NASA had 5,408 computer security lapses in 2010 and 2011, including the March 2011 loss of a laptop computer that contained algorithms used to command and control the International Space Station (ISS), the agency's inspector general told Congress Wednesday.
An attack by Chinese hackers on NASA's Jet Propulsion Laboratory (JPL), in Pasadena, Calif., was also mentioned, although details of the ongoing investigation were scant.
"These incidents spanned a wide continuum, from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries' objectives," Inspector General Paul Martin said in written testimony before the House Science, Space and Technology Committee investigations panel.
"Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7 million," Martin said.
It's not known how the number and scope of computer security breaches at NASA compare to other federal agencies because NASA's Office of the Inspector General is the only OIG that regularly conducts international network intrusion cases, Martin added.
"NASA needs to improve agency-wide oversight of the full range of its IT assets," Martin wrote.
The JPL incident that occurred in November 2011 gave the attackers "full functional control over these networks," he added. JPL is the base of operation for a host of operational robotic space missions, and the security breach could have allowed the deletion of sensitive files, access to user accounts of critical systems and the uploading of malicious software, FOXNews.com reports.
The security lapses include the loss or theft of 48 mobile computing devices between April 2009 and April 2011, "some of which resulted in the unauthorized release of sensitive data including export-controlled, Personally Identifiable Information (PII), and third-party intellectual property."
"For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station," Martin wrote.
"Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA's Constellation and Orion programs. Moreover, NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files.
"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," Martin wrote.
NASA said it is aware of the problem and is taking steps to strengthen its computer security programs.
"The NASA IT Security program is transforming and maturing," the agency's chief information officer Linda Cureton said in her written testimony to the same panel.
"NASA is increasing visibility and responsiveness through enhanced information security monitoring of NASA's systems across the agency," she said.
Image: International Space Station - at risk from hackers? Credit: NASA