A recent report revealed that the internal agency in charge of cybersecurity efforts at NASA currently lacks the capabilities to combat against international threats.
The audit specifically outlined the agency’s poor efforts over the last decade in improving cybersecurity, which leaves many assets open to attack, the Free Beacon reported on Wednesday.
Expert: NASA’s Cybersecurity Flaws Leave Agency Exposed to International Threats https://t.co/cHUM6AQ3dV
— Free Beacon (@FreeBeacon) May 30, 2018
The Security Operations Center (SOC), a sub-agency in charge of cybersecurity for all of NASA, “lacks the key structural building blocks to effectively meet its IT security responsibilities,” according to the audit. The SOC also lacks the authority “to manage information, security incident detection and remediation for the entirety of NASA’s IT infrastructure.”
The SOC was created in 2008 as an all-encompassing computer security agency that detected and responded to potential threats. Prior to the SOC, the various sub-agencies within NASA were responsible for their own cybersecurity.
According to the audit, the SOC currently has a limited capacity to “effectively respond to cyberattacks and proactively protect NASA’s IT assets.”
Michael Listner, founder of the Space Law & Policy Solutions think tank, stressed the seriousness of NASA’s cybersecurity flaws when viewed as an outsider looking to take advantage of the situation.
“We all know there’s a current ban on any direct participation with China in outer space activities, and that’s primarily because we don’t want them to acquire our technology through the use of cooperation [exercises],” Listner said. “We all know that China’s heavy into espionage, and these vulnerabilities could imply that there’s a potential that China — if [NASA] doesn’t get these fixed — China could exploit those and garner more information from our civilian space program.”
“The rapidly evolving threat landscape against our IT systems and data requires constant diligence, and we recognize we still have opportunities for improvement,” said Sean Potter, a media relations specialist with NASA. “Protecting, upgrading and improving management of the IT infrastructure is and will remain a top agency priority.”
While the purpose of the SOC was originally to centralize NASA’s IT security efforts, the audit revealed that little progress has been made, with many of the agencies still self-regulating. The audit proposed that the agencies sign charter agreements in order to address the SOC’s “purpose, authority and responsibilities.”
The recent audit was not the first report that revealed potential problems with NASA’s cybersecurity.
A 2013 audit claimed: “For over two decades, NASA has struggled to implement an effective IT governance approach that appropriately aligns authority and responsibility commensurate with the Agency’s overall mission.”
A 2016 report also revealed that NASA’s IT systems were riddled with malware combatted by inadequate software patches.