Mr. Lee B. Holcomb
Chief Information Officer
National Aeronautics And Space Administration
Subcommittee on Science, Technology, and Space
Committee on Commerce, Science, and Transportation
United States Senate
Mr. Chairman and Members of the Subcommittee:
I appreciate this opportunity to discuss with you NASA's views on information security from the perspective of a user. As Chief Information Officer (CIO), I am responsible for providing advice to ensure that information technology is acquired and managed to comply with existing laws and regulations and achieve the Agency’s mission. Key among these responsibilities is to ensure that NASA has a secure information technology environment.
NASA, as chartered by the National Aeronautics and Space Act, is expected to make available to the public the results of its programs. Each day NASA moves nearly one million electronic mail messages. Last month, NASA was named the number one World Wide Web site by Yahoo. The imagination and interest of the world was sparked by the incredible images and data that were returned from the Mars Pathfinder mission. Yahoo identified the NASA Mars Pathfinder Web Page as the most frequently accessed Web Page last year, with a recorded 566 million hits worldwide during the period of July 1 - August 4, 1997. These high volumes of internal and external information traffic present enormous technical challenges - providing efficient operations while assuring security and integrity of NASA computing resources and data. We develop, maintain, and operate over fifty major systems that are either high cost or of critical management importance. These investments represent a broad portfolio of supercomputer, mainframe, desktop and communications applications, capabilities and assets. NASA is a premier research and development Agency; information technology, from a laptop flying on the Space Shuttle to a communications network transmitting images from a new galaxy, has enabled NASA to deliver on its commitments for better, faster, cheaper, and safer missions and products.
We are pleased to see the Committee focus this hearing on information security. Over the past year, internal and external reviews have identified increasing concerns with information security and data integrity. The NASA CIO community has placed the highest priority on correcting our Year 2000 computer problems and improving information security.
Our information technology security (ITS) program addresses seven critical and linked areas which include organization, policy/procedures, training, incident reporting and vulnerability corrections, technology, physical security, and criminal investigations. Each area plays a critical part in providing an overall level of integrity, confidentiality, and availability of information and information systems. NASA’s activities in the area of computer security include:
The NASA CIO established a Principal Center for information technology security (ITS) led by an ITS manager who reports to me and the Director of Ames Research Center (ARC). The ITS manager ensures a close working relationship between the NASA Enterprises and NASA installations regarding IT security. The ITS manager is responsible for recommending information security policies, procedures, guidance, architecture, standards and metrics. This responsibility fits well with ARC’s role as the NASA Center of Excellence in information technology. The ARC, located in Silicon Valley, is ideally situated to facilitate the infusion of new computer and communication security technology and products to meet near-term and long-term NASA requirements. In order to better leverage the wealth of expertise that resides across NASA's Centers, we identified Expert Centers and assigned ITS functional area responsibilities. The functional areas are: Notifications, Incident Coordination, and Response - Goddard Space Flight Center (GSFC); Training and Awareness - Lewis Research Center (LeRC); Network and Communication - Marshall Space Flight Center (MSFC); Systems and Applications - Jet Propulsion Laboratory (JPL); Development - ARC.
Our information technology security policy mandates risk assessments to establish prudent ITS investment levels for each major mission, program or institutional requirement. A second major objective of our ITS policy is to promote the development of IT security architectures and standards which contribute to open, standard, scalable, interoperable, yet secure IT environments.
We are rewriting the existing NASA security policy and procedure documents to update and enhance our overall IT security position as it relates to sensitive but unclassified IT systems and information. The ITS policy reflects the role of the NASA CIO and associated organizational structure. As part of our process for developing and approving ITS policies, the NASA Enterprises and Centers must approve standards and architecture recommendations. Our policy is coordinated, where appropriate, with other Federal policies and procedures, such as those established by the Federal CIO Council and its associated Boards.
NASA is developing sound and lasting procedures and guidance to address ITS. The establishment of metrics is critical for overall management of NASA's information technology security (ITS) resources. The ability to measure the effectiveness of our ITS program will translate into cost-effective investment strategies which address our most significant system vulnerabilities. These metrics address overall IT security effectiveness as well as specific measures of the effectiveness of training, prevention and detection activities.
An important part of our ITS program is the establishment and documentation of ITS architecture and standards which are intended to better facilitate the development of more uniform and cost-effective NASA-wide solutions.
Training and awareness are key to a successful ITS program. Based on known ITS vulnerabilities, training and awareness provide large return on investment. We are consolidating our efforts to provide effective ITS training to leverage the resources we currently spend in this area and to identify areas where we can improve. LeRC is working on standard Agencywide approaches for IT Security training. These training programs are being developed using the best practices of other government agencies and the private sector. For example, we are currently evaluating computer security training modules developed by the US Army. Strategies to ensure both civil service and contractor personnel are properly trained and certified are being developed. The final recommendation on the appropriate Agencywide IT Security training initiatives and Master Training Plan will be coordinated with the entire NASA CIO community for review and approval.
4. Incident Reporting, Vulnerability Corrections
Information security begins with avoidance. GSFC is currently operating an Agencywide vulnerability notification, emergency response, and incident handling capability, the NASA Automated Security Incident Response Capability (NASIRC). Avoidance includes awareness at all levels and it promotes well trained security and audit professionals. Because of our strong presence on the public internet, our computing resources are subject to significant security risks. NASIRC has provided an effective means to rapidly deal with incidents.
