[ISN] NASA centers fail to report cyberattacks

From: cult hero (jerichoat_private)
Date: Fri May 07 1999 - 15:10:50 PDT

  • Next message: cult hero: "[ISN] The case of the unhappy hacker"

    Forwarded From: William Knowles <erehwonat_private>
    
    http://www.fcw.com/pubs/fcw/1999/0503/fcw-newnasa-5-3-99.html
    
    (Federal Computer Week) [5.3.99] NASA's inspector general told a Senate
    subcommittee last week that parts of the agency are failing when it comes
    to fending off and reporting hacker attacks, leaving the agency vulnerable
    to people who would steal or alter sensitive data. 
    
    Roberta Gross, IG for the agency, told the Senate Science, Technology and
    Space Subcommittee that simple actions -- such as recruiting more workers
    who are attuned to information security issues and making sure NASA
    centers use the latest software security patches -- can go a long way
    toward making the agency's networks more secure. 
    
    But she said broader problems, such as failures by NASA centers to report
    cyberattacks, remains an obstacle to better oversight of information
    security. Moreover, she said an internal NASA organization -- NASA's
    Automated Systems Incident Response Capability -- must improve its
    performance. "That [organization] has not been performing adequately," she
    said. Gross added that her office next month will issue a report on
    NASIRC's performance.
    
    Gross' criticism comes in the wake of a recent cyberattack on two NASA
    centers. She confirmed to FCW that the attacks occurred in the past month,
    but she declined to reveal which NASA centers had been attacked or any
    details of the attack. Gross also told FCW that her office had not fully
    analyzed the attacks to determine the amount of damage they may have
    caused or how they might have been prevented.
    
    She said NASA centers did not report the two recent cyberattacks to her
    office. Rather, staff members in her office learned about the attacks
    through "other ways,"  which she did not identify. She said alerting top
    NASA officials of attacks is one of the "low-cost, free things"  that NASA
    centers can do to help leaders defend against and prevent attacks.
    
    Gross told senators Thursday that keeping NASA leaders, including those in
    the IG's office, informed of cyberattacks is important because of the
    agency's decentralized nature. NASA is made up of several centers.
     
    "This multiple-center approach leads to serious coordination problems,
    diminishes corporate oversight and leaves NASA partners more vulnerable,"
    she said. "NASA is a vulnerable target because it depends heavily on IT
    and the Internet to support the operations it conducts at its field
    centers and other facilities across the United States and abroad."
    
    Subcommittee chairman Sen. Bill Frist (R-Tenn.) agreed.  "In many ways
    [NASA's dependence on the Internet] does invite potential internal abuse
    and external abuse," he said.
    
    Cathy Cromley, director of federal marketing for Secure Computing Corp.,
    stressed the importance of sharing information when systems are abused or
    hacked. "In not sharing information internally, NASA and the government as
    a whole cannot benefit from lessons learned," she said.
    
    Keith Cowing, editor of NASA Watch, an independent World Wide Web site,
    said NASA's security problems stem from inconsistencies at the agency.
    "Despite all the arm-waving and so forth, they've never really had a
    consistent [information security] policy," he said.
    
    According to Cowing, NASA has to struggle to balance the public's interest
    in accessing NASA information via the Web with protecting sensitive
    information. "It again goes back to the chief information officers at each
    respective center having different policies," he said. "Some centers just
    seem to go out of their way to make things public."
    
     
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:23:07 PDT