
Hearing is an hour and twenty minutes. This hearing will come to order. Without objection, the chair is authorized to declare a recess at any time. Before I deliver my opening remarks, I want to note that today the committee is meeting virtually, and announce a couple of reminders for this hearing. First, members should keep their video feed on, and members are responsible for their microphones. Please keep muted unless you are speaking. Finally, if members have documents they wish to submit for the record, please email them to the committee clerk, whose email address was circulated prior to the hearing.

Good morning, everyone. I'd like to welcome our distinguished panel of witnesses, members, and those viewing remotely to today's Space and Aeronautics Subcommittee hearing on cybersecurity at NASA: ongoing challenges and emerging issues for increased telework during COVID-19. In early 2020 the world was caught off guard by the rapid onset of the coronavirus. NASA, like many agencies, and consistent with Office of Management and Budget guidance, rapidly shifted to telework to ensure the health and safety of its more than 17,000 civil servant employees and extensive contractor workforce. To its credit, NASA prepared for the transition, having held an agency-wide telework exercise in early March. It then expanded telework operations. Today 75 to 80 percent of NASA civil servants continue to work remotely, handling proposal reviews, project oversight and inspections, development work, engineering analysis, and other activities. The shift to increased telework at NASA raises many questions, front and center cybersecurity. What does increased telework mean for protecting NASA's property, personally identifiable information, and mission operations? How do the cyber challenges related to increased telework affect the agency's overall cybersecurity risk posture, and what steps is NASA taking to assure the effectiveness of its cybersecurity efforts during the pandemic and beyond?
These are some of the questions today's hearing will explore, because what's clear is that NASA is a target. I want to pause here for a moment to note an article in The Hill today reporting that the Justice Department has brought charges against Iranian nationals for hacking U.S. satellite companies. This is incredibly timely. A NASA IG report stated that, given NASA's mission and the valuable technical and intellectual capital it produces, the information maintained within the agency's IT infrastructure presents a high-value target for hackers and criminals. In 2019, the NASA administrator stated at an agency town hall that NASA is the most attacked agency in the federal government when it comes to cybersecurity. Past data breaches and system intrusions at NASA and its facilities have resulted in large amounts of stolen data, installation of malware, copying, modifying, and deleting sensitive files, and accessing NASA servers, including those supporting missions. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which is a mouthful, of course, CISA, a very important agency, issued specific alerts on vulnerabilities related to telework during the pandemic and urged organizations to bolster their cybersecurity. The agency's then chief information officer notified employees of increased hacking attempts on the agency's systems. In June 2020, media articles reported that malicious actors congratulated NASA and SpaceX on a crewed demonstration flight and then announced they had allegedly breached and infected a NASA contractor, specifically one that provides technology and cybersecurity services to the agency. If true, that's a concerning report and part of the reason we're here today. Protecting NASA's IT and data during the pandemic demands vigilance. However, NASA's cybersecurity challenges don't begin and end with the COVID-19 crisis. Multiple NASA IG and GAO reports have identified weaknesses and ongoing concerns with NASA's information security.
Further, they have ranked this issue as a top agency challenge. Ensuring effective cybersecurity at NASA becomes even more pressing given rapid advances in IT, supply chain risks, NASA's culture of openness and partnerships, and the overall increase in space activities. NASA is a national treasure. Its missions continue to inspire both young and old, and NASA's cutting-edge space technologies, research, and spaceflight experience are the envy of the world. NASA's accomplishments wouldn't be possible without computers, software, and information systems. Can NASA or any organization be 100 percent risk-free from cyber threats? Probably not. Is there room for improvement? Absolutely there is. I hope that today's hearing will give an understanding of the challenges and risks posed by increased telework and whether or not NASA is organized and resourced sufficiently and effectively to mitigate those risks. The bottom line is we need to ensure that NASA has the tools it needs and takes the necessary actions to ensure the agency's success, safety, and security during COVID-19 and beyond, and I look forward to our witnesses' testimony today.

So I think we are there. Ranking Member, glad you were able to join. I know sometimes technology, speaking of technology, can be a challenge. Glad you made it through. The chair recognizes Ranking Member Babin, my good friend from Texas, for an opening statement.

Absolutely. Thank you. We had three computers here we couldn't get on, but I got on by telephone. Any way we can do it, I'm glad to be with you.

Innovation and ingenuity. I love it.

Absolutely. Thank you so much. NASA is one of the best known organizations in the entire world. Its successes with Mercury, Apollo, and international programs, along with breathtaking scientific discoveries and jaw-dropping robotic probes, attract worldwide attention. Unfortunately, that attention comes with many challenges.
The technologies NASA develops are sought after by criminal enterprises, foreign governments, and destructive vandals. Because many technologies have both civil and military applications, these challenges are particularly gray. This is a topic this committee has examined for decades, including testimony before the Investigations and Oversight Subcommittee almost 10 years ago on the topic of information security. At that hearing it was testified that an unencrypted laptop was stolen from NASA that resulted in the loss of the, quote, algorithms, unquote, used to control the space station, as well as personally identifiable information and intellectual property. Similarly, the U.S.-China Economic and Security Review Commission noted in its 2011 report to Congress that the Terra and Landsat satellites experienced two separate instances of interference consistent with cyber activities against their command and control systems. More recently, the NASA IG issued its yearly report in July, which found, quote, information systems throughout the agency face an unnecessarily high level of risk that threatens the confidentiality, integrity, and availability of NASA's information, unquote. The report concluded that, quote, it is imperative the agency continue its efforts to strengthen its risk management and governance practices to safeguard its data from cybersecurity threats, unquote. Last month the IG issued another report on NASA's use of non-agency IT devices and found that, quote, NASA is not adequately securing its networks from unauthorized access by IT devices, unquote. The NASA IG is currently tracking 25 open recommendations for the Office of the Chief Information Officer. These do not include IT and cybersecurity recommendations to mission directorates or other organizations in the NASA enterprise. While these may seem startling, there are specific reasons that many of the recommendations remain open.
For instance, agency-wide guidelines and best practices are often general rules and principles that are not optimized to specific agencies' unique capabilities, expertise, and challenges. For instance, NASA is the world leader in designing, building, operating, and communicating with spacecraft. This expertise resides with mission directorates and centers that have cultivated it over many decades. In some instances, they actually developed the software, information systems, and underlying technologies that industry and the rest of the government adopted and embraced. In even more extreme circumstances, they continue to use one-off operating systems that, while perhaps not compliant with OMB guidance, are arguably more secure because of their uniqueness and obscurity. Efforts to bring these systems and technologies into compliance with one-size-fits-all, cookie-cutter rules for systems could actually introduce more risk into the system. This isn't to excuse NASA's cybersecurity shortcomings as identified by the IG and GAO over the years. Lost laptops, unsecured devices, unauthorized systems, authorization to operate, and poor inventory management are all cause for concern, which brings us to the situation that NASA currently faces. The COVID-19 challenge requires most of NASA's employees and contractors to work remotely. While NASA has embraced teleworking for years, the expansion of this practice introduces a larger target and more vulnerabilities for malicious actors to exploit. In addition to teleworking challenges, I'm also interested in understanding what level of insight NASA has into contractor cybersecurity as NASA moves toward public-private partnerships. Finally, it's worth noting that President Trump recently issued Space Policy Directive 5, focused on cybersecurity principles for space systems.
While it is not COVID-focused specifically, it is particularly timely given today's hearing and demonstrates the administration's forward-looking leadership on this very topic. I look forward to hearing more about these important issues and what NASA plans to do to mitigate them, as well as what Congress and the administration can do to help. With that, Madam Chair, I yield back.

