
tv   House Hearing on NASA Cybersecurity During Coronavirus  CSPAN  October 8, 2020 9:51am-11:01am EDT

9:51 am
stephen breyer discusses on c-span, c-span.org or with the radio app. >> watch live senate confirmation hearings for amy coney barrett starting monday with opening statements by judiciary committee members and judge barrett. watch on c-span, c-span.org and listen live on the c-span radio app and be sure to view a play list of amy coney barrett's legal views. next, a hearing on nasa cybersecurity concerns during the coronavirus pandemic, including weaknesses in the network due to nasa's reliance on outside institutions such as private companies and universities. the house space subcommittee hearing is an hour and 20 minutes. >> this hearing will come to order. without objection the chair is authorized to declare recess at
9:52 am
any time. before i deliver my opening remarks, i want to note today the committee is meeting virtually and announce a couple of reminders to the members about conduct of this hearing. first, members should keep their video feed on as long as they're present in the hearing and members are responsible for their own microphones. please keep your microphones muted unless you're speaking. if members have documents they wish to submit for the record, please e-mail them to the committee clerk whose e-mail address was committed prior to the hearing. good morning, i'd like to welcome our distinguished panel of witnesses, members and those viewing remotely. today's subcommittee hearing: cybersecurity at nasa, ongoing challenges and increased telework during covid. in early 2020 the world was caught off guard with the rapid and dramatic onset of the coronavirus.
9:53 am
nasa and many agencies and consistent with the committee of budget. to ensure the health and safety of more than 17,000 civil servant employees and extensive contractor work force. to its credit nasa prepared for the transition, having held an agency-wide telework in early march, then expanded telework operations, and today 75 to 80% of nasa's civil servants continue to work remotely on development work, engineering analysis and other activities. the shift to increased telework at nasa raises many questions, front and center cybersecurity. what does the increased and extended use of telework mean for protecting nasa's intellectual property and personally identifiable information, how does the cyber challenge affect the risk posture, and
9:54 am
what steps has nasa taken during the pandemic and beyond? these are some of the questions today's hearing will explore, because what's clear is that nasa is a target, and i want to pause here for a moment to note an article in the hill today, where the justice department has brought charges against iranian nationals for hacking u.s. satellite companies, so i think this is incredibly timely. a recent nasa i.g. report stated that given nasa's mission and the valuable technical information it produces, the information maintained in the i.t. infrastructure is a target for hackers and individuals. and jim bridenstine stated at a town hall, nasa is the most attacked agency in the federal government when it comes to cybersecurity. past data breaches and system intrusions at nasa and its facilities have resulted in large amounts of stolen data,
9:55 am
installation of malware, copying, modifying, and deleting sensitive files and accessing nasa servers, including those supporting missions. the department of homeland security's cybersecurity and infrastructure security agency, which is a mouthful of course, has issued alerts related to telework and is encouraging organizations to adopt a heightened state of cybersecurity. in june 2020, media articles reported that malicious actors congratulated nasa and spacex on a crewed demonstration flight and then announced they had allegedly breached and infected a nasa contractor, specifically one that provides information technology, cybersecurity, and
9:56 am
cybersecurity information to the agency. if true, that's a concerning report and part of why we're here today. protecting nasa's i.t. and data during the pandemic demands vigilance. however, nasa's cybersecurity doesn't end with the crisis. they've identified weaknesses and ongoing concerns with nasa's information security. further, they've ranked this as a top agency challenge. ensuring cybersecurity at nasa becomes even more pressing, given rapid advances in technology, supply chain risk, the open partnerships, and overall increase in space activity. nasa is a national treasure. its missions continue to inspire young and old and its cutting edge space technology, research and space flight experiences are the envy of the world. nasa's accomplishments wouldn't be possible without computers, software, and information
9:57 am
systems. will nasa or any organization be 100% free from risk and cyber threat? probably not. is there room for improvement? there is. and the na-- the bottom line: we need to ensure that nasa has the tools it needs to r and takes the necessary actions for success and safety and security during covid-19 and beyond, and i look forward to our witnesses' testimony today. so i think we are-- there he is. >> hey. >> ranking member babin, i'm glad you were able-- i know that technology can sometimes-- speaking of technology, be a little bit of a challenge, but glad you made it through, so the chair now recognizes ranking member babin and my good friend from texas for an opening
9:58 am
statement. >> absolutely. thank you. we have three computers here we couldn't get on, but i got on with my telephone. so-- any way we can do it, i'm glad to be with you. >> innovation and ingenuity, i love it. >> absolutely, okay, well, thank you so much. nasa is one of the best known organizations in the entire world. its successes with the mercury, gemini, apollo, shuttle and international space station programs along with its breathtaking scientific discoveries and jaw-dropping robotic probes attract worldwide attention. unfortunately, that attention comes with many challenges. the technologies that nasa develops are also sought after by criminal entities, unscrupulous foreign governments and destructive-- and because they have civil and military applications these challenges are particularly grave. and this is a topic that this
9:59 am
committee has focused on for decades. mr. martin testified before the-- excuse me, before the investigations and oversight subcommittee almost 10 years ago on the topic of information security. at that hearing he testified that an unencrypted laptop was stolen from nasa that resulted in the loss of the algorithms, quote, unquote, used to control the space station as well as personally identifiable information and intellectual property. similarly, the u.s.-china economic and security review commission noted in its 2011 report to congress that the terra and landsat 7 satellites experienced at least two separate incidents of interference, apparently cyber-related, with their command and control systems. recently nasa ig released the yearly report that found that information systems throughout the agency faced an unnecessarily high level of
10:00 am
risk that threatens the confidentiality, the integrity and availability of nasa's information, unquote. the report concluded that it's imperative the agency continue its efforts to strengthen its risk management and governance practices to safeguard its data from cybersecurity threats...
