A little over a year ago, NASA was directed, largely if not solely by the efforts of Rep. Wolf, Chairman of the House Commerce, Justice, and Science Appropriations Subcommittee, to commission an independent study from the National Academy of Public Administration, chaired by former Attorney General Thornburgh. The purpose of the study was to look at NASA’s Foreign National Access Management policies after several security issues at NASA centers arose, primarily at Ames Research Center and Langley Research Center. The full Thornburgh report was completed and submitted to NASA. In February, NASA provided the full report, although with restricted access, to certain members of Congress, such as Rep. Wolf. NASA publicly released an Executive Summary that was as innocuous as the full report itself was, according to sources, explosive. There have been calls by Rep. Wolf and others for NASA to publicly release the full report, which the space agency has so far refused to do.
Today, Richard Thornburgh is testifying before the House Commerce, Justice, and Science Appropriations Subcommittee about the National Academy of Public Administration’s findings concerning security incidents involving foreign nationals at NASA research centers. Key points addressed in Thornburgh’s opening statement, a copy of which is available, are:
- The Academy found that there is little accountability for non-compliance when identified through specific incidents or periodic assessments. This validates the identified perception among NASA personnel that “mandatory compliance” means little, as there are few, if any, consequences for deliberate or inadvertent violations of the mandates.
- Due to the fact that the NASA systems lack the necessary controls to protect information, allow foreign nationals access to the networks, and allow remote access, the Panel concludes that the NASA networks are compromised. Publicly available reports on systemic data breaches across the country, NASA’s own internal reports, and briefings given to Academy staff leave little doubt that information contained on the NASA IT systems is compromised.
- NASA Headquarters (HQ) Officials and Center Directors have not adequately communicated that strict compliance was and is required for foreign national hosting, sponsoring, and escort policy and procedures.
- Directives, and orders, can be seen more as “guidance” as opposed to mandatory policy and procedural requirements that must be adhered to. This can lead to communications breakdowns and negative outcomes.
- After fixing a problem, the Agency has a tendency to lapse back into old habits once the spotlight is off the area under review.
- A number of NASA leaders also noted that the Agency tends not to hold individuals accountable even when they make serious, preventable errors. Whenever an example of such an error was mentioned during the interviews, Academy staff would follow-up with: What happened to those responsible for the error? In almost every instance, the answer was either “nothing” or “I don’t know.”
- Certain NASA centers “take a more laissez-faire approach with training either being optional or, if mandatory, provides no sanctions against those who fail to take the training” and “Export control training requirements are inconsistent; the training is confusing and inadequate; and the rationale for such training is often poorly understood.”
- The Export Control program needs a more standardized and systematic approach in furtherance of its export compliance objectives, as well as better audit and review mechanisms. NASA senior leaders also need to more strongly endorse the critical importance of such controls.
- Specific intelligence regarding threats posed by foreign nationals and insiders to specific NASA assets is available from IC agencies, but has been inconsistently utilized to educate NASA personnel.
- NASA facilities, personnel, technologies, and information are highly regarded and of great interest to the world. That interest extends to some countries, governments, organizations, and individuals whose intent is to compromise those facilities, co-opt the personnel, and steal those technologies and information.
- Not one single person within NASA has been held accountable for repeated security breaches.
- The report was declared as “sensitive but unclassified” by NASA.