NASA IG Issues Stern Warning to NASA About Computer Network Vulnerability

NASA’s Office of Inspector General (OIG) released a report today warning that a key NASA computer network remains vulnerable to cyber attack almost a year after an earlier IG report identified the weaknesses and NASA vowed to fix them.

The report, “Inadequate Security Practices Expose Key NASA Network to Cyber Attack,” concludes that “six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable.” The report goes on to say that once a hacker got inside the NASA network, “the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations.”

The new report notes that the OIG had identified weaknesses in this network in a May 2010 report and “even though the Agency concurred with [our] recommendation it remained unimplemented as of February 2011. Until NASA addresses these critical deficiencies and improves its IT security practices, the Agency is vulnerable to computer incidents that could have a severe to catastrophic effect on Agency assets, operations and personnel.”

The May 2010 report, “Review of the Information Technology Security of [a NASA Computer Network],” is not available on the OIG website. Instead, the website to which one is directed provides a summary and states that the report contains data that is not usually released under the Freedom of Information Act. Today’s report refers to the network in question as “NASA’s Agency-wide mission network.”

Today’s report recommends that NASA “expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s Agency-wide mission network.” It also recommends that NASA’s Mission Directorates identify and continuously monitor Internet-accessible computers on that network and take prompt action to mitigate identified risks. Lastly, it calls on the agency to conduct a NASA-wide IT security risk assessment.

The report states that NASA concurred with its recommendations and the Chief Information Officer and Mission Directorates agreed to complete them by the end of this summer.