10:01 am
while these may seem startling, there are specific reasons that many of the recommendations remain open. for instance, agencywide guidelines and best practices are often general rules and principles that are not optimized to specific agencies' unique capabilities, expertise and challenges. for instance, nasa is the world leader in designing, building, operating and communicating with spacecraft. this expertise resides within the mission directorates, and the centers have cultivated this expertise over many decades. in some instances they developed the software, information systems and underlying technologies that industry and the rest of the government adopted and embraced. in even more extreme circumstances they continue to use one-off operating systems that, while perhaps not compliant with omb-derived governmentwide guidance, are arguably more secure because of
10:02 am
their uniqueness and their obscurity. efforts to bring the systems and technologies into compliance with a one-size-fits-all cookie-cutter approach developed for commercial enterprise systems could actually introduce more risk into the system. this isn't to excuse nasa's cybersecurity shortcomings as identified by the ig and gao over the years. lost laptops, unsecured devices, unauthorized access to systems, lapsed authorizations to operate, and poor inventory management are all cause for concern. which brings us to the situation that nasa currently faces. the covid-19 challenge requires most of nasa's employees and contractors to work remotely. while nasa has embraced teleworking for years, the expansion of this practice introduces a larger target and more vulnerabilities for
10:03 am
malicious actors to exploit. in addition to teleworking challenges, i am interested in understanding what level of insight nasa has on contractor cybersecurity as nasa moves more to public-private partnerships. and finally it's worth noting that president trump recently issued space policy directive number five, focused on cybersecurity principles for space systems. and while it is not focused -- is not covid-focused specifically, it is particularly timely given today's hearing and demonstrates the administration's forward-looking leadership on this very topic. i look forward to hearing more about these important issues, and what nasa plans to do to mitigate them as well as what congress and the administration can do to help. with that, madam chair, i yield back. >> thank you, ranking member babin, for your opening statement. i think it's safe to say we share many of the same concerns in this area, and i'm excited and
10:04 am
grateful for the opportunity for this hearing today. if there are any members who wish to submit additional statements, statements will be added to the record at this point. now i would like to introduce our witnesses. our first witness today is mr. jeff seaton. in april 2020 mr. seaton was named nasa's chief acting chief information -- acting chief information officer. let's see if i can get that out right. prior to his position he served as nasa's deputy chief information officer and spent seven years as the chief information officer at nasa's langley research center. he began his career with nasa in 1991 as a research engineer, designing robotic systems for space-based applications and also served as langley's chief technology officer and deputy cio. he received a bachelor's degree
10:05 am
and master's degree in electrical engineering from firm -- from virginia. we're glad you're with us today. our next witness is mr. paul martin, inspector general for the national aeronautics and space administration. mr. martin has been the nasa inspector general since 2009 and prior to his appointment at nasa he served as the deputy inspector general at the department of justice. he also spent 13 years at the u.s. sentencing commission, including six years as the commission's deputy staff director. mr. martin received a bachelor's degree in journalism from pennsylvania state university and a juris doctor from georgetown university law center. welcome, mr. martin. our third and final witness today is dr. diana burley. in july 2020 dr. burley was appointed as vice provost for research and professor of public administration at american university. prior to her current position dr. burley spent 13 years as a professor of human and
10:06 am
organizational learning at george washington university where she was the inaugural chair of the human and organizational learning department and the director of the executive leadership doctoral program. she's also managed a multimillion dollar computer science education and resource portfolio for the national science foundation. dr. burley received a bachelor's degree in economics from the catholic university of america, a master's in public management and policy from carnegie mellon university, and master's and doctoral degrees in organizational science and information policy, also from carnegie mellon university. welcome, dr. burley. as our witnesses should know, you each have five minutes for your spoken testimony. your written testimony will be included in the record for this hearing. when you have completed your spoken testimony we will begin with questions and each member will have five minutes to question the panel. we will start today with mr. seaton. mr. seaton, you are recognized for five minutes.
