Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.fcw.com/pubs/fcw/1999/0503/fcw-newnasa-5-3-99.html

(Federal Computer Week) [5.3.99] NASA's inspector general told a Senate
subcommittee last week that parts of the agency are failing when it comes
to fending off and reporting hacker attacks, leaving the agency vulnerable
to people who would steal or alter sensitive data.

Roberta Gross, IG for the agency, told the Senate Science, Technology and
Space Subcommittee that simple actions -- such as recruiting more workers
who are attuned to information security issues and making sure NASA
centers use the latest software security patches -- can go a long way
toward making the agency's networks more secure.

But she said broader problems, such as failures by NASA centers to report
cyberattacks, remain an obstacle to better oversight of information
security. Moreover, she said an internal NASA organization -- NASA's
Automated Systems Incident Response Capability -- must improve its
performance. "That [organization] has not been performing adequately," she
said. Gross added that her office next month will issue a report on
NASIRC's performance.

Gross' criticism comes in the wake of a recent cyberattack on two NASA
centers. She confirmed to FCW that the attacks occurred in the past month,
but she declined to reveal which NASA centers had been attacked or any
details of the attack. Gross also told FCW that her office had not fully
analyzed the attacks to determine the amount of damage they may have
caused or how they might have been prevented.

She said NASA centers did not report the two recent cyberattacks to her
office. Rather, staff members in her office learned about the attacks
through "other ways," which she did not identify. She said alerting top
NASA officials of attacks is one of the "low-cost, free things" that NASA
centers can do to help leaders defend against and prevent attacks.

Gross told senators Thursday that keeping NASA leaders, including those in
the IG's office, informed of cyberattacks is important because of the
agency's decentralized nature. NASA is made up of several centers.

"This multiple-center approach leads to serious coordination problems,
diminishes corporate oversight and leaves NASA partners more vulnerable,"
she said. "NASA is a vulnerable target because it depends heavily on IT
and the Internet to support the operations it conducts at its field
centers and other facilities across the United States and abroad."

Subcommittee chairman Sen. Bill Frist (R-Tenn.) agreed. "In many ways
[NASA's dependence on the Internet] does invite potential internal abuse
and external abuse," he said.

Cathy Cromley, director of federal marketing for Secure Computing Corp.,
stressed the importance of sharing information when systems are abused or
hacked. "In not sharing information internally, NASA and the government as
a whole cannot benefit from lessons learned," she said.

Keith Cowing, editor of NASA Watch, an independent World Wide Web site,
said NASA's security problems stem from inconsistencies at the agency.
"Despite all the arm-waving and so forth, they've never really had a
consistent [information security] policy," he said.

According to Cowing, NASA has to struggle to balance the public's interest
in accessing NASA information via the Web with protecting sensitive
information. "It again goes back to the chief information officers at each
respective center having different policies," he said. "Some centers just
seem to go out of their way to make things public."
Received on Fri May 7 22:34:42 1999