Thank you, Ranking Member Babin, for your opening statement. I think it's safe to say we share many of the same concerns in this area, and I'm excited and grateful for the opportunity for this hearing today. If there are any members who wish to submit opening statements, the statements will be added to the record at this point.

Now I'd like to introduce our witnesses. Our first witness today is Mr. Jeff Seaton. In April of 2020, he was named NASA's chief, acting chief information officer, acting chief information officer. Let's see if I can get that out right. Prior to that he served as deputy chief information officer and spent seven years as the chief information officer at NASA's Langley Research Center. He began his career with NASA in 1991 as a research engineer designing robotic systems for space-based applications and also served as Langley's chief technology officer and deputy CIO. He received a bachelor's degree and a master's degree in electrical engineering from Virginia Tech. Welcome. We're glad you're with us today.

Our next witness is Mr. Paul Martin, Inspector General for the National Aeronautics and Space Administration. Mr. Martin has been the NASA Inspector General since 2009. Prior to his appointment at NASA, he served as deputy Inspector General at the Department of Justice. He also spent 13 years at the U.S. Sentencing Commission, including six years as the commission's deputy staff director. Mr. Martin received a bachelor's degree in journalism from Pennsylvania State University and a juris doctorate from the University Law Center. Welcome, Mr. Martin.
Our third and final witness is Dr. Diana Burley. In July 2020, she was appointed vice provost for research and director of public administration at American University. Prior to her current position, she spent 13 years as a professor of human and organizational learning at George Washington University, where she was the inaugural chair of the Human and Organizational Learning Department and the director of the executive leadership doctoral program. She has also managed a multimillion-dollar computer science education and resource portfolio for the National Science Foundation. Dr. Burley received a bachelor's degree in economics from the Catholic University of America, a master's in public management and public policy from Carnegie Mellon University, and master's and doctoral degrees in organizational science and information policy, also from Carnegie Mellon University. Welcome, Dr. Burley.

As you know, you each have five minutes for spoken testimony. Your written testimony will be included in the record for this hearing. When you have completed your spoken testimony, we'll begin with questions, and each member will have five minutes to question the panel. We'll start today with Mr. Seaton. You are recognized for five minutes.

Thank you, members of the Subcommittee on Space and Aeronautics, for allowing me to appear before you and talk about NASA's IT infrastructure and our efforts to manage and protect that infrastructure during the pandemic. Thankfully, NASA was well positioned to keep missions moving forward by shifting the majority of its workforce to telework last March. As a result, NASA has never been closed, and our workforce has continued to work in a productive manner despite the COVID-19 virus. With strict safety protocols in place, NASA is now allowing more personnel on site based on guidance from the CDC and other federal partners. Let me assure you, the safety of our workforce remains our top priority. At the same time, protecting and effectively operating our IT infrastructure continues to be another top NASA focus.

IT plays a critical role in every aspect of NASA's missions. However, effective IT management is not an easy task. It's my job to balance innovative, mission-enabling IT capabilities with operational efficiency and effective cybersecurity to guard against evolving threats. During the pandemic, the demands and expectations placed on NASA's IT infrastructure have been incredibly high, and threats from external actors remain an ongoing concern. However, with hard work, dedication, and innovation, NASA's CIO team has risen to the challenge of keeping our missions moving forward. For example, OCIO helped rapidly develop software to track cases of on-site COVID-19 exposure while meeting security and privacy requirements. Additionally, NASA continues to hire and onboard new employees, contractors, and interns with innovative approaches to provisioning and maintaining IT systems and tools remotely. For NASA employees, the pandemic has dramatically changed the way that we work. While many employees already teleworked occasionally before the pandemic, having 90 percent of employees teleworking at the same time has been game changing. NASA employees have significantly increased their use of virtual collaboration tools such as WebEx and Microsoft Teams so we can interact face to face, sharing virtual collaborative workspaces. Employees depend on NASA's virtual private network to connect securely to internal networks and systems. Before the pandemic, our highest VPN connection rate was about 12,000 users in a single day. Today our VPN is supporting almost 40,000 daily users with an availability exceeding 99 percent, thanks to architectural and capacity improvements implemented over the past 24 months. Like other federal agencies, NASA's infrastructure is under constant attack, and we continue to mature our technical and procedural abilities to proactively defend systems and data.
The reported number of attempted cyber incidents has increased, partly because we have greater visibility into our network today. I'm confident NASA is appropriately addressing and strengthening our response to threats. In fiscal year 2020, we developed an enhanced security operations center located at the Ames Research Center. Previously, if operations were interrupted, we had a limited ability to identify the attack and respond to incidents. Today it spans multiple centers, allowing us to maintain 24-by-7 operations at all times, even if there is an isolated disruption. With strengthened tools and capabilities, NASA is transitioning from a largely reactive to a proactive security posture. As the pandemic worsened in April, we moved to ensure employee safety, and we did so without negatively impacting our network or cybersecurity capabilities. In closing, I want to personally thank not only OCIO staff and leadership but the entire NASA workforce for the hard work and personal sacrifices they have made. Our employees are finding new ways to keep missions moving forward, support each other, balance work and family pressures, and dedicate expertise and personal time to developing technologies aiding in the national response to the coronavirus. While no one is sure what the future holds, NASA senior leaders, including myself, are committed to keeping the NASA workforce safe and providing them with the IT tools and infrastructure they need to continue executing our missions. I want to assure you that protecting and evolving NASA's IT is and will remain a top priority. Thank you for the opportunity to testify before you today, and I look forward to answering any of your questions.

