NASA’s Chief Information Officer Anticipated Laptop Theft
Protecting and Safeguarding NASA Information and Information Systems (page 6), IT Talk, July-September 2012, NASA CIO
“What if this article was the national headline across the United States? Is NASA protecting and safeguarding its information and information systems? Is it possible to protect and safeguard information and information systems 24/7?”
Keith’s note: Well, it happened. No fancy cyber break-ins occurred. No massive network failure was at fault. Nothing complicated or deliberate happened – the sort of stuff where overt high-tech protection and safeguards would be called into play. Instead, a NASA employee was dumb enough to leave an agency laptop with sensitive information in her car such that it could be stolen. And that laptop had a substantial amount of personal information on 10,000 or more NASA employees that the CIO’s office was inept enough to allow to be on a laptop taken out of NASA in the first place.
The CIO’s own official publication openly talked about what might happen if the theft of a NASA laptop with “10,000 employees private information” became “an actual NASA Headline”. But instead of focusing on the real world where people can and will do dumb things, the CIO focused only on all the complicated technological threats to NASA’s IT. The CIO utterly ignored simple human behaviors that could be just as damaging as a cyber attack if not dealt with. Other than than a memo (2 weeks after the theft) to employees announcing an emergency disk encryption program and a half-hearted attempt to assist employees in case of identify theft, the NASA CIO has done absolutely nothing to address the core issues at hand. And now the NASA CIO cannot even bear to mention this situation on her own website – with the exception, of course, of this hypothetical article written months before the event.