NASA Removes Public Access To Its Online Employee Directory (Update)

Keith's 18 Nov update: NASA wants to transmit their stuff to you. But they really don't want you to talk to their people about it.

Once upon a time - actually for more than a decade - you could go to people.nasa.gov to find out how to contact a government employee at NASA. Not any more. Here is what the site looked like on 28 October 2020. You used to be able to type in names and find out their email address and phone number. Now all you get is a statement that says "This site and its contents are no longer available. Visitors are encouraged to learn more about space and NASA's mission by visiting the NASA homepage. NASA employees visiting this site should refer to internal directory services for employee information."

I just got another response from NASA PAO to my five follow-up questions regarding the shutdown of NASA's online employee directory. In a nutshell, they are afraid that letting people see the email addresses and phone numbers of government employees puts the agency at risk, so that is now stopping. OK, phishing and scams are on the rise, so you cannot fault them for being responsive to that. But many - most - other Federal agencies still let citizens, the media, other government employees, researchers, and congressional staff query their agency's websites to find employees. None of those people will any longer be able to find the people who work on various NASA programs.

Instead, everyone outside of the NASA firewall will now have to go to a "Contact Page" at NASA with high-level links to everything except a personnel search. Instead of finding the person you need, you will have to hope that these generic links send you somewhere where someone will decide that maybe you can contact someone else. Given the glacial speed at which the CIO's office fixed simple errors in its own directory takedown, you can imagine how slow NASA will be to get back to you when you are looking for someone. If they even respond, that is.

But OK, they have their "Contact" page. Is this Contact page mentioned at NASA.gov? Answer: it is a small link at the lower right of the home page, where most people will never think to look for it. How do you contact NASA if the Contact page itself is more or less hidden from view? Shouldn't it be a prominent link in all of the top menus? Seriously, doesn't NASA want to interact with actual human beings while it blasts all of its space stuff out onto the Internet? NASA complains about not being able to do enough outreach and about why people often do not understand what NASA does. So what does NASA do? It continues to shrink the ability of the public - the people who pay for the whole party - to interact with NASA. NASA's big cosmic radio is set to "TRANSMIT". It is never set to "RECEIVE".

We should all be concerned. This is another example of dumbing down NASA's public functionality and reducing overall transparency. Hopefully this will change after 20 January 2021.

NASA PAO Response:

1. Why am I still able to access that database via a rather elementary work around a day after I posted mention that the database is still accessible?

NASA Answer: The Lightweight Directory Access Protocol (LDAP) database is a service that enables secure email to be exchanged with our partners and other federal agencies. Reconfiguration is being implemented in phases in order to ensure sufficient testing is performed to not disrupt current operational services. You noticed that the main search page for the public directory was disabled. Additional changes are planned that will address other ways of obtaining this information.

2. Why are other Federal agencies not adopting your "industry standard" i.e. why are their employee directories still openly accessible by the public?

NASA Answer: With respect to other federal agencies, it is certainly up to them to determine what risks they face and how they will address those risks.

3. When was the determination made that long-standing publicly available information now presents a risk to NASA?

NASA Answer: When people.nasa.gov was established over 20 years ago, the risks of sharing internal official communication email addresses and phone numbers were significantly lower than they are today. Since then, internet-facing organizations have had to adapt to a vastly different threat environment by changing how they present and protect their services. Examples of these types of infrastructure service changes include transitioning to Secure HTTP servers, replacing passwords with multifactor authentication, and closing down insecure internet-facing services like NFS and telnet.

The NASA CIO team is working to strengthen cybersecurity across the agency, and this is part of that process. Spear phishing attacks, which are targeted email-based social engineering threats to an organization, are a very common form of attack. NASA is simply trying to prevent attackers from easily obtaining the information needed to facilitate these phishing attacks. You noticed that the main search page for the public directory was disabled. Additional changes are planned that will address other ways of obtaining this information. With respect to other organizations, it is certainly up to them to determine what risks they face and how they will address those risks.

4. Can you provide me with the specific "industry best practices" that NASA is using as a basis for this action?

NASA Answer: NASA is simply trying to prevent attackers from easily obtaining the information needed to facilitate these phishing attacks. (Keith's note: in other words, they actually do not have any standards even though they claim to be following them. I hope someone sends in a FOIA on this.)

5. Are members of the media and general public at legal risk if they post information that can be readily accessed from this database or post the way in which this database can still be accessed by the public?

NASA Answer: The public may certainly access information that NASA makes publicly available. While the main search page for the public directory was disabled, additional changes are planned that will address other ways of obtaining this information. The public can find information about contacting NASA at: https://www.nasa.gov/about/contact/index.html

Earlier post

Keith's update: I received this response from NASA PAO just before midnight on Monday: "The reason for NASA's decision to restrict public access to the agency's employee directory is consistent with industry best practices to reduce potential cyberattacks and improve the overall cybersecurity posture of the agency. Internal directories of employee phone numbers and email addresses often are used by cyberattackers to conduct targeted email phishing and social engineering attacks against agency employees. These attacks put sensitive agency data and IT systems at increased risk of disclosure, damage, and compromise. Additionally, since the NASA directory contains information on several of our partners, including international partners, continuing to expose sensitive internal information increases risk to organizations outside of NASA. The agency has a responsibility to protect the people, data, and systems that are managed by NASA and its partners."

I submitted these follow-up questions:

1. Why am I still able to access that database via a rather elementary work around a day after I posted mention that the database is still accessible? [Update: the database no longer responds]
2. Why are other Federal agencies not adopting your "industry standard" i.e. why are their employee directories still openly accessible by the public?
3. When was the determination made that long-standing publicly available information now presents a risk to NASA?
4. Can you provide me with the specific "industry best practices" that NASA is using as a basis for this action?
5. Are members of the media and general public at legal risk if they post information that can be readily accessed from this database or post the way in which this database can still be accessed by the public?

Keith's update: I made a request for a comment to PAO yesterday. No word from NASA PAO. Meanwhile the NASA Employee Directory still works even though they think it is offline (Shh! I'm not sure that the CIO experts know this).

Keith's note: Once upon a time - actually for more than a decade - you could go to people.nasa.gov to find out how to contact a government employee at NASA. Not any more. Here is what the site looked like on 28 October 2020. You used to be able to type in names and find out their email address and phone number. Now all you get is a statement that says "This site and its contents are no longer available. Visitors are encouraged to learn more about space and NASA's mission by visiting the NASA homepage. NASA employees visiting this site should refer to internal directory services for employee information."

NASA has taken that search function offline. Now it is harder for taxpayers, researchers, the news media - and other government employees - to find the people who work for you at this government agency. So much for transparency at NASA. Let's Make Space Great Again, I guess. Ordinarily a pointless decision like this would be something you'd blame the NASA CIO for. But I suspect that the reason is possibly a little more sinister given the post-election personnel decisions mandated upon Federal agencies by a vindictive White House.

Of course the IT geniuses at NASA think that simply by deleting the search box from a webpage you can make the backend database inactive and/or unavailable. Guess again. Remember now: these are supposedly NASA's top cybersecurity experts at work here. Try clicking on this search URL for NASA CIO Jeff Seaton. Go ahead - click on it:

https://people.nasa.gov/people/search?firstName=jeffrey&middleInitial=&lastName=seaton&email=&phone=

[Screenshot of the search result: https://s3.amazonaws.com/images.spaceref.com/news/2020/seaton.sm.jpg]

Shazam - this search result still comes back: "Seaton, Jeffrey E. Email jeff.seaton@nasa.gov 202.358.1824". So much for whatever the NASA CIO was trying to accomplish - but we already knew the CIO shop was amateur hour from decades of OIG and GAO reports, right? Or maybe this was initiated above their pay grade. If you have any inquiries, the search result page says "For Site Inquires: Nasa-DL-People-Inquiries@mail.nasa.gov".

Keith's 18 Nov update: NASA took the backend database down. If you go to this link you now get:

This people.nasa.gov page can't be found
No webpage was found for the web address: https://people.nasa.gov/people/search?firstName=jeffrey&middleInitial=&lastName=seaton&email=&phone=
HTTP ERROR 404
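The lesson in the two updates above is a general one for anyone retiring a public lookup: taking the form off the page does nothing to the handler the form submitted to, and a takedown is only verified by probing that handler with the same query parameters the form used and examining what comes back. The Python below is an added example written for this page; it is not NASA's code, and nothing about NASA's actual setup is assumed beyond what the post shows. The hostname people.example.gov, the sample response bodies and the verdict names are constructed for the example; only the query parameter names (firstName, middleInitial, lastName, email, phone) come from the search URL quoted above.

```python
"""Check that a "removed" directory endpoint is really gone.

Added example (not NASA's code).  Removing a search form from a web page
does not retire the handler behind it; verification has to exercise the
endpoint with the parameters the form used and look at the response.
Hostname, paths and sample responses are constructed for this example;
only the query parameter names mirror the search URL quoted in the post.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlencode

# Patterns for the two kinds of contact record a directory hands out.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b\d{3}[.\-]\d{3}[.\-]\d{4}\b")

# Parameter names from the search URL in the post; values are placeholders.
SEARCH_FIELDS = ("firstName", "middleInitial", "lastName", "email", "phone")


def search_url(base: str, **fields: str) -> str:
    """Build the URL the form used to submit, with every field present
    (empty where unused) so the probe matches a real form submission."""
    params = {name: fields.get(name, "") for name in SEARCH_FIELDS}
    return f"{base}?{urlencode(params)}"


@dataclass(frozen=True)
class Probe:
    """One captured HTTP response: what was requested and what came back."""
    url: str
    status: int
    body: str


def records_in(body: str) -> set[str]:
    """Email addresses and phone numbers found in a response body."""
    return set(EMAIL_RE.findall(body)) | set(PHONE_RE.findall(body))


def classify(probe: Probe) -> str:
    """decommissioned: the route is gone (404/410) and nothing leaked.
    leaking: the endpoint still answers with contact records.
    notice_only: it answers, but only with a takedown notice (no records).
    other: redirects, auth walls, 5xx - needs a human look."""
    found = records_in(probe.body)
    if probe.status in (404, 410) and not found:
        return "decommissioned"
    if probe.status == 200 and found:
        return "leaking"
    if probe.status == 200:
        return "notice_only"
    return "other"


def audit(probes: list[Probe]) -> dict[str, str]:
    """Verdict per probed URL."""
    return {p.url: classify(p) for p in probes}


def takedown_complete(probes: list[Probe]) -> bool:
    """The takedown is done only when no probed URL is still leaking."""
    return "leaking" not in audit(probes).values()


# Constructed sample captures (not real responses) for the three states the
# post describes: the notice page, the still-live search handler, and the
# same handler after the route was removed.
BASE = "https://people.example.gov"
NOTICE = Probe(f"{BASE}/", 200,
               "This site and its contents are no longer available.")
LIVE_SEARCH = Probe(
    search_url(f"{BASE}/people/search", firstName="jane", lastName="doe"), 200,
    "Doe, Jane Q. Email jane.doe@example.gov 555.010.0199 "
    "For Site Inquiries: directory-inquiries@example.gov")
GONE_SEARCH = Probe(LIVE_SEARCH.url, 404,
                    "No webpage was found for the web address")

BEFORE = [NOTICE, LIVE_SEARCH]   # form removed, handler still answering
AFTER = [NOTICE, GONE_SEARCH]    # handler removed too

if __name__ == "__main__":
    for label, probes in (("before", BEFORE), ("after", AFTER)):
        for url, verdict in audit(probes).items():
            print(f"{label:7} {verdict:15} {url}")
        print(f"{label:7} takedown complete: {takedown_complete(probes)}")
```

Two caveats for anyone reusing this. First, the URL-level check only covers the URLs you think to probe; the "elementary work around" the post mentions is exactly the case where a second route to the same data survives, so the probe list should include every path and parameter variant the old form and its linked pages ever used, not just the one documented search URL. Second, a 404 from the web tier says the route is gone, not that the directory behind it has changed; NASA's own answer above says the LDAP service still handles mail with partners, so a 404 is the right result for the public surface and nothing more.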

Meanwhile, the NIH Enterprise Directory is still online - as is the NOAA Staff Directory, the NSF Staff Directory, the NIST Staff Directory, various Department of Transportation Staff Directories, the USGS Employee Directory, the HHS Staff Directory, etc. It's all still there folks - except for NASA.

But wait: this oldie but goodie at JPL from a decade ago is still online with all kinds of broken retro fun. And LaRC has several old ones online here and here. GSFC lets you search everyone from their Science and Exploration Directorate here while the GSFC Procurement Operations Division lists everyone here. And everyone at GISS can be found here. Then there's the NASA Planetary Data System phone book with names and phone numbers for people all over the place. And so on. You get the point.

I have asked NASA PAO for a comment on why this site has been removed from public access. Hopefully this stupid decision will be reversed during the afternoon of 20 January 2021. Stay tuned.

Keith's update: And then there is this option to access this database:

This page contains a single entry by Keith Cowing published on November 18, 2020 10:21 AM.