Private companies and universities. It is an hour and 20 minutes. Members should keep their video feed on as long as they are present in the hearing. Please keep your microphones muted unless you are speaking. If members have documents they wish to submit for the record, please email them to the Committee Clerk whose email address was circulated prior to the hearing. Good morning, everyone. I would like to welcome our distinguished panel of witnesses and members and those viewing plotely. Cybersecurity and nasa, ongoing to challenges and emerging issues for increased telework during covid19. In early 2020 the world was caught off guard with the dramatic rapid onset of the coronavirus. It shifted to a telework operations to ensure the health and safety of its more than 17,000 Civil Servant employees. To its credit, nasa prepared for the transition having held an agencywide telework exercise in early march and expanded telework operations. Today 75 to 80 of Civil Servants continue to work remotely handling reviews, oversight, engineering analysis and other activities. The shift to increase telework at nasa raises many questions. Front and center, cybersecurity. What does it mean for protecting nasas intellectual property, identifiable information and operations . How does it affect the agencys overall cyberSecurity Risks and what steps is nasa taking to ensure the effectiveness during the pandemic and beyond . These are some of the questions todays hearing will explore. What is clear is that nasa is a target. I want to pause here for a moment to net that an article in the hill today where the Justice Department has brought charges hacking a u. S. Satellite company. This is the timely. A recent report stated that given nasas mission and valuable technical and intellectual capital it produces, information it maintains presents a high value target for hackers and criminals. N 2019 administrator jim broadenstein said nasa is the most attacked federal Government Agency when it comes to cybersecurity. It has resulted in large amounts of stolen data. Installation and copying and modifying and deleting Sensitive Files and accessing servers. Cybersecurity Infrastructure Security Agency is a very Important Agency has issued specific alerts on vulnerabilities related to telework during the pandemic and encourages organizations to adopt a heightened state of cybersecurity. In april 2020, the agencys then chief Information Officer notified employees of increased hacking attempts on the agencys system. In june 2020, media articles reported that malicious actors congratulated nasa and space exon a temperature stragsestration flight and then they had infected and breached a nasa contractor. If true, it is a concerning report and part of reason were here today. Protecting nasas i. T. And data during the pandemic remains vigilant. However it doesnt begin and end with the covid19 crisis. The workforce has identified weaknesses and ongoing concerns with nasas information security. Further they have ranked this issue as a top agency challenge. Ensuring effective cybersecurity at nasa becomes more pressing given Rapid Advances in i. T. , supply chain risks. The partnership and the overall increase in space activity. Nasa is a national treasure. Its Missions Continue to inspire young and old. Nasas cutting age Space Technology and research is the envy of the world. Nasas accomplishments would not be possible o without computers, software and information system. Will nasa or any organization ever been b 100 risk free from cyberthreat . Probably not. Is there room for improvement . Absolutely there is. Givee todays hearing will understanding and whether or not nasa is mitigating those risks. The bottom line is we need to make sure nasa has the tools it needs and takes the necessary action to ensure the agencys success during covid19 and beyond. I look forward to our witnesses testimony today. I think we are there he is. Everyoneng member babb in. I know it can be a little bit of a challenge. The chair now recognizes Ranking Member babbin and my good friend from texas for an opening statement. We have three computers here. I couldnt get on but i got on one of my telephones. Any way we can do it, im glad to be with you. Innovation and ingenuity. I love it. The success with america shuttle ini, apollo, and International Space programs along with jawdropping robotic probes attract worldwide attention. Unfortunately that attention comes with many challenges. The technologies that nasa develops are sought after by criminal entities, unscrube scrupulous foreign governments and destructive vandals. Many of these technologies have both civil and military applications, these challenges are particularly gray and this is a topic this committee has focused on for decades. Mr. Martin testified before the investigations and oversight subcommittee almost 10 years ago on the topic of information security. At that hearing, he testified that an unencrypt laptop was stole frontline nasa that resulted in the loss of the algorithms used to control the space station and personally identifiable information and intellectual property. Similarly the u. S. China economical Security Review Commission noted in its 2011 report to congress that the satellites experienced at least two separate instances of interference consistency with cyberactivities against their command and control systems. More recently, the nasa i. G. Issued its report in july which found that Information Systems throughout the agency faced an unnecessarily high level of risks that threatens the the report concluded it is imperative the agency continue efforts to strengthen the Risk Management and government practices to safeguard its data from cybersecurity threats, unquote. Last month the i. G. Issued another report of nasas use of nonagency it devices and found nasa is not adequately securing its networks from unauthorized access of it devices, unquote. The nasa i. G. Is currently tracking 25 open recommendations from the office of the chief Information Officer. These do not include it and cybersecurity recommendations o mission direct rits or other observations in the nasa enterprise. Its startling but many reasons the recommendations remain open. For instance Agency Guidelines and best practices are often general rules and principles not optimized to the agencys expertise and challenges. For instance, nasa is the world leader in designing, building, operating and communicating with spacecraft. This expertise resides within the Mission Directorates and within the centers who cultivated this expertise over many decades. In some instances they develop the software and Information Systems and underlying Technologies Industries adopted and embraced. Even more extreme circumstances they continue to use one off operating systems that while perhaps not compliant with o. M. B. Governmentwide guidance are arguably more secure because of their uniqueness and obscurity. Efforts to bring these technologies into compliance with a one size fits all cookie cutter approach for development of enter price systems could actually introduce more risk into the system. This isnt to excuse the shortcomings identified by the g. A. O. Over the years. Lost laptops, unsecured devices and unauthorized access to systems and authorizations to operate and poor Inventory Management are all cause for concern which brings us to the situation that nasa currently faces. The