NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008, according to a report issued Thursday by the Government Accountability Office. And, the GAO reports, National Aeronautics and Space Administration systems remain vulnerable despite the establishment of a security operation center last year to deter such incidents.
"The control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations and services," wrote Gregory Wilshusen, GAO's information security issues director, in a report cosigned by GAO Chief Technologist Nabajyoti Barkakati. "They make it possible for intruders, as well as government and contractor employees, to bypass or disable computer access controls and undertake a wide variety of inappropriate or malicious acts. As a result, increased and unnecessary risk exists that sensitive information is subject to unauthorized disclosure, modification, and destruction and that mission operations could be disrupted."
GAO cited a NASA report that said the number of malicious code attacks - 839 - was the highest experienced by any of the federal agencies and accounted for more than one-quarter of the total number of malicious code attacks directed at federal agencies in 2007 and 2008.
GAO cited an official at the U.S.-CERT as saying NASA's high profile makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying.
GAO has performed an invaluable service to NASA by identifying weaknesses and recommending needed improvements."
Congressional investigators cited a number of security incidents to illustrate NASA's IT system vulnerabilities, including some this year in which the space agency reported unauthorized access to sensitive data. According to GAO:
One center reported the theft of a laptop containing data subject to International Traffic in Arms Regulations. Stolen data included roughly 3,000 files of unencrypted International Traffic in Arms Regulations data with information for Hypersonic Wind Tunnel testing for the X-51 scramjet project and possibly personally identifiable information.
Another center reported the theft of a laptop containing thermal models, review documentation, test plans, test reports, and requirements documents pertaining to NASA's Lunar Reconnaissance Orbiter and James Webb Space Telescope projects. The incident report does not indicate whether this lost data was unencrypted or encrypted or how the incident was resolved.
"Significantly," GAO said, "these were not isolated incidents, since NASA reported 209 incidents of unauthorized access to U.S.-CERT during fiscal years 2007 and 2008."