Cybersecurity’s Moon Shot

NASA is leading the way with a mandate to manage computer risks in real time.

While other federal agencies wait for the White House and lawmakers to conclude their battle over stalled cyber legislation, NASA now has its own mandate to manage cyber threats using real-time intelligence. Before breaking for campaign season, space fans in Congress quietly pushed through a workaround in a law that requires NASA to keep lawmakers posted on its efforts to continuously monitor vulnerabilities across agency computer networks.

The NASA reauthorization bill also requires the agency's chief information officer to create an information security awareness and education program for employees and contractors. These are steps NASA and a few other agencies, such as the State Department, have been taking since the spring to bolster cyber defenses in anticipation of an overhaul of the government's nearly decade-old information security law.

NASA officials say they welcome the new legislation and expect their progress on cyber surveillance will spur other agencies to catch up. For most federal computer systems, the only window into their security status is periodic summaries of incidents. Critics say the existing law, the 2002 Federal Information Security Management Act, focuses too much on paperwork documenting protocols and not enough on executing them.

The NASA legislation, which President Obama signed in October, also mandates an agency study to determine whether the constant-surveillance framework is more effective than other methods of managing security. Continuous reporting is expected to reduce the time and cost of complying with FISMA, supporters say.

"It's a direction where we've already been going because we think it's important," says Marion Meissner, acting deputy CIO for IT security at NASA. In May, Jerry Davis, then deputy CIO for IT security, relaxed requirements for certifying network compliance to let managers concentrate on creating an automated risk management process. Today, every NASA center has a near real-time dashboard, or status-tracking website, that provides daily updates on security configurations, patches and network vulnerability scanning, Meissner explains. "If what we do is successful and we can show a measured improvement, then other agencies will be able to do this as well," she says.

During the past several years, Government Accountability Office auditors have identified weaknesses in NASA networks that could threaten space missions. "These networks traverse the Earth and beyond, providing critical two-way communication links between Earth and spacecraft; connections between NASA centers and partners, scientists and the public; and administrative applications and functions," GAO officials wrote in a February report on the challenges key agency programs face.

Passage of the NASA provisions comes amid a White House effort to update information security policies governmentwide. As of this fall, agencies must use automated tools for transmitting data on computer inventories, security incidents and other indicators to a secure online inbox called CyberScope.

But many agencies are off target. "My bet is it won't be done in the next year," says James A. Lewis, a senior fellow at the nonpartisan Center for Strategic and International Studies who researches cybersecurity. Of the 24 major agencies, "a few of them are already there; a lot of them are not," Lewis adds. He had estimated between 20 percent and 25 percent of the major agencies would be online this fall.

NASA is an exception. "We're meeting all the reporting requirements for CyberScope using the new tool," Meissner says. "We believe we are one of the few agencies that are able to do that this year using automated summaries." Aside from monitoring patches, configurations and scans, the dashboard helps managers inventory their hardware, software and external connections. They can check how many assets are hooked up to the automated system to confirm supplies.

To comply with the new law, NASA officials next year will connect more data sources to the tool, known as the IT security enterprise data warehouse, so they can gather additional indicators. Data quality will be the big challenge, officials note. "Anytime you integrate complex systems it takes time to ensure you have accurate data," Meissner says.

The cyber alert technology is not aboard the International Space Station and will not be spacebound anytime soon. "The tools that we have are not deployed up there," Meissner says. "Communications between the ground and ISS may not have the bandwidth to monitor that kind of information."

A House committee proposal aimed at decreasing the risks of cloud computing didn't make it into the bill, but senators on both sides of the aisle say they would be willing to pass the provision in a separate NASA spending bill. Cloud computing, a private sector practice that is gaining popularity in the government, allows agencies to access hardware and applications on demand and online through a third-party provider, instead of maintaining server farms and paying for software licenses.

The space agency was a government pioneer in the cloud back in 2008, when it launched Nebula, a service that has made it easier for scientists to exchange massive data sets with research partners and the public.

The House Science and Technology Committee agreed to a last-minute bipartisan compromise bill that called for NASA to inform lawmakers of any instances when classified or sensitive information is exchanged in the cloud, as well as any measures taken to ensure the data is protected. But the House ended up voting on the Senate version, which didn't include the committee's proposal.

Meanwhile, the Homeland Security Department is helping other agencies transition to the new digital surveillance method. "I do think this will give us in the long run much higher fidelity information," says Greg Schaffer, DHS assistant secretary for cybersecurity and communications. He says the shift to real-time monitoring will be "a process," adding he cannot provide a specific timeline. Lewis notes, "It's a big change, and moving people from where they are now to a better place is a great first step."