covid 19 challenge requires most employees and contractors to work remotely and nasa has embraced teleworking for years, the standard of this practice introduces a larger target and more vulnerabilities for malicious actors to explode. In addition to teleworking challenges, im also interested in understanding what level of insight nasa has for contract cybersecurity as nasa moves to publicprivate partnerships. Finally, its worth noting President Trump recently issued space policy directive number five. Focused on Cybersecurity Principles for space systems. While its not covid inspectioned specifically, its particularly timing given todays hearing and demonstrates the administrations forward looking leadership on this very topic. I look forward to hearing more about these important issues and what nasa plans to do to mitigate as well as what congress and the administration can do to help. So with that, madam chair, i yield back. Thank you, Ranking Member babin, for your opening statement. We share many of the same concerns in this area and excited and grateful for the opportunity for this hearing today. If there are any members who wish to submit additional opening statements, the statements will be added to the record at this point. And now id like to introduce our witnesses. Our first witness today is mr. Jeff seton. In april of 2020 he was named nasas chief acting chief acting chief Information Officer. Lets see if i can get that out right. Prior to his current position he served as nasas chief Information Officer and spent seven years as the chief Information Officer at Nasas Langley research center. He began his career with nasa in 1991 as a Research Engineer designing robotic systems for space based applications and also served as langley chief Technology Officer and deputy c. I. O. He received a bachelors degree and masters degree in Electrical Engineering from virginia tech. Welcome. Were glad youre with us today. Our next witness is mr. Paul martin, Inspector General for the National Aeronautics and space administration. Mr. Martin has been the nasa Inspector General since define 2009. Before to his appointment he served on the department of justice and spent 13 years at the u. S. Sentencing commission including six years as the Commission Deputy staff director. Mr. Martin received a bachelor degree from journalism from Pennsylvania State university and a jurist doctorate from Georgetown University law center. Welcome, mr. Martin. Our third and final witness today is dr. Diana burly. In july 2020 she was appointed as vice provost for research and director of Public Administration at American University. Prior to her current position dr. Burly spent 13 years as a professor of human and organizational learning at George Washington university where she was the inaugural chair for the organizational and learning department and checktive leadership doctor at program and also managed a multimillion dollar computer education and portfolio for the National Science foundation. She received a bachelors degree of economics from the Catholic University of america, masters in Public Management and policy from Carnegie Melon University and masters and doctoral degrees in organizational science and information policy also from Carnegie Melon University. Welcome, dr. Burly. As our witnesses, you should know you each have five minutes for your spoken testimony. The written testimony will be included in the record for this hearing. Bhu have completed your spoken testimony we will begin with questions and each member will have five minutes to question the panel. Well start with mr. Seton. Mr. Seton, youre recognized for five minutes. Mr. Seton thank you chairwoman horn and Ranking Member babin and the subcommittee for space aeronautics allowing me to talk about nasa sec knowledge infrastructure and our efforts to manage and protect the infrastructure during the covid19 pandemic. Thankfully due to Strategic Investments made the last several years nasa was well positioned to keep our Missions Moving Forward to shift our work to telework. As a result nasa never has been closed and our work force has continued to work in a creative manner despite the highly contagious covid19 virus. With strict protocols in place nasa is allowing more employees on sight based on local conditions and guidance from the c. D. C. And other partners. The safety of our work force remains our top priority. At the same time protecting and effectively operating our it infrastructure continues to be another top nasa focus. It plays a krill cat Critical Role in nasas missions. However, effective it management is not an easy task. As nasas chief officer, it is my job to balance it capabilities with Operational Efficiency and effective cybersecurity to guard against evolving threats. During the pandemic, the demands and expectations placed on nasas infrastructure has been incredibly high and threats from external actors remain an ongoing concern. However, with hard work, dedication and innovation, nasas c. I. O. Team has risen to the challenge of keeping our Missions Moving Forward. For example, i. C. O. Developed software to track cases of on site covid19 exposures and also meeting all Security Privacy requirements. Additionally nasa continues to hire onboard new employees, contractors and interns with innovative approaches to provisioning and maintaining it systems and tools remotely. For nasa employees, the pandemic changed the way we worked. Some employees teleworked occasionally before the pandemic, having 90 teleworking salt the same time is Game Changing and theyve increased their use of virtual tools such as webx and Microsoft Teams to share face to face and share workplaces. Employees are dependent on nasas private network to connect to other systems. Our highest v. P. N. Rate was 12,000 users on a sing 8 day and today is supporting almost 40,000 daily users with an availability exceeding 99 . Thanks to architectural and capacity improvements implemented the past 24 months. Like other agencies, nasas infrastructure is under constant attack from well resourced and domestic and foreign adversaries and we main a popular target today. We continue to strengthen our capability to proactively defend and protect our systems and data. The reported number of cyberincidents continues to increase because we have greater visibility into our network, im confident nasa is strengthening our response to these threats. In fiscal year 2020 nasa developed a continuity operations capability to further enhance our Security Operations Center Located at the Ames Research center. Previously if operations were interrupted we had a limited ability to identify tech and respond to incidents. Today nasa sok operations allow us to remain 24 by seven operations at all times if there is a isolated disruption. With strength and tools and capabilities nasa is transitioning to a largely reactive to proactive cybersecurity posture. In april nasa removed the sok to ensure employee safety and did so without impacting our cybersecurity capabilities. In closing, i want to personally thank not only my oco staff and leadership but the entire nasa work force for the hard work and personal sacrifices theyve made during this challenging time. Our employees are finding new ways to keep Missions Moving Forward, support each other, balance work and family pressures and dedicate their expertise and personal time to developing