Expert: NASA’s Cybersecurity Flaws Leave Agency Exposed to International Threats

IG: Agency Tasked With Providing IT Security Was Ineffective For A Full Decade

A recent audit of cybersecurity management for the National Aeronautics and Space Administration (NASA) strongly criticized the agency for a lack of progress over the last decade in improving cybersecurity, leaving many assets of the space agency open to attack.

The audit highlighted a lack of internal cooperation when concluding that the agency's Security Operations Center (SOC), the main sub-agency tasked with providing cybersecurity throughout all of NASA, "lacks the key structural building blocks to effectively meet its IT security responsibilities."

"The SOC lacks authority to manage information security incident detection and remediation for the entirety of NASA's IT infrastructure," the audit found. As a result, "these shortcomings limit the SOC's capacity to effectively respond to cyberattacks and proactively protect NASA's IT assets."

NASA created the SOC in 2008 to provide computer security incident detection and response within a single sub-agency. Prior to that, many of the sub-agencies within NASA were responsible for their own cybersecurity, which created information silo problems.

The report did not point to any specific foreign powers or actors as threats, but Michael Listner, an attorney and the founder of the Space Law & Policy Solutions think tank, said the public and the Trump administration should view this audit at least partially through an international lens.

"We all know there's a current ban on any direct participation with China in outer space activities, and that's primarily because we don't want them to acquire our technology through the use of cooperation [exercises]," Listner said. "We all know that China's heavy into espionage, and these vulnerabilities could imply that there's a potential that China—if [NASA] doesn't get these fixed—China could exploit those and garner more information from our civilian space program."

"The rapidly evolving threat landscape against our IT systems and data requires constant diligence, and we recognize we still have opportunities for improvement," said Sean Potter, a media relations specialist with NASA. "Protecting, upgrading, and improving management of the IT infrastructure is and will remain a top agency priority."

As an example of how damaging a cyberattack could be, the IG's report pointed to the 2015 cyber theft of the personal information of millions of current, former, and prospective employees of the federal government from the Office of Personnel Management.

More relevant to the agency, but not mentioned in the audits, are reports from 2016 that alleged NASA's IT systems were riddled with malware, and software patches intended for the problem were inadequate and out of date.

The Inspector General reiterated several times that although the SOC was created a decade ago, little progress has been made towards centralizing IT security throughout the agency as was originally intended. And the audit said both the NASA IG's office and the Government Accountability Office have been warning about a lack of IT security for some time.

For example, a 2013 audit said, "For over 2 decades, NASA has struggled to implement an effective IT governance approach that appropriately aligns authority and responsibility commensurate with the Agency's overall mission."

The key recommendation from the current report suggests the many divisions within NASA sign charter agreements, which would address the SOC's "purpose, authority, and responsibilities." NASA officials agreed with the recommendation and said they hoped to have those agreements finalized by late September of this year.

The vulnerabilities could be all the more salient after the Washington Free Beacon reported last week that Congress is ordering the Pentagon to begin building "space-based missile interceptors," as a response to growing military threats from North Korea, Iran, and other nations.

While NASA and the Department of Defense are separate entities, there would also naturally be some information sharing between the two.

"Cape Canaveral is actually a DOD facility; it's run by the Air Force," Listner noted.

"But NASA uses the facilities for its purposes. And even though NASA isn't affiliated with the DOD, they have relationships. So chances are, their systems are at some point shaking hands. And if there's a vulnerability in one NASA computer, that might open up a vulnerability to the DOD."

Just over a month ago, Jim Bridenstine was sworn in as NASA's new administrator; Listner said he could push the agency to shore up some of the IT weaknesses identified.