NASA took some lumps from Congress and its inspector general over the security of its technology systems. But if there is a silver lining to the Hill lashing, the message that the space agency needs to do a better job securing its systems got through loud and clear.
The best way to measure the impact of the hearings is to look at what the NASA centers are doing outside of Washington. For example, Mike Bolger, the Kennedy Space Center chief information officer, made encrypting all laptops a much larger priority this year.
“There is an agency plan to get our laptops encrypted by the end of the year,” Bolger said. “At Kennedy, we had about 500 laptops encrypted and those were users who self-identified they had sensitive information on there. Unfortunately, that didn’t work for us.”
NASA has had more than 5,000 computer security breaches in the last two years, according to Inspector General Paul Martin. One of the biggest losses: command codes for the International Space Station. Those codes were on an unencrypted laptop that was stolen in March 2011. Martin detailed the losses to the House Science subcommittee on Investigations and Oversight.
While the Kennedy Space Center was not specifically mentioned in Martin’s testimony, Bolger said laptops will receive hard disk encryption and logical access controls using secure identity cards under Homeland Security Presidential Directive-12.
At the same time, Kennedy is going through a hardware refresh of laptops and desktops under NASA’s I3P contract. Bolger said the confluence of these events is making it easier to improve the overall security of their systems.
“We are aggressively rolling out new seats, about 400 a month, and we are giving them new software. For PC-based people, it’s Windows 7 and Office 2010, and on the Mac side, it’s Office 2011,” he said. “Any time we step up to a new operating system and also to a new office automation suite like Office 2010, we have to make sure all the third-party applications that we are running will be compatible with those. In some instances, we do find we have to upgrade those applications along the way. At the same time, a lot of those applications were being upgraded by the vendors anyway and we might not have been able to move the most recent version of that application if we had stayed on Windows XP or 2007.”
Along with new hardware and software, Bolger is kicking off a pilot to let employees use their own smartphone or tablet devices on the network.
The BYOD initiative is just in the early stages, but a group of 5 or 6 executives will lead an effort to test mobile device management tools, find 20-25 people for the pilot and develop policies, including those dealing with any legal concerns and whether the agency could provide stipends to employees.
“I get stopped regularly by people who want to know why they can’t use their own device or why do I have to carry two devices in cases where we have given them a BlackBerry or iPhone,” Bolger said. “We want to investigate what is in the realm of possible here.”