By Matt Liebowitz
March 1, 2012
This story was updated at 7:31 p.m. ET.
A laptop stolen from NASA last year was unencrypted and contained command and control codes for the International Space Station on it, the agency’s inspector general told a United States House subcommittee yesterday (Feb. 29).
In his testimony before a Science, Space and Technology House subcommittee, NASA Inspector General Paul K. Martin said the notebook computer stolen in March 2011 “resulted in the loss of the algorithms” used to control the space station. This particular laptop, Martin said, was one of 48 NASA notebooks and mobile devices stolen between April 2009 and April 2011.
Some of these thefts resulted in the leak of sensitive data “including export-controlled, Personally Identifiable Information, and third-party intellectual property,” as well as Social Security numbers and data on NASA’s Constellation and Orion programs, Martin said.]
The actual number of stolen and compromised devices could be much higher because NASA relies on employees to self-report incidents.
In an email, NASA public affairs officer Trent Perrotto told SecurityNewsDaily that “at no point in time have operations of the International Space Station been in jeopardy due to a data breach.”
“NASA has made significant progress to better protect the agency’s IT systems and is in the process of implementing the recommendations made by the NASA Inspector General in this area,” Perrotto added.
In 2011, NASA, which Martin rightly called a “target-rich environment for cyberattacks,” was the target of 47 advanced persistent threats (APTs), 13 of which successfully compromised NASA computers.
These attacks are part of the 5,408 cybersecurity incidents in 2010 and 2011 that resulted in unauthorized intrusions or malware being planted on its systems and cost the space agency an estimated $7 million.
“These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives,” Martin said.
An example of one of these “skill-testing” hacks is the attack perpetrated by “TinKode”, a 20-year-old Romanian hacker (real name Razvan Manole Cernainu), who tapped into a computer server at NASA’s Goddard Space Flight Center in April 2011.
Martin continued, “Some of these intrusions have affected thousands of NASA computers, caused significant disruptions to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data.”
Martin’s testimony highlights the difficulties NASA information technology officials face in securing the agency’s laptops and mobile devices. As of Feb. 1, 2012, only 1 percent of NASA portable devices and laptops have been encrypted.
“Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,” he said.
Martin said software vulnerabilities in NASA computers are often left unpatched, a problem stemming from an IT chain of command in which the chief information officer “has limited ability” to fully implement mandated IT security programs across the agency.