A NASA computer stolen in March 2011 contained unencrypted codes "used to command and control the International Space Station," according to an internal audit released to Congress Wednesday.
Besides that breach, which apparently caused no harm, the audit reveals a multitude of computer security holes that Paul Martin, inspector general of NASA, admitted "could result in significant financial loss, adversely affect national security, or significantly impair our nation's competitive technological advantage."
Just one percent of NASA employee laptops and cell phones encrypt data, a baseline level of security used on 54 percent of other government agencies' laptops and cell phones. Between April 2009 and April 2011, 48 computers and cell phones were lost or stolen, and Martin admitted that the agency has no idea what data most of them held.
"NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," Martin told the House.
NASA is one of the most technologically integrated government agencies, Martin said, and spends more than $1.5 billion annually on information technology-related services, including more than $58 million on IT security. That didn't stop hackers from breaking in more than 5,400 times in 2010 and 2011, in incidents ranging from "individuals testing their skill to break into NASA systems" to "well-organized criminal enterprises hacking for profit" to "intrusions that may have been sponsored by foreign intelligence services."
During one of those attacks, intruders stole login credentials for more than 150 NASA employees, which Martin said "could have been used to gain unauthorized access to NASA systems."
Martin recommended that NASA implement an "agency-wide data encryption solution" to prevent sensitive data from being lost in the future. Summing up, he said, "NASA needs to improve agency-wide oversight of the full range of its IT assets."