We can land a man on the moon but can’t encrypt a laptop

It was four pages into his testimony on cyberattacks at NASA when the agency’s inspector general, Paul Martin, dropped this little nugget:

“Between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorized release of sensitive data including export-controlled, Personally Identifiable Information (PII), and third-party intellectual property.”

Go on….

“For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station. Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programs. Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files.”

Stop right there, general. Let’s make a little list here of the problems:

1) NASA stores data unencrypted?

2) Someone got the codes of the International Space Station, as well as sensitive data on two of the few projects Congress still lets you have?

3) You depend on your employees to self-report their incompetence?

It’s unclear whether Martin was quizzed on these blunders before he shifted his testimony to the efforts of outsiders to crack his agency’s security.

Early in his testimony he provided the context for why this situation may seem unusual:

“To put these findings in context, however, NASA OIG is the only Office of Inspector General that regularly conducts international network intrusion cases, and this fact could skew perceptions with regard to NASA’s relative rate of significant intrusion events compared to other agencies.”

NextGov’s story on the incident reveals the fatal flaw in this:

“The top IT executive supervises administrative systems but has no power over mission-critical systems supporting NASA’s aeronautics, science, and space programs, including the Deep Space Network.”

In other words: Failure is an option.

  • Elaine Love

    Unbelievable. My employer doesn’t even authorize flash drives or uploading photos. Nice to know we’re more secure than NASA.