Houston, you have a security problem

NASA is in the news for a security lapse again, and it shouldn’t shock you one bit. The embattled space agency has proven a few times already that it doesn’t have a grip on its information security needs.

The latest example: This report from Melanie Pinola on 48 NASA laptops stolen in the last two years. She writes:

It’s not only businesses that need to worry about laptop security. Even NASA laptops are vulnerable to theft and poor security practices: 48 NASA laptops or mobile devices were stolen from America’s space agency between April 2009 and April 2011, including one–unencrypted–laptop containing control codes for the International Space Station (ISS). Although ISS does not appear to be in jeopardy, according to a NASA public affairs officer who spoke to the Security News Daily, the NASA security breaches underscore how serious and difficult a problem laptop and mobile device theft is–whether you’re a government agency or a small business or an individual.

News of the stolen laptops follows last year’s reports that six NASA servers were compromised. At the time, my colleague Tim Greene wrote:

Six NASA servers exposed to the Internet had critical vulnerabilities that could have endangered Space Shuttle, International Space Station and Hubble Telescope missions — flaws that would have been found by a security oversight program the agency agreed to last year but hasn’t yet implemented, according to a report by the agency’s inspector general. NASA’s CIO Linda Cureton says she has patched the vulnerabilities, but IG Paul Martin found that NASA still has no ongoing program for spotting and correcting similar problems as they arise and is giving itself until the end of September just to come up with a plan, according to the report titled “Inadequate Security Practices Expose Key NASA Network to Cyber Attack.” The deadline for the plan is Sept. 30.

These reports always take me back to an interview I did six years ago with a NASA  IT admin. Back then, the seeds of insecurity were planted and watered.

I was working for TechTarget’s SearchSecurity.com back then, and was writing a series called “Access (out of) control.” As part of the project I interviewed William Likens, chief of application development and technology for NASA’s Ames Research Center in Mountain View, Calif. Likens left the agency shortly after the interview, but at the time we talked he spoke of a decentralized and fragmented network without much interfacing or centralization of systems from one division to the next.

To make matters worse, he told me, he had not seen a groundswell of support among managers to change things. One of the things he said floored me:“We know when someone employed by NASA has left, but when you are dealing with contractors, it’s much harder to know when they are gone,” he said. It’s a considerable security risk, he said, because people often retain access to systems, sometimes privileged access, after their work at NASA ends. It means orphaned accounts could be exploited not only to gain network access, but also to leverage sensitive network resources.To be fair, that interview is just a snapshot in time. Likens had also told me about increasing efforts to tighten up access control despite the resistance, and back then you didn’t see the paranoia over potential data breaches that you see today.NASA ramped up its security efforts in the following years, but I always wondered if it would be enough.Apparently not.

NASA and its supporters dream of the day when an American will once again walk on the moon, and maybe even Mars. I want to see us returning to space travel as much as the next guy.

But first, I’d like NASA to get a handle on its security challenges.

It may not be the final frontier, but it’s a frontier the agency remains unfamiliar with.