Protecting NASA From Hackers Is Not Rocket Science, Say Analysts
Mar 5, 2012 12:23 PM PT
NASA has become a popular target of hackers. The space agency's computer network was breached 13 times in 2011 -- to the point where suspected Chinese hackers gained "full functional control" of computers used by NASA's Jet Propulsion Laboratory," a government inspector general told congressional investigators.
The agency spends just US$58 million of its $1.5 billion annual budget on computer security, NASA inspector general Paul Martin said recently.
That low priority extends to physical security. Codes controlling the International Space Station, along with data on the agency's Constellation and Orion programs, were exposed after personnel lost unencrypted notebook computers, Martin told the U.S. House Committee on Science, Space and Technology.
Hackers Gained 'Full Control' of NASA Computers
In November, NASA learned hackers had taken "full functional control" of computers based at the JPL, according to the inspector general. The attack -- routed through an IP address based in China -- permitted them to steal NASA credentials, cover their tracks, and upload software designed to exploit further security vulnerabilities.
"Our review disclosed that the intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL's networks" Martin testified.
UK-Based NASA Hacker
Gary McKinnon, a 45-year-old hacker based in the UK, is accused of breaking into NASA computers, among other U.S. government networks during 2001 and 2002. In February, a 20-year-old hacker that went by the handle "TinKode" was arrested by Romanian police, charged with infiltrating NASA computers.
Although the agency watchdog suggests the rather trivial amount of spending aimed at computer security is to blame for the repeated hacking, the problem may be more deeply rooted.
'The Real Issue Is NASA'
It's no surprise the space agency has become a playground for hackers, said John Pescatore, security analyst with Gartner Research.
"The real issue is NASA," he told TechNewsWorld.
"The major, major problem hurting NASA is they don't have a strong IT governance approach," said Pescatore.
NASA is like a fiefdom of competing opinions, he said, over things like whether to base networks on Windows or Macs, or whether laptops should carry security software. While these issues have been long resolved in the corporate world, NASA is different.
More Like a College Campus
"There is no such thing as a secure system that is not well-managed," Pescatore said.
The Social Security Administration, he noted, has top-down security rules governing everything from the type of computer employees can use to the brand of security installed on every desktop and laptop holding Social Security Numbers.
By comparison, NASA is "more like a college campus," Pescatore observed.
Although NASA's distributed organization helped during the U.S. push to the moon, what was once an advantage has become a negative. With the agency's lack of a clear mission following the end of space shuttle flights, the focus has moved away from security, he said.
Top Priorities: Stronger Leadership
What does NASA need to do to improve security? If he were made security czar, Pescatore said, his first move would be give NASA's chief information officer more power to enforce rules regarding security.
As Martin's testimony before Congress showed, the agency's CIO "can't enforce anything" now, he noted.
Another goal should be to reduce the number of entrances into NASA computer networks now available to hackers, Pescatore continued.
As the U.S. Defense Department discovered when its networks came under cyberattack, the agency must reduce the number of "trusted Internet connections" and closely watch their activity, he said.
NASA Is 'Hacker Honey'
Improvoing NASA security measures should start with the realization that its networks are "hacker honey," said independent security analyst Randy Abrams.
Unlike other agencies that might have data of direct commercial appeal, NASA is more of a Rubik's Cube for hackers, he said. Because the space agency's computers hold interesting information and hackers tend to be intelligent, it makes an "enticing target."
One of Abrams' favorite vacation activities is to see what information tourists unwittingly left behind when using a hotel's public computers.
Although brainy, NASA employees may not be trained to avoid simple security mistakes, he suggested, and it might be a good idea for NASA to "phish" its staff to uncover security weaknesses.