NASA centers fail to report cyberattacks

NASA's inspector general told a Senate subcommittee last week that parts of the agency are failing when it comes to fending off and reporting hacker attacks, leaving the agency vulnerable to people who would steal or alter sensitive data.

Roberta Gross, IG for the agency, told the Senate Science, Technology and Space Subcommittee that simple actions - such as recruiting more workers who are attuned to information security issues and making sure NASA centers use the latest software security patches - can go a long way toward making the agency's networks more secure.

But she said broader problems, such as failures by NASA centers to report cyberattacks, remain an obstacle to better oversight of information security. Moreover, she said an internal NASA organization - NASA's Automated Systems Incident Response Capability (NASIRC) - must improve its performance. "That [organization] has not been performing adequately," she said. Gross added that her office next month will issue a report on NASIRC's performance.

Gross' criticism comes in the wake of a recent cyberattack on two NASA centers. She confirmed to FCW that the attacks occurred in the past month, but she declined to reveal which NASA centers had been attacked or any details of the attack. Gross also told FCW that her office had not fully analyzed the attacks to determine the amount of damage they may have caused or how they might have been prevented.

She said NASA centers did not report the two recent cyberattacks to her office. Rather, staff members in her office learned about the attacks through "other ways," which she did not identify. She said alerting top NASA officials of attacks is one of the "low-cost, free things" that NASA centers can do to help leaders defend against and prevent attacks.

Gross told senators Thursday that keeping NASA leaders, including those in the IG's office, informed of cyberattacks is important because of the agency's decentralized nature. NASA is made up of several centers.

"This multiple-center approach leads to serious coordination problems, diminishes corporate oversight and leaves NASA partners more vulnerable," she said. "NASA is a vulnerable target because it depends heavily on IT and the Internet to support the operations it conducts at its field centers and other facilities across the United States and abroad."

Subcommittee chairman Sen. Bill Frist (R-Tenn.) agreed. "In many ways [NASA's dependence on the Internet] does invite potential internal abuse and external abuse," he said.

Cathy Cromley, director of federal marketing for Secure Computing Corp., stressed the importance of sharing information when systems are abused or hacked. "In not sharing information internally, NASA and the government as a whole cannot benefit from lessons learned," she said.

Keith Cowing, editor of NASA Watch, an independent World Wide Web site, said NASA's security problems stem from inconsistencies at the agency. "Despite all the arm-waving and so forth, they've never really had a consistent [information security] policy," he said.

According to Cowing, NASA has to struggle to balance the public's interest in accessing NASA information via the Web with protecting sensitive information. "It again goes back to the chief information officers at each respective center having different policies," he said. "Some centers just seem to go out of their way to make things public."

