The US space agency had 5,408 IT security ‘incidents’ in 2010 and 2011
Testimony delivered to the US House Committee on Science, Space, and Technology yesterday revealed that in March 2011 an unencrypted NASA notebook computer was stolen, resulting in “the loss of the algorithms used to command and control the International Space Station”.
The theft, documented in a report by NASA Inspector General Paul K. Martin, was one of several thousand breaches in IT security over the last two years.
NASA under fire
In his address, Martin established the five key IT challenges facing the US agency, including the shift to cloud computing and the slow rate of encryption for NASA laptops and mobile devices. For the latter issue, he highlighted that only one per cent of NASA’s mobile devices and laptops were encrypted compared to the Government-wide average of 54 per cent.
He notes that between April 2009 and April 2011, 48 devices were declared as lost or stolen within the agency, including the laptop containing the ISS data, which was reported in March 2011. Martin added: “Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programs.”
Other sensitive data was also leaked due to a lack of standardised IT security controls. Excess shuttle IT equipment, including computers and hard drives, has to be put through ‘sanitization testing’ before it can be sold or prepared for sale to the public. The report notes that one NASA centre released 10 computers that failed testing and may have contained sensitive information, while another four were confiscated by auditors as they were being prepared for sale.
Between 2010 and 2011, NASA reported 5,408 instances where unauthorised access was granted to sensitive computers or where malware was installed.
“These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives,” Martin said.
NASA said that such attacks affected thousands of computers and estimates the cost of damage to be around $7 million (£4.4m). While Martin reports that the agency is a “target rich” environment for attacks, he also mentions that it is the only one in the US government to regularly conduct intrusion investigations. NASA currently spends $1.5 billion (£940m) on IT annually, with $58 million (£36m) going towards security.
Due to NASA’s status as a “target rich” environment, it has become the focus of Advanced Persistent Threats (APTs). The report states that in the 2011 financial year, the agency was the victim of 47 APTs, of which 13 successfully gained access, stole data, modified sensitive information and/or uploaded hacking tools.
Among the attackers, various Chinese IP addresses were identified and, last November, six Estonians and a Russian were indicted as part of an FBI investigation concerning an international fraud scheme in which 135 NASA systems were affected.