NASA scrambles to encrypt laptops after major breach
"Additionally, the CIO will identify any other changes in policy and/or procedures that are necessary to prevent a recurrence of this type of breach in the future," Keegan added.
NASA's new measures appear intended to blunt criticism of the latest data breach.
The agency has been criticized in the past for lacking strong measures to protect sensitive data. In February , NASA Inspector General Paul Martin criticized the agency for lagging "far behind other federal agencies" in protecting data on agency laptops.
In testimony before the U.S. House of Representatives, Committee on Science, Space and Technology, Subcommittee on Investigations and Oversight, Martin noted that NASA had reported the loss or theft of 48 mobile computing devices between April 2009 and April 2011. Some of the incidents resulted in unauthorized release of sensitive data, Martin had noted. (The full report is available here).
In his testimony, Martin pointed to the March 2011 theft of an unencrypted notebook computer that resulted in the exposure of algorithms used to command and control the International Space Station. In another incident, sensitive data on NASA's Constellation and Orion programs were similar compromised when a laptop containing the data was stolen.
"NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the Agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," Martin testified.
"Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he added.
Gant Redmon, general counsel and vice president of business development at Co3 Systems, an incident management company, said the issue is why NASA didn't take measures to encrypt all of its systems sooner. "I have two questions. Why didn't they have it before the [March] incident? Why didn't they have it after that first breach?"
Incidents like this highlight the somewhat cavalier attitude many organizations and employees continue to have towards handling PII on laptop computers, he added. It's surprising that people continue to keep sensitive information on their laptops in unprotected fashion and then leave the laptops in relatively unprotected locations, Redmon added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!