Thank you. Thank you very much, Mr. Seaton. Mr. Martin, you are now recognized for your testimony.

Thank you, Chairwoman Horn. The NASA Office of Inspector General has conducted significant oversight work to help NASA improve governance while securing its networks and data from cyber attacks.
Over the past five years, we have issued 16 audit reports with 72 recommendations related to IT governance and security. During the same period, we've conducted more than 120 investigations involving intrusions, denial-of-service attacks, and data breaches on NASA networks, several of which have resulted in criminal convictions. My testimony today is informed by this body of audit and investigative work. The security of data and IT systems is central to NASA's success. The agency spends more than $2.2 billion a year on a portfolio of IT assets that includes hundreds of information systems used to control spacecraft, collect and process scientific data, and enable NASA personnel to collaborate with colleagues around the world. Given the valuable technical and intellectual capital NASA produces, its IT systems present a high-value target for cyber criminals. The past six months in particular have tested the agency, as more than 90 percent of NASA's workforce moved from on-site to remote work due to the pandemic. During this period, NASA has experienced an uptick in cyber threats, with phishing attempts doubling. This morning I offer three observations about the state of NASA's IT security and governance to provide context for the scope of its challenges. First, our concerns with NASA's IT governance and security are wide-ranging and longstanding. For more than two decades, NASA has struggled to implement an effective governance structure that aligns authority and responsibility commensurate with the agency's overall mission. The agency's CIO has limited oversight and influence over IT purchases and security decisions within mission directorates. This decentralized nature of NASA's operations, coupled with autonomy, has hindered the CIO's ability to implement enterprise-wide IT governance.
Moreover, NASA's connectivity with educational institutions and other outside organizations and its vast online presence of 3,000 web domains and 3,000 publicly accessible data sets offer cyber criminals a larger target than most other government agencies. Second, despite positive forward momentum, the agency's IT practices continue to fall short of federal requirements. For example, in 2019, for the fourth year in a row, NASA's performance during our annual review remained at level two out of five, meaning the agency has issued but has not consistently implemented important policies and procedures defining its IT security program. Third, like many other public and private organizations, NASA struggles to find the right balance between user flexibility and security. For example, for years NASA permitted personally owned and partner-owned mobile IT devices to access nonpublic data, even if those devices did not have a valid authorization. Today NASA employees and partners can use non-agency devices to access email if the user installs security software known as mobile device management. However, an OIG audit last month found NASA was not adequately securing its email networks from unauthorized access by these personally owned devices. Although NASA has deployed technologies to monitor unauthorized connections, it has not fully implemented controls to remove or block those devices. Moreover, the agency's December 2019 target for installing these controls was delayed due to technological issues and pandemic-related center closures. Until these enforcement controls are fully implemented, NASA faces an elevated risk of a breach. Finally, as part of its MAP initiative, NASA plans to centralize and consolidate IT capabilities. The CIO's office expects to complete its MAP assessment by March 2021, with implementation on institutional systems beginning later that year. As MAP unfolds, we plan to assess whether enterprise-level alignment has strengthened cybersecurity at NASA.
I look forward to your questions.

Thank you, Mr. Martin. Dr. Burley, you are recognized for your testimony.

Thank you. Subcommittee Chairwoman Horn, Ranking Member Babin, and distinguished members of the committee, thank you for the opportunity to appear before you today. As the nation continues to navigate the complex and uncertain environment of the global pandemic, it is vital that we engage in robust discussion of cybersecurity challenges and emerging issues for increased telework during this time. At American University, guided by the plan Changemakers for a Changing World, we empower graduates to navigate a period of change, and AU is pushing the boundaries of discovery in health care, data science, social equity, and security. In my remarks today, which are shaped by a decades-long career leading cybersecurity initiatives, I will highlight how the interplay of these areas supports the development of a holistic strategy to address cybersecurity issues surrounding the exponential growth in telework during this unprecedented time. Concerns over exposure to COVID-19 have accelerated a mass migration to virtual settings. While teleworking arrangements have existed for years, never before have we seen this range and volume of remote workers and remote working environments. Employees across categories and technical abilities are working remotely and engaging with employers, colleagues, and customers through a digital interface and on a range of devices. Securing this activity necessitates that we recognize both the technical needs and the environmental factors that shape that behavior. Consider the following. Novice users and novice experiences create vulnerabilities. In the hurried transition to remote work, agencies did not have sufficient time to prepare novice users for the complexity of their newly virtual working environments, where overall security is more reliant on individual decisions made by employees and nonemployees alike.
Even seasoned users who have developed behaviors in accordance with on-site norms face new challenges and can find themselves less prepared to avoid the vulnerabilities exposed by remote working environments. Employees are working under duress. COVID-19 continues to drive economic instability, health-related concerns, anxiety, and confusion. Employees are worried about meeting their basic needs and are less likely to attend to seemingly lower priorities like cybersecurity. Cyber criminals exploit targets of opportunity, and the shift in activity provides a larger attack surface and more opportunities for cyber criminals to use social engineering techniques such as fraud, misdirection, and misinformation to exploit those vulnerabilities. Users bring their entire selves online. If we use the public health analogy of treating the whole patient, we can strengthen the efficacy of guidance on robust cyber activity. In public health, treatment is inextricably linked to the social and environmental conditions of its patients. Today, in the midst of the COVID-19 pandemic, we must recognize that while basic cyber hygiene practices are relatively doable under normal circumstances, these are not normal times. Our workers are distracted, frightened, and fatigued. This is especially true for the most vulnerable users. As such, strategies to strengthen the cybersecurity of teleworkers must consider the full spectrum of user experiences and address the complex realities of their needs. The points I have just outlined represent only a snapshot of the benefit of using a holistic approach to reduce the impact of cybersecurity-related vulnerabilities. I have long advocated for this type of approach. Now, and with a greater sense of urgency, we must collaboratively develop interventions that address the interplay between technical and environmental variables that shape cybersecurity posture across the broad range of teleworkers as they navigate the COVID-19 environment.
I look forward to continued engagement with this esteemed committee to develop concrete strategies that raise awareness of the threat, encourage actions that increase the cybersecurity of the nation's employees, and protect our most vulnerable citizens. Thank you.

