Nasa admits losing laptop containing Space Station controls

IT security widely criticised at US space agency

US space agency Nasa has admitted to losing an unencrypted laptop last March that contained codes used to control the International Space Station.

The admission was made by Paul Martin, inspector general at Nasa, in a report submitted to the US Congress that also revealed other key data had been put at risk.

"The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station," he said.

"Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA's Constellation and Orion programs."

The damning report into the IT security systems at Nasa also found that between 2010 and 2011, the agency suffered more than 5,400 incidents of malware being installed on, or people gaining unauthorised access to, its systems.

Those attacks included ones launched by organised crime groups and foreign intelligence services.

The damage to Nasa, as a result of disruption to missions and the theft of export-controlled and sensitive data was put at more than $7m.

Martin also noted that as of 1 February 2012 just one per cent of its laptops used data encryption, despite the loss of 48 laptops in the past year.

In 2011, 13 attacks against Nasa computers resulted in the theft of credentials for more than 150 staff.

According to Martin's the agency's IT chief lacked the capability to enforce IT security policies across the organisation, putting it at an unacceptably high risk of attack.

"The CIO has limited ability to direct NASA's Mission Directorates to fully implement CIO-recommended or mandated IT security programmes," he warned.

As a result, critical software patches were not installed on many of its systems.

Nasa has more than 550 IT systems, which are used to control spacecraft, collect and process data and help staff communicate.

It spends at least $58m a year on IT security - although the true figure may be somewhat higher, as this estimate does not include the IT costs bundled into many of its projects and programmes.

In 2010, Nasa was forced to admit it had sold several computers without first wiping them of sensitive data.