
NASA Continues To Flunk Basic IT and Cybersecurity Rankings

By Keith Cowing
NASA Watch
December 19, 2018

Potential Personally Identifiable Information (PII) Compromise of NASA Servers
“On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised.”
Keith’s note: According to NASA HQ PAO the latest security breach at NASA does not affect people outside of NASA who may have interacted with NASA security. But people who work or used to work at NASA are at risk. So y’all can expect another “Dear NASA Employee” letter from the agency offering free credit monitoring services.
NASA’s performance in complying with Federal regulations governing IT and cybersecurity has been pitiful – especially during the tenure of NASA CIO Renee Wynn. Now there has been another security breach that affects all present and prior NASA employees – even those of us who left the agency decades ago. In the real world the person responsible for such pitiful performance would be fired.
Federal Information Security Modernization Act of 2014 (FISMA) – 2018 report
“Congress enacted the Federal Information Security Modernization Act of 2014 (FISMA) to improve federal cybersecurity and clarify government-wide responsibilities. The act is intended to promote the use of automated security tools with the ability to continuously monitor and diagnose the security posture of federal agencies, and provide for improved oversight of federal agencies’ information security programs. In particular, the act clarifies and assigns additional responsibilities to entities such as OMB and DHS.”

https://media2.spaceref.com/news/2018/FISM2018.jpg

Nov 2017 FITARA Scorecard
NASA Totally Flunks FITARA Scorecard 2 Years In A Row (2016), earlier post
“There is a slightly goofy post at NASA CIO’s Open.NASA.gov (not findable on the NASA search engine) “NASA’s Approach to Implementing FITARA” from 10 March 2016 that opens with “My husband and I are planning a vacation to Disneyworld, an awesome destination for our five year old dreamer. How do we budget for such an grandiose trip?”, and then goes on to spout happy talk – with added IT word salad – about how seriously NASA takes FITARA. If only.”

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

10 responses to “NASA Continues To Flunk Basic IT and Cybersecurity Rankings”

  1. Eric says:

    Maybe it would be good if the heads of each department kept their servers at home in a bathroom closet, No wait….

    Maybe they should hire the cyber security team from Starwood Hotels. No wait ….

    Maybe they should hire the security team from the credit rating company Equifax. No wait …

    Maybe they should hire the security teams from our largest universities on how they safeguard their research intellectual property. No wait…

    Maybe they should hire the people who work at Under Armour. No wait ….

    Or they could hire the cyber security team that safeguarded the UK healthcare system. No wait …

    It feels like no one is good at this security thing. Cyber security is a significant expense. I’m wondering if the hackers are just better than the security people and security software, or how much of it is an unwillingness to pay the massive costs of IT security.

    https://www.businessinsider

  2. fcrary says:

    I know NASA Watch is about NASA, but that summary slide gave nine out of 24 government agencies an ‘F’, so this doesn’t seem like a problem unique to NASA. I’m also concerned that none of the agencies on the chart got better than a ‘C’, although the chart may have left out agencies doing a good job of computer security. But the whole thing makes me uncomfortable. Is this the 21st century version of the Navy’s 1930s and early 1940s torpedo (un)reliability disaster?

  3. JJMach says:

    New wrinkle, if you think exposing NASA personnel is bad: Due to the need to improve security, all non-NASA personnel coming to Centers to do work are being subjected to more detailed background checks that require a great deal more PII be handled than previously. So, are the people that are supposed to make sure that does not get mishandled or stolen the same people who messed up this time?

    Can we finally get serious about this, actually dedicate the resources necessary, and enforce the rules fairly? It always seems like a directive comes from “on high” that this time we’re really going to fix problem X, but then as soon as they actually have to spend money they don’t have, or the fix becomes problematic for anyone with sufficient clout, it all falls apart.

