NASA Still Struggling With Agencywide Cybersecurity ProgramIG Report Finds Agency's Infrastructure Remains Tempting Target for Hackers
A recent inspector general's report finds that NASA still struggles with implementing agencywide cybersecurity policies despite spending about $2.3 billion on IT, networking and security technology in 2019.
While NASA still has issues implementing better cybersecurity practices across the agency, the inspector general's report notes that the space agency's infrastructure remains a tempting target for hackers, and NASA needs to do more to protect its internal systems and data.
"Given NASA’s mission and the valuable technical and intellectual capital it produces, the information maintained within the agency’s IT infrastructure presents a high-value target for hackers and criminals," the inspector general notes in its report.
The Federal Information Security Modernization Act of 2014 requires federal agencies to develop, document and implement an agencywide information security program. It also allows inspector general offices to investigate the progress of these program and report back with their findings and make recommendations.
As part of its most recent report, NASA's inspector general assessed the effectiveness of the agency's system security and contingency plans, IT security handbooks and material, as well as issues relating to the agency's cybersecurity practices. The report found a lack of coordination and resources allocated to protecting certain systems.
As part of its investigation, the inspector general's office found that NASA continues to follow a number of weak security practices such as not updating applications to prevent malicious code from infecting systems. In addition, the space agency's information security personnel are not sufficiently aware of its security policies and procedures, according to the report.
The inspector general's report also notes that NASA's cybersecurity program does not have any action plans or strategies to mitigate security risk.
"NASA has not implemented an effective agencywide information security program," the report notes. "As a result, information systems throughout the agency face an unnecessarily high level of risk that threatens the confidentiality, integrity and availability of NASA’s information."
The inspector general's office offers nine recommendations to help NASA improve its cybersecurity program. The report notes that the agency has agreed with all the recommendations and will begin an implementation program. A spokesperson for NASA could not be immediately reached for comment.
The report lays out a number of cybersecurity recommendations.
These include ensuring that risk assessments of various IT systems are conducted and developing contingency plans if one of these systems is found vulnerable to a cybersecurity threat or has been attacked.
For example, the inspector general recommends implementing a better policies to enforce a requirement that the agency's risk information security compliance system should be used as the main repository to track all of NASA's hardware and software. RISCS is also used as the main tool help manage NASA's security program and it contains contingency plans for each system in case of a security incident.
"The issues we identified during this evaluation occurred primarily because the [Office of the CIO] does not consistently require the use of RISCS as the agency’s information security management tool," the inspector general's report notes.
While reviewing the agency common control system, "which aggregates and manages common controls across all Agency information systems," investigators found that 94 of 203 common controls were "other than satisfied, indicating they had been assessed as less than effective," according to the report.
The report notes that NASA's CIO had not taken any action to counter these deficiencies. The agency also lacks plans or documents to address known deficiencies.
"Failure to properly address these deficiencies increases the risk of exploitations that threaten the confidentiality, integrity, and availability of NASA’s information. For example, without controls in place to ensure that malicious code protection (e.g., anti-virus software) receives automatic updates, NASA information systems maybe vulnerable to new and emerging threats," the inspector general's report notes.
Training and Materials
During the audit of NASA's CIO office, inspector general investigators found that 27 of 45 IT governance documents had not been reviewed and approved in more than a year, and eight of them had not been reviewed in over three years. This is despite a policy mandating a review of IT security handbooks on an annual basis, the report notes.
Representatives of the CIO's office stated to investigators that they intend to re-engineer their review process in 2020, but they expressed concern about insufficient resources to complete this task.
"Failure to update agency policy and procedures in a timely manner increases the risk that NASA personnel will employ out-of-date information security practices,” the inspector general's report notes.
Prone to Hacking
Over the years, NASA has faced criticism over its security procedures and plans. In April, when the COVID-19 pandemic forced the U.S. federal government employees and contractors to work from home, NASA reported that it witnessed an increase in hacking that targeted its newly mobile workforce (see: NASA: At-Home Workers Targeted by Hackers).
An audit report by inspector general in 2019 found that over the course of 10 years, NASA's Jet Propulsion Laboratory, based in Pasadena, California, had been hacked numerous times, with individuals and nation-state actors stealing data concerning the agency's critical missions as well as other sensitive and proprietary information (see: NASA's Jet Propulsion Lab a Frequent Hack Victim: Audit).