NASA data breach highlights agency cybersecurity problems
WASHINGTON — A cyberattack that may have compromised information about current and former NASA employees is only the latest sign of ongoing information security problems that have plagued the agency for years.
In a Dec. 18 memo to NASA employees, Bob Gibbs, assistant administrator for the office of human capital management, said that the agency was investigating a “possible compromise” of NASA servers first detected in October. Those servers, he said, stored personally identifiable information about NASA personnel, including Social Security numbers. The memo was first published by NASA Watch.
“NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals,” Gibbs wrote, saying that process would take time. “The ongoing investigation is a top agency priority, with senior leadership actively involved.”
The scope of the data breach is unclear, but Gibbs said in the memo it could affect both current NASA civil servants as well as those who joined or left the agency, or transferred between centers, as far back as July 2006. He said that when it knows who has been affected, NASA will contact them to provide more information including providing identity protection services. Systems related to the operation of NASA missions were not compromised, he added.
“Our entire leadership team takes the protection of personal information very seriously,” Gibbs wrote. “Information security remains a top priority for NASA.”
However, NASA’s cybersecurity efforts have been criticized for years by its own Office of Inspector General (OIG), who has noted in a series of reports shortfalls in overall information technology (IT) management as well as security issues in particular.
“Through its audits, the OIG has identified systemic and recurring weaknesses in NASA’s IT security program that adversely affect the Agency’s ability to protect the information and information systems vital to its mission,” the office stated in its latest semi-annual report, dated Oct. 31.
In May, the office published an audit of NASA’s Security Operations Center (SOC), a facility at the Ames Research Center in California established in 2008 to deal with security threats to NASA IT systems. That audit found several problems with the center, ranging from high management turnover to a lack of formal authority to manage information security issues for some parts of the agency.
“Since its inception a decade ago, the SOC has fallen short of its original intent to serve as NASA’s cybersecurity nerve center,” the inspector general concluded in its report. “In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities.”
NASA concurred with the report’s recommendations, such as creating a formal charter for the center and changing the structure of the contract for the center. In most cases, though, NASA did not estimate completing their implementation until some time next year.
An October 2017 report by the inspector general on overall IT management issues at the agency also raised concerns, citing limited insight by NASA’s Office of the Chief Information Officer into agency IT systems that are funded and managed primarily by field centers and mission directorates. “This lack of authority and visibility over the majority of the IT budget limits the Agency’s ability to consolidate IT expenditures, realize cost savings, and drive improvements in the delivery of IT services,” that report concluded.
Those problems extended to cybersecurity. “Lingering confusion about security roles coupled with poor IT inventory practices continues to negatively impact NASA’s security posture,” that report stated.
The 2017 report recommended, among other issues, that NASA give the official responsible for cybersecurity at the agency, formally known as the Senior Agency Information Security Officer (SAISO), more authority to manage IT security for systems run by centers and mission directorates.
NASA only partially agreed with that recommendation, stating that it “disagrees that dispersed responsibilities implicitly weaken the SAISO position” who, it argued, “has full authority over NASA’s cybersecurity.”