WASHINGTON — A shift to remote working caused by the coronavirus pandemic has created new cybersecurity challenges for NASA, agency officials said at a Sept. 18 House hearing.
NASA effectively closed all its field centers in March, limiting access to essential employees. While NASA has since allowed some more personnel to return to work on site, such as those that need to work on mission-critical systems that cannot be done remotely, the vast majority of agency employees continue to work remotely and are expected to do so for months to come.
That has had a major impact on NASA’s information technology (IT) systems. “During the pandemic, the demands and expectations placed on NASA’s IT infrastructure have been incredibly high,” said Jeff Seaton, NASA’s acting chief information officer (CIO), during a hearing of the House space subcommittee on NASA cybersecurity issues.
He noted that, at times during the pandemic, 90% of employees were teleworking. Use of the agency’s virtual private network system, which provides secure access to NASA IT systems for remote users, increased from a pre-pandemic peak of 12,000 users a day to nearly 40,000 a day now.
That increase in remote work poses cybersecurity issues for an agency that has long struggled to adequately secure its networks from attacks from both nation-states and individuals. Paul Martin, NASA inspector general, noted at the hearing that his office has released 16 audit reports with 72 recommendations addressing cybersecurity and related issues in the last five years.
The pandemic, and increased use of remote work, has exacerbated those problems. “During this period, NASA has experienced an uptick in cyber threats,” Martin said, such as a doubling in “phishing” attempts, or forged emails that attempt to make recipients reveal passwords or other sensitive information to enable cyberattacks.
Employees not used to teleworking, and also dealing with other stresses created by the pandemic, can be particularly vulnerable to such attacks. “Novice users and novice experiences create vulnerabilities,” said Diana Burley, vice provost for research at American University. “Employees are working under duress. COVID-19 continues to drive economic instability, health-related concerns, anxiety and confusion. Employees are worried about meeting their basic needs and are less likely to attend to seemingly lower priorities like cybersecurity.”
These new problems come amid long-running issues about the agency’s approach to cybersecurity and IT in general. “Our concerns with NASA IT governance and security are wide-ranging and long-standing,” Martin said. “For more than two decades, NASA has struggled to implement an effective IT governance structure that aligns authority and responsibility commensurate with the agency’s overall mission.”
That includes, he said, the “decentralized nature” of IT governance where the individual field centers have wide latitude regarding IT infrastructure and security with limited control by the agency’s CIO. NASA also allowed employees to connect their personal devices, such as computer and smartphones, to internal networks.
Seaton, who became acting CIO after the retirement of Renee Wynn in April, said NASA has been taking steps to address governance and security issues. NASA only allows personal devices on the network if they have special software installed to enable secure access. “For almost a decade now, we’ve been working to integrate and operate as a cohesive unit,” he said of the agency’s IT management.
Martin agreed NASA had made some progress. “Overall, I think they’re making incremental improvement. They’re heading in the right direction,” he said. “I think we’re very, very cautiously optimistic.”
The hearing came two weeks after the White House issued Space Policy Directive 5, which covers space-related cybersecurity issues and outlines best practices for agencies to follow. Seaton said NASA was still reviewing the directive, but did not see any major issues with it. “The good news is that we see a lot of consistency with best practices that we are already implementing.”
“It sounds like NASA is making progress, but that, as the authorizing committee, we want to ensure that you have sufficient authorities and funding capabilities to have strong cybersecurity practices and protocols in place,” Rep. Kendra Horn (D-Okla.), chair of the subcommittee, said at the end of the hearing.
That hearing took place virtually, with members and witnesses participating by videoconference from their offices or homes. That went smoothly, although Rep. Brian Babin (R-Texas), ranking member of the subcommittee, initially had problems connecting. “We have three computers here. We couldn’t get on,” he said. “I got on with my telephone. Any way we can do it.”