Cybercrooks broke into NASA's computer systems 13 times last year gaining "full functional control" of important systems in the worse cases, according to the testimony before the US Congress by the space agency's inspector general.
Paul Martin told a Congressional panel on information security at the space agency that NASA spent $58m of its $1.5bn annual IT budget on cyber security. The space agency has long been a prestige target for hackers of various skill levels and motivations, including profit-motivated malware distributors (cybercrooks) and intruders thought to be in the pay of foreign intelligence services.
Poorly implemented security policies mean that these attacks were often successful. In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems, Martin testified (PDF) before the US House Committee on Science, Space and Technology last Wednesday.
Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7m.
In the most serious of these incidents, hackers gained control of systems at NASA's Jet Propulsion Laboratory. The attack was traced back to IP addresses in China, Martin explained. Another of the most serious APT (advanced persistent threats) that hit NASA last year resulted in the extraction of user credentials from 150 space agency workers.
Martin told the panel:
In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorised access to NASA systems. Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts."
The compromised access would have allowed hackers to gain "full functional control over these networks" including the ability to extract data, delete sensitive files, plant hacking tools, add accounts or modify logs meant to provide a warning that such attacks had taken place.
More than 130 NASA computers were infected by DNS changer malware connected to the Operation Ghost Click bust, Martin testified. NASA computers were among the millions of PCs worldwide infected by malware capable of highjacking internet searches to run click-fraud scams, punt scareware at potential victims and to promote unlicensed pharmaceutical stores.
Fortunately, we found no evidence of operational harm to NASA or compromise of sensitive data caused. Nevertheless, the scope and success of the intrusions demonstrate the increasingly complex nature of the IT security challenges facing NASA and other Government agencies.
Martin noted the agency faced particular difficulties, including its need to share its scientific research, and acknowledged the agency had made progress in improving security loopholes uncovered by previous audits. Nonetheless he criticised the agency for lagging behind other US government agencies in encrypting data on laptop computers.
He said the government-wide encryption rate for mobile devices stood at around 54 per cent. However, as at the start of February 2012, only 1 per cent of NASA portable devices/laptops have been encrypted.
Between April 2009 and April 2011, NASA reported the loss or theft of 48 of the agency's mobile computing devices, some of which resulted in the leak of all manner of sensitive data. For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the codes used to command and control the International Space Station. Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programmes. Martin warned:
Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.
Martin added that Office of Inspector General investigators had conducted more than 16 separate investigations of breaches of NASA networks during recent years, several of which have resulted in the arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia.
NASA was one of the organisations breached by the British hacker Gary McKinnon, during his self-admitted search for UFO files on US military systems during 2001 and 2002. A decade after his initial arrest, McKinnon and his supporters are still fighting attempts to extradite him to the US to answer charges related to alleged intrusions against US military and NASA systems.
Linda Cureton, NASA's Chief Information Officer, defended the space agency's record in a statement (PDF) submitted to the Congressional committee.
Like most Federal agencies, NASA has seen the full spectrum of cyber attacks, ranging from minor attacks, where countermeasures are sufficient and appropriate, to sophisticated attacks where in some cases countermeasures are reactive and need improvement. NASA has a high public and internet profile, its information can be highly attractive to attackers, and whenever IT security compromises occur they tend to generate media attention when the information is public in nature.
NASA has acted on previously reported shortcomings by scanning its websites for flaws, improving its patch management and developing an incident response programme, she explained.
Since NASA’s infrastructure is worldwide, the agency is striving to achieve a risk-based balance between security, system operability, and user requirements. While demanding a culture of security awareness, NASA will continue to improve the defense of our IT security posture and build security into the System Development Life Cycle (SDLC) of our IT solutions and everyday work habits.