
The space shuttle Endeavour passes Hangar One over Moffett Field and the NASA Ames Research Center in Mountain View, Calif. on Friday, Sept. 21, 2012. The Endeavour was on the last leg of its final flight to Los Angeles where it will be permanently installed at the California Science Center. (Gary Reyes/Staff)

A key NASA computer network managed by Hewlett Packard Enterprise has so many security holes that the space agency’s head of IT refused to sign off on a standard authority to operate, a new report said.

“Letting an ATO (authority to operate) expire on a major agency network is unheard of in government,” said a report this week by Federal News Radio.

Nearly every NASA employee and contractor uses the network, the station reported.

Ames Research Center, a NASA agency at Moffett Field, has nearly 1,500 computers that fall under the HPE maintenance contract, according to the report. Within the HPE-managed system at Ames are almost 15,000 “critical” security flaws not remedied with patches, and across NASA as a whole, there are more than 375,000 vulnerabilities in the network HPE manages, the report said.

A former chief information security officer at the Nuclear Regulatory Commission told the station that in general, cyberattackers get into systems via unpatched flaws.

“The fact that the overwhelming majority of successful attacks stem from unpatched vulnerabilities tells you that patching is a major problem in federal IT,” Pat Howard said.

Palo Alto’s HP Enterprise has a 10-year, $2.5 billion contract to manage the bulk of NASA’s personal computing hardware, software, mobile IT services and supporting infrastructure, according to the report. The firm won the contract in 2010.

NASA confirmed to the radio station that the operating authority on the systems had been allowed to expire on July 24, and that chief information officer Renee Wynn signed a six-month conditional authority for the systems to continue operating. However, the station reported that internal NASA sources had revealed that the authority granted did not apply to laptops and desktop computers in NASA agencies.

“Wynn’s decision to issue a ‘conditional’ ATO goes against long-standing policy from the Office of Management and Budget and the National Institute of Standards and Technology,” the report said. NASA responded that granting such a conditional authority was Wynn’s prerogative, in order to “ensure that she is aware of the underlying operational activities, and managing risk accordingly.

“NASA continues to work with HPE to remediate vulnerabilities.”

HPE referred SiliconBeat to NASA for comment on the report. NASA did not immediately respond to a request for comment. A spokeswoman for Ames said she would seek an official response to the report. Any responses from NASA or Ames may be added to this post in an update.

Earlier this year, Federal News Radio reported that network security analysis firm SecurityScorecard had detected thousands of signals emanating from malware – including some of the world’s nastiest computer viruses – that had apparently infected NASA systems. NASA responded to the station, saying its “continuous monitoring tools and scans, a set of monitoring and scans performed by Department of Homeland Security, and various independent third-party audits of NASA’s computing environment do not support this claim of a broad malware infection in NASA’s IT infrastructure.”

Photo: The space shuttle Endeavour passes Hangar One over Moffett Field and the NASA Ames Research Center in 2012. (Gary Reyes/Staff)

The post NASA computer network a security mess under HP Enterprise management: report appeared first on SiliconBeat.