Thank you very much, Dr. Burley. At this point we'll begin with our first round of questions. The chair recognizes herself for five minutes. Thank you to our witnesses today. It's clear these are important issues, and there are a lot of things to tackle. I want to start, Mr. Seaton, with some questions about contractors and cybersecurity, especially given the increased use and the significant use of contractors within NASA's workforce. I have a number of questions. I'm going to try to get through as many as we can. Some are just yes or no, and then we can get to other things. What we know, and I mentioned the article in The Hill, is that our systems hold a lot of information that hackers are very interested in. The contractors NASA works with are integral to our nation's space agency. So my first question is: are there FAR clauses, federal acquisition-related clauses, that refer to contractor security requirements?

Yes, there are. We include those in our agency contracts. Our providers follow cybersecurity requirements.

Let me follow up on that for a moment. Those are NASA cybersecurity requirements. We asked earlier this year about associated FAR language, and NASA's response was that there are no FAR clauses. Do those fall under NASA requirements in contracts?

We have NASA FAR supplements. We get specifics on what those requirements are via that. I can take the question for the record for you.

Absolutely. When those clauses are included, is it NASA that signs off on the cybersecurity, or are there waivers? Who signs off on the requirements for cybersecurity, that they have been met?
Well, we have automated tools to be able to ensure that our contractors are complying with the requirements when they are connecting to a NASA system, just as any NASA employee would. So, as was mentioned in the earlier testimony, we have put in place controls and are continuing to strengthen those controls to ensure only authorized devices can connect to our network and systems.

Okay. Who has oversight of contractor cybersecurity protocols? Is that through your office? Are you able to conduct oversight and audits of cybersecurity practices by contractors?

Ultimately, I am the acting chief information officer, and so cybersecurity is my responsibility, and so it would be me and my team that ensure compliance with the cybersecurity requirements.

Okay. Do you feel like you have sufficient oversight and insight and ability to do that within your authorities?

Yes, I would say I believe within NASA I've been given the appropriate authority and support, but I will say the environment is continuing to change, and it's a dynamic landscape. IT is no longer just the computer and laptop on your desk but extends to operational technology, where IT is embedded within systems. It's challenging with the evolving landscape, and so we continue to mature our processes.

Thank you. Stepping back to the challenges this year from COVID-19, I'll have a question for Mr. Martin and Mr. Seaton, and hopefully have time to get to Dr. Burley about a broader issue. The memo your predecessor published on April 8th warned of increased attempts at cyber attacks, especially during COVID-19. And my first question is to you, actually, and then to Mr. Martin. How has the rate of cyber attacks changed since that memo in April, and what steps has the OCIO taken to respond to those increased attempts?

Well, we have seen an increase in phishing attacks and, at a lower level, some other attacks. But honestly, the change to the pandemic operating model is consistent with how NASA has operated in the past.
We've supported a mobile workforce, and so we have put in place controls and technologies to mitigate against some of these threats, including automated prevention of phishing attacks, because when it comes down to it, you and I, the people, are the most vulnerable part of our IT security. So we have tried to put in place automated controls to make that easier for our employees and have seen significant improvements in phishing protections over the last two years.

Okay. Thank you. And quickly, Mr. Martin, my time is coming to an end. But what is your confidence level in NASA's ability to sufficiently address the increase in cyber threats as reported by the CIO?

Overall, I think they're making incremental improvement. They're headed in the right direction, and I think there's a new realization over the last couple of years of the expanse and significance of the challenge. So I think we're very, very cautiously optimistic.

Wonderful. Thank you very much. Now I recognize Ranking Member Babin for five minutes of questions.

Thank you, Madam Chair. I think I'm unmuted. Hopefully I am. I want to address this to Chief Information Officer Mr. Seaton. Two weeks ago, President Trump signed Space Policy Directive 5, which focused on cybersecurity principles for space systems. SPD-5 states, it is the policy of the United States that executive departments and agencies will foster practices within government space operations and across the commercial space industry that protect space assets and their supporting infrastructure from cyber threats and ensure continuity of operations. My question is this: as NASA increases its use of public-private partnerships, how will it ensure the contracts comply with this policy without implementing regulations?

Thank you for the question. Yes, so, SPD-5. We appreciate the administration's and this Congress's focus on space cybersecurity, because that's critically important to us.
We're currently in the process of reviewing and analyzing SPD-5, but the good news is we see a lot of consistency with best practices that we're already implementing, and we'll continue to look to strengthen our cybersecurity, both within our missions as well as with our contract partners.

Absolutely. Thank you so much. My next question would be to Inspector General Paul Martin. Your office issued a report on JPL, the Jet Propulsion Laboratory's, cybersecurity management last year. JPL, unlike other NASA centers, is managed by a contractor. Of course, that's Caltech. The report highlighted the fact that NASA's contract with Caltech did not include relevant requirements from NASA IT security policies. And so, has the OIG conducted a review of other NASA contractors to determine if their contracts include the necessary clauses pertaining to IT security? And if so, how many has your office conducted?