10:07 am
>> thank you, chairwoman horn, ranking member babin and members of the subcommittee on space and aeronautics, for allowing me to appear before you today to talk about nasa's information technology infrastructure and efforts to manage and protect that infrastructure during the covid-19 pandemic. thankfully, due to strategic investments made over the last several years, nasa was well-positioned to keep our missions moving forward by shifting the majority of the workforce to telework last march. nasa has never been closed and our workforce has continued to work remotely in a productive and often creative manner despite the highly contagious covid-19 virus. with strict safety protocols in place nasa is now gradually bringing more employees on-site based on factors such as local conditions and guidance from the cdc and other federal partners. let me assure you the safety of our workforce remains our top priority. at the same time, protecting and effectively operating our i.t. infrastructure continues to be
10:08 am
another top nasa focus. i.t. plays a role in every aspect of nasa's missions. however, effective i.t. management is not an easy task. as nasa's acting chief information officer it is my job to balance implementing innovative mission-enabling i.t. capabilities with operational efficiency and effective cybersecurity to guard against evolving threats. during the pandemic the demands and expectations placed on nasa's i.t. infrastructure have been incredibly high and the threats from external actors remain an ongoing concern. however, with hard work, dedication and innovation nasa's cio team has risen to the challenge of keeping our missions moving forward. for example, we help rapidly to help software to -- exposure of also meeting all security and privacy requirements. additionally, nasa can hire and onboard new employees, contractors and interns with integrated approaches to provisioning and maintaining
10:09 am
i.t. systems and tools remotely. the pandemic has dramatically changed the way we work. while many employees already teleworked at least occasionally before the pandemic, having 90% of employees teleworking at the same time has been game changing. nasa employees have significantly increased their use of virtual collaboration tools such as webex and microsoft teams so we can interact with each other face-to-face while sharing virtual collaborative workspaces. employees are dependent on nasa's virtual private network to connect securely to internal networks and systems. before the pandemic our highest vpn connection rate was about 12,000 users in a single day. today our vpn is supporting almost 40,000 daily users with availability exceeding 99%, thanks to architectural and capacity improvements implemented over the past 24 months. like other federal agencies nasa's i.t. infrastructure is under constant attack from well resourced and highly motivated
10:10 am
domestic and foreign adversaries, and we remain a popular target today. therefore we continue to strengthen our technical and procedural capabilities to proactively defend and protect our systems and data. while the reported number of attempted cyber incidents continues to increase, in part because of greater visibility into our network, today i'm confident nasa is appropriately addressing and strengthening our response to these threats. in fiscal year 2020 nasa developed a continuity of operations capability to further enhance our security operations center located at the ames research center. if soc operations were disrupted, our ability to identify and respond to incidents would be limited. today nasa's soc operations allow us to maintain 24x7 soc operations at all times even if there is an isolated disruption. with strengthened tools and capabilities nasa is transitioning from a largely reactive to a more proactive
10:11 am
cybersecurity posture. as the pandemic worsened, nasa moved its soc to remote operations to ensure employee safety and did so without negatively impacting our network or our cybersecurity capabilities. in closing i want to personally thank not only my staff and leadership but the entire nasa workforce for the hard work and the personal sacrifices they've made during this challenging time. our employees are finding new ways to keep missions moving forward, support each other, balance work and family pressures and even dedicate their expertise and personal time to developing technologies that are aiding in the national response to the coronavirus. while no one is sure what the future holds, nasa senior leaders including myself are committed to keeping the nasa workforce safe and providing them with the i.t. tools and infrastructure they need to continue executing our missions. i want to assure you that protecting and evolving nasa's i.t. infrastructure is and will remain a top agency priority. thank you for the opportunity to
10:12 am
testify before you today, and i look forward to answering any of your questions. thank you. >> thank you very much, mr. seaton. mr. martin, you are now recognized for your testimony. >> thank you, chairwoman horn, ranking member babin and members of the subcommittee. the nasa office of inspector general has conducted a significant amount of oversight work to help nasa improve its information technology governance while securing its networks and data from cyber attacks. over the past five years we issued 16 audit reports with 72 recommendations related to i.t. governance and security. during this same time we conducted more than 120 investigations involving intrusions, denial of service attacks and data breaches on nasa networks, several of which have resulted in criminal convictions. my testimony today is informed by that body of audit and investigative work. the soundness and security of its
10:13 am
data and i.t. systems is essential to nasa's success. the agency spends more than $2.2 billion a year on a portfolio of i.t. assets that include hundreds of information systems used to control spacecraft, collect and process scientific data and enable collaboration with colleagues around the world. given the valuable technical and intellectual capital nasa produces, its i.t. systems present a high-value target for cyber criminals. the past six months in particular have tested the agency as more than 90% of nasa's workforce moved from on-site to remote work due to the pandemic. during this time nasa has experienced an uptick in cyber threats, with phishing attempts doubling and malware attacks rising substantially. this morning i offer three observations about the state of nasa's i.t. security and governance to provide context to the scope of its challenges.
