Most NASA Systems at Risk From Insider Threats: Audit
Most of the IT systems at the National Aeronautics and Space Administration (NASA) are exposed to higher-than-necessary risks from internal threats, a recent audit has concluded.
A report from NASA’s Office of Inspector General (OIG) reveals that, while the agency has efficiently implemented an insider threat program that covers classified systems, most of the agency’s systems are unclassified, thus potentially exposed.
Insider threats may include accidental leaks originating from phishing attacks or erroneously forwarded emails, the misuse of network or database access, and data theft – when an employee intentionally copies data with the intent of sharing it with third parties.
As part of its fully operational insider threat program, NASA monitors the classified network for anomalous user activity, it conducts mandatory threat training and it has established a website to help employees and contractors identify potential threats, and it has strengthened procurement controls.
However, “the vast majority of its IT systems—including many containing high-value assets and critical infrastructure—are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data,” the report reads.
The audit has concluded that NASA’s insider threat program – which was established in 2014 and validated as fully operational in 2018 – meets federal requirements, and that adding the unclassified systems to the program could provide an additional level of maturity.
According to the report, the current maturity of NASA’s classified insider threat program should be considered adequate for keeping systems protected from both unwitting and witting insiders, especially since the agency mandates annual insider threat awareness training.
However, the auditors also note that most of NASA’s systems are unclassified, underlining that the insider threat risk for these systems is higher, given that many contain sensitive and valuable information, including scientific data, personal information, and procurement data.
“At NASA, valuable data including information related to critical infrastructure and other high-value assets resides in unclassified systems. Consequently, an insider threat incident on an unclassified system could pose serious jeopardy to Agency operations,” the report reads.
Although it does limit access to high-value assets and critical infrastructure, NASA does not monitor access to unclassified data related to intellectual property and high-value assets. While unclassified systems are assigned to users with limited privileges, over the past three years NASA received over 12,000 requests for elevated privileges that enable the download of task-specific software.
“Without proper monitoring of the purpose and source of this software, NASA systems are vulnerable to the introduction of malicious artifacts that can sabotage systems or collect and deliver information to outside sources. Additionally, accessing IT systems with elevated user privileges greatly increases the risks of cybersecurity incidents by introducing unintended, detrimental changes to system configurations,” the report says.
While NASA officials believe that the agency’s cybersecurity posture would greatly benefit from expanding the insider threat program to unclassified systems, there are staffing and technology limitations that should be addressed first, to support such an effort. Even so, the program should be expanded, the report says.
The auditors recommend that NASA establishes a cross-discipline team to conduct an insider threat risk assessment of unclassified systems and determine whether the insider threat program should be expanded to cover these systems as well, and that the agency ensures improved cross-discipline communication.