    • fcrary says:

      And there are problems which result. For example, JPL missions have started having their all-hands science meetings off campus. The science teams, in general, aren’t NASA or JPL employees. Getting everyone through the security requirements for a one-sided meeting twice a year is impractical. (And those requirements sometimes involved having an escort when you go to the bathroom.) Several projects have decided that this simply isn’t worth the effort. Or they hold meetings at hotels in the Pasadena area, rather than on campus. Of course renting the facilities costs more, and some of the locals don’t attend. (A five minute walk from your office to the meeting, for the one hour you’re needed, is one thing. A half hour drive is a different thing.)

      • Michael Spencer says:

        Help a non-NASA-related person get the picture? What about using some sort of video conferencing for these meetings? Does this obviate the security, or is there something I am missing? (The benefits of actually meeting people in person notwithstanding, of course.)

        I’m wondering what the security issues actually are: someone’s roving eyes observing a project left on a bench someplace? Or some equations on a blackboard? or a person ducking into some room someplace? Or an actual, physical (bomb) attack?

        • fcrary says:

          Honestly, some NASA-related people would like to know as well. For video or teleconferencing, NASA has a tendency to botch it. Part of that is technical and really incomprehensible for me. Part of it is social, and easier for me to understand. If a large majority of the people are in the room, the remote participants get left out. Presenters turn away from the microphone and point at things on the screen in ways which are only visible to people in the room. That sort of behavior doesn’t stop until a third or so of the audience are remote.

          Other solutions are to have meetings off lab, or to only lock down certain buildings on lab. The former option isn’t great. Renting the facilities off lab is expensive. The locals can’t hop back and forth between their office and the meeting, based on the agenda. So they either skip a day or don’t get any work done during the parts of the meeting which don’t concern them. And the lab management may find off lab meetings embarrassing. It sort of implies they aren’t competent to host meetings.

          High security for the buildings which need it, and none for others, works well for other organizations. SwRI in San Antonio does that, and it works pretty well. APL also tried it but the results were mixed. When they needed more office space, they built it outside the wall. Then some organizational changes forced them to move people and put security around part of the new buildings. JPL does have an interesting set of gates around their von Karman auditorium. It can either make it all open to anyone or only accessible from inside. But not a mix of the two, so that’s not too useful.

          In terms of the actual security risks, I’ve never heard a satisfactory answer. The only, really good reason I’ve heard is the fact that test facilities are occasionally rented out to private companies, and those companies have industrial espionage concerns. But that only applies to specific and isolatable buildings.

          Export control and ITAR regulations are another justification. And scientists are not very good about erasing whiteboards after meetings or worrying about which documents are lying around on their desks. But that shouldn’t be an issue for US citizens or resident aliens.

          Physical security was discussed after 9/11. The space program is a national prestige thing, and therefore a potential target for a terrorist attack. But I don’t think many people found that convincing. Most NASA facilities are basically a bunch of office buildings and unspectacular looking labs. That’s just not the sort of eye candy that attracts terrorists. A launch pad at KSFC would be different, but some place like Goddard? The popular reaction would be, “NASA does something in Maryland? Really? If it’s important why haven’t I heard about it before?”

          • Michael Spencer says:

            High security for the buildings which need it, and none for others, works well for other organizations. SwRI in San Antonio does that

            As at least one of the denizens herein will point out, SwRI is Private Enterprise (though guided by the requirements that come along with gov grants).

            In terms of the actual security risks, I’ve never heard a satisfactory answer

            Which describes much (most?) of the security paranoia in our country nowadays. Having just returned from 10 days in tropical Mexico, however, I would have to say that airport security – IF you have Global Entry – is hugely better though every bit as invasive.

            Physical security was discussed after 9/11. The space program is a national prestige thing, and therefore a potential target for a terrorist attack. But I don’t think many people found that convincing. Most NASA facilities are basically a bunch of office buildings and unspectacular looking labs

            Off-topic, but your post reminded me of so many positive, pro-NASA memories, I hope Keith will allow:

            I think I have mentioned that in my younger days I attempted to visit every NASA Center, with a selfie in front of the facility sign to prove it; and if that’s not nerdy I sure don’t know what is. Of course, selfies didn’t become “the thing” until much much later.

