I once had a chance to hijack the Voyager spacecraft, or at least that's how it seemed. It was back in 1999 and I was in a red-brick building on an unremarkable stretch of Madre Street in Pasadena, a little outpost of NASA's Jet Propulsion Laboratory (JPL) that was home to the few lonely consoles still monitoring the twin Voyager spacecraft. Even at that point, the ships had long since completed their primary missions. Voyager 1 was 6.51 billion miles from Earth; Voyager 2 was 5.02 billion, and while they were (and indeed, still are) beaming back information about the deepest reaches of the solar system, it was hardly the kind of picture-rich data-stream that requires a full-blown mission control team to manage. So it was down to just a console or two on Madre Street, one of which was unattended and bore a bright orange sticker with the all-caps notice: "CAUTION. THIS IS A LIVE VOYAGER CONSOLE. DO NOT TOUCH."
I didn't touch and I would have hardly known what kinds of mischievous signals to send the ships even if I had. But there are plenty of people around with a decidedly more criminal bent, and these days, they've got the know-how to strike. Worse, they don't even have to go to Madre Street or any other part of NASA's vast web of control centers anymore. They can and increasingly do reach into the space agency's systems from anywhere in the world.
In detailed testimony delivered on Thursday to a House subcommittee on investigations and oversight, NASA Inspector General Paul Martin painted a disturbing picture of an agency under electronic siege, with hackers from China, Italy, the U.K., Nigeria, Portugal, Romania, Turkey, Estonia and the U.S. itself attempting increasingly brazen attacks on operations both on the ground and in space. The network controlling the space shuttles was cracked, and while those ships have since been mothballed, the International Space Station (ISS) remains a fat and floating target. In perhaps the most alarming portion of Martin's testimony, it was revealed that just under a year ago, a laptop was stolen, and on its hard drive were critical algorithms used to command the ISS.
Overall, in 2010 and 2011, there were a breathtaking 5,408 computer security incidents involving either unauthorized access to NASA systems or the insertion of malware. In 2011, there were 47 major instances of hacking, 13 of which were successful at least to the extent that they somehow affected the operation of the targeted computers. In one case, "the attackers had full, functional control over...networks," Martin said in his official statement to the committee.
Bloggers and much of the rest of the web have been all over the story, anxious as ever to pounce on any new incident of perceived NASA fecklessness. And while the report is serious, you can be pretty sure we're at no risk of seeing some basement hacker send the ISS pinwheeling into solar orbit. The systems are just too complex and redundant for that. What's more, NASA is doing a creditable job of working to contain the problem and at the same time providing a possible template for other government agencies facing cybersecurity threats of their own.
One of the main reasons for NASA's particular vulnerability to cyberattack, apart from the fact that it has so many computers and is uniquely dependent on communicating with people and machines very, very far away, is that it has such a multiplicity of headquarters and centers. This was by design and dates from the 1950s, when the agency was first formed.
Rather than building NASA from scratch, Washington officials simply went cherry-picking from among existing tech labs, military bases and missile sites around the country: Ames in California, Canaveral in Florida, Huntsville in Alabama, Goddard in Maryland. The only major NASA center built de novo was in Houston, and that was the doing of Lyndon Johnson, who was Vice President at the time and wanted his home state to get the biggest, sweetest NASA plum of all. This kind of distributed structure did limit start-up costs and help in the dissemination of science, but it left the NASA of half a century later with a lot of weak spots in a security system that has to weave so many disparate servers and databases together.
Even within a single NASA center, security can be fragmented. Each mission operates under its own directorate, and they all may impose different cyber-standards. Thus, the Juno mission to Jupiter may have tighter IT controls than the Cassini mission to Saturn, and both may be looser than the Messenger mission to Mercury. This again is as much a function of NASA's legacy of balkanization as it is of any inherent laxness.
In NASA's defense too, the alarming number of security breaches Martin revealed may be inflated by the simple fact that NASA conducts more investigations than other government agencies do and thus spots more problems. This is the same kind of statistical illusion that can result when a more sensitive test for a particular disease makes it look like a sudden epidemic has broken out, when all that's happened is that more cases are being detected. "This fact could skew perceptions with regard to NASA's relative rate of significant intrusion events compared to other agencies," Martin argues.
None of this is to say NASA hasn't been careless. The shuttle program's main servers were not scrapped after the final ship flew, but rather sold. Their memories and hard drives were supposed to have been digitally sanitized before sale, but ten of the computers were released after having failed sanitization testing and four more like them were pulled from sale just in time. Discarded hard drives at one unnamed NASA center were found tossed in a Dumpster.
What's more, the stolen laptop that contained the ISS data was hardly an anomaly. From April 2009 to April 2011, NASA reported the loss of 48 mobile devices, and while a little of that may be unavoidable (what large organization doesn't deal with electronic loss and theft?), the agency has failed abysmally to encrypt its systems properly. The government-wide encryption rate for mobile devices is 54%, according to Martin. NASA's rate? Just 1%.
Permanent fixes to this leaky system won't come cheap. NASA already spends $58 million per year on cybersecurity out of a $1.5 billion IT budget. And that itself is about 10% of the agency's entire annual funding. Somewhere in there they need the money to build spaceships and keep the lights on at the centers.
But the answer would not have to depend solely on upgrading to better and more secure electronics. NASA has already changed its internal structure so that all Agency security falls under a single command center, located at Ames. Martin boasts that 69 recommendations for improved security have resulted from various investigations by his office in the past 5 years, and 51 of them have been implemented so far. He is also moving faster than other parts of the government to anticipate and prepare for security risks as more and more agencies make the switch to cloud computing.
NASA was ahead of the rest of the government in getting itself computerized half a century ago, something it was rightly proud of at the time. Now it has to be equally nimble at keeping those systems safe.