NASA's CIO Anticipated The Laptop Theft
Protecting and Safeguarding NASA Information and Information Systems (page 6), IT Talk, July-September 2012, NASA CIO
“What if this article was the national headline across the United States? Is NASA protecting and safeguarding its information and information systems? Is it possible to protect and safeguard information and information systems 24/7?”
Keith’s note: Well, it happened. No fancy cyber break-ins occurred. No massive network failure was at fault. Nothing complicated or deliberate happened – the sort of stuff where overt high-tech protection and safeguards would be called into play. Instead, a NASA employee was dumb enough to leave an agency laptop with sensitive information in her car such that it could be stolen. And that laptop had a substantial amount of personal information on 10,000 or more NASA employees that the CIO’s office was inept enough to allow to be on a laptop taken out of NASA in the first place.
The CIO’s own official publication openly talked about what might happen if the theft of a NASA laptop with “10,000 employees private information” became “an actual NASA Headline”. But instead of focusing on the real world where people can and will do dumb things, the CIO focused only on all the complicated technological threats to NASA’s IT. The CIO utterly ignored simple human behaviors that could be just as damaging as a cyber attack if not dealt with. Other than than a memo (2 weeks after the theft) to employees announcing an emergency disk encryption program and a half-hearted attempt to assist employees in case of identify theft, the NASA CIO has done absolutely nothing to address the core issues at hand. And now the NASA CIO cannot even bear to mention this situation on her own website – with the exception, of course, of this hypothetical article written months before the event.
Black Swan IT events are always pumped up and promulgated by “experts” as high tech skull duggery when in fact it usually human error that occurs. And it happens over and over again. We never learn. We always fear the worst from the intruder we don’t know and it is usually ourselves instead. Sigh…. So go ahead and have super duper password security when anyone can call help desk and get access despite security policy and procedures to prevent such a thing happening. It happens all the time.
Exactly. “NASA” = Never A Simple Answer.
As someone mentioned in one of the other comment threads on the laptop loss, there are apparently shared laptops floating around with sensitive PII on them and however they’re set up they share a password (very bad system design) and there’s probably a written down password that travels around with the computer (and probably has to be changed every 3 months, further increasing the need to pass it around). The best full disk encryption in the world won’t help if the password is written on the bezel of the laptop.
I would hope that sooner than later all data will be stored in secure cloud storage with nothing on the device we carry around.
…..and where most of the IT equipment(server boards, etc.), routers and switches are made in China. Big Grin.
After the US sold a 747 to China as the president’s personal aircraft and bugged every part of it, including the bedroom, it’s difficult to see how we could complain if the favor were returned. However I haven’t seen evidence of anything so crude. The real threat to US security is no secret; it’s the fact that we are losing our high-tech manufacturing sector and the well-paying jobs and exports that sustain the middle class.
Perhaps if NASA can identify ways to assist the US civil aerospace industry to become more competitive in commercial and export manufacturing, we can prevent the loss of this sector as well and help to preserve the national income we need to afford the luxury of human spaceflight.
This is the right idea. Industry also has much more stringent rules on network and data security but at a very high price. In addition to HD encryption, only company provided machines may connect to networks, all software has to be on an approved list, all network traffic is monitored including emails. NASA employees routinely chuckle at their industrial counterparts as they use their personal machines for official and unofficial business at joint NASA/industry meetings while the industry guys are making do with five year old hardware and software. If and when the NASA CIO clamps down, there will be howls of oppression.
James,
I’m not convinced that we can yet equate cloud with secure, and I have to wonder how long it will be before we honestly can. Some things in computing / software happen very fast. Others seem to take a long time to get done properly, and it’s not necessarily the important things that get done quickest (rather the more profitable things).
Once cloud storage is more widely used it’ll just be a matter of time before they figure out ways to break into it. There are no final solutions.
Steve
Nothing is absolutely secure, but remote server storage is already more secure than carrying data around on your laptop.
True enough. Of course, the problem isn’t so much the laptop as the person on the end of it.
I have a laptop, I develop software and work for a company that sells products to government contractors. The hard drive is encrypted and If I lost my laptop, it would be remotely wiped. At least that is what our IT people tell us. I have never lost my laptop.
Doug,
The ability to remotely wipe a laptop sounds like a great Idea, assuming it doesn’t get done by accident. I’ve never lost my laptops either, but I’m the only one who ever uses mine. I wonder how much of the NASA problem/attitude is because some of them are (supposedly) shared. I think it still comes down to the individual; some people simply have never learned the necessary mindset for treating equipment and data properly , but then again, it’s not exactly a school course, so it comes down to either (un)common sense or company training, even though to some of us the concepts seem obvious.
Steve
The stolen laptop is not what is costing NASA money. Every NASA user is required to forget their 14-character password and memorize a new one every 60 days, because IT administrators apparently cannot protect the password hashes on their own authentication servers and assume the hackers need 61 days to crack the hash. So we are safe if we are forced by the system to memorize a new password every 60 days. Yet DAR cannot use domain authenication and consequently every laptop login requires two passwords, both of which have to be updated but which are not the same because one is user-specific and the other is system-specific. Users cannot keep email in the cloud for access when away from the office because they only get 400Meg on the server, about a dime’s worth of space, because NASA wants to save money. So they must spend hours every week, at a cost of hundreds of dollars in employee time, sorting through emails to figure out what to delete. Of course you can store gigabytes on your desktop, but it isn’t accessible unless you are at your desk, even though gigabytes of files are automatically duplicated on a cloud backup server. Contractors with decades of experience have to contract out IT support to other contractors, so that correcting the spelling on a website requires a work order and actually using a computer for laboratory research is cumbersome or impossible.
That kind of password policy just begs humans to write it down and shove it inside the laptop case for easy access. It’s not a brilliant human factors move.
..error..
Of course that problem could be avoided if we had cloud storage easily accessible off center. Or just an encrypted partition to store sensitive data, so the laptop could use domain authentication. Or effective communication between users and administrators _before_ IT policies are implemented to discuss whether proposed IT policies are really appropriate. We have had operational systems fail because the user could not remember or sucessfully enter the password.
Keith;
Just a thought here, but I find the timing of this very interesting. NASA as is all gov’t agencies are facing severe cutbacks come Jan 1st. How convenient that critical data as personal data goes missing/stolen? What better way to ensure your dept. doesn’t suffer too greatly when the ax falls than to have an isuse such as this happen. That laptop isn’t missing/stolen, it’s sitting in a vault right now nice & secure with NO personal data what so ever on it.
I had my Gov laptop encrypted in august like the policy stated to be done by Sept. they were 2 months too late. a head needs to roll.
So. They anticipated it (almost down to the exact number!). Yet they permitted it to happen, in the most inane and avoidable way. And now we learn that they lost hard-copy as well as electronic copies of the personal information they were supposed to be safeguarding. And what do we get? A weak monitoring effort. Piecemeal information dragged from reluctant officials when they have no choice but to reveal it. Continued silence as to whether there were any consequences to the culpable individual (certainly there were none to the responsible managers). And a weak, mealymouthed semi-apology. I am deeply disappointed in the Agency and disgusted by its leadership (or leack thereof) on this issue.