Thank you, Mr. Babin. We had not conducted a separate audit looking at that specific issue, although if I could double back, the concern we had when NASA entered into a new five-year contract with Caltech was that the contract was absent these significant IT oversight provisions. We have since followed up and found out that JPL has issued, and NASA has accepted, and we've reviewed, and they do meet the criteria that we were concerned about. So the federally imposed IT oversight is going to happen at JPL, so we're pleased with that.

Okay. Thank you. And does the OIG conduct compliance audits to determine if contractors are fulfilling their contractual obligations pertaining to information security? And if so, how many has your office conducted there?

Again, we conduct a significant number of program audits that look at the programs run by these contractors, and part of that review includes a detailed dive into the contracts to make sure that the IT security requirements are not only in the contract but are actually followed.
Is this a more appropriate role for the NASA CIO or procurement office to conduct, rather than the OIG?

Well, I think the audit, certainly, the CIO's office and procurement have to ensure at the outset that the appropriate security issues and safeguards are contained in the audit themselves. And ongoing good contract management would show that you need to ensure that they're being effective. Now, the OIG has limited capacity, like most organizations, and so, we're going to try to target the more high-risk, high-value operations that NASA has to do a deep-dive audit.

Okay. And then, as this very hearing demonstrates, NASA and the nation have adopted video conferencing to adapt to social distancing requirements. Has NASA identified any vulnerabilities with commercial video conferencing platforms, or are certain video conference platforms not allowed for NASA use based on technical characteristics or concerns over foreign influence? I would just see what every one of you has to say, just a short, concise answer. Appreciate it.

I'll start with that and say we have a set of approved tools that have gone through the appropriate security validation, which includes assessing any threats externally to those environments. And outside of that, other tools are not approved for use within NASA.

Okay. And then NASA OIG is using those approved tools. Okay. All right. Good. And Dr. Burley, did you want to add to that at all?

Most agencies and other organizations have their list of approved tools.

Okay. Well, Madam Chair, I've spent all my time, so I will yield back. And I want to thank all of the witnesses. We appreciate it very much. Yield back.

Thank you very much, Ranking Member Babin. And Mr. Perlmutter, you're recognized for five minutes.

Thank you, Madam Chair. And I think one of the biggest problems with this remote stuff is when somebody like Dr. Babin is walking around with his phone and I feel like we're on the Blair Witch Project, but that's a whole other problem.
My questions are for you, Dr. Burley. And Mr. Seaton mentioned the most vulnerable spot for, you know, hacking and cybersecurity is the individual, the person. And when you were testifying, you talked about novice users, you know, not familiar with the equipment or security protocol, employees under duress, worried about their basic needs and not the more refined things like cybersecurity, you know, that the folks are having trouble because they're distracted, frightened, and fatigued, I think were your terms. So, what I mean, it almost feels not the CIO should be involved, but the personnel department is really one of the keys here. So what do you see, whether it's NASA or generally across the agencies, being done to help the individuals kind of get through this very anxious period and maintain cybersecurity?

Thank you for your question. So, you're absolutely right in that it needs to be a collaboration between the IT department and the HR department. So first, every agency has a set of cybersecurity awareness programs that they have in place and that really guide not only behavior within the organization and within the walls, but also outside. Those awareness programs need to be adapted, recognizing that the employees are working in a different environment; they're working remotely, and they're working around other people. It's not just them. It's those family members and others who are in their environments. And so, we have to take a hard look at those awareness programs and recognize that they need to be adapted based on the current realities of work. And second, yes, absolutely, human resource professionals need to be involved to provide the kind of support to our employees that they need so that they are able to focus on not only doing their work, but doing their work in a secure manner.

I guess I hadn't even thought of it, but obviously, we should think of it. People are working from home.
The kids are in the background, or you know, whoever might be in the background, so it isn't like you're in the office at NASA headquarters where everything's pretty safe and secure. So, I think, Madam Chair, I'm going to yield back, but I do think this really is cooperation, certainly, between the HR department and all of the technology folks. And, Mr. Seaton, I mean, all three of our speakers have sort of focused on that. But I, in this pandemic, that's critical. And I yield back.

Thank you very much, Mr. Perlmutter. Mr. Posey, you're recognized for five minutes.

Thank you, Madam Chair, for holding this hearing on this important issue regarding cybersecurity at NASA during COVID-19. Just to recap, sometime in June 2020, NASA's Inspector General stated NASA's high-profile and sensitive technology makes it an attraction for computer hackers and other bad actors. As stated earlier, during the COVID-19 pandemic, many contractors are now teleworking, possibly making the agency a bigger target. In June 2020, a report of the Inspector General said it's time that the agency develop a review of its information security program to protect the confidentiality, the integrity, and availability of its data, systems, and networks. This is not a new problem facing NASA. The National Academy of Public Administration concluded back in 2014 that NASA networks are compromised and that individuals are not being held accountable. It's not a new concern for us either. I included language in the House-passed NASA authorization bill back in 2015 to address this by requiring a report on how NASA will safeguard its networks and protect against external control violations. The Inspector General also made nine recommendations to NASA, including making sure the risk information security system compliance systems data protection capabilities are updated to keep the data secure.
And the Inspector General concluded that the threats are increasing and that it is imperative for NASA to continue to strengthen its risk management governance practices to safeguard its data from cybersecurity threats. So, Mr., I'm sorry, Inspector Martin first. It was noted by the Inspector General that NASA is an attractive target for computer hackers and bad actors. Is China one of those bad actors? And does China present a sovereign security threat to NASA? And besides securing its information technology, what steps has NASA taken to secure its supply chain from Chinese hackers? And has NASA, as the Inspector General, referred a cybersecurity case involving China?

Yes, yes, no. I'm joking. That was a lot of questions. China is one of the foreign entities out there. China's the sole entity, country out there, that is seeking NASA's very valuable intellectual property. NASA is taking steps and has been to secure its intellectual property and its networks from attack from China and a series of other countries and also local hackers. But yes, NASA is. We have conducted a series of criminal investigations, and we work with the FBI and counterintelligence officials when we get leads on these issues.

Okay, thank you. All right, to you, Mr. Seaton. With cybersecurity threats increasing, has NASA taken the necessary actions in addressing the assessment from the National Academy of Public Administration back in 2014 and the nine recommendations that were identified by the Inspector General to keep data secure?

