Review tests NASA's security

The National Security Agency, the supersecret agency known for its computer security expertise, soon will begin trying to penetrate NASA's mission-critical systems as part of a comprehensive security review by the General Accounting Office of agencies' key computer systems.

Jack Brock, GAO director of information resources management and general government issues, last week confirmed that NASA will be the third agency to be subjected to such a review. GAO officials, at the request of the Senate Governmental Affairs Committee, have completed security reviews of critical systems at the State Department and the Federal Aviation Administration.

Lee Holcomb, NASA's chief information officer, said NASA officials are negotiating final details of the testing procedures. He said the systems to be tested will be unclassified and will most likely span the entire agency. NASA routinely performs computer security tests, and the agency's inspector general and its financial auditing contractor also perform extensive system auditing, he said.

Holcomb said the tests probably will take place late this spring. Employees are being notified that the tests will occur, but there still will be "some element of surprise," he said.

In a recent memo, Scott Santiago, chief information officer of NASA's Ames Research Center, warned agency employees of the upcoming NSA "attack." The tests will affect computers that are either owned or funded by the government, and users should expect no privacy during the tests, according to the memo.

Officials from NSA could not be reached for comment.

GAO's reports about computer security at State and the FAA have been classified as secret, and the reports have been forwarded to the committee, Brock said. But the committee is working to prepare a version of the reports that can be made public, a committee aide said.

"Those agencies (that GAO has studied) had some of the most critical information in terms of safety," the aide said. "Certainly people care about the value of information when it relates to safety. Sen. [Fred] Thompson (R-Tenn.) has expressed his serious concerns about the issue and is anxious to have a hearing."

In addition to these three agencies, GAO last week completed a security review of key financial systems at the 24 agencies that are represented on the Chief Financial Officers Council. GAO targeted financial systems because at many agencies, these systems support core missions, particularly at the Social Security Administration, the Health Care Financing Administration and the departments of Treasury and Veterans Affairs.

A report on the review, which will be made public, is expected to be completed in May, said Jean Boltz, assistant director of governmentwide and defense information systems in the Accounting Information Management Division at GAO.

An initial summary of the review findings released last month concluded that computer control weaknesses in key financial systems were "pervasive across government." The report specifically cited weaknesses at HCFA and SSA.

Barry Collin, senior research fellow at the Stanford, Calif.-based Institute for Security and Intelligence, said NSA officials recently performed security assessments for the Defense Department. He said he did not know if NSA previously had performed testing for civilian agencies.

NASA, Collin noted, has long been a popular target for hackers because of its large number of scientific users, who are known for favoring open communications environments. Now, as NASA moves increasingly toward commercial activities, Collin said the agency has become a target for unauthorized users seeking something of value rather than just pulling a prank. NASA officials have recently considered prohibiting individual desktop modems and disconnecting large systems from external networks in an attempt to ward off hackers, he said.