NASA has a storied history in space travel and a reputation for astronomic awesomeness, but its efforts in IT – namely securing its networks from cyberthreats – leave much to be desired.
The latest stain in what’s quickly becoming a sullied IT legacy at NASA comes in a reveal by Federal News Radio, citing internal documents and unnamed senior IT officials at NASA. The story suggests NASA’s networks are filled with malware, unpatched for software vulnerabilities perhaps a million times over, and that the relationship between NASA executives and Hewlett Packard Enterprise (formerly Hewlett Packard) is strained beyond repair.
HPE holds a $2.5 billion contract called the Agency Consolidated End-user Services with NASA, in which it provides the space agency and its 10 centers desktop and mobile devices.
The story is worth a read.
A NASA spokeswoman rebuffed many of the claims, but failed to deny some of the most prescient, including whether NASA’s internal systems were actually secure following the government’s cyber sprint – which, of course, was the result of hackers breaching the Office of Personnel Management’s weak security systems.
Yet, for NASA, it’s sadly just the latest chapter for an agency that elevates its mission “to pioneer the future in space exploration, scientific discovery and aeronautics research” above everything else, including IT governance or basic cybersecurity hygiene.
Halfway through the contract’s 4-year base period at the time, the audit stated, “HP is performing poorly under the contract even after taking into consideration the agency's failure to establish sound performance metrics," attributing the statement to top NASA IT officials.
“In light of the criticality of the IT services provided under the ACES contract, NASA's decision on how to move forward will directly affect NASA's more than 17,000 employees and thousands of contractors,” the audit concluded.
The NASA IG audit made a great case for NASA shuttering the contract and starting over, but NASA didn’t listen. While issues with the ACES contract were plainly visible dating back to April 2013 and obviously continued, NASA officials picked up the contract’s first 3-year option anyhow. Not only that, but as the Federal News Radio story notes, NASA paid HPE $35 million “above and beyond” the scope of the contract with essentially nothing to show for it.
The space agency’s IT issues extend beyond cybersecurity and network security or any specific contract.
An IG report in 2013 found the agency’s decentralized approach to IT allowed the agency’s chief information officer control over about 10 percent of its IT budget. The lack of CIO authority meant CIOs couldn’t cancel bad contracts or attempt to usher in promising technologies.
The Federal Information Technology and Acquisition Reform Act, passed by Congress in 2014, was supposed to remedy CIOs’ lack of authority. Yet, over most of 2015, as agencies attempted to implement changes now called for by law, NASA struggled, becoming one of three agencies to earn an “F” in implementation report cards issued by the House Oversight and Government Reform Committee's IT subcommittee.
NASA is routinely among the best places to work in government, but based on its recent IT history, that axiom can’t be true for its IT and cybersecurity staff. And it certainly won’t be true for its C-suite executives and leadership if any portion of their space program is grounded by data-thieving or malicious hackers.