Yes. I'm happy to report that we closed down all of the recommendations. There were quite a few in the report, and those have been implemented, and I do think that they improved our security and our practices.

Dr. Burley, should the National Academy do another study to examine the vulnerabilities that teleworking presents?

The opportunity for associations and National Academies to do studies gives us an in-depth look, and so, I would say yes.

Thank you, Madam Chair.
I yield back the remainder of my time.

Thank you, Mr. Posey. The chair now recognizes Mr. Beyer for five minutes. Unmute button.

Thank you, Madam Chair, very much. Mr. Seaton, thank you very much for joining us today. In your testimony, you mentioned that in the course of the pandemic, you were able to onboard new employees, new interns. And amazingly, our office has been able to do the same. Wonderful interns, new staff. We've also been able to safely ensure that all staff have House-issued equipment, including laptops and phones. So, in the OIG report, I was surprised that personally owned devices could connect to internal systems and that OIG was critical of monitoring, enforcing rules associated with granting access to the NASA networks. So, how do you make sure that no employees were given the proper equipment? And if they're not getting NASA-issued equipment, how do we ensure that those personal devices are secure?

Yes, thanks. Great question. We actually do require the use of NASA-provided equipment for our new employees and interns. We do provide them with the tools they need. Recently, within the last two years, it was my office that changed the policy that was referred to earlier, where, yes, previously, we did allow personal devices to connect. That is no longer allowed by policy. The only allowance is for a mobile device that has a mobile device management software that we provide that creates a secure container and a secure connection back to our email and calendaring systems, if an employee will consent to us managing their personal device with that software. That's the one case where we do allow that. Where we do have opportunities to continue to strengthen our architecture is implementing the automated controls to ensure that that is what's happening.
So, network access control, and the pandemic has actually impacted our implementation there, pushing out that schedule into next year, but we made significant progress through DHS, the CDM program, to know what's on our network and who's on our network, and have a little bit more to do there.

Thank you. That's encouraging to know, because I'm sure the stuff you have is much more important than the thing that's on my network. Mr. Martin, you talked about the malicious intrusions into NASA's systems, unauthorized access to the Deep Space Network. Other than the personally identifiable information, what are they after? And how much of this is China, Russia, the other nations that are interested in space? And will this affect, or could this affect, our lunar missions, our Mars mission, the really big important things that NASA's doing?

Thank you, Congressman Beyer. NASA has vast troves of important intellectual information, capital, that it has spent decades amassing. And so, I think folks are, country actors are, after that information, the innovations that NASA's so famous for around the world. There's everything from PII, there's contractual data on the systems, so there's just a vast and wide array. And again, we've had, NASA, unfortunately, has been under attack from both domestic and foreign cyber criminals, and so, it is just an ongoing, incredibly difficult issue to keep NASA's defenses up.

Thank you very much. And Professor Burley, one of the challenges NASA has, obviously, is that they're so decentralized. So many of us have NASA facilities near or close. And so, a one-size-fits-all is always going to be difficult. Are there other examples of systems, especially federal systems, that are similarly decentralized that have been able to effectively secure their IT systems? Is there anybody for NASA to imitate?
I think that the CIO from NASA would know better, but there are many different decentralized systems, both within the federal government and outside, that could be used as a guide to at least begin to think about best practices and other strategies for securing the networks.

Let me pivot to Mr. Seaton then quickly, because I know, like, the Department of Commerce had 13 different CIOs. Do you have the same challenge within NASA?

Yeah, so, there is one CIO, but there are center CIOs that all report to me. We have a single IT strategy. And for almost a decade now, we've been working to integrate and operate as a cohesive unit, acknowledging that there are some uniquenesses at our centers but implementing consistent policies and moving towards enterprise services and contracts. So, I think we are moving in the enterprise direction very significantly.

Thank you very much. And Madam Chair, I yield back.

Thank you very much, Mr. Beyer. Mr. Garcia, you're recognized for five minutes.

Thank you, Madam Chairwoman, appreciate it, and I appreciate the testimony and the witnesses today. Very exciting times for NASA and also very challenging with very unique dynamics in play here. I guess I've got a few questions, and probably directed to all of you, Mr. Seaton, Mr. Martin, and Dr. Burley. I come from a company where I was a program director for a large air-breather program, and there were both classified and unclassified elements to it. One of the big challenges that we had as a large prime was that the classified elements fell under NISPOM requirements, which I think were effectively what Chairwoman Horn was asking about on the classified side as far as our compliance and requirements. Those requirements led to onerous cost to suppliers and to the lower-level supply chain folks.
What are we able to do, what is NASA doing, I guess, to make sure that the small businesses that are a critical element of your supply chain aren't necessarily getting overwhelmed with either cybersecurity requirements or cybersecurity development or software development work, and therefore, almost being dissuaded from entering into this industry, into this support chain? Are we able to provide GFI, or government-furnished IP, to make sure and flow down to the lower-level suppliers to make sure that they're baking in some of these cybersecurity elements into their respective programs? How do we communicate, I guess, with those lower-tier supply chain folks? I guess, Mr. Seaton, we can start with you.

Sure. I will say that is a challenge. Making sure that all of our suppliers and providers appreciate the significance of cybersecurity and are building that into the solutions they deliver is a requirement of doing business today, right? Today with supply chain risk management, just in August, Section 889 was enacted that requires us to certify that anybody we're doing business with complies with supply chain restrictions that are federal-wide. So we're working with our providers and suppliers to make sure that they understand and that they build that into their practices.

Yeah, just, you know, we've got to just make sure we're balancing the risk mitigation efforts, which are absolutely critical and essential, we have to do it, with the cost elements and, you know, just making sure that we're not driving some of these key suppliers out of business or out of our industry or out of your business, right? I know that's a delicate balancing act as well.

Cost of having a compromise is significant, too, though. So you're right, it is a balancing act, and we'll continue to try to work.
Are the primes or tier one suppliers actively looking to package up programs or software, you know, programs to download to the lower-level suppliers, or is it sort of ad hoc, depending on what the threat is and what the mitigation, threat mitigation, measure is?

