I just learned that NASA — the National Aeronautics and Space Administration — lost an unencrypted laptop in March 2011. The incident resulted in the “loss of the algorithms used to command and control the International Space Station.” Weird…it doesn’t take a rocket scientist to deploy and use disk encryption software like AlertBoot. I’m wondering what’s going on here.
Inspector General Testimony
Discovery.com reports that, according to testimony by Inspector General Paul Martin, there were 5,408 documented “computer security lapses in 2010 and 2011.” I think that discovery.com is being generous, because according to the written statement that I’ve found online, Martin notes:
In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorized access to its system. These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.
Nowhere does the Inspector General mention that the figure of 5,408 includes the loss of laptops and other devices. In fact, the above statement is slightly off-kilter compared to the following:
Between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorized release of sensitive data including export-controlled, Personally Identifiable Information (PII), and third-party intellectual property. For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station. Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programs.
It might not mean anything, but notice how the dates don’t quite match up. I feel that the 5,408 figure might actually be limited to instances related to network intrusions. This means that the number could be much higher. Of course, if that’s the case, the loss of 48 laptops and other portable devices pales in comparison.
This does not mean, however, that the loss of those 48 devices is acceptable, especially when you consider that preventing a data breach would have been very easy with the use of encryption software (the full-disk variety). Martin seems to agree:
Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.
It’s quite surprising that this hasn’t been done yet when you consider that NASA annually spends “approximately $58 million for IT security.”
A Lax Culture When It Comes to Data Security?
This is not the first time that NASA has been embroiled in controversy due to data security issues. It’s not news that the space agency faces hacking attempts daily (perhaps that’s putting it mildly; “faces hacks hourly” is probably much closer to the mark). That’s not NASA’s fault.
However, there are certain things that make one go “huh?”…and are totally their fault. Such as this story from 2010, where government auditors caught NASA selling used hard drives with agency data still stored on them (also in the Inspector General’s testimony).
The Cold War is over, but the race to space is still in its infancy, despite the fact that it’s been nearly 60 years since it started. In a way, it’s understandable that the culture has become a bit laid-back (assuming it has become laid-back): instead of trying to beat the Soviets, NASA is in full exploration mode.
But, come on! They’re rocket scientists. They really shouldn’t be coming up short when it comes to the basics in technology (and that’s what full disk encryption is when it comes to laptops and data security).