Transcripts For CSPAN House Hearing On NASA Cybersecurity Du

Want to submit, email them to the committee clerk. That email address was circulated prior to the hearing. Good morning, everyone. I want to welcome our panel of witnesses, members and those who were viewing remotely to todays subcommittee hearing on cybersecurity at nasa, the ongoing challenges and emerging issues for telework during covid19. In 2020, the world was caught off guard with the onset of the coronavirus. Nasa, like other federal aencies, rapidly shifted to telework operation to ensure the health and safety of its more than 17,000 Civil Servant employees and extensive contractor workforce. To its credit nasa prepared for , the transition having held in agencywide telework exercise in early march. It expanded telework operations nasasay 75 to 80 of silver Civil Servants work remotely, with project oversight and inspections, development work, engineering analysis and other activities. The shift to increased telework raises many questions, front and center cybersecurity. What is the increase and extended worth of telework means for protecting nasas intellectual property, personally identifiable information and Mission Operations . How do cyber challenges relate d to increase telework affect the agencys overall Cyber Security risk and what steps is nasa taking to assure the effectiveness of its fiber security efforts during the pandemic and beyond . These are some of the questions todays hearing will explore, because what is clear is nasa is a target. I want to pause for a moment to note an article in the hill today where the Justice Department has brought charges against iranian nationals for attacking u. S. Satellite companies. This is incredibly timely. Recent nasa report stated given nasas mission and intellectual capital it produces, the information maintained in its i. T. Infrastructure presents a high value target for hackers and criminals. Administratorsa jim bridenstein, said nasa is , the most attacked agency in the federal government when it comes to cybersecurity. Past data breaches at nasa and its facilities have resulted in stolen data, installation of malware, copying, modifying and deleting Sensitive Files and accessing nasa servers, including those supporting missions. The department of Homeland Security Cybersecurity Infrastructure security agency, which is a mouthful, a very important agency, has issued specific alerts on vulnerabilities related to telework during the pandemic and has urged facilities to adopt a heightened in cybersecurity. The agencys chief Information Officer notified employees of increased hacking attempt on the agency systems. And in june of 2020, media articles recorded that malicious reported that malicious announced they had allegedly breached and infected a nasa contractor, specifically one that provides Information Technology, Cyber Security and Cyber Security services to the agency. If true concerning report and , part of the reason we are here today. Protecting nasas i. T. And data demands but nasa Cyber Security challenges dont begin and end with the covid19 crisis. Multiple nasa reports have identified weaknesses and ongoing concerns with nasas Information Security. Further, they ranked this issue as a top agency challenge. Ensuring cybersecurity at nasa even more pressing given the Rapid Advances in the supply chain risks nasas culture of , openness and the increase in space activity. Nasa is a national treasure, its missions inspire young and old, and nasas cuttingedge research and spaceflight experiences are the envy of the world. Nasas accomplishments would not be possible without computers software, and information , systems. Will nasa or any organization be risk free, probably not. ,s there room for improvement absolutely. I hope that todays hearing will give an understanding of the challenges and risks posed by increased telework. And whether or not nasa is organized sufficiently and effectively to mitigate the risks. The bottom line is we have to ensure that nasa has the tools it needs and takes an effort to take the action to ensure safety and security in 2019 and beyond. And i look forward to our testimony today. Therenk that we are he is. Ranking member babbitt, i know that technology i know it can be a challenge, but i am glad you made it through. They chair recognizes Ranking Member babin, my good friend from texas, for his opening statement. We had three computers here that we could not get on, but i got on with my telephone. Im glad to be with you. Innovation and ingenuity, i love it. Thank you so much. Nasa is one of the bestknown organizations in the entire world. Its successes with the mercury, gemini, apollo, shuttle and International Space station programs, along with its breathtaking scientific discoveries, attract worldwide attention. Unfortunately, that comes with many challenges. The technologies nasa develops are sought after by criminal entities, unscrupulous foreign governments and destructive vandals. Because many of these technologies have both civil and thesery applications, challenges are particularly grave. This has been a focus of this committee for decades. That testimony from 10 years ago was on the topic of Information Security and that year testified that an unencrypted laptop was stolen from nasa that resulted in the loss of the algorithms, quote, used to control the space station as well as personally identifiable information and intellectual