Congress asks GAO to investigate NASA cybersecurity
WASHINGTON — The bipartisan leadership of the House Science Committee has asked the Government Accountability Office to investigate NASA’s cybersecurity activities amid growing concerns about hacking of government computer systems.
In a May 27 letter, the top Democrats and Republicans of the committee requested the GAO investigate the “cybersecurity risks to the sensitive data” associated with major NASA programs. That includes comparing NASA’s activities to leading cybersecurity practices and identifying additional practices the agency should adopt.
The letter did not identify any specific NASA cybersecurity breach or other event that prompted the request for the review, but rather longstanding concerns about the agency’s vulnerabilities. “The extent to which these ongoing weaknesses have impacted the agency’s ability to protect its most sensitive data, especially data tied to its major space development projects and spacecraft and human spaceflight operations, is not well understood,” the members wrote in the letter.
NASA’s Office of Inspector General (OIG) has regularly reviewed, and criticized, NASA’s approach to information technology management in general and cybersecurity in particular. In its most recent cybersecurity report, released May 18, it warned of growing cybersecurity threats to the agency.
“Attacks on NASA networks are not a new phenomenon, although attempts to steal critical information are increasing in both complexity and severity,” the OIG report concluded. It stated that phishing attempts more than doubled and malware attacks increased “exponentially” during the move to remote work caused by the pandemic.
“The cyber threat to NASA’s computer networks from internet-based intrusions is expanding in scope and frequency, and the success of these intrusions demonstrates the increasingly complex nature of cybersecurity challenges facing the Agency,” the report stated. Those threats, as described in the report, range from coordinated attacks by Chinese hacking groups to a NASA contract employee who installed software on agency computers to mine cryptocurrency.
The OIG report criticized the agency for a “disorganized” approach to information technology management, such as funding redundant services. NASA also prioritizes cybersecurity for some key programs, like the International Space Station, “leaving cybersecurity for other mission systems as a secondary concern.”
The Science Committee leadership, in their letter to the GAO, suggested that their request for a study was also prompted by cybersecurity issues elsewhere in the federal government. “Recent, sophisticated cybersecurity attacks on multiple Federal government systems that went undetected for months underscore the importance of having robust processes in place to manage cybersecurity risks related to NASA’s sensitive data,” they wrote.
That includes what is known as the “SolarWinds” hacking of both government and private-sector computer systems by what cybersecurity analysts believe was a hacking group affiliated with Russian intelligence. Those hackers last year compromised software developed by a company called SolarWinds that handles network management. That gave hackers access to the computer networks of SolarWinds’s customers, including several major companies and federal agencies.
“SolarWinds was a big wakeup call,” said Kathy Lueders, NASA associate administrator for human exploration and operations, when asked about cybersecurity at NASA during a May 25 meeting of the National Academies’ Aeronautics and Space Engineering Board and Space Studies Board.
She didn’t elaborate on specific steps NASA took in the wake of the SolarWinds hack, but emphasized the importance the agency placed on cybersecurity. “This has absolutely been a major focus area for us over the last four to five years.”
One problem is dealing with companies and the use of commercial assets, whose cybersecurity vulnerabilities can become ways to get around NASA’s cybersecurity defenses. “It’s a big worry for us,” she said. “We’ve got to figure out how to be able to do this and protect ourselves, while still being on the cutting edge.”
The letter to the GAO was signed by Reps. Eddie Bernice Johnson (D-Texas) and Frank Lucas (R-Okla.), chair and ranking member, respectively, of the full House Science Committee, and Reps. Don Beyer (D-Va.) and Brian Babin (R-Texas), chair and ranking member, respectively, of the space subcommittee.