Concerns Over NASA Security and Privacy

In December we saw that the United States (US) National Aeronautics and Space Administration (NASA) come out with an announcement that their servers were compromised nearly two months prior to the announcement (October).  It is believed that the unauthorised access was made on servers that contained former and current NASA employee data.

We had a brief look into this from an outsider perspective and you don’t have to go very far to come across information that causes some concern over how effective NASA’s Cyber Security and Privacy programmes really are.

NASA’s Breach Response Incident and Management – Not updated regularly and difficult to see how it is followed

We carried out a brief review of NASA’s Privacy Incident and Management Policy and within this NASA identifies that an individuals name, combined with either address, mother’s maiden name or date of birth qualify as Sensitive Personal Information (SPI).  From this information and the notice from NASA, there is a high chance that the data compromised was classified as SPI in terms of NASA’s interpretation.

On reviewing the latest breach with NASA and contrasting this with a comprehensive, yet dated document, it is difficult to believe this was followed in the recent security breach, as the steps are time-bounds and do not really correlate with a breach being communicated several months after it became known.

NASA Ref: ITS -HBK-1382.05.-01

Privacy and Information Security – Overview Document

This document is stated to “bridge the gap between privacy and security” and also “to ensure that individuals within the privacy community are aware of the privacy related responsibilities.”

Since this document was drafted, it doesn’t appear to have been reviewed for three years, following a review it then went to version 1.1 (although the document still has v1.0 throughout its footer) and then hasn’t been reviewed since 2015.  Of course, it is not uncommon for policies and procedures to not be reviewed in a timely manner but for an organisation with the stature, responsibility and budget that NASA has, combined with their recent mishaps, this does cause you to feel concerned and think they’re not taking these issues seriously.

NASA Ref: ITS 8HBK 81382.04

NASA have confirmed that no missions were endangered as a result of their recent compromise and we anticipate that they may have been informed by US authorities to hold off informing data subjects of the attack whilst their investigation is carried out, as this has happened during previous investigations.

Previous breaches

This is not the first time the agency has been hacked and in fact they suffered similar breaches in 2011 and 2016.  In 2011, the agency suffered 13 separate network security breaches including an incident whereby the hackers gained full control of the agency’s systems and were able to modify, copy or delete information.  In 2016, the hackers attempted to bring down a multi-million dollar drone, an attack which may be beneficial to Gatwick Airport!

Warning signs

Without being on the inside surely a breach of this nature, against an organisation such as NASA raises some questions over their ability to;

Without being on the inside surely a breach of this nature, against an organisation such as NASA raises some questions over their ability to;

• Appropriately secure their infrastructure and associated data
• Identify, detect and respond to incidents in an effective manner

US security frameworks such as the Federal Information Security Modernisation Act 2014 (FISMA) were developed to improve cyber security across federal agencies and NASA have scored considerably low in previous assessments.  For an organisation of this size and importance, surely this is something that has to be immediately addressed, as NASA do not appear to be learning from past mistakes and we are yet to understand the root cause of the incident.  The statement made by NASA also raised concerns with us, particularly the sentence “NASA is continuing its efforts to secure all servers, and is reviewing its processes and procedures” surely they should have already been secured, along with processes and procedures being constantly reviewed a long time ago, yet evidence suggests otherwise.

What are your thoughts on this issue?