The International Space Station (ISS)
(2 of 2)
Even within a single NASA center, security can be fragmented. Each mission operates under its own directorate, and they all may impose different cyber-standards. Thus, the Juno mission to Jupiter may have tighter IT controls than the Cassini mission to Saturn, and both may be looser than the Messenger mission to Mercury. This again is as much a function of NASA's legacy of balkanization as it is of any inherent laxness.
In NASA's defense too, the alarming number of security breaches Martin revealed may be inflated by the simple fact that NASA conducts more investigations than other government agencies do and thus spots more problems. This is the same kind of statistical illusion that can result when a more sensitive test for a particular disease makes it look like a sudden epidemic has broken out, when all that's happened is that more cases are being detected. "This fact could skew perceptions with regard to NASA's relative rate of significant intrusion events compared to other agencies," Martin argues.
None of this is to say NASA hasn't been careless. The shuttle program's main servers were not scrapped after the final ship flew, but rather sold. Their memories and hard drives were supposed to have been digitally sanitized before sale, but ten of the computers were released after having failed sanitization testing and four more like them were pulled from sale just in time. Discarded hard drives at one unnamed NASA center were found tossed in a Dumpster.
What's more, the stolen laptop that contained the ISS data was hardly an anomaly. From April 2009 to April 2011, NASA reported the loss of 48 mobile devices, and while a little of that may be unavoidable — what large organization doesn't deal with electronic loss and theft? — the agency has failed abysmally to encrypt its systems properly. Government-wide encryption rate for mobile devices is 54%, according to Martin. NASA's rate? Just 1%.
Permanent fixes to this leaky system won't come cheap. NASA already spends $58 million dollars per year on cybersecurity out of a $1.5 billion IT budget. And that itself is about 10% of the agency's entire annual funding. Somewhere in there they need the money to build spaceships and keep the lights on at the centers.
But the answer would not have to depend solely on upgrading to better and more secure electronics. NASA has already changed its internal structure so that all Agency security falls under a single command center, located at Ames. Martin boasts that 69 recommendations for improved security have resulted from various investigations by his office in the past 5 years and 51 of them have been implemented so far. He is also moving faster than other parts of the government to anticipate — and prepare for — security risks as more and more agencies make the switch to cloud computing.
NASA was ahead of the rest of the government in getting itself computerized half a century ago — something it was rightly proud of at the time. Now it has to be equally nimble at keeping those systems safe.