Hearing is an hour and twenty minutes. This hearing will come to order. Without objection, the chair is authorized to tulare recess at any time. Before i deliver my opening remarks, i want to note today the committee is meeting virtually and announce a couple of reminders of this hearing. First, members should keep video feed on and members of responsible for microphones. Please keep muted if you are speaking. Finally if members have documents they wish to submit to the record, please email them to the Committee Clerk whose email address was circulated prior to the hearing. Good morning, everyone. Id like to welcome our distinguished panel of witnesses, members, and those viewing remotely to todays space and aeronautics security on cybersecurity at nasa, ongoing challenges and emerging issues for increased telework during covid19. In early 2020 the world was out caught offguard with rapid on set of coronavirus. Nasa like man agencies and consistent with management and budget guidance rapidly shifted to telework to ensure the health and safety of its more than 17,000 Civil Servant employees and extensive contractor workforce. To its credit nasa prepared for the transition having held an agencywide telework exercise in early mark. It expanded telework operations. Today 75 to 80 of nasa Civil Servants continue to work remotely handling proposal reviews, project oversight and inspections, development work, engineering analysis and other activities. The shift to increase telework at nasa raises many questions. Front and center cybersecurity. What does increase of telework mean for protecting nasas property, personal identifiable information and mission operations. How do the cyber challenges relate to increased telework affect the agencys overall cyberSecurity Risk posture and what steps is nasa taking to assure effectiveness of cybersecurity efforts during the pandemic and beyond. These are some of the questions todays hearing will explore, because whats clear is that nasa is a target. I want to pause here for a moment to note an article in the hill today where the Justice Department has brought charges against iranian nationals for u. S. Satellite companies. This is incredibly timely. A nasa ig report stated given nasas mission and valuable technical and intellectual capital it produces, the information maintained within the agencys itm infrastructure presents a highvalue target for hackers and criminals. In 2019, nasa administrator stated at an agency town hall that nasa is the most attacked agency in the federal government when it comes to cybersecurity. Past data breaches and system intrusions at nasa and its facilities have resulted in large amounts of stolen data, installation of malware, copying, modifying and deleting Sensitive Files and accessing nasa servers, including those supporting missions. The department of homeland securitys Cybersecurity Infrastructure security agency, which is a mouthful, of course, sisa, a very Important Agency issued specific results on vulnerabilities related to telework during the pandemic and organizations to dont hyper cybersecurity. The agencys then chief Information Officers notified employees of increased hacking attempts on the agencys systems. In june 2020 media articles reported that malicious actors congratulated nasa and spacex on a crude demonstration flight and then announced they had allegedly breached and infected a nasa contractor specifically one that provides tblg, cybersecurity and cybersecurity to the agency. If true, thats a concerning report and part of the reason were here today. Protecting nasas i. T. And data during the pandemic demands vigilence. However, nasa cybersecurity challenges dont begin and end with the covid19 crisis. Multiple nasa ig and gao reports have identified weaknesses and ongoing concerns with nasas Information Security. Further, they have ranked this issue as a top agency challenge. Ensuring effective cybersecurity at nasa becomes even more pressing given Rapid Advances in i. T. Supply chain risks, nasas culture of openness and partnerships and the overall increase in space activities. Nasa is a national treasure. Its Missions Continue to inspire both young and old and nasas cutting edge space technologies, research and spaceflight experience are the envy of the world. Nasas accomplishments wouldnt be possible without computers, software, and Information Systems. Nasa or any organization be 100 riskfree from Cyber Threats . Probably not. Is there room for improvement . Absolutely there is. I hope that todays hearing will give an understanding of the challenges and risks posed by increased telework and whether or not nasa is organized in resource sufficiently and effectively to mitigate those risks. The bottom line is we need to ensure that nasa has the tools it needs and takes the necessary actions to ensure the agencys success, safety and security during covid19 and beyond, and i look forward to our witnesses testimony today. So i think we are there he s is. Ranking member, glad you were able. I know sometimes technology speaking of technology can be a will chaening. Glad you made it through of the chair recognizes Ranking Member babbitt and my good friend from texas for an opening statement. Absolutely. Thank you. We had three computers here we couldnt get on but i got on by