Unauthorized Access to a NASA Scientific Network
IMTEC-90-2: Published: Nov 13, 1989. Publicly Released: Dec 18, 1989.
Pursuant to a congressional request, GAO reviewed the National Aeronautics and Space Administration's (NASA) Space Physics Analysis Network (SPAN), focusing on: (1) SPAN characteristics; (2) instances of unauthorized use of the SPAN system; and (3) steps NASA took to minimize unauthorized SPAN use.
GAO found that: (1) SPAN was a worldwide computer network that the scientific community used to conduct NASA space and earth sciences research; (2) although SPAN did not contain any classified or sensitive data, NASA designated it a sensitive system because recovery from unauthorized access or viruses could potentially cost over $100,000; (3) NASA could prosecute any unauthorized access to the system, but had no mechanism to ensure that the more than 6,000 node managers implemented the security guidelines or that each node did not contain classified or sensitive data; (4) although SPAN began operating in 1981, NASA did not require formal reporting and investigations of computer security incidents until 1988; (5) NASA reported two incidents that occurred before 1988 but filed 27 reports after it established the reporting system, reporting that unauthorized users successfully gained access to SPAN 67 times; (6) except for any damage to scientific data and disruption of services to users, NASA incurred only the costs associated with computer and staff time to investigate the incidents; (7) NASA took various actions in response to the security incidents, but did not perform a required risk analysis to ensure that its actions provided adequate security protection for SPAN; and (8) NASA continued to report a computer security internal control weakness in its annual report to Congress because of existing deficiencies in the conduct of risk assessments and incidents of unauthorized access to SPAN.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: A risk management plan has been prepared and is being implemented.
Recommendation: The Administrator, NASA, should ensure that a risk analysis of SPAN is performed and documented. On the basis of this analysis, NASA, in cooperation with SPAN users, should develop an approach for ensuring that the security measures resulting from the risk analysis are implemented by SPAN managers and users. In this regard, NASA should continue to report the computer security area as a material internal control weakness in this year's report to the President and Congress, and discuss the actions that will be taken to correct the weakness.
Agency Affected: National Aeronautics and Space Administration