10:14 am
first, our concerns with nasa's i.t. governance and security are wide-ranging and long-standing. for more than two decades nasa has struggled to implement an effective i.t. governance structure that aligns authority and responsibility commensurate with the agency's overall mission. specifically, the agency cio has limited oversight and influence over i.t. purchases and security decisions within mission directorates and at nasa centers. the decentralized nature of nasa's operations coupled with a historical culture of autonomy have hindered the cio's ability to implement effective enterprisewide i.t. governance. moreover, nasa's connectivity with educational institutions and other outside organizations and its vast online presence of 3,000 web domains and more than 42,000 publicly accessible data sets offer cyber criminals a larger target than most other
10:15 am
government agencies. second, despite positive forward momentum, the agency's i.t. practices continue to fall short of federal requirements. for example, in 2019, for the fourth year in a row, nasa's performance during our annual fisma review remained at level two out of five, meaning the agency has issued but has not consistently implemented important policies and procedures defining its i.t. security program. and third, like many other public and private organizations, nasa struggles to find the right balance between user flexibility and system security. for example, for years nasa permitted personally owned and partner-owned mobile i.t. devices to access nonpublic data even if those devices did not have a valid authorization. today nasa employees and partners can use nonagency mobile devices to access e-mail
10:16 am
if the user installs security software known as mobile device management. however, an oig audit last month found that nasa was not adequately securing its e-mail networks from unauthorized access by these personally owned devices. although nasa has deployed technologies to monitor unauthorized connections, it has not fully implemented controls to remove or block those devices. moreover, the agency's december 2019 target for installing these controls was delayed due to technological issues and pandemic-related center closures. until these enforcement controls are fully implemented, nasa faces an elevated risk of a breach. finally, as part of its initiative nasa plans to centralize and consolidate i.t. capabilities. the cio's office expects to complete its assessment by march 2021, with implementation on institutional systems beginning later that
10:17 am
year. as that plan unfolds we plan to assess whether this enterprise-level alignment strengthens cybersecurity at nasa. i look forward to your questions. >> thank you, mr. martin. dr. burley, you are recognized for your testimony. >> thank you. subcommittee chairwoman horn, ranking member babin and distinguished members of the committee, thank you for the opportunity to appear before you today. as the nation continues to navigate the complex and uncertain environment of the global pandemic, it is vital that we engage in a robust discussion on the challenges and emerging issues for increased telework during this time. at american university we are guided by our strategic plan for the changing world. we navigate and shape the future of work, and our researchers are pushing the boundaries of discovery in healthcare, data science, social equity and
10:18 am
security. in my remarks today, which are shaped by a decades-long career leading cybersecurity initiatives, i will highlight how the interplay of these areas supports the development of a holistic strategy to address cybersecurity issues surrounding the exponential growth in telework during this unprecedented time. concerns over exposure to covid-19 have created a mass migration to virtual work. while teleworking arrangements have existed for years, never before have we seen this range and volume of remote workers or remote working environments. employees across demographic categories and technical abilities are now working remotely and engaging with their employers, colleagues and customers through a digital interface and on a range of devices. securing this activity necessitates that we recognize those technical needs and environmental factors that shape that behavior. consider the following.
10:19 am
novice users and novice experiences create vulnerabilities. in the hurry to transition to remote work, agencies did not have sufficient time to prepare novice users for the complexity of the new virtual working environment. our overall security is more reliant upon individual decisions made by employees and non-employees alike. even seasoned users who had developed behaviors in accordance with on-site protections face challenges and can find themselves less prepared to avoid the vulnerabilities exposed by the remote working environment. employees are working under duress. covid-19 continues to drive economic instability, health-related concerns, anxiety and confusion. employees who worry about meeting their basic needs are less likely to attend to lower priorities like cybersecurity. cyber criminals exploit opportunities. a shift in
10:20 am
connectivity provides -- leads to more opportunities for cyber criminals to use social engineering techniques such as fraud, misdirection and disinformation to exploit those vulnerabilities. users framed entire sells online. if we use a public health analogy of treatment, we can strengthen the efficacy of guidance to engage in robust cyber hygiene activity. in public health practice, successful treatment is inextricably linked to the social and environmental conditions. today in the midst of the covid-19 pandemic we must recognize that while basic cyber hygiene practices are relatively global under normal circumstances, these are not normal times. our workers are distracted, frightened and fatigued. this is especially true for the most vulnerable users. as such, strategies to strengthen the cybersecurity of teleworkers must consider the full spectrum of user experiences and address the
10:21 am
complex reality of their needs. the points i have just outlined represent only a snapshot of the benefit of using a holistic approach to reduce the impact of cybersecurity-related vulnerability. i have long advocated for this type of approach. now, and with a greater sense of urgency, we must collaboratively develop interventions that address the dynamic interplay between technical and environmental variables that shape the cybersecurity posture across the broad range of teleworkers as they navigate the covid-19 environment. i look forward to continued engagement with this esteemed committee to develop concrete strategies that raise awareness of the threat, encourage actions that increase the cybersecurity of the nation's employees, and protect our most vulnerable citizens. thank you. >> thank you very much, dr. burley. at this point we will begin our first round of
10:22 am
questions and the chair recognizes herself for five minutes. thank you to our witnesses today. it is clear these are important issues and there's lots of things to tackle. i want to start, mr. seaton, with some questions about contractors and cybersecurity contractors, especially given the increased use and the significance of contractors within nasa's workforce. i have a number of questions i will try to get through to asa kid. some of them are just yes or no and then we will get to a few other things. what we know, and i mentioned the article today in the hill, is that our systems, there's a lot of information that hackers are very interested in. the contractors that nasa works with are integral to our nation's space agency. my first question is, are there federal acquisition regulation clauses that specifically refer to
10:23 am
contractor cybersecurity requirements? >> yes, there are and we include those in our agency contracts, so that all providers follow the cybersecurity requirements. >> let me follow up on that for a moment because, so those are nasa cybersecurity requirements. we asked earlier this year about associated far language and nasa's response was there are no far requirements, no far clauses, but does this fall under nasa requirements in contracts? >> we have supplements and we can get specifics of what those in private are included. i can take that question for the record. >> okay. absolutely. when those clauses are included, is it nasa that signs off on the cybersecurity? are there waivers? who signs off on the requirements for cybersecurity that they have been met?