property. Similarly the us China Economic the u. S. China economic and Security Review Commission noted in its 2011 report to congress that the landsat 7 satellites experienced two separate instances of interference apparently consistent with cyber activities against the command and control systems. G. E recently, the nasa i issued a yearly report in july that found, quote information , systems throughout the agency faced an unnecessarily high level of risk that threatens the confidentiality, integrity and availability of nasas information. The report concluded that it is imperative the agency continue its efforts to strengthen its Risk Management and governance practices to safeguard its data, from cyberSecurity Threats. Last month, the ig issued another report on nasas use of and found that nasa is not adequately securing its networks from unauthorized access by i. T. Devices. They are currently tracking 25 recommendations for the office of the chief Information Officer. And do not include i. T security recommendations to Mission Directorates or other organizations in the nasa enterprise. While these may seem startling, there are specific reasons many of the recommendations remain open. For instance agencywide , guidelines and best practices are often general rules and principles are not optimized to specificncy agencies unique capabilities, expertise and challenges. Nasa is the world leader in designing, building, operating and communicating with spacecraft. This expertise is in the Mission Directorates and centers who cultivated the expertise over many decades. In some instances, they developed Software Information systems and underlying technologies that the government has adopted and embraced. And more extreme circumstances, they continue to use operating systems, while not compliant with guidance, are arguably more secure because of their uniqueness and obscurity. The effort to bring these into compliance with a onesizefitsall cookiecutter developed for commercial enterprises systems could actually introduce more risk into the system. This is not to excuse nasas Cyber Security shortcomings a. G. Ified by the i. G. And over the years. Unauthorized access to systems and authorization to operate, and poor Inventory Management are all cause for concern. Which brings us to the situation nasa currently faces. The covid19 challenge requires most of nasas employees to work remotely. The covid19 challenge requires most of nasas employees to work remotely. While nasa has embraced teleworking for years the expansion of this practice introduces a larger target and more vulnerabilities for actors to exploit. In addition to teleworking challenges im interested in understanding what level of insight nasa has on cybersecurity as nasa moves toward the publicprivate partnerships. Finally, it is worth noting that donald trump recently issued space policy directive number 5 focused on Cybersecurity Principles for Space Systems and while it is not focused not covid19 focused specifically it is particularly timely given todays hearing and demonstrates the administrations forwardlooking leadership on this topic. I look forward to hearing more about these important issues and what nasa plans to do to mitigate as well as what congress and the administration can do to help. With that i yield back. Thank you for your opening statement. We share the same concerns and are excited and grateful for the opportunity. If there are any members who wish at this point to submit additional opening statements, the statements will be added to the record at this point. Now i would like to introduce our witnesses. Our first witness is mister jack seaton. In april of 2020 Mister Seaton was named nasas chief Information Officer, acting chief Information Officer. Prior to his current position he served as nasas deputy chief Information Officer, spent 7 years as the chief Information Officer and Nasas Langley research center. He began his career in 1991 at as a Research Engineer with robotic systems for spacebased applications and served as langleys chief Information Officer and deputy cio. He received a masters degree and masters degree in Electrical Engineering from virginia tech. Welcome, we are glad you are with us today. Our next witness is mister paul martin, Inspector General for the National Aeronautics and space administration. Mister martin has been the nasa Inspector General since 2009 and prior to that appointment he served as deputy Inspector General at the department of justice. He also spent 13 years at the Us Commission including six years as the commissions deputy staff director. Mister martin received a bachelors degree in journalism from Pennsylvania State university and a doctorate from Georgetown University law center. Welcome, Mister Martin. Our third and final witness is doctor diana burley. She was appointed as professor of Public Administration at American University. Prior to that position she spent 13 years as a professor of human and organizational learning at George Washington university where she was the inaugural chair for the human and Organizational Department and director executive leadership doctoral program. She managed a multimillion dollar Computer Science education and resource portfolio for the National Science foundation, doctor burley received a National Degree from Catholic University of america, masters in Public Management and policy from Carnegie Mellon university and masters in