Uh-oh! Stolen NASA laptop contained space station control codes

Dec 17, 2012

Losing your laptop to theft is a bummer in any context, but what if it wasn't really yours? What if it was your work laptop, and you worked for NASA, and the stolen computer in question just happened to contain the unencrypted codes necessary to operate the multibillion-dollar International Space Station? Yeah, we wouldn't want to be you, either.

News that this particular laptop—stolen last March—contained much more than someone's vacation photos came earlier this week during testimony before a House subcommittee on science, space and technology by NASA inspector general Paul K. Martin.

Martin said the laptop theft "resulted in the loss of the algorithms" used to control the ISS, and noted it was one of 48 thefts of NASA mobile devices reported between April 2009 and April 2011.

Those 48 thefts resulted in a number of bad bits of news for the agency. Martin said the devices contained, among other things, "export-controlled, Personally Identifiable Information, and third-party intellectual property," along with employee Social Security numbers and data on upcoming NASA programs. Martin also noted that the actual number of device thefts could be much higher than 48 because NASA relies on its staff to report the thefts, and no one wants to admit they're the guy who lost the plans to the secret spacecraft that will save us all when an asteroid comes hurtling at Earth.

But it gets worse, because the laptop thefts only point to much larger problems with NASA security. Public Affairs Officer Trent Perrotto assured everyone that "at no point in time have operations of the International Space Station been in jeopardy due to a data breach," and noted that the agency has made "significant progress to better protect the agency's IT systems and is in the process of implementing the recommendations made by the NASA inspector general in this area." Still, it seems there are a lot of gaps.

Martin called NASA a "target-rich environment for cyberattacks," and noted that 47 advanced persistent threats attacked the agency's computers in 2011. Thirteen of them were able to successfully compromise the system. Those 47 attacks are a small fraction of the 5,408 cybersecurity attacks NASA reported in 2010 and 2011. That's 5,408 chances for intrusion, malware planting and other such cyber-mischief that reportedly cost NASA $7 million to fix.

"These incidents spanned a wide continuum, from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries' objectives," Martin said.

Martin also noted that some of the incidents affected "thousands of NASA computers" and caused "disruption" to missions.

So why is all this happening? It's NASA. You'd think they of all people would want to keep their computers safe. Martin pointed out that as of Feb. 1 only 1 percent (yes, you read that right) of NASA's portable devices are encrypted, while many of the holes in the agency's software are left unpatched because problems in the chain of command mean that the chief information officer is often unable to put mandatory security measures in place.

So, it's not just that they haven't fixed the problem. It's that they apparently can't. It's a bad situation, but Martin has an answer.

"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he said.

So get on that, NASA, because nobody wants to see the ISS get piloted into the sun.

(via Huffington Post)