NASA Plagued By Security Breaches?


IEEE Spectrum's Senior Editor Jean Kumagai let me know of an article in the 1st of December issue of BusinessWeek detailing the rash of security breaches that have been plaguing NASA since the late 1990s.

For instance, the BusinessWeek article tells of a breach in April 2005 (which BW claims was never publicly disclosed about before) "that sent a still-undetermined amount of information about the Shuttle to a computer system in Taiwan. That nation is often used by the Chinese government as a digital way station, according to U.S. security specialists."

The article says, "One reason NASA is so vulnerable [to cyber attacks] is that many of its thousands of computers and Web sites are built to be accessible to outside researchers and contractors. Another reason is that the agency at times seems more concerned about minimizing public embarrassment over data theft than preventing breaches in the first place."

BusinessWeek, for example, outlines a June 2002 breach at Marshall Space Flight Center in Huntsville, Alabama where for four days, someone "methodically probed enormous volumes of proprietary information at Marshall, according to NASA documents. The electronic intruder ... gained access to servers handling sensitive work on new versions of the Delta and Atlas rockets that power intercontinental missiles, enhancements of the Shuttle's main engines, and Lockheed's F-35 Joint Strike Fighter, an advanced fighter jet that remains in development."

The BW article goes on to say:

"Some NASA investigators believed top officials tried to keep a lid on what had happened at the Marshall Center so the agency wouldn't suffer criticism from Congress or the public. Internal e-mails and statements written by Michael G. Ball, a Huntsville-based NASA special agent, and several of his colleagues describe an investigation repeatedly stalled by superiors who sought to play down any impression that the incident had compromised national security. 'I felt that we were covering up the loss to save embarrassment to NASA,' Ball wrote in one document dated Oct. 24, 2005. In a June 2003 memo labeled 'Law Enforcement Sensitive,' Ball used the subject heading 'Potential Concealment of Facts Pertaining to Case # C-MA-0200526-0'â''the investigation of the breach at Marshall. He described attempts to impede the investigation and signaled a desire for whistleblower protection under federal law. Reached by phone at Marshall, where he still works as an agent for NASA, Ball declined to be interviewed."

"Congress never heard any of the details of the Marshall affair, at least not publicly. In June 2003, NASA Inspector General Cobb, a former ethics counsel to President George W. Bush, referred only vaguely to the incident in testimony before the House Government Reform Committee's technology subcommittee. His prepared one-paragraph account made no mention of the specific incident or its $1.9 billion impact. He told the committee that 'there are examples from our ongoing investigations where inadequate IT security, such as weak password controls, resulted in unauthorized access to significant amounts of NASA data that was sensitive but unclassified.' NASA 'is aware of cases and acknowledges that serious compromises have occurred,' he added, but 'it would not be appropriate to share the details in any open forum.' "

It is a very detailed and sad, if instructive, story, which I highly recommend.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Robert Charette
Spotsylvania, Va.
Willie D. Jones
New York City