NASA’s Insider Threat Program

The Office of Inspector General has audited NASA’s insider threat program:

While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency’s information technology (IT) systems—including many containing high-value assets or critical infrastructure—are unclassified and are therefore not covered by its current insider threat program. Consequently, the Agency may be facing a higher-than-necessary risk to its unclassified systems and data. While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources. According to Agency officials, expanding the insider threat program to unclassified systems would benefit the Agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented. However, on-going concerns including staffing challenges, technology resource limitations, and lack of funding to support such an expansion would need to be addressed prior to enhancing the existing program.

Further amplifying the complexities of insider threats are the cross-discipline challenges surrounding cybersecurity expertise. At NASA, responsibilities for unclassified systems are largely shared between the Office of Protective Services and the Office of the Chief Information Officer. In addition, Agency contracts are managed by the Office of Procurement while grants and cooperative agreements are managed by the Office of the Chief Financial Officer. Nonetheless, in our view, mitigating the risk of an insider threat is a team sport in which a comprehensive insider threat risk assessment would allow the Agency to gather key information on weak spots or gaps in administrative processes and cybersecurity. At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the Agency’s ability to carry out its mission.

Posted on March 23, 2022 at 6:16 AM

Comments

Ted March 23, 2022 8:16 AM

Good teamwork. It looks like NASA concurs with OIG’s two recommendations: creating a cross-discipline team and a working group. NASA lists an estimated completion date of Dec 1, 2023.

Do organizations like SpaceX or Blue Origin have these kind of audits?

Ed Hurst March 23, 2022 2:00 PM

@Ted

My experience is that, to the degree private agencies hold federal contracts, some portion of their operations are subject to auditing. It’s not the auditing, but the liability to auditing that comes with any use of government funding. Who knows if anyone actually bothers to audit? At any rate, whether their networks and data are secure would tend to be a function of who runs things and what their habits are.

JonKnowsNothing March 23, 2022 3:24 PM

@ Ed Hurst, @Ted

re: degree private agencies hold federal contracts, some portion of their operations are subject to auditing.

It also depends on what is being reviewed. Some companies will have embedded auditors to observe every aspect of manufacture, testing, field testing, etc. Some stuff is very complex and you can’t just roll in the auditor of the day to determine if it’s correctly done.

MilSpec is really a tough gig.

Like all auditors, the knowledge of the auditor is important. Sometimes they are ex-Mil who already have 20-30 years of experience with the item(s). Sometimes they are just high-paid suits sitting at desks waiting for someone else to do their work, since they just got a hot tip on the stock market.

From the thickness of cables and cable shielding to Nuclear Warhead Targeting down to the “O” rings on Nuclear Submarine Launch Tubes.

There is the other side too, the commercial side: Mil-Retro Fit. That’s a whole other gig with the $435 Hammer and the $640 Toilet Seat.

SJre March 23, 2022 4:09 PM

… intricate government bureaucracies and their endless management problems are so amusing.
One would have assumed that the Federal Government had long ago learned how to properly handle sensitive information. But no.

Trung Doan March 23, 2022 4:35 PM

“..SpaceX or Blue Origin have these kind of audits?”, good question, Ted. I guess the current answer is No but it ought to be Yes.

JonKnowsNothing March 24, 2022 8:59 AM

@SJre

re: One would have assumed that the … Government had long ago learned how to properly handle sensitive information. But no.

Something to consider:
  After millennia of sensitive information falling into the opposition’s possession, why not?

History and the History of Security+Encryption are littered with the evidence that “protections didn’t work”. There is the IMAMOCLEVERTHANU in systems which is the old:
  Anyone can devise a system they cannot break themselves.

There is another aspect, particularly in modern times when we have access to many better and tested methods of “protecting the important”, and that is an underlying, perhaps subconscious or even subliminal view of “We don’t really want to”.

Some of this is part of the framework problem for security issues:

  • It’s too hard
  • It’s too cumbersome
  • It’s too tedious
  • It’s stupid
  • It’s a waste of time

Because all of the above have kernels of truth to them, people don’t follow through the devised program(s). Only a few overtly exploit this aspect (1).

  • Most people do most of it, most of the time.

The difficulty, still unresolved, is that even 1 lapse, no matter how trivial, is 1 lapse too many.

Perfect Security requires Perfect Follow Through. Humans are less than perfect.

Which is one reason that security has been handed off in greater share to computers, because computers don’t arbitrarily change behavior. Computers only do what they are programmed to do. Even so, the same problems follow computer security, for all the above reasons.

  • Programmers are fallible, and no more perfect than the people who have to use the devised systems-schemes.

So our next attempt is through AI/ML systems. A Best Guess, Weighted Average of Averages, attempting to provide a perfect model for security (2). These models fail too. They may be able to generate output magnitudes faster than a human, but they are subject to the same failures.

  • AI/ML models fail and when they fail they fail spectacularly.

The next leap up will be Quantum Computers. Quantum computers won’t solve the fundamental problem:

  • Humans do not want to, will not do it and in fact cannot do it. Humans are erratic, chaotic, changeable and malleable. We don’t do static well.

Remember old school days: Gazing out the window, Daydreaming, Mind spinning wonderful images from the imagination only to be interrupted with:

  • ARE YOU PAYING ATTENTION!!

We daydream of perfect security but we aren’t paying attention.

===

Subconscious: Existing in the mind but just below the conscious level. Subconscious is the part of the mind that is not currently of focal awareness.

Subliminal: Use of words or images (referred to as stimuli) we don’t consciously detect. Those stimuli can be undetectable because they’re hidden inside other wrapper ideas or images. Any sensory stimuli below an individual’s threshold for conscious perception.

1) Honey Pots/ Exfiltration

2) AI/ML model: security/surveillance Quantum models: more of the same.