10:24 am
>> we have automated tools to ensure that our contractors are complying with the requirements when they're connecting to a nasa system just as any nasa employee would. as was mentioned in the earlier testimony, we put in place controls and are continuing to strengthen those controls to ensure that only authorized devices can connect to our networks and systems. >> and who oversees the set of contractor cybersecurity protocols? is that your office? are you able to conduct oversight and audits of cybersecurity practices by contractors? >> ultimately i am the acting chief information officer and so cybersecurity is my responsibility, and so it would be -- ensures compliance with the cybersecurity requirements. >> do you feel like you have sufficient oversight and insight and ability to do that within your authorized -- within your
10:25 am
authority? >> yes, i would say i believe that within nasa i've been given the appropriate authority and support, but i will say that the environment is continuing to change and it's a dynamic landscape. i.t. is no longer just a computer and a laptop on your desk but extensive operational technology where i.t. is embedded within systems. i would say it's challenging with that evolving landscape, and so we continue to mature our processes. >> thank you. stepping back to the challenges from this year during covid-19, i will have a question for mr. martin and mr. seaton, and hope to have time to get to dr. burley about broader issues. the memo your predecessor published on april 8 warned of increased attempts in cyber
10:26 am
attacks and especially during covid-19. my first question is to you actually, mr. martin: how has the rate of cyber attacks changed since that memo in april, and what steps has the ocio taken to respond to those increased attempts? >> there has been an increase in phishing attacks, and a lower level from other attacks. but honestly the change to the pandemic operating model is consistent with how nasa has operated, happened after we supported a mobile workforce, and so we put in place controls and technologies to mitigate against some of these threats, including automated prevention of phishing attacks. when it comes down to it, the most vulnerable part of our i.t. security, it's the people, and so we try to put in place automated controls to make
10:27 am
it easier for our employees and we have seen significant improvement in phishing protection over the last two years. >> thank you. quickly, mr. martin, my time is coming to an end, but what is your confidence level in nasa's ability to sufficiently address the increase in cyber threats as reported by the u.s. cio? >> overall i think they're making incremental improvements. they're heading in the right direction and i think there's a real new realization over the last couple years of the expanse and significance of the challenge. i think we're very, very cautiously optimistic. >> wonderful. thank you very much. i now recognize ranking member babin for five minutes of questions. >> thank you, madam chair. i think i am unmuted. hopefully i am. i want to address this to the chief information officer mr. seaton. two weeks ago president trump
10:28 am
signed space policy directive number five which focuses on cybersecurity principles for space systems. it states it is a policy of the united states that executive departments and agencies will foster practices within government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats, and ensure continuity of operations. my question is this. as nasa increases its use of public-private partnerships, how will it ensure that contractors comply with this policy without implementing regulations? >> thank you for the question. as to spd-5, we appreciate the administration and congress focus on space cybersecurity because that's critically important to us. we are currently in the process of reviewing and analyzing
10:29 am
number five, but the good news is we see a lot of consistency with best practices that we're already implementing, and we will continue to look to strengthen our cybersecurity both within our missions as well as with our contract partners.
>> absolutely. thank you so much. my next question would be to inspector general paul martin. your office issued a report on jpl, the jet propulsion laboratory's cybersecurity management, last year. jpl, unlike other nasa centers, is managed by a contractor, that's caltech. but the report highlights the fact that nasa's contract with caltech did not include relevant requirements from nasa i.t. security policies. has the oig conducted a review of other nasa contractors to determine if their contracts include necessary clauses
10:30 am
pertaining to i.t. security? and if so, how many has your office conducted?
>> thank you. we have not conducted a separate audit looking at that specific issue. although, if i could double back, the concern we had when nasa entered into a new five-year contract with caltech was that the contract was absent the significant i.t. oversight provisions. we have since followed up and found out that jpl has issued, and nasa has accepted, and we reviewed, the criteria we were concerned about. so the federal i.t. oversight is going to happen at jpl, so we are pleased with that.
>> thank you. and has the oig conducted compliance audits to determine if contractors are fulfilling their contract obligations pertaining to information security? if so, how many has your office
10:31 am
conducted?
>> again, we conduct a significant number of program audits that look at the programs that are run by these contractors, and part of that review includes a detailed dive into the contract to make sure that the i.t. security requirements are not only in the contract but they're actually followed.
>> is this more appropriate for the nasa cio or procurement office to conduct rather than the oig?
>> i think certainly the cio's office and procurement have to ensure at the outset that the appropriate security issues and safeguards are contained in the audit themselves, and ongoing, good contract management, which we need to ensure is being effective. the oig has limited capacity like most organizations, so we try to target the more high-risk, high-value operations that nasa has to do a deep-dive
10:32 am
audit.
>> and then, as this very hearing demonstrates, nasa and the nation have adopted videoconferencing to adapt to social distancing requirements. has nasa identified any vulnerabilities with commercial videoconferencing platforms, or certain videoconference platforms not allowed for nasa use based on technical characteristics or concerns over foreign influence? i'd like to see what every one of you has to say, just a short and concise answer.
>> i will start with that. there is a set of approved tools that all go through the appropriate security validation, which includes assessing any threats external to those environments, and outside of that, other tools are not approved for use at nasa.
>> okay. and then --
>> the oig is using those approved tools.
>> good. dr. burley, did you want to add
10:33 am
to that at all?
>> those agencies and other organizations have their list of approved tools.