doctoral degrees from organizational science and information policy from Carnegie Mellon university. Welcome doctor burley. As witnesses, you have 5 minutes for your spoken testimony. Your written testimony will be included in the record for this hearing. We will begin with questions and each member will have five minutes to question the panel. We will start today with Mister Seaton. You are recognized for five minutes. Members of the subcommittee on space and aeronautics, thank you for allowing me to appear you want talk about nasas information infrastructure and efforts to manage and protect that the structure during the covid19 pandemic. Due to Strategic Investments over the last several years nasa was wellpositioned to keep our mission moving forward by shifting our workforce to telework last march. As a result nasa has never enclosed and our workforce has continues to work remotely in a productive and creative manner despite highly contagious covid19 virus. With strict safety protocols in place nasa is allowing more employees on site based on factors like local conditions and guidance from cdc another federal partners. Let me assure you the safety of our workforce remains our top priority. At the same time protecting and operating our it infrastructure continues to be another top nasa focus was it plays a Critical Role in every aspect of nasas missions. Effective it management is not an easy task. Is chief Information Officer it is my job to balance implementing it capabilities with Operational Efficiency and effective Cyber Security to guard against evolving threats. During the pandemic demanded expectations placed on nasas it is incredibly high and threats from external actors, but with hard work, dedication, innovation, nasas team has written to the challenge of keeping our mission moving forward. We rapidly developed software for covid19 exposures while all security and privacy requirements. Additionally nasa continues to higher on board employees, contractors and interns with approaches to provisioning and maintaining it systems and tools remotely. The pandemic has dramatically changed the way we work. Many employees telework before the pandemic, having 90 of employees working at the same time has been game changing. Nasa employee cyclically increase their use of virtual Collaboration Tools like webx to interact facetoface while sharing virtual collaborative workspaces. Employees are dependent on natural private network to connect security to internal networks and systems. Before the pandemic our highest vpn connection rate was 12,000 users in a single day. Our support is 40,000 users with an availability of 99 , architectural capacity improvements implemented in the past 24 months. Like other federal agencies nasas it infrastructure is under constant attack from well resourced and highly motivated domestic and foreign adversaries and we remain a popular target for them. We continue to strengthen our technical and procedural capabilities to proactively protect our systems and data. The recorded number of Cyber Incidents continues to increase partly because we have greater visibility into our network i am confident that nasa is addressing and strengthening our response to these threats. In fiscal year 2020 nasa developed continuity of operation to enhance our Security Operations Center Located at the Ames Research center. The stock operations were disrupted we had the ability to identify and respond to incidents. Today nasa stock operations allow us to maintain 24 by 7 stock operations at all times even if there is not isolated distraction. With isolated tools and capabilities nasa is transitioning to a more proactive cybersecurity posture. Nasa move remote operations to ensure employee safety without negatively impacting our network or cybersecurity capabilities. In closing i want to thank staff and leadership and the entire nasa workforce for their hard work and the personal sacrifices they made during these challenging times, new ways to keep Missions Moving Forward and support each other and balance work and family pressures and dedicate their expertise and personal time to developing technologies that are aiding in the National Response to the coronavirus. No one is sure what the future holds but nasa leaders including myself are committed to keeping the nasa workforce safe and providing the it tools and infrastructure they need to continue executing our missions. I want to assure you protecting any evolving nasas it infrastructure is and will remain a top agency priority. Thank you for the opportunity to testify before you today and i look forward to answering your questions, thank you. Mister martin, you are recognized for your testimony. Thank you, members of the subcommittee. The nasa office of Civil Servant<\/a> employees and extensive contractor workforce. To its credit nasa prepared for , the transition having held in agencywide telework exercise in early march. It expanded telework operations nasasay 75 to 80 of silver Civil Servant<\/a>s work remotely, with project oversight and inspections, development work, engineering analysis and other activities. The shift to increased telework raises many questions, front and center cybersecurity. What is the increase and extended worth of telework means for protecting nasas intellectual property, personally identifiable information and Mission Operations<\/a> . How do cyber challenges relate d to increase telework affect the