            JPL was special.

            I visited there before the craziness over security (and then, sadly, once after); we twice attended the lovely open houses they had, back in the day; feted by scientists and secretaries alike. It was absolutely glorious!

            One had the sense that, in a few cases, those working there would rather be doing something else than entertaining Joe Citizen. But that was the exception, and even then, with a little prodding, any scientist or engineer I could manage to corner would wax enthusiastic over her work (sadly, mostly “his” in those days).

            Models of current spacecraft were in the auditorium. I’m pretty sure I remember being surprised at the size of the Cassini model, especially when realizing it was not a replica but a scale model. Galileo, too, was represented by a model.

            The courtyard (near the auditorium) held small tableaux representing various projects. I was early in my professional career as a Landscape Architect then, but appreciated the sophistication of the outdoor spaces. I hope they have survived.

            There were of course the Voyagers, then 15-odd years into the mission, and prominent everywhere, including models (auditorium again).

            Less prominent but every bit as interesting were various smaller projects being displayed. There was (memory stretched a bit here) a line of offices, all opening to an outdoor hallway in the manner of a motel. Some were open, some had easels set up outside, making passage tricky, and fabulous.

            One included the study of Mars touchdown with ballutes that I found intriguing, (devices which appear to be making some sort of comeback, at least according to the SpaceTime podcast).

            I came away both times feverish with excitement, and, sure, pride, in what was happening there.

            Visitors could wander just about anywhere; a few places were Off Limits. Access was controlled with – you guessed it! – signs! Oh dear! Imagine relying on embarrassment for security!

            At the time, they had some very large cryo tanks up on the hillside that I never did learn much about, nor their contents. The simulated Mars environment (the name of which escapes me, and Google seems like cheating), too, was prominent.

            Great memories. And the fact that others can’t have the same experience is just a big f*cking heartbreak that brings me back to the thrust of your post – security nowadays so often either over-reaches, or misses the mark, or is just dumbed down, or all of the above.

            We have given up, lost, so much.

  4. sunman42 says:

    Arguably, FITARA is a bad idea writ large. Forget for the moment that it will be/is being implemented by people who are more interested in getting their tickets punched to advance to upper management jobs in industry or government, rather than achieving NASA’s mission. Forget that a “one size fits all” architecture is literally insane in an agency where Center responsibilities and portfolios vary so widely. Just think, instead, about the most recent data breach. Do you really want the same architecture in every cloud/Center/application? Just how easy do you want to make it for bad actors?

    I could go on about the continual adoption of “solutions” that work well on one of the three standard platforms described in agency standards docs, but not the other two. (It’s OK, they’ll make everyone use the same — porous — platform.) I could go on about the good, practical sense of outsourcing desktops and laptops for “business” applications and the loony tunes attempts to apply the same purchasing tools to scientific and engineering workstations. But it really doesn’t matter what they try to implement. The people who actually make missions happen will be working round this nonsense every step of the way, not because they enjoy being speed bumps, but because they have to, in order to ensure mission success.

  5. Donald Barker says:

    It’s hard to know what their letter grade scale really means. Looks like it is graded on a curve from the traditional scale where a “C” is 70-79% of the grading criteria. It is so easy to skew grading criteria and feed people some letter that socially means something yet statistically is a white-wash. Either way, looks like all of them are remedial at best and should be either fired or docked pay.

  6. Michael Spencer says:

    We (often) see reports like this, not only in the government, but more widely as well, where the reader is left to wonder: “exactly how did the bad guy get in?”

    Credit cards at Marriott, or other cases as well. I realize that these systems are very large, and they are very complex, often front ends to deeply complex DB applications. Still, in a general sense there are a limited number of ways that *any* system is breached: socially, of course, but also more technical approaches like various overflow techniques.

    There are also, broadly speaking, a limited number of ways that systems are protected. Maybe I’m really bitching about journalists who either do not know or have insufficient time/space to explain the case. In the end, though, I wonder what the apparent deluge of hacks has in common.