NASA Officials Detail Cybersecurity Breaches

A laptop stolen from NASA last year was unencrypted and contained command and control codes for the international space station, the agency’s inspector general told a congressional panel Feb. 29.

In testimony before the House Science, Space and Technology investigations and oversight subcommittee, NASA Inspector General Paul K. Martin said the notebook computer stolen in March 2011 “resulted in the loss of the algorithms” used to control the space station. This particular laptop, Martin said, was one of 48 NASA notebooks and mobile devices stolen between April 2009 and April 2011.

Some of these thefts resulted in the leak of sensitive data “including export-controlled, personally identifiable information, and third-party intellectual property,” as well as Social Security numbers and data on NASA’s Constellation and Orion programs, Martin said.

The actual number of stolen and compromised devices could be higher because NASA relies on employees to report incidents.

In 2011, NASA was the target of 47 advanced persistent threats, 13 of which successfully compromised NASA computers, according to Martin.

These attacks were among 5,408 incidents in 2010 and 2011 that resulted in unauthorized intrusions or malware being planted on NASA systems and cost the agency an estimated $7 million.

“These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives,” Martin said.

One of these “skill-testing” hacks involved a 20-year-old Romanian hacker who tapped into a server at NASA’s Goddard Space Flight Center in April.

“Some of these intrusions have affected thousands of NASA computers, caused significant disruptions to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data,” Martin testified.

As of Feb. 1, only 1 percent of NASA portable devices and laptops had been encrypted.

“Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,” Martin said.

NASA Chief Information Officer Linda Cureton said the agency has taken “aggressive action” over the past year to address the cybersecurity shortcomings identified by the NASA inspector general.