NASA is investigating a data breach that exposed personally identifiable information (PII) — including Social Security numbers — belonging to current and former employees who joined the agency after July 2006.
The breach is the latest of numerous major and minor security incidents at NASA in recent years and is sure to heighten scrutiny of its cybersecurity practices.
In an internal memo to employees Dec. 18 (posted here), NASA's head of human relations, Bob Gibbs, said the space agency's cybersecurity staff discovered the breach when investigating a potential compromise of several servers in late October. An initial analysis of the incident showed that one of the impacted servers contained PII on NASA employees that the attackers may have stolen.
"Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within," Gibbs' memo stated without further elaboration.
NASA and other federal cybersecurity partners are doing a forensic analysis of the impacted systems to understand the full scope of the breach and to identify employees whose data might have been stolen, the statement noted. The process will take time but is a top priority at NASA, with senior leadership actively involved in understanding the breach and developing a response.
"NASA does not believe that any agency missions were jeopardized by the intrusions," a spokeswoman said in a separate emailed statement to Dark Reading. "The agency is continuing its efforts to secure all servers and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency." NASA did not respond to a question about why the agency waited so long to disclose the breach.
The server intrusions appear to be the latest manifestation of what NASA's Office of Inspector General (OIG) has previously described as long-standing security issues at the agency.
In a November 2017 assessment of NASA's top management and performance challenges, inspector general Paul Martin identified IT governance and information security as one key issue. According to the OIG, NASA reported more than 3,000 computer security incidents involving malware or unauthorized access to agency computers in the two years preceding the report.
"These incidents included individuals testing their skills to break into NASA systems, well-organized criminal enterprises hacking for profit, and intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives," the report noted. In one instance, a contract employee was indicted for illegally accessing and attempting to sabotage NASA systems.
To address these issues, NASA has implemented a series of initiatives, including expanded network penetration testing, more incident response assessments, broader deployment of intrusion detection systems, and increased Web application security scanning. Despite such measures, problems persist, the OIG said. Among them: inadequate IT acquisition and governance practices, gaps in the agency's incident detection and handling capabilities, inadequate monitoring tools and Web application security controls.
Also troubling, according to the OIG, were NASA policies that did not distinguish OT systems from IT.
As of November 2017, the agency managed more than 500 information systems for everything from controlling spacecraft and processing scientific data to enabling NASA personnel to collaborate with peers around the world. NASA also manages some 1,200 publicly accessible Web applications — or about 50% of all non-military federal websites that are publicly accessible.
Not a Houston Problem Alone
NASA is by no means the only federal agency with cybersecurity challenges. Though civilian US federal agencies spent an estimated $5.7 billion on cybersecurity last year, many serious deficiencies persist across the spectrum, said the White House Office of Management and Budget (OMB) in a report in May. Among them were gaps in network visibility that prevented agencies from fully knowing what was going on in their networks, lack of standardized processes and capabilities, and limited situational awareness. One example: In 38% of federal cybersecurity incidents, investigators were not able to identify an attack vector.
Michael Magrath, director of global regulations and standards at OneSpan, says breaches like the one at NASA are not surprising given how big of a target federal agencies are for cybercriminals because of the PII they collect and store. "That large human resources target plus the potential damage that can be inflicted from a national security standpoint means that federal agencies will always [face] cyberthreats," he says.
The OMB is expected to soon release a final policy to address federal agencies' implementation of Identity, Credential, and Access Management (ICAM) policy, he says. The policy will update previous requirements for multifactor authentication, digital signatures, encryption acquisition, and other areas of security. "It remains to be seen what is included in the updated requirements," Magrath says. "Hopefully it addresses the growing number of successful cyberattacks on federal agencies."
Somewhat ironically, the latest breach is unlikely to make a huge difference for the victims because a lot of their PII was likely already compromised in the 2015 intrusion at the US Office of Personnel Management (OPM). In that incident, PII belonging to as many as 21.5 million current and former federal employees and others was compromised.
"Given the depth of the OPM breach, it is likely that most of the information has already been made available," says Keenan Skelly, vice president of global partnerships at Circadence.