NASA wrestles risk

The space agency's new approach to electronic risk management represents a philosophical change.

NASA has a new mindset when it comes to protecting information, officials and vendors say.

The space agency, traditionally open and promotional, has been testing myriad security systems recently. A NASA security official called electronic risk management a philosophical change, since most scientists think that all their work should be shared with the public. But national security and intellectual property are at risk, the official said.

"All our information is not available to the rest of the world," he said, adding that otherwise, unauthorized users could tap satellite, telecommunications and aeronautics information and use it for weapon systems building or black market sales to other countries.

NASA tests many types of risk management software to prevent electronic information from leaving NASA networks unmonitored. But most companies package extraneous functions into their security appliances, the official said. "The problem with security today is that too many companies come in with a Mercedes, when we only need a Ford," he said.

As a result, the agency may ask for modifications from would-be security vendors. Customizing and combining an offer to conduct security assessments with a proposal related to a secured data software package for e-mail saved about $15 million, the official said.

Technology vendors say they can see the difference in NASA’s new take on intellectual property and security. "They seem to be moving from the defensive posture to more offensive posture," said Kevin Cheek, vice president of marketing for Reconnex, whose iGuard network appliance is currently being used in a NASA pilot program.

Content that leaves the networks of Ames Research Center, Marshall Space Flight Center and NASA headquarters is stored by iGuard for real-time document scanning and network forensics, which involves analyzing network events to discover the source of security attacks or other problems.

The agency has been evaluating Reconnex's appliance for two months and plans to test it for at least six more months, the NASA security official said.

Space agency employees must regularly and physically monitor the application’s data sheets and logs to prevent leaks. While it is natural to share data with universities and aeronautics contractors, who possess passwords, mistakes sometimes occur.

"Most leaks are not intentional. They’re just sloppy," the official said, adding that NASA will not turn into an armed camp. "We don’t want to wait for the leak to occur, we’re trying to fortify the firewalls."

A product from technology and services company Strategic Thought is being used for NASA's redesigned exploration projects. The Exploration Systems Mission Directorate has mandated that Strategic Thought's Active Risk Manager -- a Web-based, commercial, off-the-shelf product -- be used by all programs to help mitigate mission problems.

"If they continued to have cost overruns, budget overruns or kill people, their reputation was not going to be enhanced," said Karl Pringle, Strategic Thought general manager. "With the new directorates, they are taking risk very seriously."
