
Yet Another NASA IT Blunder

By Keith Cowing
NASA Watch
November 13, 2012

Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII)
“On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.”
Keith’s note: Look at the links below from the past several years. When things like this happen again and again you have to wonder whether the people entrusted with sensitive information – and/or the people who manage these individuals – are required to exhibit common sense in the performance of their duties. For that matter, you have to wonder if the people running NASA’s IT security actually know what they are doing. This advisory contains “changes and clarifications in NASA policy”. How many times do things like this have to happen before NASA finally figures out how to fix this obvious problem? Why was information like this on a laptop to begin with?
Let’s just hope this laptop doesn’t contain any inappropriate emails to U.S. Army soccer moms or socialites …
Stolen KSC Laptop Has Employee Personal Info On It (Update), earlier post
NASA IT Security is a Mess – Stolen Laptops and Hacking JPL, earlier post
OIG: NASA Information Security Does Not Fully Meet DHS Requirements, earlier post
NASA OIG: Facilities and Spacecraft Vulnerable to Attack, earlier post
OIG Finds Problems in NASA IT Management and Implementation, earlier post
NASA OIG: Audit of Cybersecurity Oversight of [A NASA] System, earlier post
GAO Cites Ongoing NASA IT Security Vulnerabilities, earlier post

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

11 responses to “Yet Another NASA IT Blunder”

  1. smsalem says:

    Actually, one has to wonder if NASA employees are no being targeted and tailed for computer theft.
     
    Also, we actually run a “secure” network inside a Moscow hotel for NASA employees working in Russia.  One can logon to get email etc.  Hmmm……

    • kcowing says:

      The problem is not too hard of a technical issue for NASA to handle. Rather, the agency is incapable of enforcing its own rules and regulations.

      • FallingWithStyle says:

        Keith, when you say the agency is incapable of enforcing its own rules and regulations you are being harsh. This sort of thing is like herding cats. I know, I have the tee shirt.

        Having said that, the memo refers to ‘sensitive’ PII which definitely means the bad stuff – not just trivia with a name attached.

        The bit about the PC being password protected but no full disk encryption sounds weaselly as well. My reading: the files were not encrypted at all but they want to suggest they might have been. There are many scenarios in which ‘password protection’ on a laptop is not worth spit, whichever of the many meanings apply.

        Hence the response.

  2. openfly says:

    What is considered to be PII covers a very broad range of information.  Most of that information is fairly benign.  I think it’s important to realize this is probably not the loss of crown jewels of data that you may be led to believe it is.

    That being said, with a work force ( including contractors ) measuring in the many tens of thousands, the occasional loss of a laptop containing information that is either PII or SBU is fairly likely.  As the US Government requires that all losses are reported, it’s no wonder you see the occasional loss of a machine revealing the loss of data with some blanket classification.

    If you are using this as a means to cast some sort of negative reflection on the security standards applied to laptops that’s probably not a sane thing to do. 

    FISMA requirements cover what data is and is not meant to be encrypted.  As does the local interpretation of those requirements as set forth in the policies set up by first the national SOC, then local center SOC, and occasionally special project security teams.  If there was a violation of protocol in regards to the proper handling of data that should be noted.  Here it is not.  So I think as usual this blog is taking an alarmist tone without cause.

    • kcowing says:

      “Alarmist”?  Did you even read the memo? NASA has mobilized all the troops.  You might want to read some of the other links. NASA has been told to fix this sort of thing for years. It doesn’t.

  3. James Johnston says:

    Full disk encryption is being deployed to laptops under the ACES contract now. Existing laptops in labs or ones that were acquired outside of ODIN/ACES are more of a problem. There is the requirement to encrypt them but nobody is quite sure how that will be pushed out to these non-contract machines.
    This Data at Rest (DAR) encryption is also being pushed out to desktops & workstations which makes a lot less sense. Those machines are a lot less vulnerable to theft or loss than a laptop, and when you combine it with a weekend reboot policy (which can be waived) and the occasional random system reboot from “security” patches pushed out in the middle of the day it can cause real problems for people working from home since, unlike in the pre-DAR days, a DARed system won’t reboot without somebody available to put the DAR password in at the console.

    A lot of well-meaning security policy seems to be set without regard to the collateral damage it causes.

    • Matt Linton says:

       Hi James;  The agency is encrypting desktops and workstations “with sensitive data” in addition to laptops primarily to kill two birds with one stone.

      NASA has previously had difficulty maintaining a 100% effective disk sanitization program – where disks on NASA machines are fully wiped of all sensitive data prior to being excessed to schools/charity/etc through auctions.

      By fully encrypting all machines, the consequences of a disk not being wiped prior to excess become minimal-to-none, because a properly encrypted disk is functionally irrecoverable without a decryption key – which is the same end result sanitization is supposed to achieve.

      If it seems that NASA is pushing out policies without regard to collateral damage, please keep in mind that the agency is more or less in a lose-lose situation.  They have spent years trying to accommodate all of the unique, special circumstances in the research and mission communities surrounding the DAR issue and the end result is things like this;  A breach followed by a solid pounding in the press as to why other agencies can encrypt 100% of their systems so why can’t NASA?

      The answer is that NASA can either encrypt them all and anger its own staff, or NOT encrypt them all and suffer the occasional press pounding.  Looks like they’ve decided that the latter wasn’t working, so they’re ready to try the former.

      • James Johnston says:

        From what I read, this breach does not sound like the result of “accommodating all of the unique, special circumstances in the research and mission communities” but rather somebody on the management side that had a lot of sensitive information on a system that could have been DARed without  much impact.

        It isn’t just the impact of a single policy that is the problem, it is the accumulation of the impact of a number of policies. Installing DAR on stationary systems doesn’t necessarily cause a crippling problem for teleworkers by itself, and neither does forcing a reboot. Combining the two does, as it puts systems in an unusable state until somebody gets to them to bring them back up. Waiving the automatic reboot helps minimize the impact, allowing you to do the reboot when there is somebody around to recover the system, but forcing mid-week reboots at random times and without warning breaks that system.

        DAR makes sense for mobile systems, including lab systems. Forcing DAR on stationary systems just admits that the agency can’t or won’t enforce a proper policy for dealing with systems that we dispose of. These kinds of fixes have all sorts of positive impacts when seen from a high level but nearly all of the negative impacts roll downhill to the end users who end up spending more and more of their time dealing with the collateral damage than getting actual work done.

        • Matt Linton says:

           James – you’re right that this breach (it seems) is the result of a person who should darn well have been encrypted at rest.  But I was responding to your comment, in which you asked why desktops are included (I think I answered that), and to your other comment as to why the agency’s security directive doesn’t seem to take the needs of scientists/etc into account (collateral damage, you called it).

          The honest answer as to why agency security directives either seem ineffective OR seem to hurt the employees is that sometimes, like the DAR initiative, it’s nearly impossible to accomplish the objective without at least some impact in one of those two areas.

          • James Johnston says:

             Or, the people making policy are sufficiently detached from the people impacted by the policy that they don’t know what collateral damage there will be until after the rule goes into effect.

  4. Andrew_M_Swallow says:

    I see this article has been picked up by the BBC.  Well done.
    http://www.bbc.co.uk/news/t