NASA management has agreed to conduct a risk assessment of its unclassified systems to determine if its insider threat program should be expanded to include them, according to an Office of Inspector General report.
The agency plans to assemble a cross-discipline team with representatives from the offices of Protective Services and the Chief Information Officer, as well as the OIG Cyber Crimes Division by Dec. 1, 2023.
OIG recommended the move after finding that — while NASA appropriately implemented its insider threat program established in 2014 for classified IT systems — the agency’s unclassified systems still contained high-value assets and critical infrastructure facing “higher-than-necessary risk.”
“While NASA’s exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources,” reads the report released Monday. “According to agency officials, expanding the insider threat program to unclassified systems would benefit the agency’s cybersecurity posture if incremental improvements, such as focusing on IT systems and people at the most risk, were implemented.”
NASA management further agreed to establish an insider threat working group with the offices of Protective Services, the Chief Information Officer, and Procurement and human resources by Dec. 1, 2023.
The working group will assess the resources needed to expand the insider threat program to protect unclassified systems from cybersecurity threats posed by employees and contractors. Limited staffing, technology resources and funding present challenges to expansion, as does the fact that responsibility is split: the offices of Protective Services and the Chief Information Officer share handling of unclassified systems, the Office of Procurement manages contracts, and the Office of the Chief Financial Officer manages grants and cooperative agreements.
The insider threat program, which resides within the Office of Procurement, currently consists of one full-time government employee and two contract employees who perform software-assisted user activity monitoring for anomalous activity. Agency-wide insider threat training and a reference website for identifying threats, risks and follow-up are also provided, and the program is expanding contractor disclosure requirements to limit the risk of foreign influence during procurements.
“Nations such as Russia and Iran wage sophisticated cyber espionage campaigns directed at the acquisition of U.S. trade secrets in both the private and government sectors, while other countries like China attempt to blur the line between informal technology transfer and intellectual property theft by recruiting leading U.S. experts in high-tech fields,” reads the report. “Currently, China is by far the most prolific sponsor of such recruitment programs through what it calls ‘talent plans.’”
OIG found NASA’s risk is “significant” given its ties to academia, research institutes and international partners.
Accidental leaks through phishing or forwarding of sensitive emails are the most common insider incidents at NASA, followed by misuse of networks or databases to skirt the agency’s cyber policy, and then data theft for sale or inappropriate release. Improper use of NASA IT systems increased from 249 incidents in 2017 to 1,103 in 2020, a 343% increase, with the most prevalent error being the failure to protect sensitive but unclassified information by, for example, sending an unencrypted email containing such data, according to an OIG report from May.
A comprehensive insider threat risk assessment is intended to identify gaps in administrative processes and cybersecurity.
“At a time when there is growing concern about the continuing threats of foreign influence, taking the proactive step to conduct a risk assessment to evaluate NASA’s unclassified systems ensures that gaps cannot be exploited in ways that undermine the agency’s ability to carry out its mission,” reads the new report.