agencys overall Cyber Security<\/a> risk and what steps is nasa taking to assure the effectiveness of its fiber security efforts during the pandemic and beyond . These are some of the questions todays hearing will explore, because what is clear is nasa is a target. I want to pause for a moment to note an article in the hill today where the Justice Department<\/a> has brought charges against iranian nationals for attacking u. S. Satellite companies. This is incredibly timely. Recent nasa report stated given nasas mission and intellectual capital it produces, the information maintained in its i. T. Infrastructure presents a high value target for hackers and criminals. Administratorsa jim bridenstein, said nasa is , the most attacked agency in the federal government when it comes to cybersecurity. Past data breaches at nasa and its facilities have resulted in stolen data, installation of malware, copying, modifying and deleting Sensitive Files<\/a> and accessing nasa servers, including those supporting missions. The department of Homeland Security<\/a> Cybersecurity Infrastructure<\/a> security agency, which is a mouthful, a very important agency, has issued specific alerts on vulnerabilities related to telework during the pandemic and has urged facilities to adopt a heightened in cybersecurity. The agencys chief Information Officer<\/a> notified employees of increased hacking attempt on the agency systems. And in june of 2020, media articles recorded that malicious reported that malicious announced they had allegedly breached and infected a nasa contractor, specifically one that provides Information Technology<\/a>, Cyber Security<\/a> and Cyber Security<\/a> services to the agency. If true concerning report and , part of the reason we are here today. Protecting nasas i. T. And data demands but nasa Cyber Security<\/a> challenges dont begin and end with the covid19 crisis. Multiple nasa reports have identified weaknesses and ongoing concerns with nasas Information Security<\/a>. Further, they ranked this issue as a top agency challenge. Ensuring cybersecurity at nasa even more pressing given the Rapid Advances<\/a> in the supply chain risks nasas culture of , openness and the increase in space activity. Nasa is a national treasure, its missions inspire young and old, and nasas cuttingedge research and spaceflight experiences are the envy of the world. Nasas accomplishments would not be possible without computers software, and information , systems. Will nasa or any organization be risk free, probably not. ,s there room for improvement absolutely. I hope that todays hearing will give an understanding of the challenges and risks posed by increased telework. And whether or not nasa is organized sufficiently and effectively to mitigate the risks. The bottom line is we have to ensure that nasa has the tools it needs and takes an effort to take the action to ensure safety and security in 2019 and beyond. And i look forward to our testimony today. Therenk that we are he is. Ranking member babbitt, i know that technology i know it can be a challenge, but i am glad you made it through. They chair recognizes Ranking Member<\/a> babin, my good friend from texas, for his opening statement. We had three computers here that we could not get on, but i got on with my telephone. Im glad to be with you. Innovation and ingenuity, i love it. Thank you so much. Nasa is one of the bestknown organizations in the entire world. Its successes with the mercury, gemini, apollo, shuttle and International Space<\/a> station programs, along with its breathtaking scientific discoveries, attract worldwide attention. Unfortunately, that comes with many challenges. The technologies nasa develops are sought after by criminal entities, unscrupulous foreign governments and destructive vandals. Because many of these technologies have both civil and thesery applications, challenges are particularly grave. This has been a focus of this committee for decades. That testimony from 10 years ago was on the topic of Information Security<\/a> and that year testified that an unencrypted laptop was stolen from nasa that resulted in the loss of the algorithms, quote, used to control the space station as well as personally identifiable information and intellectual property. Similarly the us China Economic<\/a> the u. S. China economic and Security Review Commission<\/a> noted in its 2011 report to congress that the landsat 7 satellites experienced two separate instances of interference apparently consistent with cyber activities against the command and control systems. G. E recently, the nasa i issued a yearly report in july that found, quote information , systems throughout the agency faced an unnecessarily high level of risk that threatens the confidentiality, integrity and availability of nasas information. The report concluded that it is imperative the agency continue its efforts to strengthen its Risk Management<\/a> and governance practices to safeguard its data, from cyberSecurity Threat<\/a>s. Last month, the ig issued another report on nasas use of and found that nasa is not adequately securing its networks from unauthorized access by i. T. Devices. They are currently tracking 25 recommendations for the office of the chief Information Officer<\/a>. And do not include i. T security recommendations to Mission Directorates<\/a> or other organizations in the nasa enterprise. While these may seem startling, there are specific reasons many of the