access to NASA systems. Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts.”
Despite NASA’s attempts to improve its cyber security by spending a vast amount of money and closing security loopholes that had been highlighted in security audits, its overall cyber security status isn’t at the level where it should be. Martin has identified that one of the more pressing security issues that needs to be addressed is the large amount of data that is kept unencrypted on laptops. Martin reported that only one percent of laptops and portable devices have been encrypted.
Martin stated “Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.”
There are still obvious major flaws with NASA’s current cyber security setup. The vast amount of money that the agency has spent in an attempt to improve its cyber security demonstrates that it is striving to make improvements. However, it is badly lagging behind other government agencies at the moment, and it will take time until its whole infrastructure becomes much more secure.
Linda Cureton, NASA’s Chief Information Officer, stated “Since NASA’s infrastructure is worldwide, the agency is striving to achieve a risk-based balance between security, system operability, and user requirements. While demanding a culture of security awareness, NASA will continue to improve the defense of our IT security posture and build security into the System Development Life Cycle (SDLC) of our IT solutions and everyday work habits.”