Code and Dagger

View Original

Watchdog Urges NASA to Up Its Cybersecurity Game

The U.S. government’s official watchdog is pressing NASA to make cybersecurity a priority, after the space agency saw a jump in attacks during the COVID-19 pandemic.

In a letter last week to NASA Administrator Bill Nelson, the Government Accountability Office said that one of two priorities for the space organization — in addition to “monitoring program costs and execution” — is “ensuring cybersecurity.”

“We have designated information security as a government-wide high-risk area since 1997 and subsequently expanded this high-risk area to include protecting cyber critical infrastructure and securing personally identifiable information,” the GAO letter [PDF] said.

The GAO said it had recommended back in July 2019 that NASA develop a risk assessment process. In response, NASA agreed, and said it would conduct an assessment by September 2021, GAO said.

That’s not to say that NASA isn’t aware of the threat. A report from NASA’s inspector general [PDF] in May noted that “attempts to steal critical information” from NASA “are increasing in both complexity and severity.” The report said that this year NASA has seen a doubling of phishing attempts and an “exponential” increase in malware attacks during the COVID-19 pandemic.

RELATED: CIA to Release New Sputnik Documents

The report also found that NASA wasn’t yet up to the task of defense, in part because of bureaucratic complexity.

“Although NASA has taken positive steps to address cybersecurity in the areas of network monitoring, identity management, and updating its IT Strategic Plan, it continues to face challenges in strengthening foundational cybersecurity efforts,” the report says. “We found that NASA’s ability to prevent, detect, and mitigate cyber-attacks is limited by a disorganized approach to Enterprise Architecture,” which the agency defined as “the blueprints for how an organization analyzes and operates its IT and cybersecurity.”

The civilian agency is also very public online, offering attackers what cybersecurity researchers call a large attack surface.

“Given its online presence of approximately 3,000 websites and more than 42,000 publicly accessible datasets, the Agency is highly vulnerable to intrusions,” the NASA IG report says, also noting that agency workers use more than 15,000 mobile devices and nearly 50,000 computers. The agency counted some 1,785 “cyber incidents” in 2020, actually a slight drop from 1,888 in 2019.

RELATED: On This Day: Russia, US Shake Hands in Space

In 2018 NASA’s Jet Propulsion Laboratory suffered a hack after a single unauthorized device was connected to JPL servers, allowing hackers into the network and access to NASA’s Deep Space Network array of telescopes.

The breach, as well as several less-severe incidents (including one in which a contractor used NASA networks to allegedly mine cryptocurrency), highlight a threat investigators have been warning about for years.

“Collectively, the OIG and the Government Accountability Office (GAO) have issued dozens of reports during the past 5 years identifying weaknesses in NASA’s information technology systems,” the report said.

It said the watchdogs had issued 73 recommendations, of which NASA implemented 46. It’s still working on the remaining 27.

[Do you have a tip or question for Code and Dagger? Send it along at CodeAndDagger@protonmail.com. Also, consider contributing to Code and Dagger on Patreon at Patreon.com/CodeAndDagger.]