NASA Faces Serious Danger Due to a Big Black Hole in its Security
Reading Time: 2 minutes

NASA faces serious danger to its operations due to a big black hole in its security, according to an infosec audit against insider threats. 

NASA published its Insider Threats Program on Monday, in an effort to defend and prevent insider threats to classified information. According to NASA’s definition, it is “Official information regarding the national security that has been designated Confidential, Secret, or Top Secret.”

The report further stated, it has “created an insider threat reference website that assists employees and contractors with identifying threats, their risks, and follow-up information.” 

This means NASA has deployed defenses that include user activity monitoring and adopted mandatory agency-wide insider threat training as well. 

According to the report, NASA has done well to protect the Classified info, though a large number of its tech is not Classified. It includes numerous “high-value assets and critical infrastructure.”  Not to mention these assets are sensitive and valuable information including scientific, engineering, or research data; human resources files; or procurement sensitive information. As this infrastructure is not classified, it’s not covered by the insider threat program.

According to the report, earlier in 2021 NASA’s auditor found “incidents of improper use of NASA IT systems had increased from 249 in 2017 to 1,103 in 2020 – a 343 percent growth; the most prevalent error was failing to protect Sensitive but Unclassified (SBU) information.” Which may be worrisome. 

Further, the report stated, “sending unencrypted email containing SBU data, Personally Identifiable Information, or International Traffic in Arms Regulations data, any of which could expose the Agency to a risk that can affect national security, incur a loss of intellectual property, or compromise sensitive employee and contractor data.”

It also mentions, in the last three years there have been more than 12000 requests for elevated privileges by NASA users, which may lead to more information reaching the wrong eyes.

With NASA infosec responsibilities spread around in different teams, it makes matters more complicated. This can be seen from the fact that the Office of Protective Services (OPS) is responsible for protecting against insider threats to Classified info, and does not have resources to cover Unclassified systems. While the Office of the Chief Information Officer (OCIO) has responsibility for “data loss prevention and behavioral analysis but has no defined responsibility to monitor unclassified systems for indicators of compromise specifically related to insider threats.”

NASA needs to undertake two specific reforms to get in line with the other US government agencies that have already extended their insider threat defenses to cover Unclassified info.

Suggested NASA reforms

  • Establish a cross-discipline team to conduct an insider threat risk assessment to evaluate NASA’s unclassified systems and determine if the corresponding risk warrants expansion of the insider threat program to include these systems.
  • Improve cross-discipline communication by establishing a working group that includes OPS, OCIO, procurement, human resources officials, and any other relevant agency offices to collaborate on wide-ranging insider threat-related issues for both classified and unclassified systems.

NASA management has agreed with the findings of the report, agreed to implement the recommendations, and set December 1 2023 as the deadline for it. 

Related Articles:
Nasa Exoskeleton Spacesuit Designed For Intergalactic Space Exploration
NASA retires S-3B Viking Research Aircraft From Its Fleet
Russian Space Research Institute Website Hacked