recommendations remain open. For instance agencywide , guidelines and best practices are often general rules and principles are not optimized to specificncy agencies unique capabilities, expertise and challenges. Nasa is the world leader in designing, building, operating and communicating with spacecraft. This expertise is in the Mission Directorates<\/a> and centers who cultivated the expertise over many decades. In some instances, they developed Software Information<\/a> systems and underlying technologies that the government has adopted and embraced. And more extreme circumstances, they continue to use operating systems, while not compliant with guidance, are arguably more secure because of their uniqueness and obscurity. The effort to bring these into compliance with a onesizefitsall cookiecutter developed for commercial enterprises systems could actually introduce more risk into the system. This is not to excuse nasas Cyber Security<\/a> shortcomings a. G. Ified by the i. G. And over the years. Unauthorized access to systems and authorization to operate, and poor Inventory Management<\/a> are all cause for concern. Which brings us to the situation nasa currently faces. The covid19 challenge requires most of nasas employees to work remotely. The covid19 challenge requires most of nasas employees to work remotely. While nasa has embraced teleworking for years the expansion of this practice introduces a larger target and more vulnerabilities for actors to exploit. In addition to teleworking challenges im interested in understanding what level of insight nasa has on cybersecurity as nasa moves toward the publicprivate partnerships. Finally, it is worth noting that donald trump recently issued space policy directive number 5 focused on Cybersecurity Principles<\/a> for Space Systems<\/a> and while it is not focused not covid19 focused specifically it is particularly timely given todays hearing and demonstrates the administrations forwardlooking leadership on this topic. I look forward to hearing more about these important issues and what nasa plans to do to mitigate as well as what congress and the administration can do to help. With that i yield back. Thank you for your opening statement. We share the same concerns and are excited and grateful for the opportunity. If there are any members who wish at this point to submit additional opening statements, the statements will be added to the record at this point. Now i would like to introduce our witnesses. Our first witness is mister jack seaton. In april of 2020 Mister Seaton<\/a> was named nasas chief Information Officer<\/a>, acting chief Information Officer<\/a>. Prior to his current position he served as nasas deputy chief Information Officer<\/a>, spent 7 years as the chief Information Officer<\/a> and Nasas Langley<\/a> research center. He began his career in 1991 at as a Research Engineer<\/a> with robotic systems for spacebased applications and served as langleys chief Information Officer<\/a> and deputy cio. He received a masters degree and masters degree in Electrical Engineering<\/a> from virginia tech. Welcome, we are glad you are with us today. Our next witness is mister paul martin, Inspector General<\/a> for the National Aeronautics<\/a> and space administration. Mister martin has been the nasa Inspector General<\/a> since 2009 and prior to that appointment he served as deputy Inspector General<\/a> at the department of justice. He also spent 13 years at the Us Commission<\/a> including six years as the commissions deputy staff director. Mister martin received a bachelors degree in journalism from Pennsylvania State<\/a> university and a doctorate from Georgetown University<\/a> law center. Welcome, Mister Martin<\/a>. Our third and final witness is doctor diana burley. She was appointed as professor of Public Administration<\/a> at American University<\/a>. Prior to that position she spent 13 years as a professor of human and organizational learning at George Washington<\/a> university where she was the inaugural chair for the human and Organizational Department<\/a> and director executive leadership doctoral program. She managed a multimillion dollar Computer Science<\/a> education and resource portfolio for the National Science<\/a> foundation, doctor burley received a National Degree<\/a> from Catholic University<\/a> of america, masters in Public Management<\/a> and policy from Carnegie Mellon<\/a> university and masters in doctoral degrees from organizational science and information policy from Carnegie Mellon<\/a> university. Welcome doctor burley. As witnesses, you have 5 minutes for your spoken testimony. Your written testimony will be included in the record for this hearing. We will begin with questions and each member will have five minutes to question the panel. We will start today with Mister Seaton<\/a>. You are recognized for five minutes. Members of the subcommittee on space and aeronautics, thank you for allowing me to appear you want talk about nasas information infrastructure and efforts to manage and protect that the structure during the covid19 pandemic. Due to Strategic Investments<\/a> over the last several years nasa was wellpositioned to keep our mission moving forward by shifting our workforce to telework last march. As a result nasa has never enclosed and our workforce has continues to work remotely in a productive and creative manner despite highly contagious covid19 virus. With strict safety protocols