technologies that are aiding in the National Response to the coronavirus. While no one is sure what the future holds, nasa Senior Leaders including myself are committed to keeping the nasa work force safe and providing them with the it tools and infrastructure they need to continue executing our missions. I want to assure you protecting and evolving nasas it infrastructure is and will remain a top agency priority. Thank you for the opportunity to testify before you today and i look forward to answering any of your questions. Thank you. Thank you very much, mr. Seton. Mr. Martin, youre now recognized for your testimony. Mr. Martin thank you. The nasa office of Inspector General has conducted a significant amount of oversight work to help nasa improve its Information Technology governance while securing its networks and data from cyberattacks. Over the past five years we issued 16 audit reports with 72 recommendations related to it governance and security. During the same period, weve conducted more than 120 investigations involving intrusions, service attacking and data breaches on nasa networks, several of which resulted in criminal convictions. My testimony today is informed by this body of audit and investigative work. The soundness and security of the data and it system is central to nasas success. The agency spends more than 2. 2 billion a year on a portfolio of it assets that includes hundreds of Information Systems used to control spacecraft, collect and process Scientific Data and enable nasa personnel to collaborate with colleagues around the world. Given the valuable and technical intellectual compll nasa produces the it systems are a target for cybercriminals. The past six months tested the agency as more than 90 of nasas work force moved from on site to remote work due to the pandemic. During this period nasa has experienced an uptick in cyberthreats with fiduciarying attempts doubling and mall wear attacks doubling. This morning i offered three observations about nasas it governance to provide context for the scope of the challenges. First, our concerns with nasas it governance, security are wide ranging and longstanding. For more than two decades nasa struggled to implement a effective it structure that aligns authority and responsibility commensurate with the agencys overall mission. Specifically the agencys c. I. O. Has limited oversight and influences over it purchases and missions at it directities and centers. The decentralized nature of nasa operations doubled with the historic culture of autonomy have limited it wide governance. Moreover, nasas connectivity with educational institutions and other outside organizations and the vast Online Presence of 3,000 web domains in more than 42,000 publicly accessible data sets offers cybercriminals a larger target than most other Government Agencies. Second, despite positive forward momentum, the agencys it practices continue to fall short of federal requirements. For example, in 2019 for the fourth year in a row, nasas performance during our annual fisma review remained level 2 out of five. Meaning the agency has issued but has not consistently implemented important policies and procedures defining its it security program. And third, like many other public and private organizations, nasa struggles to find the right balance between user flexibility and system security. For example, for years nasa permitted personally owned and partner owned global it devices to access nonpublic data even if those devices did not have a valid authorization. Today nasa employees and partners can use nonagency mobile devices to access email if the user installs Security Software moan as mobile Device Management. However, an o. I. G. Audit last month found nasa was not adequately securing its email networks by unauthorized access by these personally owned devices. Nasa has deployed technologies to monitor unauthorized connections it has not fully implemented controls to move or block those devices. Moreover, the agencys december 2019 target for installing these controls was delayed due to technological issues and pandemic related center closures. Until these enforcement controls are fully implemented, nasa faces an elevated risk of a breach. Finally, as part of its math initiative, nasa plans to centralize and consolidate it capabilities. The c. I. O. s office expects to complete the math assessment by march 2021 with implementation on institutional systems beginning later that year. As map unfolds we plan to angs what is the enterprise level alignment and strengthen cybersecurity at nasa. I look forward to your questions. Thank you, mr. Martin. Dr. Burly, youre recognized for your testimony. Dr. Burly chairwoman horn and Ranking Member babin and members of the committee, thanks for the opportunity to appear of before you today. As nasa engages in the emerging issues for increased telework during this time, at American University we are guided by our strategic plan, changemakers for a changing world. It empowers graduates to navigate shape and lead the future of work and a. U. Researchers are pushing the boundaries of discovery in health care, data science, social equity and security. In my remarks today, which are shaped by decades long career leading cybersecurity initiatives, i will highlight how the interplay of these areas supports the development of a holistic strategy to address cyberSecurity Issues surrounding the exponential growth of telework during these unprecedented times. Concerns over exfoes you are to covid19 has access rated a mass high graduation to the setting and teleworking has existed for years but never before have we seen the range and volume of remote workerses or Remote Working environments. Employees across the spectrum of demographic categories and capabilities are working remotely and engaging with their employees, colleagues and customers through a digital interface and a range of devices. Securing this activity necessitates we recognize both the technical needs and environmental factors that shape that behavior. Consider the following, novice users and novice experiences create vulnerability. In the murrayed transition to remote work, agencies did not have sufficient time to prepare novice users for the complexity of their newly virtual working environment, where overall security is more reliant on individual decisions made by employees and nonemployees alike, even seasoned users who have developed behavors in on court projections face new challenges to expose the vulnerabilities by the Remote Working environment. Employees are working under duress. Covid19 continues to drive economic instability, Health Related concerns, anxiety and confusion. Employees are worry about meeting their basic needs and less likely to attend to lower priorities like cybersecurity. Cybercriminals exploit opportunity and the shift in activity provides a larger attack service and leads to more opportunities for cybercriminals to use social engineering techniques such as fraud, misdirection and misinformation to exploit those vulnerabilities. Users bring their entire cells online. If we use a Public Health analogy as treating the whole patient we can strengthen the efficacy of guidance to engage in robust cyberactivities. Excessive treatments are in extrickably linked to the Global Environment of its patients. Today in the midst of the covid19 pandemic we must recognize while basic cyberhygiene practices relatively