>> well, madam chair, i have spent all my time, and so i will yield back, and i want to thank all the witnesses. we appreciate it very much. i yield back.
>> thank you very much, ranking member babin. mr. perlmutter, you are recognized for five minutes.
>> thank you, madam chair. i think one of the biggest problems with this remote stuff is when somebody like dr. babin is walking around with his phone and i feel like we're in the blair witch project; that's a whole other problem. my questions are for you, dr. burley. mr. seaton mentioned the most vulnerable spot for hacking and cybersecurity is the individual, the person. when you were testifying, you
10:34 am
talked about novice users unfamiliar with equipment or security protocols, employees under duress, worried about basic needs and not the more refined things like cybersecurity. you know, that folks are having trouble because they are distracted, frightened and fatigued, i think were your terms. it almost feels like not only the cio should be involved, but the personnel department is really one of the keys here. so what do you see, whether it's nasa or generally across the agencies, being done to help the individuals kind of get through this very anxious period and maintain cybersecurity?
>> thank you for your question. you're absolutely right in that it needs to be a collaboration between the i.t. department and the h.r. department. so first, every agency has a set
10:35 am
of cybersecurity awareness programs that they have in place and that really guide not only behavior within the organization, within the walls, but also outside. those awareness programs need to be adapted, recognizing that employees are working in a different environment, working remotely and working around other people. it's not just them. it's family members and others in their environment. we have to take a hard look at those awareness programs and recognize they need to be adapted based on the current realities. second, yes, absolutely, human resource professionals need to be involved, to provide the kind of support to our employees that they need so they're able to focus on not only doing the work but on doing the work in a secure manner.
>> i guess i hadn't even thought of it, but obviously we should think of it: people are working from home. the kids are in the background or whoever might be in the background, so it isn't like you're
10:36 am
in the office at nasa headquarters where everything is pretty safe and secure. i think, madam chair, i'm going to yield back, but i do think this really is a cooperation, certainly between the h.r. department and all of the technology -- technology folks. all three of our speakers have focused on that, but i think, in this pandemic, that's critical. i yield back.
>> thank you very much, mr. perlmutter. mr. posey, you are recognized for five minutes.
>> thank you, madam chair, for holding this hearing on this important issue regarding cybersecurity at nasa. as you just recapped, in june 2020 nasa's inspector general stated nasa's high profile makes it an attractive target of computer hackers and other bad actors. as stated earlier, during the covid-19 pandemic many contractor employees are
10:37 am
teleworking, possibly making the agency a bigger target. in the june 2020 report the inspector general said it is vital the agency develop a review of its information security programs and the integrity and availability of its data systems and networks. this is not a new problem facing nasa. it was concluded back in 2014 that nasa networks are compromised and individuals are not being held accountable. not a new concern for us either. i included language in the house-passed nasa authorization bill back in 2015 to address this by requiring a report on how nasa will safeguard its networks and protect against control violations. the inspector general also made nine recommendations, including that they ensure the risk information security systems and compliance systems are updated to keep the data secure. the inspector general concluded
10:38 am
that the threats are increasing and that it is imperative for nasa's -- to strengthen its management and governance practices to safeguard its data from cybersecurity threats. so inspector martin, first, it was noted by the inspector general that nasa is an attractive target for computer hackers and bad actors. is china one of those bad actors, and does china present a cybersecurity threat to nasa? and besides securing its great technology, what steps is nasa taking to secure its supply chain from -- case involving china -- [inaudible]
>> yes, yes, no. i'm joking. that was a lot of questions.
10:39 am
china is one of the foreign entities out there. china is not the sole entity, country out there that is seeking nasa's very valuable intellectual property. nasa is taking steps, and has been, to secure its intellectual property and its networks from attack both from china and from a series of other countries, and also local hackers. we have conducted a series of criminal investigations and worked with the fbi and counterintelligence officials when we get leads on these issues.
>> thank you. to you and mr. seaton. cyberspace threats are increasing. has nasa taken the necessary action -- [inaudible] back in 2014 and the nine recommendations identified by the inspector general --
10:40 am
[inaudible]
>> yes. happy to report that we closed out all of the recommendations. there were quite a few in the report, and those have been implemented. i do think they improved our security and our practices.
>> thank you. dr. burley, shouldn't the national academy do another study to examine these vulnerabilities that teleworking presents?
>> there is the opportunity for associations and the national academy to do studies and take an in-depth look, and so i would say yes.
>> thank you, madam chair. i yield back.
>> thank you, mr. posey. the chair now recognizes mr. beyer for five minutes.
>> thank you, madam chair, very much. mr. seaton, thank you very much for joining us today. in your testimony you mention in the course of the pandemic you were able to onboard new employees, new interns, and
10:41 am
amazingly our office hasn't been able to do the same thing. we've also been able to make sure all staff have house-issued equipment, including laptops and phones. in the oig report i was surprised that personally owned devices could connect to internal systems, and that the oig was critical of your not monitoring or enforcing rules associated with gaining access to the nasa networks. how do you make sure employees are given the proper equipment, and if they're not given nasa-issued equipment, how do you ensure those personal devices are secure?
