The recent news from NASA could easily serve as the poster story for the importance of all-around computer security.
If you hadn't heard the news, there were 48 NASA mobile devices lost or stolen between 2009 and 2011. One of those missing devices was a laptop containing algorithms used to command and control the International Space Station. And shockingly, but not surprisingly, the laptop was not encrypted. In fact, according to the agency's inspector general, 99 percent of NASA portable devices are not encrypted.
Oh and the news gets better. NASA depends on its employees to report lost data, so officials at the agency can't measure how much sensitive data has been lost - sensitive data that wasn't encrypted. And the data on the devices doesn't just include NASA data, but also third-party intellectual property and Social Security numbers. There were thousands of incidents involving the downloading of malicious software or unauthorized access.
Then we find out that Jet Propulsion Laboratory (JPL) computers were attacked a number of times in 2011, with 13 successful break-ins. According to CNN:
The space agency's inspector general, Paul K. Martin, cited one case involving hackers with IP addresses in China. In that case, intruders gained "full system access" to change or delete sensitive files and user accounts for "mission-critical" systems at the Jet Propulsion Laboratory, he said in a report issued this week. "In other words," Martin said, "the attackers had full functional control over these networks."
IT security is considered a CIO's problem, but IT security is basically a mission problem. The information that the actors are looking for is mission information.
She went on to say that if she were given more authority, she could do a better job at protecting the networks.
I'm sorry, but that sounds like a cop-out to me. Let's go back to that one very simple statistic I mentioned earlier: 99 percent of NASA's portable devices are unencrypted. I find it hard to believe that the CIO doesn't have the authority to make sure that agency computers aren't using one of the most basic forms of device security and that encryption isn't - or can't be made - mandatory on all portable devices. Also, I can't help but wonder about the overall computer security policies of the agency. Once again, we see that security often comes down to employee behavior. As Dan Moorman wrote in an IT Business Edge post:
It's been said that you are only as strong as your weakest link, and so it goes with your network security. You may have the latest and greatest equipment and software guarding the gateway to your network, but all that means nothing if you don't have an IT security policy in place that is being enforced.
Organizations can learn a lot from what happened with NASA - how not to approach network security and why you have to cover every single base when it comes to setting up a security system.