NASA scrambles to encrypt laptops after major breach
"Additionally, the CIO will identify any other changes in policy and/or procedures that are necessary to prevent a recurrence of this type of breach in the future," Keegan added.
NASA's new measures appear intended to blunt criticism of the latest data breach.
The agency has been criticized in the past for lacking strong measures to protect sensitive data. In February , NASA Inspector General Paul Martin criticized the agency for lagging "far behind other federal agencies" in protecting data on agency laptops.
In testimony before the U.S. House of Representatives, Committee on Science, Space and Technology, Subcommittee on Investigations and Oversight, Martin noted that NASA had reported the loss or theft of 48 mobile computing devices between April 2009 and April 2011. Some of the incidents resulted in unauthorized release of sensitive data, Martin had noted. (The full report is available here).
In his testimony, Martin pointed to the March 2011 theft of an unencrypted notebook computer that resulted in the exposure of algorithms used to command and control the International Space Station. In another incident, sensitive data on NASA's Constellation and Orion programs were similar compromised when a laptop containing the data was stolen.
"NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," Martin testified.
"Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he added.
Gant Redmon, general counsel and vice president of business development at Co3 Systems, an incident management company, said the issue is why NASA didn't take measures to encrypt all of its systems sooner. "I have two questions. Why didn't they have it before the [March] incident? Why didn't they have it after that first breach?"
Incidents like this highlight the somewhat cavalier attitude many organizations and employees continue to have towards handling PII on laptop computers, he added. It's surprising that people continue to keep sensitive information on their laptops in unprotected fashion and then leave the laptops in relatively unprotected locations, Redmon added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts