Governance & Risk Management , IT Risk Management
Report Urges NASA to Improve Cybersecurity Risk ManagementGAO Offers Recommendations to Improve Space Agency's Cyber Protections
A government watchdog is urging NASA's administrator to make multiple improvements to its cybersecurity and risk management policies to counter threats to the space agency's network infrastructure and data, according to a report released this week.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
In a letter sent to NASA Administrator Bill Nelson, the Government Accountability Office is urging the space agency to implement three specific recommendations to improve security, including conducting an organizationwide cybersecurity risk assessment, developing an inventory of systems used to store data and establishing which agency workers have responsibility for cybersecurity and IT management.
"We have designated information security as a governmentwide, high-risk area since 1997 and subsequently expanded this high-risk area to include protecting cyber critical infrastructure and securing personally identifiable information," the GAO report notes. "Accordingly, federal agencies need to take urgent actions to ensure that they have programs in place to protect their information technology systems and sensitive information against increasing cyber risks."
For its part, NASA has agreed with the three main recommendations outlined in the GAO letter and is looking to begin implementing two of them by the end of this year, according to the letter, which is dated June 21 but was officially released this week.
The GAO report comes after NASA's inspector general released a report in May that found the space agency is increasing a target of cyberthreats and that the number of security incidents has increased since the COVID-19 pandemic started in March 2020.
The inspector general's report notes that NASA is currently attempting to secure 3,000 websites across the agency as well as 42,000 publicly available data sets.
"This year in particular NASA has experienced an uptick in cyberthreats: phishing attempts have doubled and malware attacks have increased exponentially during the COVID-19 pandemic and the concomitant move to telework for much of the NASA workforce," according to the inspector general's report. "The agency’s cybersecurity challenges are further exacerbated by the number and variety of IT devices at NASA and the sheer volume of data the agency maintains."
Over the last four years, the inspector general found that NASA has reported about 6,000 attacks against the agency's infrastructure, including phishing campaigns and malware planted on devices. In addition, the supply chain attack and cyberespionage campaign against SolarWinds and its customers should encourage NASA to develop better cyber defenses.
"Attackers are not only developing new techniques to evade security, but threats - such as spam, phishing, and malware - are growing in complexity and precision. The importance of having a robust defense against such attacks was highlighted by the SolarWinds breach," according to NASA inspector general.
The GAO letter details three specific recommendations for NASA to implement to improve cybersecurity:
- NASA leaders should apply the proper assignment codes to agency employees as outlined in the National Initiative for Cybersecurity Education - NICE - framework to ensure that the space agency knows which workers have specific responsibility for cybersecurity and IT management and which ones do not.
- NASA's administrator should conduct an agencywide risk assessment. The GAO has been urging the agency's leadership to conduct this type of assessment since July 2019, according to the letter.
- NASA needs to develop a time frame to create an inventory of electronic information systems used to store agency records, the letter notes.
While NASA agreed with all three recommendations, the agency plans to complete only two of them by the end of the year. The letter notes NASA is working to ensure all employee codes are in line with the NICE framework by November, and that it has started planning for an agencywide risk assessment in April - a process that should be complete by September.
NASA also noted that it has started the process of conducting the inventory of agency storage systems, but did not give a specific date for when that will be completed, the letter notes.
Erich Kron, security awareness advocate at security and consulting firm KnowBe4, notes that while these GAO recommendations might seem basic, government agencies, including NASA, often lack the resources and personnel to ensure that cybersecurity practices are followed.
"Many of these critical government organizations struggle with the cost of these assessments, the manpower required to perform them and the cost of the mitigations once the vulnerabilities are identified," Kron says. "This has always been a struggle in public sector organizations and will continue to be one for the foreseeable future."
John Bambenek, threat intelligence advisor at security firm Netenrich, notes that conducting a risk assessment is an essential cybersecurity function and it should not take years to do.
"It’s hard to justify why it takes years to get one done, however, you simply can’t have an intelligence security program if you don’t know what your actual risks are," Bambenek says. "The slowness of federal agencies in doing the basics means they’ll remain vulnerable to attackers."
NASA and Cyber
Over the years, various watchdog reports and audits have detailed security issues within NASA. In 2019, the space agency's Jet Propulsion Laboratory was the subject of an inspector general's report that found attackers had repeatedly stolen valuable data - including launch codes and flight trajectories for spacecraft (see: NASA's Jet Propulsion Lab a Frequent Hack Victim: Audit).
Another report found that despite spending $2.3 billion on IT, networking and cybersecurity in 2019, NASA has struggled to implement agencywide security policies (see: NASA Still Struggling With Agencywide Cybersecurity Program).