http://www.gcn.com/online/vol1_no1/45450-1.html By Wilson P. Dizard III GCN.com 11/16/07 A recent series of intrusions into the Earth Observing System’s networks “cost NASA $1.5 million for incident mitigation and cleanup costs alone,” said the agency’s inspector general, Robert Cobb, in a memo issued Nov. 13. Those costs came on top of the “operational impact to the agency‘s mission, such as the temporary suspension of automated processes,” caused by the criminal hack of the networks, Cobb said. The memo was addressed to NASA’s administrator and accompanied the IG’s report titled “NASA’s Most Serious Management and Performance Challenges.” “Our criminal investigative efforts over the past five years confirm that the threats to NASA’s information are broad in scope, sophisticated and sustained,” auditors wrote in the report. “Even more troubling is that the threats appear to evolve along with new technologies and range from low-end hacking to complex attacks aimed at some of NASA’s most sensitive data,” the report states. “In addition, internal and external audits and reviews of the agency’s [information technology] security continue to identify systemic management and technical and operational control weaknesses,” the report states. Those weaknesses menace the confidentiality, integrity and availability of the agency’s data and systems. NASA should protect its computers by launching an “IT security internal control program; enhancing intrusion detection and computer forensics with incident management analysis; implementing improved NASA network security monitoring capabilities; and managing IT asset and [IP] addresses,” the report states. NASA has taken significant actions to curb the hacker threats posed by criminals; national military and intelligence forces; and malicious vandals, the auditors found. But a shortage of fully trained security personnel, poor patch management and haphazard incident response have hindered progress, the report states. However, the hacker risk could pale in comparison to NASA’s tendency to be its own worst enemy with regard to financial management and procurement practices. After years of attempting to build a financial management system that could span the agency’s 10 centers and deliver timely, accurate financial data — a task mastered by much smaller enterprises inside and outside government— NASA doesn’t appear close to its goal. The auditor’s report states that NASA has not mastered double-entry accounting — a technology that dates back to the Middle Ages — well enough to produce timely, accurate financial statements on a routine basis. The auditors described a NASA accounting approach that might be characterized as whimsical or madcap. Officials decide how much of their expenditures to allocate to capital accounts only after the disbursements have been made, according to the report. They also rely heavily on contractors to identify assets the contractors created, auditors said. The multibillion-dollar agency’s retrospective financial management method, which resembles that of bankrupt musician Willie Nelson or a financially embarrassed starlet with driving issues, resonates with its Scarlett O’Hara procurement approach of “I’ll worry about that tomorrow,” according to the IG report. “Given that NASA expends most of its budget through contracts and other procurement vehicles, weaknesses in NASA’s acquisition and contracting processes pose significant challenges to the agency’s ability to make informed investment decisions,” the report states. The Government Accountability Office first warned that NASA’s inadequate methods for tracking acquisition costs and contractors’ activities were serious problems 17 years ago. The agency continues to experience failures in “developing adequate cost estimates, managing program costs, and ensuring that NASA is using the most advantageous acquisition and procurement strategies and safeguards to promote competition in contracting and to maximize the agency’s ability to fulfill its missions,” the auditors wrote. __________________________________________________________________ Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Sun Nov 18 2007 - 23:45:38 PST