Over the past three years, NASA has investigated more than 200 reports that space agency equipment or systems were accessed from outside the country without prior authorization, violating internal policies regarding where mobile technology units can be taken abroad.
The reports of unauthorized foreign access investigations, obtained by FedScoop through a public records request, occur when a NASA device is discovered overseas without any prior planned travel clearly documented. These reports are similar to databases FedScoop has obtained from other agencies, including the Federal Emergency Management Agency and the U.S. Agency for International Development — and reflect the government’s longstanding approach to restricting the use of its devices overseas. The documents do not show the results of the investigations or which countries the pings came from.
These reports appear to occur for a variety of reasons, including: a device was pinged or geolocated on a non-U.S. cellular network, a device not cleared for transport was pinged overseas, or a device had connected to a NASA system from outside the country. The documents were obtained through a public records request for reports of lost or internationally carried devices from the past three years, as well as other information explaining rules for mobile device security abroad.
NASA’s Security Operations Center (SOC) monitors connections to the space agency’s networks. Connections from abroad are reported to the SOC, which then investigates whether the employee connected to that device was on an authorized trip, according to Jennifer Dooren, the space agency’s deputy director of intelligence. She said if a device does not have prior authorization, “that device will be denied access to NASA’s networks and systems.”
Their statement continued: “After review and approval, NASA employees may take government IT equipment on official foreign travel. Some NASA users may be required to perform authorized federal government work on NASA IT in certain countries. Users must comply with all IT equipment and travel requirements. For security reasons, it is not appropriate for NASA to disclose details of NASA equipment configurations or potential individual security incidents.”
The agency did not respond to FedScoop’s questions about the extent to which NASA employees currently travel to Russia or whether Russia – or any other country identified as at risk – has ever come into possession of NASA equipment.
There are risks when government equipment is taken abroad, said Sean Costigan, managing director of resilience strategy at software company Red Sift. The reports of equipment taken abroad without authorization underscore the importance of policies and protocols to protect government equipment before government employees travel. China and Russia, he said, “continue to aggressively pursue intelligence collection efforts, which poses an increased risk if government-provided property is mishandled abroad.”
Greg Falco, an engineering professor at Cornell University who specializes in cybersecurity and aerospace, said the number of reported devices appears to be “excessive,” although he said the problem is likely due to poor communication or possibly a cumbersome loaner device policy. “The risks are primarily related to eavesdropping or theft, where foreign entities could specifically target data or software on a suspect device and monitor the activity,” he said.
The documents also show that NASA issued an interim policy late last year governing travel with government equipment and other related regulations. Under the policy, which is the most current version of the agency’s rules for taking equipment abroad, space agency users can take government equipment to any country as long as it meets certain technical and specific requirements and has approval, except Russia and countries on the agency’s list of designated countries. Those countries include Taiwan, with which the U.S. does not officially have diplomatic relations, and Israel, which is classified as “rocket technology of concern” under the Commerce Department’s methodology. Other countries on the list include North Korea, Iran and China.
When visiting these countries, NASA employees will use specially configured loaner equipment.
“Deployment outside the United States increases these risks, particularly when the telecommunications networks are owned or controlled by the host government. IT devices are always at risk of being infected with malware, and these risks are greater when the devices leave the user’s physical control,” the policy states. These risks are greatest when traveling to the Russian Federation or countries on the list of designated countries, it continues.
The document also specifies what to do if a device is confiscated by a foreign government or by U.S. agencies, including the Transportation Security Administration and Customs and Border Protection. NASA employees should try to maintain control of the device using their credentials. If asked for access codes to use the devices, they should try to enter the device manually before providing a password.
The interim directive, which will remain in effect until December when it will be replaced by another directive, comes amid growing concerns about the space industry’s cybersecurity. Last August, the Office of the Director of National Intelligence issued a brief warning that “foreign intelligence agencies” could target the commercial space industry and try to steal technological assets.
Namrata Goswami, an independent space policy expert, said: “If a malicious foreign cyber actor gains access to a NASA network, it could mean hiding undetected within the network, gaining access to export control technologies, and stealing encrypted passwords. This could have long-term strategic consequences for the United States, particularly related to space technologies that could have both civilian and military uses and could be used by adversary nations against the United States.”
Costigan, Red Sift’s cyber expert, said that given the new technologies and strategic importance of the space industry, the sector is “a prime target for espionage activities aimed at acquiring intellectual property and gaining national security advantages.”
“NASA equipment deployed abroad and its data transmission over foreign networks would be particularly attractive targets,” he added.
