Sources inside the agency and internal documents reveal the grim state of NASA's cyber-security status

Mar 30, 2016 06:56 GMT

Jason Miller, executive editor for Federal News Radio, says that the National Aeronautics and Space Administration (NASA) has a severe patching problem that's putting many of its systems at risk.

Citing multiple inside sources and internal documents, Mr. Miller says that there are hundreds of thousands, if not millions, of patches that haven't been applied to NASA IT systems, exposing the agency to potential attacks.

While NASA's external shield is strong, the investigator says that, once its external protections are penetrated, a skilled attacker would face no barriers to mapping the agency's entire internal network and accessing every nook and cranny.

The blame falls on NASA's cyber-security culture and HPE

Mr. Miller cites various reasons for this situation. First and foremost, NASA is putting missions above everything else. This sometimes means freezing patching operations on mission-related systems in order to avoid any downtime or delays due to bugs or improper patching. Basically, nobody is allowed to touch and patch computers until the mission has ended, leaving systems unprotected for extended periods of time.

Additionally, sources inside NASA are putting the blame on Hewlett Packard Enterprise (HPE), saying the company has been uncooperative and sometimes negligent. HPE won the $2.5 billion ACES (Agency Consolidated End-user Services) contract in 2010 and should have helped NASA revamp its technology infrastructure under the Information Technology Infrastructure Integration Program (I3P).

The company has failed to do so, and according to Mr. Miller, it is having trouble keeping up with the massive workload.

While HPE has answered Mr. Miller's accusations with a one-liner, saying that "Hewlett Packard Enterprise takes security very seriously and remains committed to our close partnership with NASA," a NASA spokeswoman has denied that the agency is having any problems.

NASA says they have everything under control

"Since the 2015 Cybersecurity Sprint, NASA has made substantial progress in tracking and managing vulnerabilities. This agency effort is reflected in [Feb. 15’s] Department of Homeland Security Cyber Hygiene report on NASA, which shows zero critical vulnerabilities older than 30 days since September 2015," the NASA spokeswoman has told Federal News Radio.

In fact, the agency is also preparing to release a new cyber-security tool called Gryphon X, considered by a few experts a cyber-security game changer.

Mr. Miller has also contacted Security Scorecard, a US-based security vendor, which has reinforced his initial investigation by saying that its telemetry data shows over 10,000 constant pings from NASA's network to known malware hosts.

You can listen to a few of Mr. Miller's comments on NASA's cyber-security problem below, but we recommend reading his entire investigation as well.