Judging from Federal News Radio’s Web traffic, a lot of people are wondering about cybersecurity at NASA. We don’t know yet if NASA will feel repercussions from our story on the agency’s seeming neglect of cyber. But Jason Miller’s reporting should make NASA brass figure out they need to do something.
The detail I found telling was how an external company, Security Scorecard, was able to see 10,000 pings to malware sites from within NASA for weeks or longer. It means whoever monitors networks and applications at NASA either failed to see or failed to do something about implanted threats. It reminds me of the pinging in the movie Alien, indicating something awful. With good security management, malware is easier to keep under control than the alien.
Maybe Sigourney Weaver should be appointed chief information security officer at NASA.
For those who like graphics, several cybersecurity company websites maintain scary, real-time maps of worldwide malicious cyber activity. Brian Krebs published a roundup of them a couple of years back. Cyber hack attempts are like televised soccer — no matter when you look, there’s a game on somewhere.
It’s not that NASA tech people don’t know about cybersecurity. They do. But they don’t seem to get attention from the program people, who, according to Jason’s sources, look at cyber as a computer-guy thing. They themselves are busy designing and launching Mars missions, and sophisticated satellites and probes. As management consultants would put it, NASA has a cultural issue.
An often repeated, and almost certainly apocryphal, story concerns President John F. Kennedy’s visit to Cape Canaveral, when he asked a janitor what his job was. The janitor replied that he was helping put a man on the moon. I heard it repeated just the other day. Agencies pay contractors to tell them how to inspire their people to buy into the mission.
Perhaps NASA leadership thinks the cybersecurity people think that way. Probably they do. But because cybersecurity is an operational, intellectual property and safety concern, program managers should look at cybersecurity the same way they consider engine readiness or whether oxygen lines leak. For safety, mission managers lock down systems configurations some time before a launch. Nuclear power plants are equally stringent on maintaining known and unvarying configurations. Afterward, insiders say, the systems should get the patches they didn’t get while locked down.
NASA also must fix the uncomfortable relationship it has with a contractor hired — for $2.5 billion — to manage its network end points. Its job is also to help put people on Mars.