NASA centers fail to report cyberattacks

NASA's inspector general told a Senate subcommittee last week that parts of the agency are failing when it comes to fending off and reporting hacker attacks, leaving the agency vulnerable to people who would steal or alter sensitive data.

Roberta Gross, IG for the agency, told the Senate Science, Technology and Space Subcommittee that simple actions - such as recruiting more workers who are attuned to information security issues and making sure NASA centers use the latest software security patches - can go a long way toward making the agency's networks more secure.

But she said broader problems, such as failures by NASA centers to report cyberattacks, remains an obstacle to better oversight of information security. Moreover, she said an internal NASA organ-

ization - NASA's Automated Systems Incident Response Capability - must improve its performance. "That [organization] has not been performing adequately," she said. Gross added that her office next month will issue a report on NASIRC's performance.

Gross' criticism comes in the wake of a recent cyberattack on two NASA centers. She confirmed to FCW that the attacks occurred in the past month, but she declined to reveal which NASA centers had been attacked or any details of the attack. Gross also told FCW that her office had not fully analyzed the attacks to determine the amount of damage they may have caused or how they might have been prevented.

She said NASA centers did not report the two recent cyberattacks to her office. Rather, staff members in her office learned about the attacks through "other ways," which she did not identify. She said alerting top NASA officials of attacks is one of the "low-cost, free things" that NASA centers can do to help leaders defend against and prevent attacks.

Gross told senators Thursday that keeping NASA leaders, including those in the IG's office, informed of cyberattacks is important because of the agency's decentralized nature. NASA is made up of several centers.

"This multiple-center approach leads to serious coordination problems, diminishes corporate oversight and leaves NASA partners more vulnerable," she said. "NASA is a vulnerable target because it depends heavily on IT and the Internet to support the operations it conducts at its field centers and other facilities across the United States and abroad."

Subcommittee chairman Sen. Bill Frist (R-Tenn.) agreed. "In many ways [NASA's dependence on the Internet] does invite potential internal abuse and external abuse," he said.

Cathy Cromley, director of federal marketing for Secure Computing Corp., stressed the importance of sharing information when systems are abused or hacked. "In not sharing information internally, NASA and the government as a whole cannot benefit from lessons learned," she said.

Keith Cowing, editor of NASA Watch, an independent World Wide Web site, said NASA's security problems stem from inconsistencies at the agency. "Despite all the arm-waving and so forth, they've never really had a consistent [information security] policy," he said.

According to Cowing, NASA has to struggle to balance the public's interest in accessing NASA information via the Web with protecting sensitive information. "It again goes back to the chief information officers at each respective center having different policies," he said. "Some centers just seem to go out of their way to make things public."