Stolen NASA laptop had Space Station control codes
And no encryption for supervillains to crack
A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee.
NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was stolen in March 2011, which "resulted in the loss of the algorithms used to command and control the ISS".
Martin also admitted that 48 different agency laptops or mobile devices had been lost or stolen between April 2009 and April 2011 (that NASA knows of). The kit contained sensitive data including third-party intellectual property and social security numbers as well as data on NASA's Constellation and Orion programmes.
The actual number of missing machines could be much higher, because the agency relied on staff to 'fess up when their notebooks were lost or stolen and admit what information was on them.
"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," Martin told the Subcommittee on Investigations and Oversight.
The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues, but the government might want to remember that its own cybersecurity has had "mixed success".
"Many of the technologies developed and utilised by NASA are just as useful for military purposes as they are for civil space applications. While our nation’s defense and intelligence communities guard the ‘front door’ and prevent network intrusions that could steal or corrupt sensitive information, NASA could essentially become an unlocked ‘back door’ without persistent vigilance," warned Subcommittee chairman Paul Broun.
As well as facing the continuous disappearance of unencrypted staff laptops, NASA is also subject to increasingly sophisticated cyber attacks, Martin told the hearing.
"In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems," he said.
"These incidents spanned a wide continuum: from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives."
He said the intrusions had disrupted mission operations, had resulted in the theft of sensitive data and had cost the agency more than $7m.
Chairman Broun said that since the inspector general's last report on IT security at NASA, the agency had taken steps to follow the IG's recommendations, but said it still needed to do more.
“Despite this progress, the threat to NASA’s information security is persistent, and ever changing. Unless NASA is able to constantly adapt – their data, systems, and operations will continue to be endangered," he said. ®