telephone. Any way we can do it, im glad to be with you. Innovation in ingenuity. I love it. Absolutely. Thank you so much. Nasa is one of the best known organizations in the entire world. Its successes with mercury, Apollo International programs along with breathtaking scientific discoveries and jawdropping robotic probes attract worldwide attention. Unfortunately that attention comes with many challenges. The technology nasa developments are soughtafter by criminal industries, Foreign Government and destructive vandals. Because many technologies have both civil and military applications, these challenges are particularly gray. This is a topic this committee testified on for decades. Testified before the investigations and oversight subcommittee almost 10 years ago on the topic of information securi security. At that hearing he testified an unencrypted laptop was stolen from nasa that resulted in the loss of the algorithms, quote, unquote, used to control the space station as well as personally identifiable information and intellectual property. Similarly, the u. S. China, economic and Security Review Commission noted in its 2011 report to congress that the terror and land sat satellites experienced two separate instances of interference consistent with cyber activities against their command and control systems. More recently the nasa ig issued its yearly report in july which found, quote, Information Systems throughout the agency face an unnecessarily high level of risk that threatens the confidentiality, integrity and availability of nasas information unquote. The report concluded that it is imperative the agency continue its efforts to strengthen its Risk Management and governance practices to safeguard its data from cybersecurity threats, unquote. Last month the ig issued another report on nasas use of nonagency i. T. Devices and found that nasa is not adequately securing its networks from unauthorized access by i. T. Devices, unquote. The nasa ig is currently tracking 25 open recommendations for the office of the chief Information Officer. These do not include i. T. And cybersecurity recommendations to Mission Director ates or other organizations in the nasa enterprise. While they may steam startling, there are specific reasons that many of the recommendations remain open. For instance, agency wide guidelines and best practices are often general rules and principles that are not optimized to specific agencies unique capabilities, expertise and challenges. For instance, nasa is the world leader in designing building, operating, and communicating with spacecraft. This expertise resides with Mission Director ates and senators that cultivated over many decades. In some instances they actually developed the software Information Systems and underlying technologies that industry and the rest of the government adopted and embraced. Even more extreme circumstances, they continued to use oneoff operating systems that while perhaps not compliant with omb government guidance are arguably more secure because of their uniqueness and on security. Efforts to bring these systems and technologies interest compliance with oneside fits all cookie cutter for systems could actually introduce more risk into the system. This isnt to excuse nasas cybersecurity short comes as identified by ig and gao over the years. Lost laptops, unsecured devices, unauthorized systems, authorization to operate and poor Inventory Management are all cause for concern, which brings us to the situation that nasa currently faces. The covid19 challenge requires most of nasas employees and contractors to work remotely. While nasa has embraced teleworking for years, the expansion of this practice introduces a larger target and more vulnerabilities for malicious actors to exploit. In addition to teleworking challenges, im also interested in understanding what level of insight that nasa has on contract for cybersecurity as nasa moves toward publicprivate partnerships. Finally, its worth noting that President Trump recently issued space policy directive number five focused on Cybersecurity Principles for space systems. While it is not covid focused specifically, it is particularly timely given todays hearing and demonstrates the administrations forwardlooking leadership on this very topic. I look forward to hearing more about these important issues and what nasa plans to do to mitigate as well as what congress and the administration can do to help. With that, madam chair, i yield back. Thank you, Ranking Member babbitt for your opening statement. I think its safe to say we share many of the same concerns in this area and excited and grateful for the opportunity for this hearing today. If there are any members at this point if there are any members who wish to submit opening statements, the statements will be added to the record at this point. Now id like to introduce our witnesses. Our first witness today is mr. Jeff seton. In april of 2020, he was named nasas chief acting chief Information Officers acting chief Information Officers. Lets see if i can get that out right. Prior he served as deputy chief Information Officers and spent seven years as the chief Information Officer at Nasas Langley research center. He began his career with nasa in 1991 as a Research Engineering designing robotic systems for spacebased