NASA urged to address insider cybersecurity threats

A vast majority of NASA IT systems are unclassified, including many that contain high-value assets and critical infrastructure

NASA's Office of Inspector General (OIG) has urged the US space agency to make improvements to its current insider threat programme in order to protect its network infrastructure and data against attacks.

The OIG on Monday published the findings of its audit [pdf] of NASA's InfoSec readiness against insider threats, warning that the agency faces risks to its usual operations owing to a lack of protection for unclassified information.

Insider threats are cybersecurity dangers presented by an organisation's workers and contractors. Insiders tend to fly beneath the radar of standard security measures, making it harder to identify and prevent any inappropriate behaviour.

The most prevalent insider dangers, according to government and industry experts, are:

• unintentional leaks, such as those caused by phishing or an employee sending a sensitive email to the wrong person
• purposeful circumvention of cybersecurity rules or procedures by an employee using network access or database rights
• data theft, where an employee steals data from an organisation with the intention of selling or otherwise distributing it in an unauthorised manner.

The OIG report says NASA has taken reasonable measures to create an insider threat programme for its classified systems. The agency has set up user activity monitoring, conducted obligatory Agency-wide insider threat training, and built an insider threat reference website to help contractors and workers identify dangers, hazards, and follow-up information.

However, a large number of NASA's IT systems are unclassified, including many that contain high-value assets or vital infrastructure, and hence are not covered by the existing insider threat programme.

As a result, the agency's unclassified systems and data may be at more risk.

The number of incidents, including inappropriate use of the NASA's IT systems, increased 343 per cent in three years (from 249 in 2017, to 1,103 in 2020), according to the auditor's report.

The most prevalent issue in all of these cases was failure to preserve sensitive but unclassified (SBU) information.

Many NASA personnel were apparently sending unencrypted emails containing SBU data, International Traffic in Arms Regulations data or Personally Identifiable Information (PII).

Another potential issue is the workers' frequent privilege elevation. Over 12,000 requests for privilege elevation were filed by NASA users in the previous three years.

In order to bolster NASA's insider threat programme, the OIG recommends that the Associate Administrator, Chief Information Officer and Assistant Administrator for Protective Services create a cross-discipline team to perform an insider threat risk assessment.

This will help in evaluating NASA's unclassified systems and determining if the associated risk justifies expanding the insider threat programme to include those systems.

In addition, it recommends that the Office of the Chief Information Officer (OCIO), the Office of Protective Services (OPS), the Office of Procurement, human resources officials, and any other relevant NASA offices should form a working Group to collaborate on a wide range of insider threat related issues for both classified and unclassified systems.