Skip the navigation

NASA scrambles to encrypt laptops after major breach

November 14, 2012 04:05 PM ET

"Additionally, the CIO will identify any other changes in policy and/or procedures that are necessary to prevent a recurrence of this type of breach in the future," Keegan added.

NASA's new measures appear intended to blunt criticism of the latest data breach.

The agency has been criticized in the past for lacking strong measures to protect sensitive data. In February , NASA Inspector General Paul Martin criticized the agency for lagging "far behind other federal agencies" in protecting data on agency laptops.

In testimony before the U.S. House of Representatives, Committee on Science, Space and Technology, Subcommittee on Investigations and Oversight, Martin noted that NASA had reported the loss or theft of 48 mobile computing devices between April 2009 and April 2011. Some of the incidents resulted in unauthorized release of sensitive data, Martin had noted. (The full report is available here).

In his testimony, Martin pointed to the March 2011 theft of an unencrypted notebook computer that resulted in the exposure of algorithms used to command and control the International Space Station. In another incident, sensitive data on NASA's Constellation and Orion programs were similar compromised when a laptop containing the data was stolen.

"NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," Martin testified.

"Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he added.

Gant Redmon, general counsel and vice president of business development at Co3 Systems, an incident management company, said the issue is why NASA didn't take measures to encrypt all of its systems sooner. "I have two questions. Why didn't they have it before the [March] incident? Why didn't they have it after that first breach?"

Incidents like this highlight the somewhat cavalier attitude many organizations and employees continue to have towards handling PII on laptop computers, he added. It's surprising that people continue to keep sensitive information on their laptops in unprotected fashion and then leave the laptops in relatively unprotected locations, Redmon added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at Twitter@jaivijayan, or subscribe to Jaikumar's RSS feed Vijayan RSS. His e-mail address is jvijayan@computerworld.com.

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies