Even Organizations Like NASA Get Failing Grade on Cybersecurity
The U.S. National Aeronautics and Space Administration (NASA) falls short on cybersecurity, earning only a Level 2 rating for its cybersecurity programs, well below the acceptable Level 4, according to an audit report by the Office of Inspector General (OIG).
This is the second year in a row that the OIG handed NASA the Level 2 rating. OIG rates cybersecurity programs from Level 1 to Level 5, with Level 5 as the highest rating and Level 4 as the passing rating, using 61 metrics across the following five cybersecurity function areas:
Developing an understanding of how to manage cybersecurity risk to systems, people, assets, data and capabilities
Appropriate safeguards to ensure delivery of critical services
Appropriate activities to identify the occurrence of a cybersecurity event
Appropriate activities to take action regarding a detected cybersecurity incident
Appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired
In addition to the overall Level 2 rating, OIG cited two areas of concern in NASA systems: (1) system security plans contained missing, incomplete and inaccurate data, and (2) information security control assessments were not performed on time.
OIG said that the space agency's untimely performance of information security control assessments "could indicate control deficiencies and possibly significant threats to NASA operations, which could impair the Agency's ability to protect the confidentiality, integrity, and availability of its data, systems, and networks."
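Both findings are the kind of thing an agency can catch itself with a routine inventory check before an auditor does. The following is an added example, not code from the OIG report or from NASA: it scans a set of system security plan (SSP) records for the two conditions named above, required fields that are missing or empty, and control assessments that are past due. The record layout, the field names and the assumed 365-day assessment cadence are hypothetical, and the sample records are constructed for the example.

```python
"""Added example (not from the OIG report or NASA): flag SSP records with
missing/empty required fields and overdue security control assessments.
The schema, field names and 365-day cadence below are assumptions."""
from datetime import date, timedelta

# Fields an SSP record is assumed to require (hypothetical schema).
REQUIRED_FIELDS = ("system_id", "owner", "impact_level",
                   "authorizing_official", "last_control_assessment")
# Assumed maximum interval between control assessments (not from the page).
ASSESSMENT_INTERVAL = timedelta(days=365)

# Constructed sample records standing in for an SSP inventory export.
SAMPLE_SSPS = [
    {"system_id": "SYS-001", "owner": "Ops Team", "impact_level": "Moderate",
     "authorizing_official": "A. Example",
     "last_control_assessment": "2018-11-01"},          # assessed recently
    {"system_id": "SYS-002", "owner": "", "impact_level": "High",
     "authorizing_official": "B. Example",
     "last_control_assessment": "2017-06-15"},          # empty owner, stale
    {"system_id": "SYS-003", "owner": "Science IT", "impact_level": "Low",
     "authorizing_official": "C. Example"},             # assessment date absent
]


def check_ssp(record, today, interval=ASSESSMENT_INTERVAL):
    """Return a list of finding strings for one SSP record (empty if clean).

    `today` is a datetime.date used as the reference point for staleness.
    """
    findings = []
    for field in REQUIRED_FIELDS:
        value = record.get(field)
        if value is None:
            findings.append(f"missing field: {field}")
        elif isinstance(value, str) and not value.strip():
            findings.append(f"empty field: {field}")

    assessed = record.get("last_control_assessment")
    if assessed:
        try:
            last = date.fromisoformat(assessed)
        except ValueError:
            findings.append("invalid date: last_control_assessment")
        else:
            overdue = today - last - interval
            if overdue > timedelta(0):
                findings.append(
                    f"control assessment overdue by {overdue.days} days")
    return findings


def audit(records, today_iso):
    """Return {system_id: [findings]} for every record that has at least one.

    `today_iso` is the reference date as an ISO string, e.g. "2019-01-15".
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for i, rec in enumerate(records):
        key = rec.get("system_id") or f"record-{i}"
        findings = check_ssp(rec, today)
        if findings:
            report[key] = findings
    return report


if __name__ == "__main__":
    for system, issues in audit(SAMPLE_SSPS, "2019-01-15").items():
        print(system)
        for issue in issues:
            print("  -", issue)
```

Run against a real inventory, the point of a check like this is that it produces an actionable list (which plan is incomplete, which system is how many days overdue) rather than a single pass/fail, which is what an assessor needs to schedule the backlog of control assessments.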
Back in 2010, OIG found that NASA's IT security program "had not fully implemented key FISMA [Federal Information Security Modernization Act] requirements needed to adequately secure Agency information systems and data."
Breaches at NASA
In December 2018, NASA acknowledged that on October 23, 2018, its cybersecurity personnel began investigating a potential illegal intrusion into the agency's servers. The space agency said that personally identifiable information of current and past employees may have been illegally accessed and exfiltrated.
In February 2012, Paul Martin, Inspector General at NASA, testified before the Subcommittee on Investigations and Oversight, House Committee on Science, Space, and Technology that between the years 2010 and 2011, NASA recorded 5,408 cybersecurity incidents that resulted in the installation of malicious software (malware) or unauthorized access to its systems. Martin said some of the illegal intrusions affected thousands of NASA computers, resulted in the theft of export-controlled and otherwise sensitive data, and caused significant disruption to mission operations, with an estimated cost to NASA of more than $7 million.
According to Martin, intrusions into NASA systems included a series of intrusions into the Atmospheric Infrared Sounder (AIRS) Program, resulting in losses to NASA of over $500,000, and intrusions into the Ames Research Center's Super Computing Center, which had to be temporarily shut down for clean-up afterwards, resulting in losses to NASA estimated at more than $5 million.
NASA is a "target-rich" environment for cyberattacks. It is always under threat, from individuals testing their hacking skills, to well-organized criminal groups hacking for profit, to attackers that may be sponsored by foreign intelligence services. Because of this, it is only prudent for NASA to maintain an acceptable level of cybersecurity.
Cybercriminals, however, aren't only after target-rich organizations like NASA. Many of today's cyberattacks are indiscriminate, affecting not just large organizations but small and medium-sized organizations as well.
Statistics Canada reported that for the year 2017, one-fifth or 21% of Canadian businesses reported that they were impacted by a cybersecurity incident which affected their operations. Of the businesses impacted by a cybersecurity incident, 41% of large businesses and 19% of small businesses reported such an impact.
The Statistics Canada report showed that in 2017 only 13% of Canadian businesses had a written policy in place to manage or report cybersecurity incidents. Out of the 58% of businesses that took time to identify cybersecurity risks in 2017, 85% monitored their network and business systems, while 38% monitored the behaviors of their employees.
The 2017 Statistics Canada report further found that large businesses were more likely to use specialized external services to assess their cybersecurity risks compared with small and medium-sized businesses, with 45% of large businesses hiring an external party to conduct a penetration test of their security and 37% having their IT systems completely audited.
In terms of cybersecurity risk assessments, the Statistics Canada report found that over half, or 52%, of large businesses conducted cybersecurity risk assessments on a scheduled basis, while 56% of medium-sized businesses and 59% of small businesses conducted cybersecurity risk assessments irregularly.