The “algorithms used to command and control the International Space Station” were lost when an unencrypted NASA laptop computer was stolen in March 2011. That tidbit came in testimony Wednesday delivered by NASA Inspector General Paul K. Martin as he reported on the space agency’s IT security track record.
The loss of the ISS command code was symbolic of one glaring deficiency: a lack of data encryption on mobile devices. Martin testified:
“NASA has been slow to implement full-disk encryption on the notebook computers and other mobile computing devices it provides to its employees, potentially exposing sensitive information to unauthorized disclosure when such devices are lost or stolen. In fact … the OMB reported a Government-wide encryption rate for these devices of 54 percent. However, as of February 1, 2012, only 1 percent of NASA portable devices/laptops have been encrypted.”
Martin said NASA also faced a host of network security threats from organized efforts to hack into its systems. While his testimony made it clear that the organization was struggling to bring all of its far-flung operations into line, Martin did report that efforts were being made to track and respond to security breaches on a number of levels.
“Because of NASA’s status as a ‘target rich’ environment for cyber attacks, the OIG devotes substantial resources to overseeing NASA’s efforts to protect its IT systems. Over the past 5 years, we have issued 21 audit reports containing 69 IT-related recommendations. In addition, OIG investigators have conducted more than 16 separate investigations of breaches of NASA networks during the past few years, several of which have resulted in the arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia.”
NASA spends at least $1.5 billion on IT each year, with $58 million of that going to security, though Martin noted those numbers may be low due to the nature of how individual programs and projects get funded.