Hacking isn’t a new problem; hackers, either individuals out for fun or organized groups out for financial or political gain, have been around for years. Some companies have more sensitive material, making them bigger targets for hackers. Including NASA. But the space agency has really lax security. With information ranging from employee identification materials to control codes for spacecraft in devices across the country, you’d think NASA would have all its information encrypted and well-protected, right? Well, it doesn’t. Not by a long shot.
Every year, NASA spends over $1.5 billion on IT-related activity, including about $58 million on IT security. Any computer linked to the NASA network, either in a NASA centre or a university, is under lock and key. But NASA still gets hacked.
The agency reported that it had been targeted with a sophisticated form of cyber attack known as advanced persistent threats. APTs come from well-funded and organized groups committed to stealing or modifying information from computer systems, and can retain a foothold in a system even after a security upgrade. In 2011 alone, NASA was the victim of 47 individual APT attacks, 13 of which successfully compromised agency computers. In one case, hackers stole credentials for over 150 employees, including access codes to sensitive information.
Part of the problem is incomplete security; in May 2010, only two-thirds of all computers on a given mission network were monitored for technical vulnerability. In 2010 and 2011, NASA reported 5,408 computer security incidents including the installation of malicious software and unauthorized access to its systems. Recovery from these incidents cost the agency about $7 million.
Another part of the issue is “unsanitized” hardware making its way from NASA to the public. In December 2010, four NASA centres were found to have released excess Shuttle IT equipment to the public that still contained sensitive data. At least ten unsanitized computers were released from one centre.
But the biggest problem is the increasing mobility of NASA information. More and more employees are using laptops and tablets, and NASA has been slow to implement full-disk encryption on these company issued mobile devices. Between April 2009 and April 2011, 48 mobile computing devices were lost or stolen from NASA employees.
In March 2011, an unencrypted NASA notebook computer was stolen and with it was lost the algorithms used to command and control the International Space Station. The subsequent investigation found that six computer servers associated with IT assets that control NASA spacecraft and contain critical data had vulnerabilities that could allow a remote attacker to take control of or render them unavailable.
The situation might be worse than that. NASA doesn’t have a way to measure the amount of sensitive data that’s exposed when employee’s mobile device is lost or stolen; no one checks what was backed up on the lost device so no one is sure what information has been compromised. Instead, the agency relies on the employee to report what was on the lost device. Other cases last year saw Social Security numbers and sensitive data on NASA’s Constellation and Orion programs recovered from stolen mobile devices.
And NASA is continuing to put its information at risk. As of February 1, 2012, only 1 percent of NASA issued laptops and mobile devices are encrypted.