doable under normal circumstances these are not normal times. Our workers are distracted, frightened and fatigued. This is especially true to the most vulnerable users. As such, strategies to strengthen the cybersecurity of teleworkers must consider the full spectrum of user experiences and address the conflict realities of their needs. What ive represented is only a snapshot of the benefit of using a holistic approach to reduce the impact of cybersecurity related vulnerability. I have long advocated for this type of approach. Now and with a greater accepts of urgency we must collaboratively develop programs there work between the availables that shape the cybersecurity posture among the broad range of teleworkers navigating the covid19 environment. I look forward to tipped engagement with this committee to develop concrete strategies that raise awareness of the threat, encourage actions that increase the cybersecurity of the nations employees and protect our most vulnerable citizens. Thank you. Chairwoman horn thanks very much, dr. Burly. At this point we will begin with our first round of decrees and the chair recognizes herself for five minutes. Thank you to our witnesses today. Its clear these are important issues and theres a lot of things to tackle. I want to start, mr. Seaton about questions about contractors and cybersecurity contractors, especially given the increased use and the significant use of contractors within nasas work force. I have a number of questions and try to get through as many of them as we can and some are just yes or no and then well get to a few other things. What we know and i entioned the article today in the hill, that our systems theres a lot of information our hackers are very interested in and the contractors that nasa works with are intrigual to our nations space agency. My first question is are there federal acquisition clauses that specifically refer to contractor cybersecurity requirements . Yes, your honor, and we include those in our agency contracts. Our providers follow the cybersecurity requirements. Chairwoman horn let me follow up. Those are nasa cybersecurity requirements because we asked earlier this year about associated bar language and nasas response was there are no far requirements, no far clauses but do those fall under nasa requirements in contracts . Mr. Seaton we have the nasa supplements but have to get the spembings of what are included and i can take a question for the record to do that. Chairwoman horn absolutely. Who those clauses are included, is it nasa that signs off on the cybersecurity, are there waivers, who signs off on the requirements for cybersecurity that theyve been met . Mr. Seaton we have automated tools to be able to ensure our contractors are complying with the requirements when theyre expecting to any nasa system just like any employee would. S was mentioned in the earlier testimony, weve put in place in controlling to strengthen them to ensure o. A. I. Devices can connect to our systems. Chairwoman horn who has oversight to cybersecurity protocols, through your office, are you able to conduct oversight and audits of cybersecurity practices by contractors . Mr. Seaton ultimately i am the acting chief Information Officer so cybersecurity is my responsibility and so it would be me and the team that ensures compliance with the cybersecurity requirements. Chairwoman horn do you feel like you have sufficient oversight and insight and ability to do that within your within your authorized authority with your authorities . Mr. Seaton yes, i would say i believe within nasa ive been given the appropriate authority and support, but i will say the environment is continuing to change and its a dynamic landscape as it is no longer just the computer and laptop on your desk but expands to Operational Technology where it is imbedded within systems. So i would say its challenging with that evolving landscape so we continue to mature our processes. Chairwoman horn thank you. Stepping back to the challenges from this year during covid19, ill have a question for mr. Martin and mr. Seaton and hopefully well have time to get to dr. Burly about broader. The memo, mr. Seaton, your predecessor published april 8 warned of increased attempts in cyberattacks and especially during covid19. And my first question is to you actually and then mr. Martin, how is the rate of cyberattacks changed since that memo in april and what steps has the ocio taken to respond to those increased attempts . Mr. Martin we have an increase in fiduciarying attacks and at a low phishing attacks and t a lower operation. We supported a mobile work force and have in place controls and technologies to mitigate against some of these threats including automated prevention of phishing attacks. When it comes down to it, you and i are the most vulnerable part of our it security is the people. We try to put in place automated controls to actually make that easier for our employees and ive seen significant improvements in phishing protections the last two years. Chairwoman horn quickly, mr. Martin, my time is coming to an end. But what is your confidence level in nasas ability to sufficiently address the increase in cyberthreats as reported by the ocio . Mr. Martin overall, i think theyre making incremental improvements. Theyre headed in the right direction and i think theres a new realization the last couple years of the expanse and significance of challenge. Were very cautiously optimistic. Chairwoman horn wonderful. I recognize Ranking Member babin for five minutes of questions. Mr. Babin thank you, madam chair. Hopefully im unmuted. I would address this to the chief Information Officer, mr. Seaton. Two weeks ago President Trump signed space policy directive number 5 which focused on Cybersecurity Principles for space systems, spd5 states, it is the policy of the United States that executive departments and agencies will foster practices within government Space Operations and across the commercial space industry that protects space assets and their supporting infrastructure from cyberthreats and ensure continuity of operations. My question is this, as nasa increases its use of publicprivate partnerships, how will it ensure contractors comply with this policy without implementing regulations . Mr. Seaton spd5, we appreciate the administration and this congress focus on space cybersecurity because thats critically important thousand. Were currently in the process of reviewing and analyzing spd5 but the good news is we see a lot of consistency with best practices that we are already implementing and will continue to look to strengthen our cybersecurity both within our missions as well as with our contract partners. Mr. Babin thank you so much. The next question would be to Inspector General paul martin. Your Office Issued a report on j. P. L. , jet Propulsion Laboratory cybersecurity management last year, j. P. L. , unlike other nasa centers, is managed by a contractor from cal tech. The report highlighted the fact that nasas contract with cal tech did not include relative requirements from nasa it Security Policies it. And so has the o. I. G. Conducted a review of other nasa contractors to determine if their contracts contracts include necessary clauses pertaining to i. T. Security, and, if so, how many has your Office Conducted . Havemartin thank you, we not conducted a separate audit looking at that specific issue, although if i