NASA’s inspector general, Paul Martin, testified to Congress that the theft of a laptop containing the codes used to control the International Space Station in March was just one of 5,408 cybersecurity incidents — many foreign-based — that the space agency has suffered during the past two years.

“NASA is a regular target of cyber attacks both because of the large size of its networks and because those networks contain information highly sought after by criminals attempting to steal technical data or compromise NASA networks to further other criminal activities,” Martin testified. “Moreover, NASA’s statutory mission to share scientific information presents unique IT security challenges. The agency’s connectivity with outside organizations — most notably non-governmental entities such as educational institutions and research facilities — presents opportunities [for cyber attacks].”

Between April 2009 and April 2011, NASA reported the loss or theft of 48 mobile computing devices, some of which resulted in the unauthorized release of sensitive data, including export-controlled data, personally identifiable information (PII) and third-party intellectual property.

Yet the OIG report found that NASA has been slow to implement full-disk encryption on notebook computers and other mobile computing devices. It cited the Office of Management and Budget’s FY 2010 report to Congress on FISMA implementation, which found that the government-wide average for device encryption was 54%, compared with only 1% at the agency as of Feb. 1, 2012.

The OIG found that NASA needs to create and maintain a complete, up-to-date record of IT components connected to agency networks; define the security configuration baselines required for system components and develop an effective means of assessing compliance with those baselines; and use best practices for vulnerability management on all its IT systems.

Several hearings have been held on Capitol Hill about the threat of cybersecurity breaches at U.S. facilities, including debate over whether to implement legislation. Seven Republican senators recently rejected the current bill in the Senate — S.2105, the Cybersecurity Act of 2012 — that would give DHS regulatory cyber security authority over private networks critical to U.S. security, and instead passed the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT). SECURE IT asks companies to voluntarily share and receive threat data through cyber security centers within the government.