Yeah. Unfortunately, I really can't speak to the individual practices of the companies and suppliers.

Okay. And then, I guess from just characterizing classified versus unclassified, are you able to speak to what percentage of your networks are on classified networks? And is there, is one of the sides lagging the other? In other words, do you see, you know, more threats on the classified side, or fewer threats but maybe more, you know, more critical impact to those networks? Or how would you characterize that between unclass versus the high side?

And my office is responsible for the unclassified side. We work with our Office of Protective Services on the classified side. I can't really speak in this forum to kind of the division there, but I will say that oftentimes, compromises on the unclassified side can be used to propagate to other systems. And so, that's a concern, even on the unclassified side.

Okay, great. And Mr. Martin or Dr. Burley, I don't know if you guys care to comment on either of those topics there?

We have little to no work on the classified side at NASA.

Okay. That's good to know. Okay. So, I would just, you know, we hosted a small business summit with Kevin McCarthy as well and NASA, with NASA Administrator Bridenstine, a couple of weeks ago. The cost of entry into the supply chain for all space programs is pretty high for some of these small suppliers.
So, I would just end with, let's try to enable them, let's make sure we're giving them the tools to be successful and be able to defend not only their networks, but yours, obviously, as your suppliers, as we navigate this challenge, and hopefully, look to synergize lessons learned and download those through contract requirement flowdown documents accordingly. So, really appreciate your guys' time and good luck with the upcoming launches as well, guys. Thank you. I yield back.

Thank you, Mr. Garcia. And now for the honorary member of our subcommittee, who is reliable and with us, Mr. Weber, you're recognized for five minutes. If we can get you unmuted. There we go. There we go.

There's a lot of people who want to mute me, but nonetheless. Thank you, Madam Chairwoman, and I appreciate the opportunity being here. You actually asked a question of Mr. Seaton earlier, I think, about how many attempts, intrusion attempts per month, did NASA identify last year, and I want to kind of follow up on that by saying, how does that compare, Mr. Seaton, to the intrusion attempts per month this year during COVID? Are you making a distinction there?

Yeah, so, not that direct comparison. And we see fluctuations based on our insight, and that insight, as I mentioned, is increasing, so, sometimes that is the cause for a higher number. But we have seen an increase in phishing attacks and malware attacks at various times throughout the pandemic. That hasn't been steady. It's been fluctuating.

Any idea, a guess, 10%, 20%, 5%? Increase?

At one point over a given period of time, we saw a doubling of phishing attacks. But again, there have been other weeks where it's been lower. So, I do think because of the pandemic, people are looking for the opportunity to attack and will continue to.

Well, there has been a lot of discussion about having personal devices and being at home and those kinds of security firewalls, if you will.
And if it's sensitive information, I know you said you worked with the FBI and some of the forces or task force, or I forget the terminology you used, but that sense of information, if you could get it to us, it would be interesting for us to have, if you can get it to my staff. And I want to follow up in your discussion with Mr. Garcia. You talked about, well, before that, let me go to Mr. Martin quickly. Mr. Martin, understanding that this hearing is supposed to be narrowly focused on cyber threats during COVID, since you're here with us, I thought it'd be appropriate to discuss some of the things we've been talking about with China, for example. During this intellectual property threat, threats, obviously, to the aerospace U.S. supply chain, y'all talked about it a little bit, Mr. Garcia, during this week's Association and Aerospace Cyber Conference, it was revealed that longtime DoD and UL lab, proactively, I don't know if you're familiar with this, proactively identified and cut ties with the supplier that was a security risk due to Chinese ownership. Were you aware of that, Mr. Martin?

I was not, Congressman.

Okay. Well, in comments earlier, I think I'll go back to Mr. Seaton with his exchange with Garcia. He said he couldn't speak to suppliers or speak for the suppliers. Was that what you were saying to Mr. Garcia?

I said that I could not speak to how they were structuring their business operations to meet the federal requirements.

Shouldn't that be something that we're looking at? I mean, I don't mean to sound too skeptical, but shouldn't NASA, and actually, all of our U.S. space and defense companies should be taking a proactive posture to know exactly what safeguards are in place for us to

Totally agree. So, how they go about doing it is what I'm saying, that we're not in their business operations, validating that they are complying with the requirements.
It is something that we've been doing for years with our supply chain risk management efforts, ensuring the things that we buy are free of risks through coordination with the FBI, and now making sure that even within their organizations, they do not have IT equipment provided by prohibited providers. So, yes, we are actively involved in ensuring that level of compliance.

When you say how they go about it you're not necessarily involved in, but shouldn't there be some level of protocol, for lack of a better term, some threshold, some safeguard, they have to meet minimum safeguards and somebody has to be looking over their shoulder in that regard? Is that fair to say?

Yeah, again, compliance with our cybersecurity requirements is absolutely critical, and that is our responsibility. Their business practices is what I'm saying that we're not getting in the middle of.

Would you say that in this particular instance where that supplier was identified, that it would be worthwhile to go back and see exactly how that happened, how that supplier got the proverbial camel's nose under the tent?

I think it's in the federal government's best interests to understand where vulnerabilities emanate from, so, certainly.

Whose responsibility is that?

I think it's a shared responsibility.

Between who?

Between the federal agencies that are responsible for our cybersecurity policy as well as an agency that would be interacting with a specific provider.

Is that something you can follow up with our office on and tell us who those agencies are and who has responsibility for that agency? And I'm talking about addressing this particular instance and how it was discovered and how we got there and what steps are going to be taken to prevent similar occurrences. Can you follow up with us on that?

Certainly. We'll take that as a question for the record, yes.

Okay. Well, I appreciate that. Madam Chair, I yield back.