could double back the concerns we had when nasa entered into a new fiveyear contract with caltech, that the contract was absent these significant i. T. Oversight provisions. We have since followed up and found that jpl issued an nasa accepted, and we reviewed, and they meet the criteria we were concerned about. Enclosed federal i. T. Oversight is going to happen at jpl, so we are pleased with that. Rep. Babin thank you. And does the o. I. G. Conduct compliance audits to ensure that following rules pertaining to cybersecurity . Ag. Martin we have conducted significant number of program audits, part of that includes a detailed dive into the contracts to make sure that the i. T. Security requirements are not only in the contract but are actually followed. Rep. Babin is this a more appropriate role for the nasa cio or Procurement Office to conduct rather than the o. I. G. . I. G. Martin certainly the cios office and procurement have to ensure at the outset that the appropriate Security Issues and safeguards are contained in the audit themselves, and ongoing with contract management which show that you need to ensure they are being effective. Has limited capacity, so we will try to target the more highrisk, high value operations that nasa has to do a deep dive audit. Thisbabin and then, as very hearing demonstrates, nasa and the nation have adopted videoconferencing to adapt to social distancing requirements. Has nasa and verified any vulnerabilities with commercial videoconferencing platforms are certain video platforming not allowed at nasa based on concerns over foreign influence or technical i will start with that and say we have a set of approved tools ive gone through the approved security validation, which includes assessing any threats externally to those environments. Outside of that, other tools are not approved for use in nasa. O. I. G. Isn the using those approved tools. Rep. Babin and dr. Burley, did you want to add to that at all . Dr. Burley most agencies and other organizations have their list of approved tools. , i havein madam chair spent all my time, and i will yield back. I want to thank all the witnesses. Chairwoman horn thank you very much, Ranking Member babin. Perlmutter, you are recognized for five minutes. Perlmutter thank you very much. I feel one of the biggest is ms with this question is for you, dr. Burley. Mr. Seaton mentioned the most vulnerable spot for hacking and cybersecurity is the individual, the person. When you are testifying, you talked about novice users not familiar with the equipment or security protocols, employees under duress, work to be about their bases need basic needs and not worry about their cybersecurity, that folks are having trouble because they are distracted, frightened, and fatigued, i think where your terms. It almost feels not that the cio should be involved but that the Personnel Department is really one of the keys here. What do you see, whether it is nasa or generally across the agency, being done to help the individuals through this anxious period and maintain cybersecurity . Dr. Burley thank you for your questions. Awareness programs need to be adapted, recognizing that employees are working in a different environment, they are working remotely, and they are working around other people. It is not just them, it is also family mothers family members and others in their environment, so we have to look at those awareness programs and recognize they need to be adapted raised on the current realities of work. Second, Human Resource professionals need to be involved to provide the kind of support to our employees that they need, so they are able to focus on not only doing their work but doing their work in a secure manner. Perlmutter i guess had not even thought of it, but i sure people are working from home, and whoever may be in the background, so it is is not like you are in the office at nasa headquarters where everything is safe and secure. So i think i will yield back, reallyhink this is cooperation certainly between the Hr Department and all of the technology folks. All three of our speakers have focused on that, but in this pandemic, that is critical. I yield back. Chairwoman horn thank you. Posey, you are recognized for five minutes. Rep. Posey thank you, madam chair, for holding this important hearing. Some recap in june of 2020, the nasa Inspector General said that nasas highprofile makes it an attractive target for hackers. During the covid19 pandemic, teleworkinged that possibly makes the agency a bigger target. Duringe 2020 report said without to protect the confidentiality and availability of its networks, not a new problem facing nasa in 2014, there was a report that nasas networks are being compromised and individuals are not being held accountable. A billded language in back in 2015 to address this in requiring a report to protect external control violations. The Inspector General also made nine recommendations to nasa including making sure there general concluded that the threats are increasing, and that it is imperative for nasa to implement practices to safeguard its data from cybersecurity threats. So it was noted that the ispector general that nasa an attractive target for hackers and that actors, is china one of those bad actors . What steps are incidental to sue will nasa refer criminally i. G. Martin yes, yes, no. Im joking, that was a lot of questions. China is one of the foreign entities out there, china is not the sole entity, country out there that is seeking nasas very valuable intellectual property. Nasa is taking steps, and has been, to secure its intellectual property and its networks from attack, both from china and from the series of other countries, and also local hackers. Series ofnducted a criminal investigations, and we work with the fbi and counterintelligence officials when we get leads on these issues. Rep. Posey thank you. Ton, is nasa taking the essary actions i am happy tos, report that we close down all of the recommendations there were quite a few in those reports, and those have been implemented. I think they improved our security and our practices. Dr. Burley, should the National Academy do another study to examine the vulnerabilities that teleworking presents . Dr. Burley the opportunity for associations and national the depth, sos us i would say yes. Rep. Posey thank you. I yield back. Chairwoman horn the chair now recognizes mr. Beyer for five minutes. Rep. Beyer thank you, madam chair. Mr. Seaton, thank you for joining us. You mentioned that you were able to onboard new employees, new interns. Our office has been able to do the same. We have also been able to ensure that all staff warehoused equipment, including laptops. I wasthe new report, surprised that personally owned devices could connect to internal some systems. Notthat o. I. G. Was monitoring those with access to the internal systems. Those you make sure that personal devices are secured . Mr. Seaton great question. We do require the use of nasaprovided equipment for our new employees and interns. We provide them with the tools they need. Recently, within the last two years, it was my office that changed the policy that was referred to earlier, where previously, we did allow personal devices to connect that is no longer allowed by policy. The only allowance is for a mobile device that has a mobile Device Management software that secureide that creates a connection to our systems if an