The US Government Accountability Office reports that NASA has not yet fully implemented key parts of its information security program despite the publicity around Gary McKinnon, the so-called NASA hacker.
According to a report from the Government Accountability Office released on 15 Oct., “NASA [does] not consistently implement effective controls to prevent, limit and detect unauthorised access to its networks and systems.”
While the report found that “NASA has made important progress in implementing security controls and aspects of its information security program,” it said NASA’s networks remain vulnerable.
“A key reason for these weaknesses is that NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively,” the GAO wrote, (PDF) and pointed out, “Many of these systems and networks are interconnected through the Internet, and may be targeted by evolving and growing cyber-threats from a variety of sources.”
The GAO also said, “During fiscal years 2007 and 2008, NASA reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorised access to sensitive information. To address these incidents, NASA established a Security Operations Center in 2008 to enhance prevention and provide early detection of security incidents and coordinate agency-level information related to its security posture. Nevertheless, the control vulnerabilities and program shortfalls, which GAO identified, collectively increase the risk of unauthorised access to NASA’s sensitive information, as well as inadvertent or deliberate disruption of its system operations and services.”
“GAO’s findings reminds us that much remains to be done to ensure the security of all of our federal agencies’ IT networks,” Rep. Bart Gordon, chairman of the House Science and Technology Committee, said in a statement. “However, regulation and legislation alone will not suffice. Agencies and departments must follow through with corrective actions to mitigate identified vulnerabilities. GAO has performed an invaluable service to NASA by identifying weaknesses and recommending needed improvements.”
NASA generally concurred with GAO’s recommendations that “the NASA administrator take steps to mitigate control vulnerabilities and fully implement a comprehensive information security program.”
“This GAO audit provides the NASA administrator and his team with important information [with which] to strengthen its cyber-security controls and processes. Correcting the vulnerabilities identified by GAO will take determination, time and focused leadership. We will continue to monitor NASA’s performance in this important area,” said Rep. Gabrielle Giffords, chair of the Space and Aeronautics Subcommittee.
Gary McKinnon is reportedly facing up to 60 years in jail in the US after he was indicted in late 2002 for hacking into military computers between February 2001 and March 2002. The US alleged his hacking caused it to shut down critical systems and networks in the aftermath of the 9/11 attacks, and caused damages of approximately £435,000.