Budget cuts, culture hurt NASA systems

Despite an increasing number of hacker attacks, NASA's computer and communications systems remain critically vulnerable to outside manipulation because of budget pressures and cultural bias, agency officials concede.

Hackers have already attached password sniffers to NASA systems and used the space agency's computers to store and exchange stolen data and software. And there are fears that satellites could be "hijacked" by hackers armed with nothing more than a PC and a ham radio.

This is not science fiction, NASA security experts insist. No attacks on satellites have been detected, but "the only reason it hasn't happened is because hackers haven't thought about it yet," said Jack Symanek, a communications security specialist at NASA.

"We continue to see an increase in the number of incidents reported to us," said Frank Husson, an employee of Hughes STX and manager of the NASA Automated System Incident Response Capability, which tracks system break-ins. "And we are positive that there are a number of things that are not being reported to us."

Ironically, specialists inside and outside the agency say NASA is one of government's leaders in preventing and combatting computer crime. In the past year, the agency has launched a series of new initiatives to protect NASA systems from intrusions and tamperings.

Nevertheless, attacks on NASA systems are increasing. Factors forcing the trend are:

* Information security programs that, due to NASA budget cuts, cannot keep up with the increase in network attacks.

* Lack of staff to monitor mission-critical systems because of government furloughs.

* A university-like culture that favors open communications over the Internet rather than more safeguards through encryption and authentication.

NASA's mission to disseminate information to the public often comes into direct conflict with its need to secure systems, said John Pike, director of the Space Policy Project at the Federation of American Scientists. "NASA, by definition, has an extremely porous environment. I think it's a dilemma that has to be lived with rather than solved," he said.

At no time was this dilemma more apparent than during the government furloughs, when NASA left many of its publicly accessible World Wide Web home pages and systems up and running without being monitored.

During the second shutdown, a hacker placed pirated software on a file transfer protocol server at NASA's Lewis Research Center, according to Pam Kotlenz, the information technology security program manager for Lewis. As a result, the ftp site acted as a distribution spot for pirated software on the Internet. The incident was not reported until after the shutdown ended.

Simply turning off all of NASA's connections to the Internet during such times is not the answer.

"I don't think that Congress or the public have a full appreciation for the fact that you cannot disconnect these systems. It would be like pulling out all the phone wires," said Rick Carr, manager of computer systems security for NASA.

Security has become a greater concern as NASA works more closely with industrial partners, who have an interest in protecting trade secrets. One such case is the High-Speed Research (HSR) Program, which involves a coalition of aeronautics companies developing high-speed airplane technology.

NASA security experts said engineers and contractors regularly send design plans, telemetry and wind tunnel data for the HSR plane over the Internet. They either send the plans unprotected, or they send the plans protected with encryption and software that can be easily cracked.

Security Concerns Not Widely Shared

Not everyone is convinced NASA has a problem. Mike Henderson, a program manager for Boeing, which is a partner in the HSR Program, believes there is only minimal exposure for sensitive data.

"We've been using mail and FedEx, not the World Wide Web, for large data sets," he said. "We don't ever send large data sets in an uncontrolled environment."

Other NASA contractors said their security funding, if anything, is increasing.

"We're not seeing any arbitrary cutbacks" in computer security, said Mike Plett, Computer Sciences Corp.'s vice president of the Program Information Systems Mission Services program at Marshall Space Flight Center. "We're of course trying to do everything we can better, faster and cheaper, but computer security is not being targeted as a specific area for cuts. It has become a more and more important issue."

Nevertheless, NASA is urgently pressing ahead with several strategies aimed at boosting security.

For example, the agency chief information officer's office has called for the HSR Program to conduct a risk assessment to examine the relative risk of industrial espionage in HSR. And NASA is trying to address the problem of vulnerable ground-to-satellite communications by sending warning letters to program managers to stress the need to design strong security mechanisms into satellites.

"We want to try and get security planning involved way up front," said NASA chief information officer John Lynn. "In order to secure uplinks and downlinks, it's necessary to design that in."

Also under Lynn's office, different NASA centers have been chosen to address particular computer security issues that affect the entire agency, such as incident response and software testing. An information systems security committee is now one of the three essential parts of NASA's Information Technology Management Steering Council.

"I think we're becoming more proactive," NASA's Carr said. "There's more cooperation. The concept of participating as a team in terms of prevention in a criminal investigation is being better understood."

But observers question whether NASA will ever be able to rid itself of its security problems.

"Unless you're prepared to throw a lot of resources out there, and in some cases cut functionality," the number of incidents will keep going up, he said.