It’s the classic B spy movie scene: the Chinese (or Russians?) somehow hack into our satellite systems and find out where the Pentagon keeps “the weapon.” Millions of American moviegoers laugh at the premise, thinking that the omniscient U.S. government could not possibly be incompetent enough to be hacked so easily. Yet that’s exactly what happened in 2007 and 2008, when Chinese hackers managed to seize control of two NASA satellites, the Terra EOS earth observation system and the Landsat-7 satellite. While access was gained in these cases for mere minutes, a 2011 U.S.-China Economic and Security Review Commission report warned that such takeovers could easily yield intelligence on “ground-based infrastructure” and disrupt vital satellite communications. Ten years later, the weaknesses still exist.
While it’s understandable that large federal agencies have cyber vulnerabilities, weaknesses must be promptly patched up once identified. And, in the decade since the Chinese hack, NASA has basically done nothing to assure citizens that its security-sensitive equipment is safe from sabotage. An Office of Inspector General report released recently on NASA’s information technology compliance found that, despite $1.4 billion in annual IT funding, NASA remains hopelessly outmanned. The OIG concluded that little has changed since 2013, when IT governance was described as “inefficient, ineffective, and overly complex.” In particular, devices are not adequately encrypted, information system inventories are rarely updated, and astoundingly, known software vulnerabilities have not been patched up.
Nor is this problem confined to NASA. The federal government on the whole has a terrible track record in cybersecurity, with basic safeguards absent and enforcement fragmented. According to an analysis conducted last year by SecurityScorecard (a prominent benchmarking firm), the U.S. government ranks at the bottom of seventeen major industries in protecting critical systems. As the Taxpayers Protection Alliance has previously documented, the Internal Revenue Service hasn’t moved past the 1960s in technological prowess. According to a September audit conducted by the Treasury Inspector General for Tax Administration, nearly 70 percent of the infrastructure underpinning IRS operations is “beyond its useful life.” In fiscal year 2016, 107 incidents requiring IRS support were traced back to aged software, with resulting replacement costs totaling $6.6 million.
But why are government agencies so inept at tackling basic cybersecurity issues? According to Chris Wysopal, Chief Technology Officer of the cloud-based service firm Veracode, “they (agencies) don’t fix them because there’s no regulation or compliance rules that require it … When we evaluate these agencies, we often find that their internal testing procedures involve nothing more than interviewing the people involved, and not testing the systems themselves.” That distinction matters: interviewing staff confirms that a control is written down, not that it works, and only testing the system itself shows whether a known vulnerability has actually been patched. The term “bottom-line thinking” has been used to criticize businesses obsessed with profit, but in fact the opposite approach, checking off items without regard for results, is far more destructive.
Private space companies such as SpaceX and ULA have far more mature cybersecurity operations than NASA does, owing to a focus on retaining profits. While no comprehensive reporting of their cyber efforts exists, the information available to the public shows continued robust efforts in preventing hacks. SpaceX’s use of virtual sessions to root out phishing activity, for example, led to that technology’s successful replication by Spikes Security and later AurionPro. Not allowing foreign hackers to compromise operations was an early obsession of Musk, and despite no shortage of attempts, SpaceX has constantly remained on the cybersecurity offensive.
Insights from these private successes can be used to reform agencies with IT deficiencies like NASA and the IRS. IT reform will not come easily, but a few alterations could go a long way toward cutting legacy IT costs and ensuring a safer taxpayer experience. Tying future agency funding to modernization benchmarks would turn agency risk aversion on its head and put some muscle into reform. These monetary incentives can bring “bottom-line” thinking to agencies, forcing them to think more seriously about cybersecurity results rather than processes.
Unless agencies beef up their IT security efforts, Chinese and Russian hacks will continue to provide fodder for B directors looking for their big break. With the right incentives, Congress can ensure that the next cyberattack on critical infrastructure dies hard.
Ross Marchand is a policy analyst with the Taxpayers Protection Alliance.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.