By Grace George
NASA officials told a House subcommittee on Friday that cybersecurity threats to NASA intelligence increased during the COVID-19 pandemic.
“NASA, unfortunately, has been under attack from both domestic and foreign cyber criminals,” said NASA Inspector General Paul Martin. “It is just an ongoing, incredibly difficult issue to keep NASA’s defenses up.”
Most NASA employees are now working from home due to the pandemic. Martin told the House Space and Aeronautic subcommittee that mass teleworking has put a strain on NASA’s IT department as employees are using their own technology while handling sensitive intelligence and data in environments less secure than NASA headquarters.
“The past six months in particular has tested the agency as more than 90 percent of NASA’s workforce moved from onsite to remote work due to the pandemic,” Martin said. “During this period, NASA has experienced an uptick in cyber threats, phishing attempts doubling and malware attacks rising substantially.”
Chairwoman Kendra Horn (D-OK) and ranking member Brian Babin (R-TX) said that threats to NASA data and intelligence predate the pandemic.
“The technologies that NASA develops are also sought after by criminal entities, unscrupulous foreign governments and destructive vandals,” Babin said in his opening statement. “Because many of these technologies have both civil and military applications, these challenges are particularly great, and this is a topic that this committee is focused on for decades.”
The subcommittee and witnesses discussed phishing prevention as well as how to deal with personnel problems related to teleworking and cybersecurity. Diana Burley, vice provost for research at American University and global cybersecurity expert, raised concerns for the well-being of employees adjusting to teleworking with little technical ability.
“Today, in the midst of the COVID-19 pandemic, we must recognize that while basic cyber hygiene practice is relatively doable under normal circumstances, these are not normal times,” she said. “Our workers are distracted, frightened and fatigued. This is especially true for the most vulnerable users.”
Burley raised concerns about employees’ potential technological incompetency and inability to prevent phishing attacks on their own while teleworking.
Burley said that NASA should not solely rely on the IT department to address how this remote work environment fosters anxiety among new and seasoned employees.
“Human resource professionals need to be involved to provide the kind of support to our employees that they need so that they are able to focus on, not only doing their work, but doing their work in a secure manner,” Burley said.
The hearing also addressed what tools and personal devices NASA employees may be using for teleworking. NASA approves specific programs for teleworking employees and contractors for cybersecurity purposes, Martin said.
NASA also provides equipment for new employees and interns and discourages the use of personal devices, said NASA Chief Information Officer Jeff Seaton.
Seaton was appointed acting CIO in May, following the retirement of his predecessor, Renee Wynn. His office changed a rule that allowed employees to use personal devices for sensitive information pertaining to their work at NASA. Employees are now only allowed to use mobile devices with management software that NASA provides.
The hearing also addressed how NASA is working with its business partners to ensure compliance with their cybersecurity measures. Rep. Randy Weber (R-TX), ranking member of the House Science, Space and Technology committee, brought up how the supply chain factors into the agency’s cybersecurity.
“I don’t mean to sound too skeptical but shouldn’t NASA—and all of our U.S. space and defense companies—be taking a proactive posture to know exactly what safeguards are in place for our supply chain?” Weber said.
Seaton said the agency is taking such precautions.
“Validating that [suppliers] are complying with the requirements is something that we’ve been doing for years with our supply chain risk management efforts,” Seaton said. “[We are] ensuring the things that we buy are free of risks through coordination with the FBI and now making sure that even within their organizations, they do not have IT equipment provided by prohibited providers.”
NASA has not conducted a separate audit of its contractors to determine if their contracts include necessary clauses related to IT security, Martin said.
Other businesses NASA works with are implored to comply with the agency’s cybersecurity protocol in order to ensure the safety of NASA intelligence, Seaton said.
“Compliance with our cybersecurity requirements is absolutely critical, and that is our responsibility,” Seaton said.
While the hearing was focused on the an increase in cybersecurity threats at NASA and the shortcomings of NASA’s IT department, the agency’s inspector general offered a bit of optimism.
“I think they’re making incremental improvement,” Martin said, referring to NASA’s ability to address an increase in cybersecurity threats. “They’re heading in the right direction, and I think there’s a real new realization over the last couple years of the expanse and significance of the challenge. So, I think we’re very, very cautiously optimistic.”