Thank you very much, Mr. Weber.
Appreciate your questions, and as always, your participation in the subcommittee. I think I have a few more questions I want to follow up with, and we'll have an opportunity for the members to do another round of questions, if everyone is available to stay, since we are still, we still have time. I want to follow up on a couple of things going back to some of the earlier questions. One about the unauthorized devices or personal devices. Then I do want to follow up on Mr. Weber's line of questions a little bit more. Mr. Martin, the August 2020 IG report on unauthorized devices, which is, of course, just this year, on NASA's network, the CIO's office saying there is currently no authoritative way to obtain the number of partner-owned IT devices. And I know, Mr. Seaton, you mentioned that you're not allowing that anymore, but it seems that that's still happening. So, Mr. Martin, I'm wondering what the risks are of not being able to identify and why that may be the case from your perspective in this report. And then Mr. Seaton, I want to follow up with you about what NASA's doing to improve its understanding and insight into those devices. So, Mr. Martin, if you want to start with that.

Sure. If I can say at the onset, NASA has been searching for that balance between user flexibility and system security. And during the ten years that I've been at NASA, it has somewhat wildly lurched from those extremes. I remember early on, a number of years ago, where they had a BYOD policy, which was a bring-your-own-device policy. And that's how sort of forward-leaning NASA was about allowing employees and even contractors to use their personal devices. In the last couple years, NASA's taken a much more measured approach and focus recently, but there are still gaps that remain in the security of these mobile devices.
So, as you indicated, in the report that we issued just last month, they have implemented software, but they haven't fully implemented the controls to remove or block devices from NASA systems that shouldn't be on that NASA system. And they're also not adequately monitoring the business rules for granting access with a personal device to NASA's network. They're not enforcing consistently the business need for that, and they're also not ensuring that each of the mobile devices, the personal mobile devices that connect to the system, don't violate supply chain rules.

Thank you very much, Mr. Martin. Mr. Seaton, I know you've taken steps in that direction. Can you speak to, I know there's been a delay, but what you're doing, what NASA's doing to address these holes? It sounds like you've made progress, but what is NASA and what is the CIO doing to address these other outstanding issues?

Sure. Actually, as an agency, I believe, I think we have been a leader in implementing DHS's Continuous Diagnostics and Mitigation program. CDM phase one identified what was on the network. And so, we have tools in place to automatically detect what's on the network. Phase two, which we are in the middle of implementing right now, is controlling who is on the network, and that gets to the network access control element that Mr. Martin spoke of. And again, I think we will in the coming year be able to enable those controls to be able to have a technology-based way to enforce the policy that has been issued by my office.

Thank you very much. And just following up on a couple of Mr. Weber's questions. In terms of the insight, getting back to some of the first questions about contractor requirements and how we control for suppliers and information. There's a balance between overly burdensome requirements and the opportunity for bad actors to influence or to gain access. And I'm wondering, Mr.
Martin, what you see as potential authorities that NASA may need to be able to have additional insight or control or contracting provisions to ensure that there's compliance all the way up and down the supply chain. Is it with the primes, or are there other provisions that may be needed?

I'm actually going to answer that question by focusing in-house on NASA. We have commented for the last, we did an audit in 2014 and a follow-up in 2017. And one of our concerns is just how NASA's structured, where Jeff, or whoever's sitting in the CIO's position, doesn't have full insight into all of NASA's systems. In fact, doesn't have full control over the IT spend and enforcing the IT security requirements, particularly in mission systems and center-based systems. Jeff and his colleagues have full control over what's known as the institutional systems, but they make up about 25% or 30% of NASA's overall budget. So, the lack of insight and oversight, wielding the stick that controls the money on the end of it, is a real governance issue.

Thank you very much, Mr. Martin. And Mr. Seaton, do you want to speak to that quickly? It sounds like you need to be able to do that, you need additional authorities or insight and oversight.

Actually, I think that that has been changing. I sit on the Agency Program Management Council, the Mission Support Council, and the Acquisition Strategy Council as a full member, so I have insight into major agency decisions. And the administration fully supports the programs and plans that we're putting in place. And then the collaboration with the missions to ensure their systems are secure, where we now have much more widespread, effective, consistent approaches to authorities to operate. And I've been working with the Council of Deputies within NASA to ensure that we have the appropriate mission leadership, senior executives designated as authorizing officials for those mission systems. So, I do think we're making significant progress. Excuse me. Thank you.
Thank you very much, Mr. Seaton. Mr. Babin, you're recognized for five minutes. You have more questions?

Yes. Can you hear me? Okay. Thank you. I do have some more questions. I wanted to address this to all the witnesses, if possible. How many intrusion attempts per month did NASA identify last year? How does that compare to the intrusion attempts per month this year during COVID? If this information is sensitive, please provide a response to the staff after the hearing concludes.

Yeah, if I could take the specifics as a question for the record, but I can speak in more general terms. As I mentioned before, I think the measurement of intrusions continues to fluctuate based on our insight into the network, and that has increased. So, in some cases where we see an increase in intrusions, it's because we're seeing more of what's happening. And we're to the point now, I think we've got a pretty solid visibility into our network today. But then a comparison of specific ones by month, we'll have to take that and get back to you.

Okay. All right, thank you. I will yield back, Madam Chair.

Thank you very much, Mr. Babin. Mr. Beyer, you're recognized.

Madam Chair, I have no more questions. I keep learning, but I yield back.

Excellent. Thank you. Mr. Garcia?

Thank you, Madam Chair. Just a real quick question. You know, the old adage that the best defense is a good offense is kind of appropriate here. Mr. Seaton, are you happy with the support that you're getting from other government agencies in terms of the development at a national level, we develop offensive cyber capabilities, that informs your defensive cyber techniques and vulnerabilities? Are you comfortable and satisfied with the communications, I'll just say, to other government agencies, that should be informing you as to where the state of the art is going in terms of offensive cyber capabilities, which may, you know, be in the hands of the bad guys and be within our own domestic networks?
If not, where can we help to maybe, you know, improve your ability to leverage the developments of other equities, outside of NASA?

Yeah, I think the administration has been very supportive of our need to continue with the appropriate focus on cybersecurity, and I think that NASA has effective relationships with our counterparts that can provide us counterintelligence information as well as best practices on cybersecurity. The Federal CIO Council, the CIOs across the federal agencies engaging to share information, is another effective mechanism for that information sharing.

Okay. So, the historical, I'll call it gist, historical evidence over the last, call it, two years, though, have there been any surprises, I