NASA security is so bad they lost controls to the space station; why is no one fired?
Successful breaches range from one-time hacks to long-term foreign intelligence spy-ins
If you were a thriller-movie evil genius who wanted to take over the world by threatening to destroy it using secret superweapons based in an ultracool, visually arresting but still unassailable superfortress, what would your first step be?
You'd look for a really cost-efficient way to achieve that goal. (Evil is very budget-conscious, especially after spending so much on hideouts under extinct volcanoes, in the Arctic, under the ocean and in other inaccessible places – hideouts that were blown up one sequel after another, leaving the Organization for Evil underwater [ahem] on its elaborate-lair mortgages.)
You want cost-effective? You don't build your own superfancy superfortress, you steal one built by someone else.
One like, say, the International Space Station, built by the U.S. and a host of other countries for reasons that emphasize scientific advancement and peaceful cooperation (they were all too broke to build one themselves).
Security on an international scientific and military space base would be a huge issue. The door is sure to be locked.
So you would steal the key. From NASA. It should be easy.
NASA pwned so bad it doesn't know how bad it's pwned
In March, 2011, a laptop containing the algorithms to unlock control systems on the ISS and control the spacecraft was stolen – one of 5,408 computer security lapses, many of which may have been sponsored by foreign intelligence services, according to a report on NASA security given to Congress yesterday by Paul Martin, NASA's Inspector General.
Poor security cost NASA $7 million in lost mission preparedness and the loss of restricted data on during 2010 and 2011 but still suffered far too many breaches of its data security, some of which put both national security and the individual security of NASA employees at risk, Martin told the House committee on Science, Space and Technology.
The 5,408 incidents counted only successful attempts to hack or install malicious software on NASA systems.
One good reason was that only 62 percent of NASA servers were monitored to identify the kind of technical flaw on which most hacking exploits are based; only 24 percent were monitored to make sure all their patches were up to date.
Within the thousands of successful penetrations were 47 long-term malware-enabled attacks specifically designed to remain undetected while using illicit access to steal sensitive data, Martin told the House.
Thirteen of those succeeded in penetrating NASA servers, in one case allowing hackers to steal credentials and personally identifiable information on 150 NASA employees – data that could be used to create fake real or digital IDs that would allow more intruders access to NASA's systems, Martin's report said.
One attack on NASA's Jet Propulsion Laboratory that was launched from an IP address in China, "gained full access to key JPL systems and sensitive user accounts. The attackers had full functional control over these networks," Martin's report said.
Martin didn't quantify the ultimate impact of the lost data on national security, but did say NASA is slipshod in many of its security procedures.
Particularly egregious is NASA's habit of throwing old hard drives away in dumpsters without erasing them and allowing 48 unencrypted mobile devices containing potentially sensitive data to be lost or stolen from NASA employees.
NASA IT infrastructure is playground for supervillain superschemes
Between losing control of the networks at JPL and paractically giving away the keys to the International Space Station, NASA is just asking to be taken over and used as the weapon in a world-destroying evil plan featuring any number of live-action and animated supervillians in everything from "James Bond" to "X-men" to "Mission Impossible" to "Oceans One Billion" (the Chinese version of the George Clooney/Brad Pitt "Oceans" franchise).
None of which is actually that funny, however ridiculous it seems to lose the codes that would let a single superspy sneak on board a space station and take it over.
The point Martin was making is that NASA cares very little about security and does it very badly, despite its incredibly high international visibility, the sensitivity of much of the data in its systems and the tight links to U.S. military systems intruders could use to build on their successes.
The laptop stolen laptop and the ISS coded it contained, for example, were completely unencrypted, which is like labeling each of the keys on your ring to make illicit entry more convenient for the burglar who finds them.
NASA's IT Security vision "calls for integrated, secure and efficient information technology … Over the next three to five years the objectives of the vision include the ability to improve NASA's capability to predict, prevent and effectively contain potential IT security incidents," NASA CIO Linda Cureton told Congress in her own written testimony, which appears to be simultaneously claiming NASA already did all the security enhancing things the Inspector General's office recommended and that NASA was about to launch changes specifically to answer those recommendations.
Neither way matters much.
If NASA has already done all the things OIG thinks it should, it did them badly enough to not even be able to slow the Chinese down.
If it is about to do those things it at least recognizes it has been slipshod in its approach to security in the past.
The whole U.S. government has a well-deserved reputation for being really bad at IT security. Even the U.S. military is pretty bad at it. It doesn't serve much purpose to keep bashing federal agencies for not having the budgets or political will to fix their own security weaknesses. Security is secondary to what they do, which isn't an excuse, but is a mitigating factor.
NASA and the Pentagon, on the other hand, depend so heavily on IT, on digital data, on computer-controlled complex systems, robots, satellites and other cutting-edge technology that the technology and the IT security that protects it, has to be considered a core competency. Doing it badly directly affects the ability of the whole organization to fulfill its mission.
Potentially losing control of the International Space Station could put a huge trophy in the hands of a foreign government. It could also become a death trap for astronauts and a kinetic-energy bomb for anyone able to remotely shut off its environmental systems, open its doors or maneuver it into crashing into the Earth.
That doesn't make losing the keys any more colorful as the point of an anecdote; it makes losing them a lot less funny to anyone who worries about the destructive capacity of anything falling 250 miles to Earth.
Doing IT security so badly for so long, especially when you absolutely know better and don't even question the need to keep all your sensitive data safe from foreign intelligence services, means something far more damning for NASA than it would for the Dept. of Labor.
At NASA poor security isn't a joke, it's a threat to national security
NASA gets a pass from many people for its occasional flubs, because it's doing more exciting and innovative things than any other agency of the federal government.
If it were doing those things in a way that made its astronauts or the general public unsafe, NASA would be loudly and instantly criticized.
Poor IT security is one of the things that make both astronauts and the general public unsafe by raising the risk there will be (or someone will cause) a catastrophic accident, or someone who penetrated NASA and sat around for months looking for interesting data to steal uses that data to build systems of its own to outshine or outshoot the Americans in their own area of strength.
Losing the control codes to the ISS is funny and ironic in a slightly painful, shamefaced way.
Losing control of NASA is a crime – one with global implications and no mitigating circumstances.
It's one that has to be fixed immediately by IT and security people other than those responsible for getting NASA into the fix it's already in.
They should be fired and escorted off the property. It will improve NASA's security, and the IT people who are dismissed will be able to get jobs easily, probably as uniformed minions building complex automation systems with self-destruct capability in the caldera of an extinct volcano.
I'm sure the pay is good.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.