NASA IT Vulnerable After 1,120 Security Incidents

GAO: Malicious Software Installed on Space Agency Systems
NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008, according to a report issued Thursday by the Government Accountability Office. And, the GAO reports, National Aeronautics and Space Administration systems remain vulnerable despite the establishment of a security operation center last year to deter such incidents.

"The control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services," wrote Gregory Wilshusen, GAO's information security issues director, in a report cosigned by GAO Chief Technologist Nabajyoti Barkakati. "They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted."

GAO cited a NASA report that said the agency's number of malicious code attacks - 839 - was the highest experienced by any federal agency and accounted for more than one-quarter of all malicious code attacks directed at federal agencies in 2007 and 2008. GAO cited an official at U.S.-CERT as saying NASA's high profile makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.

Reacting to GAO's findings, House Science and Technology Committee Chairman Bart Gordon, D-Tenn., sees NASA's IT vulnerability woes as emblematic of the cybersecurity problems federal agencies face, despite the passage of a dozen major IT security laws in as many years, the increased attention given to cybersecurity by the Clinton and Bush administrations, and $7 billion in annual spending to safeguard IT systems. "Regulation and legislation alone will not suffice," Gordon said in a statement. "Agencies and departments must follow through with corrective actions to mitigate identified vulnerabilities. GAO has performed an invaluable service to NASA by identifying weaknesses and recommending needed improvements."

Congressional investigators offered a number of security incidents to illustrate NASA's IT system vulnerabilities, including some this year in which the space agency reported unauthorized access to sensitive data. According to GAO:

One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information. Another center reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA's Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved.

"Significantly," GAO said, "these were not isolated incidents, since NASA reported 209 incidents of unauthorized access to U.S.-CERT during fiscal years 2007 and 2008."

Here's another intrusion, according to the GAO report:

One center was alerted by the NASA SOC (security operations center) in February 2009 about traffic associated with a Seneka Rootkit Bot. In this case, NASA found that 82 NASA devices had been communicating with a malicious server since January 2009. A review of the data revealed that most of these devices were communicating with a server in the Ukraine. By March 2009, three centers were also infected with the bot attack.

And another:

In October 2007, a total of 86 incidents related to the Zonebac Trojan were reported by NASA centers. This particular form of malware is capable of disabling security software and downloading and running other malicious software at the whim of the attacker. U.S.-CERT reported in January 2008 on NASA's ongoing problems with Zonebac and other malware infestations and recommended that the agency employ consistent patching and user education practices to prevent such infections from occurring.

"These attacks can result in damage to applications, data, or operating systems; disclosure of sensitive information; propagation of malware; use of affected systems as bots; an unavailability of systems and services; and a waste of time, money, and labor," GAO said.

GAO, the investigative arm of Congress, noted that the space agency has made important progress in implementing security controls and other aspects of its information security program. Still, GAO said, NASA hasn't always applied proper controls to adequately safeguard the confidentiality, integrity and availability of the information and systems supporting its mission directorates, and it has failed to consistently implement effective controls to prevent, limit and detect unauthorized access to its networks and systems.

GAO cited the following shortfalls: NASA failed to sufficiently identify and authenticate users, restrict user access to systems, encrypt network services and data, protect network boundaries, audit and monitor computer-related events, and physically protect its information technology resources. GAO also said weaknesses existed in other controls meant to segregate incompatible duties, manage system configurations and implement patches.

"A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively," Wilshusen and Barkakati wrote.

NASA, they said, hasn't consistently assessed information security risks; developed and documented security policies and procedures; included key information in security plans; conducted comprehensive tests and evaluation of its information system controls; tracked the status of plans to remedy known weaknesses; planned for contingencies and disruptions in service; maintained capabilities to detect, report, and respond to security incidents; and incorporated important security requirements in its contract with the Jet Propulsion Laboratory.

GAO recommended that the NASA administrator take steps to mitigate control vulnerabilities and fully implement a comprehensive information security program. In commenting on a draft of this report, according to the GAO audit report, NASA concurred with GAO's recommendations and stated that it will continue to mitigate the information security weaknesses identified.

The Senate and House committees with NASA oversight requested the audit, directing the GAO investigators to determine whether NASA has implemented appropriate controls to protect the confidentiality, integrity and availability of the information and systems used to support NASA's mission directorates and assess its vulnerabilities in the context of prior incidents and corrective actions. To do this, GAO said, it examined network and system controls in place at three centers; analyzed agency information security policies, plans, and reports; and interviewed agency officials. Many NASA systems and networks are interconnected through the Internet, and may be targeted by evolving and growing cyber threats from a variety of sources.


About the Author

Eric Chabrow
Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.