Top officials at NASA say the agency is facing increasing attempts by foreign hackers to target sensitive information as it works to improve its IT security during the COVID-19 pandemic.
“NASA has vast troves of intellectual information capital that it has spent decades amassing. I think country actors are after that information, the innovations that NASA is so famous for around the world,” agency Inspector General Paul Martin testified to a House Science, Space and Technology Committee subcommittee on Friday.
“There is everything from PII [personally identifiable information], contractual data on the systems, so there is a vast and wide array,” Martin said. “NASA has unfortunately been under attack from both domestic and foreign cyber criminals, and so it is just an ongoing, incredibly difficult issue to keep NASA’s defenses up.”
When pressed by members of the committee on which countries were involved, Martin acknowledged that China was among the nations targeting the agency.
“NASA is taking steps and has been to secure its intellectual property and its networks from attacks both from China and from a series of other countries and also local hackers,” Martin testified. “We have conducted a series of criminal investigations and we work with the FBI and counterintelligence officials when we get leads on these issues.”
The Friday hearing focused on NASA’s cybersecurity and IT security posture in the midst of the COVID-19 pandemic, which has forced the majority of its employees to quickly transition to working from home.
NASA acting Chief Information Officer Jeff Seaton testified to the same panel that the variety of work spaces, along with the increased use of personal devices, led to a spike in malicious phishing emails that NASA has taken steps to address.
“We have seen an increase in phishing attacks and at the lower level some other attacks,” Seaton said. “When it comes down to it, you and I are the most vulnerable parts of our IT environment, the people, so we tried to put in place automated controls to make that easier for our employees, and have seen significant improvements in phishing protections over the last two years.”
The testimony to the committee was given the day after the Justice Department indicted three Iranian nationals for allegedly targeting and hacking into satellite and aerospace companies on behalf of Iran’s Islamic Revolutionary Guard Corps, a designated terrorist organization.
Rep. Kendra Horn (D-Okla.), chair of the subcommittee on space and aeronautics, pointed to the indictment in arguing the importance of shoring up NASA’s cybersecurity.
“Will NASA or any organization ever be 100 percent risk-free from cyber threats? Probably not,” Horn said. “Is there room for improvement? Most definitely, yes.”
The agency has faced a range of security issues over the past several years. In 2014, the NASA Office of Inspector General found wide-ranging security issues as part of an audit, concluding the agency had “management challenges” around IT.
In April, Seaton’s office sent out an alert to NASA personnel that they had seen a “new wave of cyberattacks” targeting those working from home, including malware and phishing attacks, similar to a wave of cyber targeting against other agencies and the private sector.
Seaton acknowledged these concerns on Friday, but emphasized that improvements have been made.
“The requirements and expectations on our IT capabilities and our OCIO [Office of the Chief Information Officer] teams are high, and the threats from external actors remain an ongoing concern,” Seaton said. “However, with hard work, dedication, and innovation, the team I have the privilege of leading has risen to the challenge of keeping NASA’s missions moving forward during these challenging times.”
Martin confirmed this outlook for the agency’s cyber and IT security.
“Overall, I think they are making incremental improvements, they are heading in the right direction,” he testified. “I think there is a new realization over the last couple years of the expanse and the significance of the challenges, so I think we are very, very cautiously optimistic.”