applications and also served as langleys chief Technology Officer and deputy cio. He received a bachelors degree and masters degree in Electrical Engineering from virginia tech. Welcome. Were glad youre with us today. Our next witness is mr. Paul martin, Inspector General for the National Aeronautics and space administration. Mr. Martin has been the nasa Inspector General since 2009. Prior to his appointment at nasa, he served as deputy Inspector General at the department of justice. He also spent 13 years at the u. S. Sentencing commission including six years as the commissions deputy staff director. Mr. Mar tip received a bachelors degree in journalism from Pennsylvania State university and jures doctorate from the University Law center. Welcome, mr. Martin. Our third and final witness is dr. Diana burly. In july 2020, appointed vice provost forry search and director of Public Administration at American University. Prior to her current position, she spent 13 years as a professor of human and organizational learning at George Washington university where she was the inaugural chair for the human and Organizational Learning Department and the director of executive leadership doctoral program. Shes also managed a multimillion dollar Computer Science education and resource portfolio for the National Science foundation. Dr. Burly received a bachelors degree in economics from the Catholic University of america, a masters in Public Management and Public Policy from Carnegie Mellon university and masters and doctoral in organizational science and information policy also from carnegie melon university. Welcome, dr. Burly. As you know five minutes for written testimony. Your written testimony will be included in the record for this year. When you have completed your spoken testimony, well begin with questions and each member will have five minutes to question the panel. Well start today with mr. Seton. You are recognized for five minutes. Thank you members of the subcommittee on space and aeronautics for allowing me to appear before you and talk about infrastructure and efforts to manage and protect infrastructure during. Thankfully nasa was well positioned to keep Missions Moving Forward by shifting majority of workforce to telework last march. As a result nasa has never been closed and our workforce has continued to work productively manner despite covid19 virus. With strict safety protocols in place, nasa is now allowing more protocols on site based on guidance from the cdc and other federal partners. Let me assure you, the safety of our workforce remains our top priority. At the same time protecting and effectively operating i. T. Infrastructure continues to be another top nasa focus. I. T. Plays a Critical Role in every aspect of nasas missions. However, effective til managemei. T. Management is not an easy task. Its my job to balance Innovative Mission enabling i. T. Capabilities with Operational Efficiency and effective cybersecurity to guard against evolving threats. During the pandemic, the demand and expectations placed on nasas i. T. Infrastructure have been incredibly high and threats from external actors remain an ongoing concern. However, with hard work, dedication and innovation, nasas cio team has risen to the challenge of keeping our Missions Moving Forward. For example, oci helped rapidly develop software to track cases of on site covid19 exposures while meeting security and privacy rirts. Additionally nasa continues to hear and on board new employees, contractors and interns with innovative approaches to provisioning and maintaining i. T. Systems and tools remotely. For nasa employees, the pandemic has dramatically changed the way that we work. While many employees already teleworked occasionally before the pandemic, having 90 of employees teleworking at the same time has been game changing. Nasa employees have significantly increased virtual Collaboration Tools such as webex and Microsoft Teams so we can interact facetoface sharing virtual collaborative work spaces. Employees dependent on nasas Virtual Private Network to connect securely to internal networks and systems. Before the pandemic our highest vpn connection rate was about 12,000 users in a single day. Today our vpn is supporting almost 40,000 daily users with an availability exceeding 99 , thanks to architectural an capacity improvements implemented over the past 24 nts mo. Like other federal agencies, nasas infrastructure under constant attack, highly domes indica domesticated. Procedural abilities to proactively defend systems and data. The reported number of attempted Cyber Incidents increases partly because we have greater visibility into our network today, im confident nasa is appropriately addressing and strengthening our ponce to threats. In fiscal year 2020, developed to enhance Security Operation Center located at the Ames Research center. Previously if operations were interrupted, we had a limited ability to identify the tech and respond to incidents. Today it spans multiple centers allowing us to maintain 24 by 7 operations at all times even if there is an isolated disruption. With strengthened tools and capabilities, nasa is transitioning from largely reactive to proactive security posture. As the pandemic worsened in april, it moved to ensure employee safety and we did so without