NASA faces increased cybersecurity threats due to pandemic

NASA Inspector General Paul Martin raised concerns about NASA’s cybersecurity in a Friday subcommittee hearing.

By Grace George

NASA officials told a House subcommittee on Friday that cybersecurity threats to NASA intelligence increased during the COVID-19 pandemic.

“The past six months in particular has tested the agency as more than 90 percent of NASA’s workforce moved from onsite to remote work due to the pandemic,” said NASA Inspector General Paul Martin in his opening statement. “During this period, NASA has experienced an uptick in cyber threats, phishing attempts doubling and malware attacks rising substantially.”

A House Science, Space and Technology subcommittee spoke with NASA officials and cybersecurity experts in a Friday hearing about how the pandemic and mass teleworking at NASA has led to an increase in the agency’s cybersecurity threats.

“At one point, over a given period of time, we saw a doubling of phishing attacks, but there are other weeks where it’s been lower [than double],” said NASA Chief Information Officer Jeff Seaton. “So, I do think because of the pandemic, people are looking for the opportunity to attack and will continue to.”

Phishing attempts threatening NASA intelligence have come from a wide range of offenders, including foreign governments and American hackers.

“NASA, unfortunately, has been under attack from both domestic and foreign cyber criminals,” Martin said. “It is just an ongoing, incredibly difficult issue to keep NASA’s defenses up.”

Chairwoman Kendra Horn and Ranking Member Brian Babin said that threats to NASA’s intelligence predate the pandemic.

“The technologies that NASA develops are also sought after by criminal entities, unscrupulous foreign governments and destructive vandals,” Babin said in his opening statement. “Because many of these technologies have both civil and military applications, these challenges are particularly great, and this is a topic that this committee is focused on for decades.”

The subcommittee and witnesses discussed phishing prevention as well as how to deal with personnel problems related to teleworking and cybersecurity. Diana Burley, vice provost for research at American University, raised concerns for the well-being of employees adjusting to teleworking with little technical ability.

“Today, in the midst of the COVID-19 pandemic, we must recognize that while basic cyber hygiene practice is relatively doable under normal circumstances, these are not normal times,” she said in her opening statement. “Our workers are distracted, frightened and fatigued. This is especially true for the most vulnerable users.”

Burley said that NASA should not solely rely on the IT department to address how this remote work environment fosters anxiety among new and seasoned employees.

“Human resource professionals need to be involved to provide the kind of support to our employees that they need so that they are able to focus on, not only doing their work, but doing their work in a secure manner,” Burley said.

The hearing also addressed what tools and personal devices NASA employees may be using for teleworking. NASA approves specific programs for teleworking employees and contractors for cybersecurity purposes, Martin said.

NASA also provides equipment for new employees and interns and discourages the use of personal devices, Seaton said. Employees are only allowed to use mobile devices with management software that NASA provides.

Seaton was appointed as the acting CIO in May, following the retirement of his predecessor, Renee Wynn. His office changed the rule that allowed employees to use personal devices for sensitive information pertaining to their work at NASA.

The hearing also addressed how NASA is working with its business partners to ensure compliance with their cybersecurity measures. Ranking Member of House Science, Space and Technology Committee Randy Weber brought up how the supply chain factors into the agency’s cybersecurity.

“I don’t mean to sound too skeptical but shouldn’t NASA—and all of our U.S. space and defense companies—be taking a proactive posture to know exactly what safeguards are in place for our supply chain?” Weber said.

Seaton said the agency is taking such precautions.

“Validating that [suppliers] are complying with the requirements is something that we’ve been doing for years with our supply chain risk management efforts,” Seaton said. “[We are] ensuring the things that we buy are free of risks through coordination with the FBI and now making sure that even within their organizations, they do not have IT equipment provided by prohibited providers.”

NASA has not conducted a separate audit of its contractors to determine if their contracts include necessary clauses related to IT security, Martin said.

Other businesses NASA works with are implored to comply with the agency’s cybersecurity protocol in order to ensure the safety of NASA intelligence, Seaton said.

“Compliance with our cybersecurity requirements is absolutely critical, and that is our responsibility,” Seaton said.

NASA’s suppliers and small business partners are not being monitored by NASA for their business practices outside of cybersecurity measurements, he said.

The hearing’s focus was on the shortcomings of NASA’s IT department and where there is room for improvement in thwarting cybersecurity threats, but the agency’s inspector general offered a bit of optimism.

“I think they’re making incremental improvement,” Martin said, referring to NASA’s ability to address an increase in cybersecurity threats. “They’re heading in the right direction, and I think there’s a real new realization over the last couple years of the expanse and significance of the challenge. So, I think we’re very, very cautiously optimistic.”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create your website with WordPress.com
Get started
%d bloggers like this: