Congress Questions NASA on Cybersecurity EffortsSpace Agency Still a Prime Target for Hackers, Officials Say
Foreign and domestic hacking activity targeting the National Aeronautics and Space Administration, better known as NASA, continues to grow at a time when many staffers are working at home, space agency officials testified at a Friday congressional hearing where they were questioned about risk mitigation efforts.
In her opening remarks, Rep. Kendra Horn, D-Okla., chair of the House Science, Space and Technology Committee’s Subcommittee on Space and Aeronautics, pointed to a warning that former NASA CIO Renee Wynn issued in April about increases in hacking attempts that have targeted the agency since the COVID-19 pandemic led to a shift to staff members working at home (see: NASA: At-Home Workers Targeted by Hackers). At least 75% of NASA's civilian employees are now working from home, she said.
"Protecting NASA's IT and data during the pandemic demands vigilance," Horn said at the virtual hearing Friday. "However, NASA's cybersecurity challenges don’t begin and end with the COVID crisis. Multiple NASA [inspector general] and [Government Accountability Office] reports have identified weaknesses and ongoing concerns with NASA's information security. Further, they have ranked the issue as a top agency challenge."
One of those inspector general's reports, released in June, found that NASA continues to struggle with implementing agencywide cybersecurity policies despite spending about $2.3 billion on IT, networking and security technology in 2019 (see: NASA Still Struggling With Agency-Wide Cybersecurity Program).
More Hacking Attempts
NASA Inspector General Paul Martin testified at the hearing about the continuing surge in hacking attempts by nation-state threat actors as well as domestic hackers.
NASA’s treasure trove of intellectual property makes the agency a prime target, and with staff working remotely, hackers are intensifying their efforts, he said.
"NASA has vast troves of intellectual information capital that it has spent decades amassing. I think country actors are after that information - the innovations that NASA is so famous for around the world," Martin testified.
Martin noted that China is suspected of attempting to steal NASA data and intellectual property as well as personally identifiable information of employees.
"NASA is taking steps to secure its intellectual property and its networks from attacks both from China and from a series of other countries and also local hackers," Martin noted. "We have conducted a series of criminal investigations, and we work with the FBI and counterintelligence officials when we get leads on these issues."
While Martin did not reveal how many attacks have targeted NASA over the last six months, he noted that his office has conducted at least 120 investigations into various intrusions, distributed denial-of-service attacks and data breaches at the agency over the last five years.
Martin also noted that NASA has a "decentralized" culture, which makes implementing IT and security standards difficult. He said the space agency sometimes struggles with implementing agencywide standards and ensuring that all employees follow those rules.
"Our concerns with NASA IT governance and security are wide-ranging and long-standing," Martin said. "For more than two decades, NASA has struggled to implement an effective IT governance structure that aligns authority and responsibility commensurate with the agency’s overall mission."
Strains on Resources
Jeff Seaton, the acting CIO of NASA, testified that the stress placed on the agency's infrastructure during the pandemic has been exceptionally high. Pre-pandemic, about 12,000 employees each day attempted to connect to NASA's networks through VPNs; now, that number has increased to 40,000.
Seaton noted that NASA employees and contractors are also relying more on personal devices, such as laptops and smartphones, to help them complete their work. This has led to an increase in phishing attacks, with hackers looking for easy ways into the agency's network.
The acting CIO pointed out that NASA has recently enforced rules against using personal laptops for agency work and required employees and contractors to use mobile device management software when using personal smartphones for work purposes.
On Sept. 4, the White House issued Space Policy Directive 5, a directive that provides guidelines and practices for NASA and its partners to protect their satellite and ancillary systems and programs from cyberthreats.
NASA expects to carry out all those guidelines and practices soon, Seaton said. "The good news is that we see a lot of consistency with best practices that we are already implementing.”
Last week, the Justice Department announced that three Iranian nationals have been indicted on charges of hacking both satellite companies and aerospace firms (see: 3 Iranian Hackers Charged With Targeting US Satellite Firms).