(Correction: A previous version of this story incorrectly identified the interim leader of NASA’s new Foreign National Access Management office. The acting program manager is Jolene Meidinger, not Joe Thompson.)
NASA’s administrator says his agency has taken significant steps to fix major problems with its oversight of foreign nationals who work inside the U.S. space program, following an external examination that found serious security lapses.
Under pressure from the agency’s congressional appropriators, led by Rep. Frank Wolf (R-Va.), NASA turned to the National Academy of Public Administration for an outside look at whether its security controls were adequate to prevent foreign nationals who have inside access from exfiltrating sensitive information.
Charles Bolden, the NASA administrator, told Congress last week that he agrees with all 27 recommendations the NAPA panel ultimately made, and that the agency is moving to implement all of them.
“NASA has established a foreign national access management program to strengthen our foreign national oversight, including efforts to ensure compliance with U.S. government export control policies,” he said. “I have repeatedly communicated the importance of the NAPA report and NASA’s corresponding actions to all of my senior managers. I am now in the process of visiting each of the NASA centers and underscoring the importance of security to our entire workforce, consistent with the report’s recommendations.”
For the most part, the recommendations are unknown to the public, because NASA has deemed both the report itself and its conclusions a “sensitive” document.
“There were a number of vulnerabilities that are pointed out in the report that, when taken in total, could create inroads into our systems, and that’s not [information] that we want to get out,” Bolden said. “It’s not because it was embarrassing.”
Dick Thornburgh, a former U.S. Attorney General and Pennsylvania governor, led the NAPA study. In testimony last week, he shed some light on what his team found as they explored the inner workings of an agency that is required to interoperate with foreign partners on a daily basis while also keeping U.S. secrets under wraps.
One central conclusion is that until recently, NASA did not have a meaningful oversight program to manage the information access rights of foreign nationals who have access to agency data.
“While NASA is among the best organizations in the world when it comes to managing complex technological efforts, the agency does not apply its normal degree of program management rigor to foreign national access management,” Thornburgh said. “It is not managed as a program. Individual headquarters elements produce overly broad program directives, which in turn are subject to widely varying interpretations by NASA centers. Additionally, NASA headquarters have inadequate means for determining the overall efficacy of their directives and mandated processes, so problem areas can go unrecognized.”
Also, Thornburgh said, his panel found serious and longstanding cybersecurity vulnerabilities at NASA, at least on its unclassified networks. Many of the NASA IT managers his team interviewed assume that their networks have already been compromised, he said.
“This finding is reinforced by other reviews of NASA’s information technology, including those done by the NASA inspector general,” he said. “The fundamentally flawed outcomes result when you couple this loosely structured program with relatively easily penetrable information technology security systems. Many of the panel’s findings apply equally to threats arising from trusted insiders, as well as other parties looking to compromise NASA’s information technology.”
Thornburgh stressed that the panel’s mandate was to examine administrative problems at NASA around the foreign national access management process, and not specific instances in which data has been stolen through espionage or other criminal acts. He also emphasized that he could not discuss many details beyond the unclassified four-page executive summary of the report NASA has already released.
Bo Jiang, a Chinese national, came to NASA four years ago by way of a job at the nonprofit National Institute of Aerospace, after having recently graduated from a Chinese university that is on the Commerce Department’s “special entities list” because of concerns about its potential connection to distributors of weapons of mass destruction.
Jiang was eventually given a NASA-issued laptop and hard drive while he was working on an imaging enhancement program for the agency. According to federal court records, he acknowledged having taken that equipment to China at least once in violation of agency regulations.
An after-the-fact NASA audit found that the computer did not contain any classified material, but the hard drive held “extensive NASA proprietary and research information.”
Jiang was later arrested in March 2013 by FBI and customs agents at Dulles International Airport as he tried to make a separate trip to China. He was returned to his home country two months later as part of a plea agreement in which he confessed to a misdemeanor count of violating NASA regulations, court records show.
Thornburgh did not directly address the Jiang case, but he said NASA faces a fundamental tension within its own charter. It is supposed to operate in a cooperative fashion and share information with other nations, as it does on, for example, the International Space Station. But its mission also requires it to make sure some information is restricted only to U.S. personnel.
Thornburgh said the agency needs to do a significant amount of work to make sure it can identify its informational “crown jewels,” and to decide who should be allowed to access them.
“The agency should determine its critical assets and build mechanisms to protect them,” he said. “This would begin with NASA compiling a comprehensive assessment of threats to its assets and establishing a board to manage the overall effort. NASA also needs to correct longstanding information technology security issues, including establishing clear, specific and mandatory requirements for all centers to follow regarding remote access of their information technology systems and giving the NASA chief information officer more control over IT operations in field centers.”
Ultimately, Thornburgh said, many of the changes NASA needs to make are cultural.
For example, even though it had security procedures on the books with regard to foreign national access to information, the panel found there were few, if any, consequences within the agency for staff that failed to follow them. It also found that while competition between the agency’s various centers around the United States might be a good catalyst for innovation, it is not the best recipe for coherent management.
“NASA needs to ensure individuals are held accountable, particularly when serious mistakes are made or important mandates are ignored, and to guard against the organizational tendency to revert back to prior lax habits once the problem has been deemed to have been solved and the tension of the moment has passed,” Thornburgh said. “And the agency needs to communicate the importance of these changes clearly, firmly and consistently. The importance of security, the existence of real-world threats to NASA assets, and the need for improvement in handling foreign national issues have not been clearly and consistently communicated throughout NASA. Senior leaders must firmly establish and communicate their total commitment to an effective foreign national access management program that enhances cooperation while safeguarding information.”
NASA has now created an agencywide Foreign National Access Management office and is in the process of recruiting a director to lead it, Bolden said. In the meantime, it is being led by Jolene Meidinger, who served as NASA’s liaison to the NAPA review, and is being staffed by a handful of contractors plus some borrowed manpower from the agency’s Office of Personnel Security. Bolden said NASA would be able to operate the program within its existing budget.
Wolf said that while the unclassified summary of the report was stark in its conclusions, it did not offer a full picture of the problem. He and his staff have seen the full version and have so far honored NASA’s request to keep it under wraps, but he believes many more of the details could be made public without compromising national security.
“It really was a blunt instrument, because it covers the entire 140-page report without regard to the specific contents of any particular paragraph or page. I believe that a more tailored, redacted report would have resulted in substantial portions of it becoming releasable and therefore open for a detailed discussion,” he said.