Introduction: Historical Reference Points On NASA
It should be noted that NASA is an independent government agency and part of the United States federal government, which functions as an operator in civilian space programs as well as research related to space. It was established in 1958, which emerged from its predecessor, the National Advisory Committee for Aeronautics or NACA (Bizony et al., 2019). The main difference was rooted in the fact that NASA was oriented as a civilian agency with a pure interest in sciences related to space with military functional elements.
Discussion on the Cybersecurity Policies of NASA
It is important to note that “much of the United States’ critical infrastructure relies on space systems” (Falco, 2018, p. 1). In other words, practically all critical infrastructure elements are dependent on the space assets, making space systems the most important critical infrastructure of all. The examples include “agribusiness’ reliance on weather and climate satellites, the U.S. military’s reliance on intelligence satellites, and various transportation industries’ reliance on global positioning system (GPS) satellites” (Falco, 2018, p. 1). Therefore, it is important to note that NASA’s essentiality among all critical infrastructures makes the agency a prime and ultimate target for cyber attacks. Thesis: Although NASA’s cybersecurity measures are effective for the most part in areas such as decentralized cybersecurity, data inaccessibility, and access restriction, it fails in regards to assessment of its cyber defenses resulting in non-adherence to national security standards and carrying significant risk to the latter.
It is stated that “the Agency’s vast online presence of approximately 3,000 websites and more than 42,000 publicly accessible datasets also makes it highly vulnerable to intrusions” (Office of Inspector General, 2021, p. 3). In accordance with the global trend of cyber threat increases across all private and public spaces, NASA is also becoming a major target for hackers (Johnson, 2015). Given NASA’s importance and interconnectedness to other critical infrastructure elements, a plausible scenario that major breaches could tax society significantly (Guiora, 2017). Thus, NASA’s cybersecurity readiness and preparedness, as well as resilience, are of paramount importance.
One should be aware that NASA invests heavily in its cyber security programs and systems. These operations are primarily managed by NASA OCIO Cybersecurity & Privacy Division (CSPD), which provides cost-effective services in cyber security, decreases the number of barriers to improve cross-agency collaboration, and removes identified vulnerabilities (Bizony et al., 2019). NASA has a set of strict regulatory policies in regard to cybersecurity and privacy of sensitive information used, accepted, and disclosed by the agency.
All personnel working at NASA must comply with the NASA Cybersecurity and Privacy Rules of Behavior or NASA ROB, where “unauthorized or improper use of NASA IT may result in the suspension or revocation of access to NASA IT, and disciplinary action, as well as civil and criminal penalties” (National Aeronautics and Space Administration, 2021, p. 2). The examples include a “mobile phone, tablet, computer, Internet of Things (IoT) device, or wearable technology that does not have a valid Authority To Operate (ATO) from a NASA Authorizing Official (AO), regardless of who provided or owns the device” (National Aeronautics and Space Administration, 2021, p. 2). Thus, NASA takes matters of cybersecurity and privacy seriously where all potential aspects of the operations are controlled and strictly regulated.
How the Policy Hardens Networks
NASA has implemented a number of measures to ensure that its cybersecurity is strong and resilient. The agency made the access control policies significantly stricter for all its providers and engineers, which were partly described in the previous sections, such as NASA ROB. Therefore, “this will help guard against some of the phishing attacks used against NASA employees in the past that steal credentials and access valuable intellectual property” (Falco, 2018, p. 16). In the past, the Office of the Chief Information Officer or OCIO was responsible for agency-wide cybersecurity measures, but it recognized that it is incapable of ensuring proper cybersecurity for both mission systems as well as NASA’s labs. Thus, “NASA’s Jet Propulsion Laboratory (JPL) created the Cyber Defense Engineering and Research Group (CDER). CDER’s goal is specifically to address mission systems” (Falco, 2018, p. 16). In other words, the current NASA cybersecurity system is decentralized.
Pros of the Policies
Moreover, NASA is implementing a wide range of effective encryption programs to encrypt its data. For example, “at the end of 2016, AT&T encrypted NASA’s Deep Space Network (DSN), which is the foundation of communication infrastructure for technology such as the Mars Rover” (Falco, 2018, p. 16). In other words, the agency is making its data highly inaccessible to external threats even if all other systems are breached. It is a plausible and effective strategy to ensure that NASA’s data is only usable by the agency itself.