employee will consent to us managing their personal device with our software. Where we do have opportunities to continue to strengthen our architecture is implementing automated controls to ensure that that is what is happening, so Network Access control, and the pandemic, have actually impacted us there, pushing out that scheduling for next year, but we made significant progress to know what is on our network and who is on our network and have a little more rep. Beyer that is encouraging to know. I am sure the stuff you have is more important than the stuff that is on my network. You talked about the unauthorized access to deep Space Network other than the personally identified information, what are they after, and how much of this is china, russia, the other nations that are interested in space, our lunarthis affect , theons or Mars Missions important things that nasa is doing . I. G. Martin thank you. Nasa has vast troves of important intellectual Information Capital that it has spent decades amassing, so i think folks are country actors are after that information, the innovations that nasa is so famous for around the world, everything data on. I. , contractual the systems. There is a vast and wide array. And nasa, unfortunately, has been under attack from both domestic and foreign cyber anminals, and so it is just ongoing, incredibly difficult issue, to keep nasas defenses up. Rep. Beyer thank you. Professor briley burley, one of the challenges nasa has is it is so decentralized. So onesizefitsall will always be difficult. Are there other examples of systems that are similarly centralized they have been able to effectively secure their i. T. Systems . Is there anybody for nasa to imitate . Dr. Burley i think the cio from nasa would know better, but there are many different decentralized systems, both in the federal government and outside that could be used as a guide to at least begin to think about best practices and other strategies for securing the network. ,ep. Beyer to mr. Seaton quickly, that apartment of congress has 13 different cios do you have the same challenge within nasa . Mr. Seaton there is one cio, but there are center cios that report to me. We have a single i. T. Strategy for almost a decade now, we have been working to integrate and operate as a cohesive unit. Acknowledging that there are some weaknesses and our centers but implementing consistent policies and moving towards Enterprise Services and contracts. We are moving in the enterprise direction significantly. Rep. Beyer thank you very much. Chairwoman horn thank you. Rep. Garcia thank you. Very exciting times for nasa and very challenging, with very unique dynamics in play here. I have a few questions, probably directed to all of you, mr. Seaton, . , and. Martin,kr. Seaton, mr. And dr. Burley. One of the challenges that we had was the classified elements, which were effectively what chairwoman horn was talking about as far as requirements, tose requirements led onerous costs to suppliers and to the lower level supply chain folks. What are we able to do, what is nasa doing, to make sure that the Small Businesses that are a critical element of your supply chain are not necessarily with eitherwhelmed Cyber Security requirements or Cyber Security, Software Department were, and therefore being dissuaded from entering into this industry, into this support chain . Are we able to provide gfi, government furnished ip, to make sure and flow down to the lower level suppliers, to make sure they are baking in some of the cybersecurity elements into their respective programs . How do we communicate with those lower tier supply chain folks . Mr. Seaton, we can start with you. Mr. Seaton i will say that is a challenge, making sure all of providers appreciate the significance of cybersecurity at our building that into the solutions they deliver is a requirement of doing business today. August, section 889 required us to certify anybody we are doing business with complies with supply chain restrictions that are federal wide. We are working with our providers and suppliers to make sure they understand and that they build that into our practices. Rep. Garcia we have to make sure we are balancing our risk mitigations and do it with the cost elements, just making sure we are not driving some of these key suppliers out of business or out of industry or out of your business, right . I know that is a delicate balancing act as well. Mr. Seaton the cost of having a compromise is a significant to those. You are right. It is a balancing act. Rep. Garcia are the primes or tier one suppliers actively looking to package up programs programs to download to the lowerlevel suppliers . Or is it ad hoc, depending on what the threat is or what the threat mitigation level is . Mr. Seaton i cant speak to the individual practices of the suppliers. Rep. Garcia from just characterizing classified versus unclassified, are you able to speak to what percentage of your networks are on classified networks, and is one of the sides lagging the other . In other words, do you see more threats on the classified side or fewer threats but maybe more critical impact to those networks . Or how would you characterize unclassified versus the mr. Seaton my office is responsible for the unclassified side. We work with the office of protective services on classified side. We cannot really speak in this form to the division there, but often compromise on the classified side can be used to propagate to other systems, so that is a concern, even on the unclassified sided. Rep. Garcia great. , i do. Martin, dr. Burley not know if either of you care to comment on those topics. I. G. Martin we have little to no work on the classified side at nasa. Rep. Garcia ok, thats good enough. Okay. We hosted a Small Business summit with Kevin Mccarthy and nasa administrator bridenstine a couple of weeks ago. The cost of entry into the supply chain for all Space Programs is pretty high for some of the small suppliers. Lets make sure we give them the tools to enable them to defend only their networks but yours, your suppliers, as we navigate this challenge and hopefully look to synergize Lessons Learned and download those through contract requirement lowdown documents accordingly. Really appreciate your time and good luck with the upcoming launches as well. Thank you. I yield back. Chairwoman horn thank you, mr. Garcia. Now for the honorary member of our subcommittee who is reliable and with us mr. Weber, you are recognized for five minutes. If we can get you on muted. Rep. Weber there we go. There are a lot of people who want to mute me, but nonetheless. Thank you for that, chairwoman. I appreciate the opportunity being here. You asked the question to mr. Earlier about how many intrusion attempts per month were there, and i want to follow up on that by saying how does that compare, mr. Seaton, to the intrusion attempts per month this year during covid . Are you making a distinction there . Mr. Seaton yes. Not that direct comparison. But there are fluctuations based on our insight which is increasing so sometimes that is cause for higher numbers. We have seen a number of phishing attacks and Malware Attacks at various times throughout the pandemic that has not been steady, it has been fluctuating. Rep. Weber any idea i guess 10 , 20 , 5 increase . Mr. Seaton at one point, over a given period of time, we saw a doubling of phishing attacks. But again, there