NASA systems and data vulnerable to hackers, malicious employees

Some centers did not always restrict access to sensitive files and information, putting space missions at risk, GAO reports.

NASA networks contain security weaknesses that open up highly sensitive personal and scientific data to hackers, possibly affecting space missions, federal auditors said.

The Government Accountability Office, in a report released on Thursday, found that NASA centers failed to restrict system access to only legitimate users. The NASA centers that GAO audited also had not applied a critical patch for a known bug in a number of third-party applications, and the agency's e-mail systems allowed file attachments that could be harmful.

"As a result, increased risk exists that an attacker could exploit known vulnerabilities in these applications to execute malicious code and gain control of or compromise a system," the report states.

The number of malicious code attacks -- 839 -- that NASA reported for fiscal 2007-2008 was the highest of any federal agency, accounting for more than a quarter of the total attacks directed at agencies during that period. "NASA's high profile makes the agency an attractive target for hackers seeking recognition, or for nation-state sponsored cyber spying," GAO added.

Following a request from congressional committees, GAO examined several NASA facilities between November 2008 and October 2009 to evaluate the adequacy of the space agency's information security controls that protect networks supporting the agency's missions, such as exploration systems and space operations.

Three centers the audit agency assessed did not always restrict access to sensitive files or prevent improper remote access. Therefore, networks were at a higher risk of allowing users to "gain inappropriate access to computer resources, circumvent security controls, and deliberately or inadvertently read, modify or delete critical mission information," GAO officials stated.

Separately, NASA acknowledged that one facility reported the theft of a laptop containing data subject to International Traffic in Arms Regulations, which cover permanent and temporary export, as well as temporary import of defense articles and services. In February, the department found that 82 NASA devices had been communicating with a malicious server, most likely in Ukraine, since January.

The specific vulnerabilities that GAO identified include a lack of effective passwords, a lack of encryption of sensitive data, and inadequate monitoring of security-relevant events and physical security. Two centers did not require users to create long passwords, and users did not need any password at all to access certain network devices. In addition, stored passwords were not encrypted.

"A malicious individual could guess or otherwise obtain user identification and passwords to gain network access to NASA systems and sensitive data," auditors stated.

The Jet Propulsion Laboratory in Pasadena, Calif., a contractor-operated facility supporting NASA's efforts to explore the Moon and Mars, did not require contractors to deploy major parts of NASA's information security program. And the contract does not cite the oversight roles of the agency's administrator, chief information officer or senior agency information security officer.

"NASA faces a range of risks from contractors and other users with privileged access to NASA's systems . . . since contractors that provide users with privileged access to agency/entity systems, applications and data can introduce risks to their information and information systems," the report states.

The California lab taps into the so-called Deep Space Network, which provides critical communications and tracking for multiple spacecraft through a network of radio antennae in California, Spain and Australia, ensuring that most spacecraft have an antenna facing them as the Earth turns.

GAO recommended NASA follow several steps to tighten controls and deploy a comprehensive information security program. In response to a draft of the report, NASA officials said they agreed with the recommendations and are working to mitigate weaknesses.

"While NASA generally concurs with the GAO recommendations, I would like to note that many of the recommendations are currently being implemented as part of an ongoing strategic effort to improve information security management and IT security program deficiencies," NASA Deputy Administrator Lori Garver wrote in a letter to GAO. "The ubiquitous use and reliance on IT at NASA," mixed with rapidly changing new technologies, make the "timeline for improving IT management and security a complex, multiphase and multiyear undertaking."

Rep. Bart Gordon, D-Tenn., chairman of the House Science and Technology Committee, which asked for the audit, said in a statement, "The committee takes this issue very seriously. . . . We have already held three hearings on cybersecurity this year and are in the process of moving cybersecurity legislation. However, regulation and legislation alone will not suffice. Agencies and departments must follow through with corrective actions to mitigate identified vulnerabilities."