>> great question. we actually do require the use of nasa-provided equipment for new employees, interns, so we do provide them with the tools they need. recently, within the last two years, it was my office that changed the policy that was
10:42 am
referred to earlier, where you asked about allowing personal devices to connect. that is no longer allowed by policy. the only allowance is for a mobile device that has the mobile device management software that we provide, which creates a secure container that is your connection back to e-mail and internal systems, if an employee will consent to us managing the personal device with that software. that's the one case where we do allow that. where we do have opportunity to continue to strengthen our architecture is implementing automated controls to ensure that that is what's happening. so network access control, and the pandemic has actually impacted our implementation, pushing our schedule out, but we have made significant progress through dhs programs to know what's on our network and who is on our network, and have more control there.
>> that's encouraging to know
10:43 am
because i'm sure the stuff you have is much more important than what is on my network. mr. martin, you talked about the malicious intrusion into nasa systems and unauthorized access to the deep space network. other than the personally identifiable information, what are they after? how much of this is china, russia, the other nations that are interested in space? and will this affect, or could this affect, our lunar missions, our mars mission, james webb and some of the really big, important things nasa is doing?
>> thank you, congressman. nasa has vast troves of important intellectual information, capital, that it has spent decades amassing. folks, country actors, are after the information, the innovation that nasa is so famous for around the
10:44 am
world, everything from pii to contractual data on assistance. this is a vast and wide array, and again nasa has been under attack from both domestic and foreign cyber criminals. and so it's just an ongoing and clearly difficult issue to keep nasa's defenses up.
>> great. thanks very much. professor burley, one of the challenges nasa has is -- so many of us have nasa facilities near or close. a one-size-fits-all will be difficult. are there examples of systems, federal systems, that are similarly decentralized and have been able to effectively secure their i.t. systems? anybody for nasa to imitate?
>> i think that the cio from nasa would know better, but there are many different
10:45 am
choices both inside and outside the federal government that could be used as a guide to at least begin to think about best practices and other strategies for securing the networks.
>> i know the department of commerce had 13 different cios. do you have the same challenge within nasa?
>> there is one cio, but our center cios report to me. strategically, and for almost a decade now, we have been working to integrate and operate as a cohesive unit, acknowledging there are some unique aspects at our centers, by implementing consistent policies and moving towards enterprise services and contracts, so i think we're moving in the enterprise direction very significantly.
>> thank you very much. madam chair, i yield back.
>> thank you very much, mr. beyer. mr. garcia, you are recognized for five minutes.
10:46 am
>> thank you, madam chair. i appreciate the testimony and the witnesses. it's a very exciting time for nasa, and challenging with unique dynamics in play. i guess i've got a few questions, and they're probably directed to all of you, mr. seaton, mr. martin and dr. burley. i come from a company where i was a program director for a large air-breather program, and there were both classified and unclassified elements to it. one of the big challenges that we had was that the classified elements fell under requirements which i think would effectively be what chairwoman horn was talking about on the classified side as far as compliance and requirements. those requirements led to onerous costs to suppliers and to the
10:47 am
lower-level supply chain folks. what are we able to do, what is nasa doing, i guess, to make sure that the small businesses that are a critical element of your supply chain are not necessarily getting overwhelmed with either cybersecurity requirements or cybersecurity development or software development work and therefore almost being dissuaded from entering into this industry and into the supply chain? are we able to provide gfi, or government-furnished ip, to make sure and flow down to the lower-level suppliers, making sure they're baking in some of the security elements in their respective programs? how do we communicate with those lower-tier supply chain folks? i guess, mr. seaton, we can start with you.
>> sure. i will say that is a challenge, making sure all of our suppliers and providers appreciate the
10:48 am
significance of cybersecurity, and building that into the solutions they deliver is a requirement of doing business today. today that is supply chain risk management. just in august, section 889 requires us to certify that anybody we're doing business with complies with supply chain restrictions that are found there. we are working with our providers and suppliers to make sure they understand and they build that into their practices.
>> we have to make sure we're balancing the risk mitigation efforts, which are critical and essential and which we have to do, with the cost elements, and just making sure we are not driving some of these key suppliers out of business or out of our industry or out of your business. i know that's a delicate balancing act as well.
>> the cost of having a compromise is significant to them, so you're right, it is a balancing act, and we will try to continue to
10:49 am
work.
>> are the tier-one suppliers actively looking to package up programs or software, you know, programs to download to the lower-level suppliers, or is it sort of ad hoc, dependent on what the threat is and what the mitigation, threat mitigation, measure is?
>> unfortunately i really can't speak to the individual practices of the suppliers.
>> i guess just characterizing classified versus unclassified, are you able to speak to what percentage of your networks are on classified networks, and is there, is one of the sides lagging the other? in other words, do you see more threats on the classified side, or fewer threats but maybe more, you know, more critical impact to those networks, or how would you characterize between
10:50 am
unclassified versus the high side.
>> my office is responsible for the unclassified sector; we work with our office of protective services on the classified side. generally speaking there is a firm division there, but oftentimes a compromise on the unclassified side can be used to propagate to other systems, and so that's a concern even on the unclassified side.
>> okay, great. mr. martin or dr. burley, i don't know if you guys care to comment on either of those topics there?
>> we have little or no work on the classified side at nasa.
>> okay. that's good to know. okay. i would just, we hosted a small business summit with kevin mccarthy as well and nasa, with nasa administrator bridenstine, a couple of weeks ago.