been other weeks where it is been lower. I do think, because of the pandemic, people looking for the opportunity to attack and will continue to. Rep. Weber theres been a lot of discussion about having personal devices and being at home and those kinds of security firewalls, if you will if it is Sensitive Information i know you said you worked with the fbi or other task forces, but that Sensitive Information, if you could get it to us, it would be interesting for us to have. And i want to follow up on your discussion with mr. Garcia. You all talked about before do that, let me go to mr. Martin real quick. Mr. Martin, understanding this hearing is supposed to be narrowly focused on Cyber Threats during covid, since youre here with us, i thought it would be appropriate to discuss some of the things weve been talking about with china, for example. During this intellectual property threat obviously to the aerospace your supply chain, it was wheeled that longtime a long time dod and nasa launch provider proactively identified and cut ties with a supplier that was a Security Risk due to chinese ownership. Were you aware of that, mr. Martin . I. G. Martin i was not, congressman. Rep. Weber okay. In comments earlier, i would go back to mr. Seaton, with his exchange with mr. Garcia, he said he couldnt speak to suppliers, or speak for the suppliers. Was that what you were saying to mr. Garcia . Mr. Seaton i said that i could not speak to how they were structuring their Business Operations to meet the federal requirements. Rep. Weber shouldnt that be something we are looking at . I dont mean to sound too skeptical, but shouldnt nasa and actually all u. S. Defense company should be taking a proctor posture to know exactly what safeguards are in place across the supply chain . Mr. Seaton totally agree. So how they go about doing it is what im saying that we are not in their Business Operations. Validating that they are complying with requirements is something that weve been doing for years with our supply chain Risk Management efforts, ensuring the things that we buy are free of risk, through coordination with the fbi and making sure that, even within their organization, they do not have i. T. Equipment provided by prohibitive providers. So yes, we are actively involved in ensuring that level of compliance. Rep. Weber you say how they know about it you are not necessarily involved in, but shouldnt there be some level of protocol, for lack of a better term, some threshold, some safeguard they have to meet minimum safeguards, and somebody has to be looking over their shoulder in that regard, is that fair to say . Mr. Seaton again, compliance with our cybersecurity requirements is absolutely critical and that is our responsibility. Their Business Practices is what i am saying we are not getting in the middle of. Rep. Weber would you say, in this particle instance, where that supplier was identified, that it would be worthwhile to go back and see exactly how that happened, how that supplier at the proverbial camels nose under the tent . Mr. Seaton i think its in the federal governments best interest to understand where bowling abilities emanate from, so certainly. Rep. Weber whose responsibility is that . Mr. Seaton i think its a shared responsibility. Rep. Weber between who . Between the federal agencies that are responsible for our cybersecurity policy as well as an agency that would be interacting with a specific fighter. Rep. Weber is that something you can follow up with our office on and tell us who those agencies are and who has responsibility for that agency . Im talking about addressing this particular instance and how it was discovered and how we got there and what steps will be taken to prevent some recurrences. Can you follow up . Mr. Seaton certainly. We will take that as as a question for the record, yes. Rep. Weber i appreciate that. Madam chair, i yield back. Chairwoman horn thank you very much, mr. Weber. Appreciate your questions, and , as always, your participation in the subcommittee. I think i have a few more questions i want to follow up with, and we will have an opportunity for the members to do another round of questions if everyone is available to stay, since were still have time. I want to follow up on a couple of things going back to some of the earlier questions about, one, about the unauthorized devices or personal devices, and then i do want to follow up on mr. Webers line of questions a little bit more. Mr. Martin, the august 2020 iq report on unauthorized devices, which, of course, this nasas Network Sites cio offices saying theres currently no authoritative way to obtain the number of partnerowned i. T. Devices. I know mr. Seaton mentioned you are not allowed that anymore, but it seems that still happening. Mr. Martin, i am wondering what the risks are not to be able to identify and why that may be the case from your perspective in this report, and then mr. Seaton, i want to follow about what nasa is doing to improve its understanding and insight into those devices. So mr. Martin, if you want to start with that. I. G. Martin sure. Like i said at the outset, nasa has been searching for that balance between user flexibility and system security. During the ten years ive been nasa, it has somewhat how widely lurched between those. I remember early on a number of years ago when they had a byob policy, which was a bring your own device policy. That was about allowing employees and even contractors to use personal devices. In the last couple of years, nasas taken a much more measured approach and focus recently, but there are still gaps that remain in the security of these mobile devices. As you keep as you indicate in the report that we issued just last month, they have implemented software, but they havent wholly implemented the controls to remove or block devices from nasa systems that shouldnt be on a nasa system. They are also not adequately monitoring the business rules for granting access with the personal device to nasas network. They are not enforcing consistently the Business Needs to that, but they are also not ensuring the mobile devices, the personal bubble mobile devices that connect to the systems, dont finally supply chain violate supply chain rules. Chairwoman horn thank you very much, mr. Martin. Mr. Seaton, i know youve taken steps in that direction. Can you speak to i know theres been a delay, but what is nasa and what is cao doing to address these outstanding issues . Mr. Seaton certainly. As an agency, i think we have been a leader in preventing the diagnosticuous program, where we diagnostic mitigation program, where cdm phase one one identified what was on the network. Phase two is controlling who is on the network. That includes the Network Access control elements that mr. Martin spoke of. In the coming year, i think we will be able to enable those controls to be able to have a Technology Based way to enforce a policy that has been issued by my office. Chairwoman horn thank you very much. And just following up on a couple of mr. Webers questions. In terms of the insight, getting back to some of the first questions about contractor requirements and how we control for suppliers and information, theres a balance between overly burdensome requirements and the opportunity for bad actors to influence or to gain access. Im wondering, mr. Martin, what you see as potential authorities that nasa may need to be able to have additional