Cons of the Policies
Although NASA plays a critical role in ensuring national security as an agency playing a central role in the functionality of all other critical infrastructure elements, the practical assessments of NASA’s cybersecurity measures show the inherent weaknesses of the systems utilized in the organization. The first and major issue is the fact that “NASA conducts its assessment and authorization (A&A) of IT systems inconsistently and ineffectively, with the quality and cost of the assessments varying widely across the Agency” (Office of Inspector General, 2021, p. 15). These assessments are mandatory to ensure that the utilized systems are meeting the standard requirements and adhering to national security mandates.
Despite the recent efforts to ensure better cybersecurity at the agency, it is important to emphasize that cyber attackers are becoming “more aggressive, organized, and sophisticated, managing and mitigating cybersecurity risk is critical to protecting NASA’s vast network of information technology systems from malicious attacks or breaches that can seriously inhibit the Agency’s ability to carry out its mission” (Office of Inspector General, 2021, p. 20). Therefore, it is of paramount importance to constantly track and monitor the effectiveness of the currently implemented systems in order to ensure that NASA is willing to the given arms race, which can only be done by regular and efficient assessment procedures.
Therefore, the lack of consistent and effective assessment and authorization programs at NASA hinders national security on a massive scale due to the core importance and interconnectedness of NASA’s operations and its influence on all other critical infrastructure elements. Despite the effective measures undertaken by the agency, NASA cannot be secure and resilient enough due to its highly paramount role in the overall national security of the United States. Full and reliable cybersecurity can only be ensured if an integrated and systematic approach is applied. The cybersecurity system must be built taking into account all current threats and vulnerabilities, also taking into account those threats that may arise in the future. Therefore, it is important to provide support for continuous monitoring, which must operate on a daily basis around the clock.
Preventing Exploitation of Vulnerabilities
A prerequisite is to ensure control at each stage of the life cycle of information, from the moment of its arrival and ending with the loss of its relevance or destruction of data. The use of a multi-level integrated information protection system is definitely more effective than the use of individual cybersecurity methods. At the same time, cybersecurity is only one of the areas that need to be addressed. Given the ever-increasing computerization of all spheres of business and the increase in the number of electronic transactions, these threats are also rapidly developing. In search of ways to obtain classified information and harm organizations, cybercriminals are actively using modern technologies and software solutions. Their actions can cause significant damage, including in the form of direct financial losses or loss of intellectual property.
Biblical Foundations
In the case of biblical implications, the Bible supports self-reflection and self-assessments. It is stated: “Examine yourselves, to see whether you are in the faith. Test yourselves. Or do you not realize this about yourselves, that Jesus Christ is in you?—unless indeed you fail to meet the test” (Holy Bible, King James Bible, 1769/2017, Corinthians 13:5). In other words, the presence of inconsistent and ineffective assessment and authorization programs as NASA illustrates that the agency does not adhere to key biblical practices monitoring and tracking progress in the face of evil, which includes cyber threats and cyber-attacks.
The Bible states: “two are better than one; because they have a good reward for their labour. For if they fall, the one will lift up his fellow: but woe to him that is alone when he falleth; for he hath not another to help him up. Again, if two lie together, then they have heat: but how can one be warm alone?” (Holy Bible, King James Bible, 1769/2017, Ecclesiastes 4:9-11). In other words, the verses support the decentralized cybersecurity at NASA, where the Office of the Chief Information Officer handles NASA’s labs and Cyber Defense Engineering and Research Group protects mission systems.
Conclusion
In conclusion, NASA is a highly important agency in the critical infrastructure network because all other elements rely on the space assets’ functionality and security. NASA utilizes a decentralized approach towards cybersecurity, encrypts its data, and restricts the accessibility of its data to providers and engineers. However, it fails to conduct consistent and effective assessment and authorization procedures, which carries a serious national security risk. Although the Bible supports NASA’s best practices, it condemns the lack of self-analysis.
References
Bizony, P., Chalkin, A., & Launius, R. (2019). The NASA archives. 60 years in space. TASCHEN.
Falco, G. (2018). Job one for Space Force: Space asset cybersecurity[PDF document].
Guiora, A. N. (2017). Cybersecurity: Geopolitics, law, and policy. Routledge.
Johnson, T. A. (2015). Cyber-security: Protecting critical infrastructures from cyber attack and cyber warfare. CRC Press.
King James Bible. (2017). King James Bible Online. (Original work published 1769)
National Aeronautics and Space Administration. (2021). NASA cybersecurity and privacy rules of behavior.
Office of Inspector General. (2021).NASA’s cybersecurity readiness.