NASA fixing security holes in oversight of foreign nationals

Monday - 4/14/2014, 3:56am EDT

Jared Serbu reports.

(Correction: A previous version of this story incorrectly identified the interim leader of NASA's new Foreign National Access Management office. The acting program manager is Jolene Meidinger, not Joe Thompson.)

NASA's administrator says his agency has taken significant steps to fix major problems with its oversight of foreign nationals who work inside the U.S. space program, following an external examination that found serious security lapses.

Under pressure from the agency's congressional appropriators, led by Rep. Frank Wolf (R-Va.), NASA turned to the National Academy of Public Administration for an outside look at whether its security controls were adequate to prevent foreign nationals who have inside access from exfiltrating sensitive information.

Charles Bolden, the NASA administrator, told Congress last week that he agrees with all 27 recommendations the NAPA panel ultimately made, and that the agency is moving to implement all of them.

"NASA has established a foreign national access management program to strengthen our foreign national oversight, including efforts to ensure compliance with U.S. government export control policies," he said. "I have repeatedly communicated the importance of the NAPA report and NASA's corresponding actions to all of my senior managers. I am now in the process of visiting each of the NASA centers and underscoring the importance of security to our entire workforce, consistent with the report's recommendations."

For the most part, the recommendations are unknown to the public, because NASA has deemed both the report itself and its conclusions a "sensitive" document.

"There were a number of vulnerabilities that are pointed out in the report that, when taken in total, could create inroads into our systems, and that's not [information] that we want to get out," Bolden said. "It's not because it was embarrassing."

Dick Thornburgh, a former U.S. Attorney General and Pennsylvania governor, led the NAPA study. In testimony last week, he shed some light on what his team found as they explored the inner workings of an agency that is required to interoperate with foreign partners on a daily basis while also keeping U.S. secrets under wraps.

One central conclusion is that until recently, NASA did not have a meaningful oversight program to manage the information access rights of foreign nationals who have access to agency data.

"While NASA is among the best organizations in the world when it comes to managing complex technological efforts, the agency does not apply its normal degree of program management rigor to foreign national access management," Thornburgh said. "It is not managed as a program. Individual headquarters elements produce overly broad program directives, which in turn are subject to widely varying interpretations by NASA centers. Additionally, NASA headquarters have inadequate means for determining the overall efficacy of their directives and mandated processes, so problem areas can go unrecognized."

Also, Thornburgh said, his panel found serious and longstanding cybersecurity vulnerabilities at NASA, at least on its unclassified networks. Many of the NASA IT managers his team interviewed assume that their networks have already been compromised, he said.

"This finding is reinforced by other reviews of NASA's information technology, including those done by the NASA inspector general," he said. "The fundamentally flawed outcomes result when you couple this loosely structured program with relatively easily penetrable information technology security systems. Many of the panel's findings apply equally to threats arising from trusted insiders, as well as other parties looking to compromise NASA's information technology."

Thornburgh stressed that the panel's mandate was to examine administrative problems at NASA around the foreign national access management process, and not specific instances in which data has been stolen through espionage or other criminal acts. He also emphasized that he could not discuss many details beyond the unclassified four-page executive summary of the report NASA has already released.

But at least one potentially troubling case became public last year following an FBI investigation.

Bo Jiang, a Chinese national, came to NASA four years ago by way of a job at the nonprofit National Institute of Aerospace, after having recently graduated from a Chinese university that is on the Commerce Department's "special entities list" because of concerns about its potential connection to distributors of weapons of mass destruction.

Jiang was eventually given a NASA-issued laptop and hard drive while he was working on an imaging enhancement program for the agency. According to federal court records, he acknowledged having taken that equipment to China at least once in violation of agency regulations.

An after-the-fact NASA audit found that the computer did not contain any classified material, but the hard drive held "extensive NASA proprietary and research information."