10:51 am
the cost for entry is pretty high for all of the small suppliers. i would just end with, let's try to enable them, make sure we're giving them the tools to be successful and be able to defend not only their networks but yours as your suppliers as we navigate this challenge, and hopefully look to synergize lessons learned and flow those down to contract requirements accordingly. really appreciate your time and good luck with the upcoming launch as well. thank you. i yield back.
>> thank you, mr. garcia. i now recognize the honorary member of our subcommittee who is reliably with us, mr. weber. you are recognized for five minutes. if we can get you -- there you go.
>> a lot of people who wanted to
10:52 am
mutiny, but nonetheless. thank you for that, chairwoman. i appreciate the opportunity of being here. you asked the question of mr. seaton earlier about how many attempts, intrusion attempts per month nasa identified last year, and i'll follow up on that by saying, how does that compare, mr. seaton, to the intrusion attempts per month this year during covid? do you make a distinction?
>> yes. not that direct comparison, and we see fluctuations based on our insight; as our insight is increasing, sometimes that causes higher numbers. but we have seen a number -- an increase in phishing attacks and other attacks at various times throughout the pandemic. it hasn't been steady. it's been fluctuating.
>> any idea, 10%, 20%, what percent increase?
>> at one time we saw a doubling of phishing attacks, but
10:53 am
again there have been other weeks where it has been lower. i do think because of the pandemic people are looking for the opportunity to attack and will continue to.
>> there's been a lot of discussion about having personal devices and being at home and those kinds of security firewalls, if you will. if you have that information, i know you said you worked with the fbi and some of the forces or task force, i forget the terminology you used, but if you could get that information to us that would be interesting for us to have, because my staff, i want to follow up with your discussion with mr. garcia. you all talked about -- before i do that let me go to mr. martin real quick. mr. martin, understanding that this hearing is supposed to be mainly focused on cyber threats during covid, since you're here with us i thought it would be appropriate to discuss some of the things we've been talking about with china, for example. during this intellectual property threat, obvious to the
10:54 am
u.s. aerospace supply chain, you all talked about it with mr. garcia. during this week's air force association air, space and cyber conference it was revealed that a dod and nasa launch provider proactively identified and cut ties with a supplier that was a security risk due to chinese ownership. were you aware of that, mr. martin?
>> i was not, congressman.
>> okay. in comments earlier, i would go back to mr. seaton with his exchange with mr. garcia. he said he could speak to suppliers, or speak for the suppliers; was that what you were saying to mr. garcia?
>> i said that i could not speak to how they were structuring their business operations to meet the federal requirements.
>> shouldn't that be something that we're looking at? i don't mean to sound too skeptical, but shouldn't nasa
10:55 am
and in fact all of our u.s. defense companies should be taking a proactive posture to know exactly what safeguards are in place across the supply chain?
>> totally agree. so how they go about doing it is what i'm saying that we're not in, their business operations. validating that they are complying with requirements is something that we have been doing for years with our supply chain risk management efforts, ensuring the things that we buy are free of risk through coordination with the fbi, and now making sure that even within their organization they do not have i.t. equipment provided by prohibited providers. so yes, we are actively involved in ensuring the level of compliance.
>> but you see how they go about it. you're not essentially involved in it, but shouldn't there be some level of protocol, for lack of a better term, some threshold,
10:56 am
some safeguards they have to meet, minimum safeguards, and somebody has to be looking over their shoulder in that regard; is that fair to say?
>> again, compliance with our cybersecurity requirements is critical and that is our responsibility. how they run their business practices is what i'm saying that we're not getting in the middle of.
>> would you say in this instance where that supplier was identified, it would be worthwhile to go back and see exactly how that happened, how that supplier got the proverbial camel's nose under the tent?
>> i think it's in the federal government's best interest to understand where vulnerabilities emanate from, so certainly.
>> whose responsibility is that?
>> i think it is a shared responsibility.
>> between who?
>> between the federal agencies that are responsible for our
10:57 am
cybersecurity policy as well as the agency that would be interacting with a specific provider.
>> is that something you could follow up with our office on and tell us who those agencies are and who has responsibility for the agency? i'm talking about addressing this particular instance and how it was discovered and how we got there, and what steps will be taken to prevent similar occurrences. can you follow up with us on that?
>> we will take that as a question for the record, yes.
>> i appreciate that. madam chair, i yield back.
>> thank you very much, mr. weber. i appreciate your questions and, as always, your participation in the subcommittee. i have a few more questions i want to follow up with, and we will have an opportunity for the members to do another round of questions if everyone is available to stay, since we still have time. i want to follow up on a couple
10:58 am
of things, going back to some of the earlier questions about, one, about the unauthorized devices or personal devices, and then i want to follow up on mr. weber's line of questions a little bit more. mr. martin, the august 2020 ig report on unauthorized devices, which of course is this year, on nasa's network cites the cio's office saying there is currently no authoritative way to obtain the number of partner-owned i.t. devices. and i know, mr. seaton, you mentioned it's not allowed anymore, but it seems as if there's nothing stopping it. mr. martin, i am wondering what the risks are of not being able to identify them, and why that may be the case from your perspective in this report. and then
10:59 am
11:00 am
what are they doing to address these updating issues?
>> i think we have been a leader in implementing the dhs continuous diagnostic program, where phase i identifies what was on the
