NASA's computer network is open to potentially catastrophic hacking attacks across the internet, its inspector general Paul Martin has warned.
In a report, he says that six computer servers, which contain critical data and are used to control spacecraft, had vulnerabilities that would allow a remote attacker to take control.
"Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations," he says.
"We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers."
Martin criticizes NASA for failing to assess and deal with risks, as well as failing to assign responsibility for IT security oversight.
It's all the more shocking, given that these issues were highlighted in Martin's last report, which was published in May last year. It seems that despite agreeing to implement a series of changes, NASA has not actually done so.
NASA now says it will make sure that, by September, internet-accessible computers on its mission networks are continually evaluated and that risks are dealt with promptly. It has also promised to develop an agency-wide risk assessment by the end of August.
"As noted in the OIG's report, NASA has remediated all the high-risk vulnerabilities detected during this audit," says Linda Cureton, NASA's chief information officer.
"NASA management is committed to protecting the agency's computers and networks from internet-based attacks and appreciates the OIG's efforts in this area."