Speaking before Congress on Wednesday, NASA's Inspector General admitted that an unencrypted laptop that was stolen last year contained codes for controlling the International Space Station.
This isn't the first report of a NASA device, such as a cell phone or a laptop, being compromised. Between 2009 and 2011 the agency reported the loss or theft of 48 devices, some of which housed personal employee information along with proprietary technical details and important financial data.
Yet this is only a small part of a much larger problem that has been troubling NASA for the past two years.
Last week, the investigative panel of House Committee on Science, Space and Technology held a hearing to examine NASA's exposure to cyberattacks and information theft. In a written statement to the committee, NASA's Inspector General, Paul K. Martin, told the panel that between 2010 and 2011, "NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems."
It's difficult to measure NASA's data security problems against those of other federal agencies. "NASA OIG is the only Office of Inspector General that regularly conducts international network intrusion cases," read Martin's statement. "[T]his fact could skew perceptions with regard to NASA’s relative rate of significant intrusion events compared to other agencies."
NASA is taking steps to guard its data, a task that is not proving easy. Perhaps the most fundamental impediment to NASA's security upgrade is the sheer size of the agency. Information in NASA is constantly cycling around 550 individual networks that span the globe. Hundreds of thousands of people, including NASA personnel, contractors, academics, and members of the public access and communicate through these networks.
NASA spends over $1.5 billion on information technology each year, $58 million of which is allotted for security.
The official charged with overseeing the activity of these networks – Chief Information Officer Linda Y. Curteon – lacks access to key information about it. What's worse, when the CIO does identify a problem, she does not always have the proper authority to deal with it.
NASA currently monitors its networks with a "snap-shot" model, where updates on security are only given every so often, much like a baby monitor that broadcasts only for a few minutes each hour. The time between updates is a window of opportunity for potential hackers. For years, NASA has been trying to adopt a continuous security model.
The loss or theft of NASA's mobile devices would not be such a threat to security if the agency knew what sensitive information was stored on them, and that the devices were encrypted. During the hearing, Martin stated that 99% of these devices were not.
These many problems have rendered NASA vulnerable to much more serious threats, such as large-scale, sophisticated cyber-attacks.
"The individuals or nations behind these attacks are typically well organized and well funded and often target high profile organizations like NASA," Martin said. There were 47 such attacks on NASA in 2011, 13 of which were successful. During one attack, intruders acquired the credentials of 150 employees who had access to NASA's systems. In another, attackers, operating from a Chinese-based IP address, gained access to key systems of the Jet Propulsion Laboratory and high-profile user accounts. "In other words," said Martin, "the attackers had full functional control over these networks."
NASA's internal investigations have suggested that the sophistication of cyber-attacks is increasing. Some have even involved large foreign companies and underground internet-service providers. The recent spate of thefts and intrusions seems to demonstrate that online criminals have begun to see NASA's vulnerabilities as opportunities.
[Editor's note: Due to an editing error, a draft version of this story was posted. It has since been replaced with the edited version.]