Is it really easy to hack NASA computers?

A NASA official recently stated that a stolen laptop contained algorithms used to control the International Space Station. This incident is one of many breaches of NASA's security that have occurred over the past two years.

NASA/Reuters
Nighttime view from the International Space Station shows the Atlantic coast of the United States. NASA recently admitted that the algorithms used to control the station were leaked through a stolen laptop.

Speaking before Congress on Wednesday, NASA's Inspector General admitted that an unencrypted laptop that was stolen last year contained codes for controlling the International Space Station.

This isn't the first report of a NASA device, such as a cell phone or a laptop, being compromised. Between 2009 and 2011 the agency reported the loss or theft of 48 devices, some of which housed personal employee information along with proprietary technical details and important financial data.

Yet this is only a small part of a much larger problem that has been troubling NASA for the past two years.

Last week, the investigative panel of the House Committee on Science, Space and Technology held a hearing to examine NASA's exposure to cyberattacks and information theft. In a written statement to the committee, NASA's Inspector General, Paul K. Martin, told the panel that between 2010 and 2011, "NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its systems."

It's difficult to measure NASA's data security problems against those of other federal agencies. "NASA OIG is the only Office of Inspector General that regularly conducts international network intrusion cases," read Martin's statement. "[T]his fact could skew perceptions with regard to NASA’s relative rate of significant intrusion events compared to other agencies."

NASA is taking steps to guard its data, a task that is not proving easy. Perhaps the most fundamental impediment to NASA's security upgrade is the sheer size of the agency. Information in NASA is constantly cycling around 550 individual networks that span the globe. Hundreds of thousands of people, including NASA personnel, contractors, academics, and members of the public, access and communicate through these networks.

NASA spends over $1.5 billion on information technology each year, $58 million of which is allotted for security.

The official charged with overseeing the activity of these networks – Chief Information Officer Linda Y. Cureton – lacks access to key information about it. What's worse, when the CIO does identify a problem, she does not always have the proper authority to deal with it.

NASA currently monitors its networks with a "snap-shot" model, where updates on security are only given every so often, much like a baby monitor that broadcasts only for a few minutes each hour. The time between updates is a window of opportunity for potential hackers. For years, NASA has been trying to adopt a continuous security model.

The loss or theft of NASA's mobile devices would not be such a threat to security if the agency knew what sensitive information was stored on them and if the devices were encrypted. During the hearing, Martin stated that 99% of these devices were not.

These many problems have rendered NASA vulnerable to much more serious threats, such as large-scale, sophisticated cyber-attacks.

"The individuals or nations behind these attacks are typically well organized and well funded and often target high profile organizations like NASA," Martin said. There were 47 such attacks on NASA in 2011, 13 of which were successful. During one attack, intruders acquired the credentials of 150 employees who had access to NASA's systems. In another, attackers operating from a China-based IP address gained access to key systems of the Jet Propulsion Laboratory and high-profile user accounts. "In other words," said Martin, "the attackers had full functional control over these networks."

NASA's internal investigations have suggested that the sophistication of cyber-attacks is increasing. Some have even involved large foreign companies and underground internet-service providers. The recent spate of thefts and intrusions seems to demonstrate that online criminals have begun to see NASA's vulnerabilities as opportunities.

[Editor's note: Due to an editing error, a draft version of this story was posted. It has since been replaced with the edited version.]