insight or control or contracting provision to ensure that there is compliance all the way up and down the supply chain. Is it with the primes or are there other provisions that may be needed . Mr. Seaton i will answer that by focusing inhouse on nasa. We commented in the last audit in 2014 and did a followup in 2017, and one of our concerns is how a nasa instructor, whoever is sitting in the cios position does not have full insight into all of nasa systems. Particularly admission systems and centerbased systems. Jeff and his colleagues have full control over what is known as the institutional systems, but they may have about 25 to 30 of nasas overall budget, so the lack of insight and oversight wielding the state that controls the money on the internet is a real governance issue. Chairwoman horn thank you very much, mr. Martin. Mr. Seaton, do want to speak to that quickly . It sounds like, to be able to do that, you need additional authorities over insight and oversight. Mr. Seaton actually, i think that is been changing. I sit on the Agency Program Management Council and Acquisition Strategy counsel as a full member, so ive insight into major agency decisions. The Administration Fully supports programs and plans were putting in place. And then the collaboration with the missions to ensure the systems are secure, where we now have much more widespread effective, consistent approaches to authorities to operate. I have been working with the council of deputies with an asset to ensure that we have the appropriate mission leadership, Senior Executives designated as authorizing officials for those mission systems. I do think were making significant progress. Chairwoman horn thank you. Thank you very much, mr. Seaton. Mr. Babin. You are recognized for five minutes, if you have more questions. Rep. Babin yes. Can you hear me . Thank you. I do have some more questions. I wanted to address this to all the witnesses, if possible. How many intrusion attempts per month did nasa identify last year . How does that compare to the intrusion attempts per month this year during covid . If this information is sensitive, please provide a response to the staff after the hearing concludes. Mr. Seaton if i could take the specifics of the question for the record, but i can speak in more general terms. As i mentioned before, i think that the measurement of intrusion continues to fluctuate based on our insight into the network, and that has increased. So, in some cases, where we see an increase in intrusions, it is because we are seeing more of what is happening, and we are to the point now where we have got a pretty solid visibility into our network today. But then a comparison of a comparison of specific ones by month, we will have to take that and get back to you. Rep. Babin ok. All right, thank you. I think i will yield back, madam chair. Chairwoman horn thank you very much, mr. Babin. Mr. Beyer, you are recognized. Rep. Beyer i have no more questions. I keep learning but i yield back. Chairwoman horn excellent, thank you. Mr. Garcia . Rep. Garcia thank you, madam chair. Just a quick question. The old adage that the best defense is a good offense is kind of appropriate here. Mr. Seaton, are you happy with the support you are getting from other Government Agencies in terms of the development as, at the national level, we develop offensive cyber capability that informs your defensive cyber techniques and vulnerabilities . Are you comfortable and satisfied with the communications, i will just say, to other Government Agencies that should be informing as to where the state of the art is going in terms of offenses cyber capabilities, which may be in hands of the bad guys and be within our own Domestic Networks . If not, where can we help to maybe improve your ability to leverage the development of other equities outside of nasa . I. G. Martin i think the administration has been very supportive of our need to continue with the appropriate focus on cybersecurity, and i think that nasa has effective relationships with our counterparts that can provide as counterintelligence information as well as best practices on cybersecurity, the cios across the federal agencies engaging to share information is another effective mechanism for that information sharing. Rep. Garcia so the historical, i will call it historical evidence over the last two years though, have been any surprises, i guess, from the threats where it was a completely unknown rider come in through an unknown technique or vulnerability that really had not been discussed . I know there are sensitivities about how much you can say here, but, you know, any sort of unknown riders that just completely caught you off guard that we ultimately found out another equity throughout the government, maybe, had been aware of . Mr. Seaton yeah, i think because of the dynamic landscape , we are going to face surprises. We want to minimize those, right . But i will say there are times when either agencies have observed activity and contacted nasa, and then we would partner on that. Again, i think the mechanisms are there. Rep. Garcia thats good. Thats encouraging to hear. A lot of these Lessons Learned cap and learned several times before, so if we could avoid duplication of Lessons Learned, especially in this cyber domain, thats a huge benefit to you guys. Thank you. I yield back, madam chair. Chairwoman horn thank you very much, mr. Garcia, and thank you to all of our members for the thoughtful, intentional questions, and to all of our witnesses. Its clear that these are critically important issues that nasa is facing as well as some important Lessons Learned during covid19. As dr. Burley stated that these are not normal times, so the strategies during covid19 are important but also inform cybersecurity more broadly. And i think it sounds as nasas making progress, but as the authorizing committee, we want to ensure that you have sufficient authorities and funding capabilities to have strong cybersecurity practices and protocol in place, and we continue to move forward with the recommendations and implementations from the gao, and other strategies that ensure not just the 25 that you have authority, direct authority over, but the contractors, especially given some of the things that we have seen. So unless any of our members have further questions, we will bring this hearing to a close today. I want to thank, again, the witnesses for your testimony and for your time and for what you do. The record will remain open for two weeks for additional statements from the members and additional questions of the committee or that the committee or members may ask of the witnesses. Thank you all again for your time. The witnesses are excused, and the hearing is now adjourned. Thanks, everybody. [captions Copyright National cable satellite corp. 2020] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. Visit ncicap. Org] this afternoon, candidates to ,e missouris next governor incumbent mike parson, democrat andle galloway, independent rik combs, and Green Party Jerome Bauer will participate in a televised debate. Evening, a televised colorado. Watch live coverage, beginning at 7 00 eastern on cspan, online at cspan. Org, or listen on the free cspan radio app. The Vice President travel to arizona for his First Campaign event following wednesday nights Vice President ial debate with senator kamala harris
comparemela.com © 2020. All Rights Reserved.