NASA is apparently seriously lacking when it comes to data security

Image of padlock against circuit board/cybersecurity background
(Image credit: Future)

The National Aeronautics and Space Administration (NASA) is pretty good at keeping Classified information away from falling into the wrong hands, but it’s not that good at labeling all of the right data as Classified.

This becomes a major problem because it puts many projects and information in jeopardy from insider attacks, says the latest report on the organization's state of cybersecurity, published by the NASA Office of Inspector General.

The “NASA’s insider threat program” report reveals that the “vast majority” of NASA technology is not labeled as Classified, including "high-value assets and critical infrastructure." Some of these assets include "sensitive and valuable information such as scientific, engineering, or research data; human resources files; or procurement sensitive information."

TechRadar needs you!

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Labeling classified data

As these items are not labeled as Classified, they aren’t covered by the various defenses the organization deployed for its insider protection program. 

Things wouldn’t be that bad if unclassified, but sensitive information, wasn’t abused every day. The auditor says in its report that the number of incidents, including the improper use of the organization’s IT systems, rose 343% in three years (from 249 in 2017, to 1,103 in 2020). 

Of all these incidents, the most common problem was “failing to protect Sensitive but Unclassified (SBU) information”. Apparently, many NASA employees were sending each other unencrypted emails containing SBU data, Personally Identifiable Information (PII), or International Traffic in Arms Regulations data. 

Another potential problem is frequent privilege elevation for the employees. In the last three years, NASA users made more than 12,000 requests for privilege elevation.

To better protect its data, the watchdog hints, NASA needs to reorganize informational security responsibilities. As things stand now, multiple teams are in charge of securing the organization's endpoints, including the Office of Protective Services (OPS), and the Office of the Chief Information Officer (OCIO). 

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.