As NASA shifts priorities, officials need to keep eye on cybersecurity

Budget request calls for NASA to stop human flight programs, which includes this abort system being tested. NASA

Information security will continue to be a key challenge for NASA if it cancels human flight plans to pursue automated rocketry technologies and other robotic missions, according to computer security specialists.

President Obama's fiscal 2011 budget proposes the space agency drop the $3.5 billion Constellation program intended to return astronauts to the moon by 2020 and instead work with industry to build other technologies, including automated docking and robotic systems.

"I hope that NASA will avoid the temptation of integrating open, Internet communications into these programs," said Lynn McNulty, co-chairman of the government advisory board and outgoing director of government affairs at (ISC)2, an information security certification organization. "This introduces a new complexity of security issues into the NASA risk environment."

The agency has had success at securing previous unmanned missions to other parts of the solar system for many years, he added.

"In place of Constellation, the president's budget funds a redesigned and reinvigorated program that focuses on leveraging advanced technology, international partnerships and commercial capabilities to set the stage for a revitalized human space flight program for the 21st century," the budget states.

The proposal adds $6 billion to NASA's budget during five years to hasten work that had been sidelined while the agency was investing in Constellation. That work includes climate science, environmentally-friendly aviation and education.

Cristina Chaplain, director for acquisition and sourcing management at the Government Accountability Office, told a House panel on Feb. 3 that continuing weaknesses in information technology systems is a key issue the space agency faces, as it undergoes a dramatic change of direction.

During fiscal 2007 and 2008, NASA reported 1,120 security incidents in which malicious software was installed on its systems or intruders accessed sensitive information. Despite a security operations center the agency developed to prevent such episodes, "control vulnerabilities and program shortfalls" increase "the risk of unauthorized access to NASA's sensitive information, as well as inadvertent or deliberate disruption of its system operations," Chaplain's written testimony stated.

Such vulnerabilities make it possible for federal employees or contractors to disclose, alter or destroy sensitive data that could disrupt space missions, she added.

Many space policy professionals said they have not studied NASA's IT security posture, but some said they might start as NASA's new strategy unfolds. Officials at the American Institute of Aeronautics and Astronautics, an association for aerospace professionals, said the organization has not yet closely examined security problems. Nor has the National Space Society, which promotes citizens' interests in space policy. Officials at the Aerospace Industries Association said they are not aware of IT concerns among their constituents.

Officials at the Space Foundation, an advocacy group for all sectors of the industry, said they have been monitoring NASA congressional hearings, including Wednesday's session. "NASA has a lot on its plate and always has, and it has not been adequately funded to do what it needs to do," said foundation spokeswoman Janet Stevens, in trying to ascertain why security is an ongoing weakness for the agency.

In response to GAO's findings, NASA officials said the department is trying to incorporate many of the auditors' recommendations, such as conducting physical risk assessments, comprehensive security testing and deploying an adequate incident detection program.

"The deputy administrator also stated that NASA will continue to mitigate the information security weaknesses identified" by GAO, Chaplain testified. "The actions identified by the deputy administrator, if effectively implemented, will improve the agency's information security program."