Computer Security

Unauthorized Access to a NASA Scientific Network

GAO ID: IMTEC-90-2, November 13, 1989

Pursuant to a congressional request, GAO reviewed the National Aeronautics and Space Administration's (NASA) Space Physics Analysis Network (SPAN), focusing on: (1) SPAN characteristics; (2) instances of unauthorized use of the SPAN system; and (3) steps NASA took to minimize unauthorized SPAN use.

GAO found that: (1) SPAN was a worldwide computer network that the scientific community used to conduct NASA space and earth sciences research; (2) although SPAN did not contain any classified or sensitive data, NASA designated it a sensitive system because recovery from unauthorized access or viruses could potentially cost over $100,000; (3) NASA could prosecute any unauthorized access to the system, but had no mechanism to ensure that the more than 6,000 node managers implemented the security guidelines or that each node did not contain classified or sensitive data; (4) although SPAN began operating in 1981, NASA did not require formal reporting and investigations of computer security incidents until 1988; (5) NASA reported two incidents that occurred before 1988 but filed 27 reports after it established the reporting system, reporting that unauthorized users successfully gained access to SPAN 67 times; (6) except for any damage to scientific data and disruption of services to users, NASA incurred only the costs associated with computer and staff time to investigate the incidents; (7) NASA took various actions in response to the security incidents, but did not perform a required risk analysis to ensure that its actions provided adequate security protection for SPAN; and (8) NASA continued to report a computer security internal control weakness in its annual report to Congress because of existing deficiencies in the conduct of risk assessments and incidents of unauthorized access to SPAN.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.



The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.