"We have designated information security as a government-wide, high-risk area since 1997 and subsequently expanded this high-risk area to include protecting cyber critical infrastructure and securing personally identifiable information," GAO wrote in a June 21 letter to NASA administrator Bill Nelson. "Accordingly, federal agencies need to take urgent actions to ensure that they have programs in place to protect their information technology systems and sensitive information against increasing cyber risks."
The warning comes following a wave of cyberattacks this year against companies and organizations including the Colonial Pipeline; the world's largest meat producer, JBS; New York City's Metropolitan Transportation Authority and Law Department; the Massachusetts Steamship Authority; truck maker Navistar; McDonald's; Electronic Arts; Department of Energy subcontractor Sol Oriens; and St. Joseph's/Candler, one of the largest hospital systems in Savannah, Georgia.
The GAO letter notes that NASA has agreed to take action to strengthen its cyber protections based on three priority recommendations. GAO's priority recommendations include:
- Reviewing the assignment of the "000" code to any positions at NASA in the 2210 IT management occupational series, assigning the appropriate National Initiative for Cybersecurity Education (NICE) framework work role codes, and assessing the accuracy of position descriptions
- Establishing a process for conducting an organization-wide cybersecurity risk assessment
- Establishing a time frame to develop an inventory of electronic information systems used to store agency records that includes all of the required elements
NASA plans to implement the first two recommendations by Nov. 30 and Sept. 30, respectively, and said it will continue to work towards implementing the third recommendation, GAO said.
The letter comes after NASA's Office of the Inspector General warned in a May report that "attempts to steal critical information are increasing in both complexity and severity," with phishing attempts against NASA doubling and malware attacks increasing "exponentially" during the COVID-19 pandemic.
"Although NASA has taken positive steps to address cybersecurity in the areas of network monitoring, identity management, and updating its IT Strategic Plan, it continues to face challenges in strengthening foundational cybersecurity efforts," the report stated.
The inspector general's office found that NASA is "highly vulnerable to intrusions" due to its online presence of approximately 3,000 websites and more than 42,000 publicly accessible datasets. It also warned that the agency's ability to prevent, detect, and mitigate cyberattacks is "limited by a disorganized approach to Enterprise Architecture," the blueprint for how an organization analyzes and operates its IT and cybersecurity, and that the assessment and authorization of its IT systems are conducted "inconsistently and ineffectively" because of its "decentralized approach to cybersecurity."
In 2020, NASA identified a total of 1,785 cyber incidents, a slight drop from 1,888 cyber incidents in 2019. The majority were improper use incidents, which result from a violation of an organization’s acceptable use policies, such as installing unapproved software or viewing inappropriate material. NASA's improper use incidents have increased 343% from 249 in 2017 to 1,103 in 2020.
Collectively, GAO and OIG have issued dozens of reports over the past five years identifying weaknesses in NASA’s information technology systems.
The Office of the Inspector General has made 73 IT-related recommendations over the last five years; 46 of those actions have been implemented and approved, while the remaining 27 are still in progress. During the same period, OIG conducted more than 120 investigations involving intrusions, malware, denial-of-service attacks, and data breaches on NASA networks, several of which resulted in criminal convictions.
NASA plans to spend a total of $2.17 billion to improve its IT systems in fiscal year 2021, or about 10% of its overall budget.