The NASA Hack and Areas of Expertise
According to the internal message, which quickly leaked, NASA information security personnel discovered a potential breach on October 23rd 2018. While countermeasures were immediately taken, the exact scope of the breach remains unclear. We can, however, infer what kind of system was hit from the data that is reported as compromised.
According to the message, the breach may affect “Civil Service employees who were on-boarded, separated from the agency, and/or transferred between Centers, from July 2006 to October 2018”. The statement further claims that “NASA does not believe that any Agency missions were jeopardized by the cyber incidents”.
This indicates that the compromised systems were used for staff management purposes, and not for any mission-critical affairs of the agency.
Was it a targeted attack?
Media reports are quick to jump to conclusions when high-visibility targets such as NASA are hit by attacks. The imagery of a foreign agent purposefully attacking NASA leads to very compelling articles. However, we must at least consider the possibility that NASA fell victim to common malware. Staff administration and general clerical affairs are usually handled by non-technical staff and on computers that aren’t under security restrictions as strict as those used for more critical tasks.
Thus, a careless employee falling for a sweeping phishing attack, downloading a file including malware or simply running an unpatched system are legitimate possibilities. Of course, so are government actors trying to gain a foothold within NASA’s general network.
We will have to wait for the release of detailed reports before any media outlet can make reasonable claims about the nature of the attack.
The fallacy of technical capability
In closing this briefing, we would like to address a common fallacy found in the coverage of such incidents. We will refrain from linking to a specific example as the issue is common across the industry. In many articles covering breaches of high-tech organizations, you will find passages claiming that “It's concerning that an organization capable of sending humans into space and allowing them to live outside Earth's atmosphere for extended periods of time, isn’t able to secure its own servers down on earth” or something similar.
This is a fallacy that is quite unintentional and quite common. The logic goes that since cyber security is a technical field, organizations that work with technology should be good at it. However, cyber security is a complex and specialized field that should best be looked at by itself. A high level of expertise in a different technical field bears absolutely no correlation to aptitude in security matters. Claiming that it is somehow exceptionally worrying that an organization capable of putting humans into orbit is not capable of fully protecting its IT infrastructure is somewhat akin to claiming that the inability of a famous painter to perform a perfect ballet routine is somehow surprising since both activities are considered “artistic pursuits”.
A note on holidays
This will be Reflare’s final briefing for 2018. We will continue our coverage in early 2019 and wish all of our readers happy holidays and an excellent new year.