Case Studies and Examples of User Domain Policies

The case studies in this section reflect actual risks that were exploited in the real world. Each case study examines potential root causes. By looking at these case studies in the context of security policies, you can identify how the incidents could have been avoided.

The case studies examined in this section relate to security policy violations, a lack of separation of duties, and poor vendor management. The studies involve the compromise of a government laptop, a Raspberry Pi incident, and unauthorized access to government systems.

Government Laptop Compromised

On October 31, 2012, NASA notified its employees that a laptop containing personal information on more than 10,000 employees was stolen. The theft occurred when a laptop containing the information was taken from a locked car. The laptop had a password, but the hard drive was not encrypted. The NASA announcement included a statement that the IT security policies and practices were under review. Additionally, several immediate actions were undertaken, including requiring that all laptops that leave NASA facilities be encrypted.

Although the details of the theft are unclear, what is clear is that the laptop was left unattended in a locked car. At many organizations, that would be considered a violation of acceptable use policy. Leaving a laptop with sensitive information unattended is not good practice. Typically, such policies require someone to maintain physical possession of devices when they are brought into public spaces, and to carry them into airline cabins rather than leave them in checked bags.

Also, full disk encryption is commonplace in the industry. For NASA not to require full disk encryption and to permit sensitive information to be placed on a laptop is to be out of compliance with industry norms.

This was a failure of policy as much as of individual action. Had the laptop been fully encrypted, the loss would have been limited to the device itself. Although the theft probably indicated a violation of acceptable use policy, the actual damage, namely employees having their personal information stolen and the impact on NASA’s reputation, could have been avoided.

The NASA Raspberry Pi

In April 2018, an attacker gained access to the NASA Jet Propulsion Laboratory by targeting an unauthorized Raspberry Pi. The Raspberry Pi attack went undetected for 10 months. The perpetrator stole approximately 500 megabytes of data.

An audit showed that this was not the only unauthorized device on the network. There have been multiple security incidents at NASA. Many of these threats were due to unauthorized devices on the network. Moreover, the audit found that security log tickets, which included applying a software patch or updating a system’s configuration, sometimes went unresolved for more than six months.

This scenario shows a lack of proper device management policies and/or enforcement of such policies. It also shows that security incidents went months without appropriate resolution. Resolution of this scenario would require a substantial overhaul of security policies, audits, and enforcement within the organization.

Defense Data Stolen

Unauthorized access to data can sometimes have substantial national security implications. In 2018, it was reported that Chinese government-backed hackers had compromised the computers of a Navy contractor. They were able to steal a wide range of data, including antiship missile data and over 600 gigabytes of material on a project named “Sea Dragon.”

This case is also an excellent example of a failure of policies. Although the data was all quite sensitive, it was stored on unclassified computers. This means that data classification policies were not being followed. This prompted the Pentagon’s inspector general’s office to begin reviewing contractor cybersecurity issues.
