NASA’s cyber woes continue to mount. New reports by the agency’s inspector general and a private company, Security Scorecard, both highlight the agency’s struggles with security management and with controlling malware on its network.
The NASA IG found the space agency has weaknesses in continuous monitoring management, configuration management and risk management.
“We believe that weaknesses in these areas stem from missing requirements related to the agency’s information system security program,” auditors say. “NASA lacks an agencywide risk management framework for information security and an information security architecture. In our judgment, this condition exists because the Office of the CIO has not developed an information security program plan to effectively manage its resources. In addition, the office is experiencing a period of transition with different leaders acting in the senior security officer role, which has caused uncertainty surrounding information security responsibilities at the agency level. As a result, we believe NASA’s information security program could be improved to more effectively protect critical agency information and related systems.”
The IG said NASA has made progress over the last five years, but more is needed.
At the same time, Security Scorecard continues to highlight the vulnerabilities in NASA’s network.
The company issued a report on the U.S. government’s cybersecurity — it includes federal, state and local governments — and found NASA was the worst among all 600 organizations it surveyed.
“NASA’s scores ranged from mid-level ‘C’ to mid-level ‘D’ scores since October 2015, nearing the top of the ‘C’ range in the month of February 2016,” the report stated. “However, their scores dropped by 10 percent before the data breach in mid-February was reported and dropped further, dipping into the ‘D’ range, after the breach. Since then, there have been slight improvements to their cybersecurity but they still have the lowest score among government organizations since the first week of March.”
Security Scorecard, which looks at public internet traffic to connect malware traffic between its hosts and victims, said NASA continues to struggle with a large number of malware signatures over the past 30 days, including Secure Sockets Layer (SSL) certificate issues, insecure open ports and misconfigured email Sender Policy Framework (SPF) records, which could lead to email spoofing.
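The SPF finding above is a configuration class a defender can check directly: the record’s terminal `all` term decides what receivers do with mail from unlisted hosts. The following is an added example (not code from the article or from Security Scorecard) that parses constructed SPF TXT records, flags permissive or missing `all` policies beside the corrected hard-fail form, and counts DNS-lookup mechanisms against the RFC 7208 limit of 10; the domain names and addresses are invented samples.

```python
import re

# Constructed sample SPF TXT records (illustrative; not any real domain's
# records). Each shows a different "all" policy; the last is the corrected form.
SAMPLE_RECORDS = {
    "pass-all":    "v=spf1 ip4:192.0.2.0/24 +all",
    "neutral":     "v=spf1 include:_spf.example.net ?all",
    "softfail":    "v=spf1 mx ~all",
    "missing-all": "v=spf1 ip4:192.0.2.0/24",
    "corrected":   "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
}

# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# How receivers treat mail from hosts the record does not list, by qualifier.
ALL_RISK = {
    "+": "high: every sender passes, spoofing is not prevented",
    "?": "high: neutral result, receivers treat it as no policy",
    "~": "medium: softfail is usually only a spam-score hint",
    "-": "ok: unlisted senders hard-fail",
    None: "high: no 'all' term, unlisted senders get a neutral result",
}

def assess_spf(record: str) -> dict:
    """Parse one SPF record and report its terminal policy and lookup count."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "reason": "missing v=spf1 version tag"}
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"   # default qualifier is "+"
        body = term[1:] if has_qualifier else term
        # Mechanism/modifier name precedes ":", "/" or "=" (e.g. ip4:, a/24, redirect=)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return {
        "valid": True,
        "all_qualifier": all_qualifier,
        "risk": ALL_RISK[all_qualifier],
        "lookups": lookups,
        "too_many_lookups": lookups > 10,
    }

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(f"{label:12} {assess_spf(rec)['risk']}")
```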
“Secondary threat indicators include defacement mentions on hacker sites, at-risk credentials, usage of an end-of-service product, and vulnerability to high severity Common Vulnerabilities and Exposure (CVEs),” the report stated. “This has led to NASA scoring an ‘F’ in the following factors: IP reputation, network security, patching cadence, and a ‘C’ in domain name security health and password exposure.”
When asked about Security Scorecard’s report, a NASA spokeswoman said the agency “does not comment on unsolicited analysis and reports from private sector, for-profit entities.”
A source told Federal News Radio that while the malware infections may be beaconing out from networks NASA runs, they aren’t necessarily the agency’s data, systems or even networks.
The source said the traffic is coming from E-roots, which routes all dot-gov domain traffic. NASA runs one of 13 internet root services worldwide.
A Security Scorecard spokeswoman said someone from the company was not available to talk about the latest report.
Still, this is the second time in the last three months that Security Scorecard, which does little to no federal business, highlighted concerns with NASA’s network.
In the first report from February, the company said it found 10,000 instances of malware communicating from NASA’s network with known hosts. That report was part of my month-long investigation that revealed NASA had hundreds of thousands, if not millions, of missing or out-of-date patches on desktop systems.
Jake Olcott, vice president of business development for BitSight, a cybersecurity company that looks at internet data to help organizations assess risk and security performance, said the IG highlighted long-standing problems at NASA that could lead to the biggest problems found in the Security Scorecard report.
“This is a governance challenge for them just like any company that has a lot of business units and a lot of individual operating business units,” said Olcott, who focused on cybersecurity during his time on Capitol Hill, where he worked as a staff member for the House Homeland Security Committee and the Senate Commerce, Science and Transportation Committee. “There is a challenge in creating a structure for cybersecurity and cyber oversight. The way things are structured today, NASA has CIOs and CISOs for all of its different labs and centers, and then it has a CIO and CISO at headquarters. That makes the governance model challenging. You see the same thing with the private sector trying to implement a similar setup with varying amounts of success.”
Olcott said NASA uses a federated model, so headquarters doesn’t have the command-and-control authority it needs and, at the end of the day, is trusting business units to operate in a cybersecure manner.
Olcott said for any organization, oversight is a critical function to motivate behavior.
“This is not just a NASA challenge, but one for every federated organization,” he said. “If nobody is held accountable for things, including cyber, the status quo will continue.”
That idea of holding the agency more accountable is starting to get through to Congress.
The Senate Commerce Committee continues to follow NASA’s oversight. A spokesman for the committee said it “continues oversight efforts and to review information related to cybersecurity challenges.”
And the Senate Appropriations Committee included language in its fiscal 2017 spending bill about the space agency’s cyber efforts.
“The committee’s recommendation includes the full request for the Agency information technology services to support shifting NASA’s IT model to one that enhances cybersecurity with strong governance and strong information security practices,” the Senate report said.
The committee passed the Commerce, Justice, Science spending bill April 21.
As the evidence builds that NASA’s cyber posture needs rapid improvement, and as attention from Capitol Hill continues to increase, new CIO Renee Wynn and her staff would be better served by beginning a more public campaign to fix these problems. Otherwise, NASA will follow in the footsteps of the departments of Education and Veterans Affairs and the Office of Personnel Management, where CIOs get blamed for the sins of the past and executives are put on the hot seat before angry lawmakers.