During FY97, NASIRC issued 244 Alerts, bulletins, and follow-up technical advisories. So far in FY98, NASIRC has issued 112 such notices. Every time NASIRC issues an alert or technical advisory it is reflective of our collaboration with many other organizations, and identifies threat and vulnerability situations that affect all IT system user communities. We work closely with alert services such as Computer Emergency Response Team (CERT), Federal Computer Incident Response Capability (FedCIRC) and other international response teams as well as monitoring vendor notices and news groups. IT Security is a world-wide issue, especially for those who have extensive internet connectivity. By conducting extensive coordination and collaboration with other organizations around the world, we are able to get timely heads-up information to better protect our IT system environments, and we are able to share lessons we have learned with others who are working such issues in a trusted incident handling arena.
GSFC has also been working on building an inter-Agency affinity group with other government agencies to leverage limited resources and coordinate more closely on inter-Agency emergency response and incident handling issues. The Department of Justice has joined our efforts through a Memorandum of Understanding. The Department of Education and the Federal Aviation Administration are expected to join this inter-Agency effort during the second quarter of FY98.
Emerging information security technologies are essential to satisfy new requirements for digital signatures, secure messaging, electronic commerce, and trusted web-based applications. An essential technology is Public Key Infrastructure (PKI). Important requirements for PKI include ease of use (works with common applications), authentication (know who you are), certification policy (mixed user groups), and trusted certificate authority (sender authentication, nonrepudiation and message integrity). The ARC has participated in several joint Federal activities for improving information security and data integrity. One of these was the Collaborative Internet Security Testbed. The results of this activity are found at: http://cis.dyncorp-is.com/. Likewise, ARC has been coordinating its activities for an Agencywide PKI with the Federal PKI Steering Committee. NASA has been developing and deploying a standard infrastructure for PKI and digital signature. This technology provides a common security infrastructure that can be relied on to support the many different programs and projects within NASA. As part of this activity, we developed a secure messaging system and we are currently testing the solution across all NASA Centers. We developed and are currently pilot testing a secure electronic solicitation and review process for scientific grants with approximately 50 universities. The results to date are very promising. We also are working closely with private industry to develop and test secure web capabilities that could use the same common PKI technology. We are evaluating solutions at the transmission level which provide Virtual Private Network (VPN) capability. In all these efforts, we have focused on early commercial technology products which are compatible with NASA’s Agencywide architecture and standards.
6. Physical Security
NASA takes a comprehensive and layered risk management approach to all aspects of IT security. In the area of physical security we are concerned with the behavior of people with access to NASA IT systems, from the threat posed by the "trusted insider" to the thief or the terrorist. NASA screens each person who will require access to our IT systems. Depending on the criticality of the information contained in the system building and/or facility, access may be restricted and protected by various access control devices as described by our NASA Resource Protection program. As the outermost perimeter, access to NASA Centers is restricted to authorized personnel and approved visitors only.
JPL has completed work on evaluating the Agencywide virus scanning posture, and has recommended a standard Agencywide approach for acquiring, operating, and maintaining standard virus scanning software/capabilities. JPL is evaluating the Agencywide posture and recommending a standard approach for acquiring, operating, and maintaining network intrusion detection and analysis software/capability for all of NASA.
MSFC completed an evaluation of the local area networks (LANs) and has recommended an Agencywide standard approach for acquiring, operating, and maintaining standard firewall software/capabilities for HQ and all Field Centers. As part of their support to the Agency, MSFC is providing guidance for Center level implementations. MSFC is also testing the efficacy of new electronic devices and software designed to prevent the theft of computers for possible Agencywide implementation.
7. Criminal Investigations
NASA continues to work closely with the NASA Inspector General and other law enforcement agencies to support their efforts in any criminal investigations that involve IT resources at all Centers. In order to deter misuse and notify all users that their use may be monitored, NASA has implemented a warning banner on all appropriate NASA computer systems. These banners state that by continuing to use a U.S. Government computer, you consent to your keystrokes and data content being monitored. These banners have aided the law enforcement communities in their investigations.
NASA is facing the challenge of adapting to the changing IT environment where vulnerabilities are serious and increasing. Information sharing is essential to achieve the mission of NASA. NASA not only has a strong presence in the National Information Infrastructure as a major component of the internet, but also must maintain separate and protected mission critical information technology systems. As a direct result of our very strong presence on the Internet, we have of necessity become a significant player in the incident handling arena which cuts across Federal civilian/military government, private industry, academia, and foreign partners. NASIRC has become recognized as a model within the Federal Government.
To protect our mission critical information systems, NASA has become an early adopter of information security technology. Over the next several months, we plan to deploy a public key infrastructure in support of secure messaging, digital signatures, electronic procurement applications and secure web based applications. Our efforts in deploying virtual private networks and firewalls are essential to the successful and secure deployment of our Agencywide Integrated Financial Management Program.
In summary, we take seriously our responsibility as stewards of the public’s space and aeronautics information technology systems and we are committed to working with other agencies of the Executive Branch and with the Congress to ensure we maintain the proper balance between accessibility of research results and protection of our IT investment.