in place nasa is allowing more employees on site based on factors like local conditions and guidance from cdc another federal partners. Let me assure you the safety of our workforce remains our top priority. At the same time protecting and operating our it infrastructure continues to be another top nasa focus was it plays a Critical Role<\/a> in every aspect of nasas missions. Effective it management is not an easy task. Is chief Information Officer<\/a> it is my job to balance implementing it capabilities with Operational Efficiency<\/a> and effective Cyber Security<\/a> to guard against evolving threats. During the pandemic demanded expectations placed on nasas it is incredibly high and threats from external actors, but with hard work, dedication, innovation, nasas team has written to the challenge of keeping our mission moving forward. We rapidly developed software for covid19 exposures while all security and privacy requirements. Additionally nasa continues to higher on board employees, contractors and interns with approaches to provisioning and maintaining it systems and tools remotely. The pandemic has dramatically changed the way we work. Many employees telework before the pandemic, having 90 of employees working at the same time has been game changing. Nasa employee cyclically increase their use of virtual Collaboration Tools<\/a> like webx to interact facetoface while sharing virtual collaborative workspaces. Employees are dependent on natural private network to connect security to internal networks and systems. Before the pandemic our highest vpn connection rate was 12,000 users in a single day. Our support is 40,000 users with an availability of 99 , architectural capacity improvements implemented in the past 24 months. Like other federal agencies nasas it infrastructure is under constant attack from well resourced and highly motivated domestic and foreign adversaries and we remain a popular target for them. We continue to strengthen our technical and procedural capabilities to proactively protect our systems and data. The recorded number of Cyber Incidents<\/a> continues to increase partly because we have greater visibility into our network i am confident that nasa is addressing and strengthening our response to these threats. In fiscal year 2020 nasa developed continuity of operation to enhance our Security Operations<\/a> Center Located<\/a> at the Ames Research<\/a> center. The stock operations were disrupted we had the ability to identify and respond to incidents. Today nasa stock operations allow us to maintain 24 by 7 stock operations at all times even if there is not isolated distraction. With isolated tools and capabilities nasa is transitioning to a more proactive cybersecurity posture. Nasa move remote operations to ensure employee safety without negatively impacting our network or cybersecurity capabilities. In closing i want to thank staff and leadership and the entire nasa workforce for their hard work and the personal sacrifices they made during these challenging times, new ways to keep Missions Moving Forward<\/a> and support each other and balance work and family pressures and dedicate their expertise and personal time to developing technologies that are aiding in the National Response<\/a> to the coronavirus. No one is sure what the future holds but nasa leaders including myself are committed to keeping the nasa workforce safe and providing the it tools and infrastructure they need to continue executing our missions. I want to assure you protecting any evolving nasas it infrastructure is and will remain a top agency priority. Thank you for the opportunity to testify before you today and i look forward to answering your questions, thank you. Mister martin, you are recognized for your testimony. Thank you, members of the subcommittee. The nasa office of Inspector General<\/a> has conducted a significant amount of oversight work to help nasa improve its Information Technology<\/a> governance while securing networks and data from cyber attacks. Over the past five years we should 60 not reports with 72 recommendations related to it governance and security. During the same period we conducted 120 investigations involving intrusions, denial of service and data breaches on nasa Network Several<\/a> of which resulted in criminal convictions. My testimony today is informed by this body of investigative work. The soundness and security of its data and it systems is central to nasas success. The agency spends more than 2. 2 billion a year on a portfolio of it assets that include hundreds of Information Systems<\/a> used to control spacecraft, collect and process Scientific Data<\/a> and enable nasa personnel to collaborate with callers around the world. Given the valuable technical and intellectual capital nasa produces its it systems highvalue target for cybercriminals, the past 6 months tested the agency as 90 of nasas workforce move from onsite to remote work due to the pandemic. During this period nasa has experienced an uptick in cyberthreats with phishing attempts doubling and air attacks rising substantially. This morning i offered three observations about the state that nasas it governance could provide context to the scope of its challenges. Our concern with nasas it governance security are wideranging and longstanding. For more than two decades nasa has struggled to implement an effective it governance structure the lines of authority and responsibility, can measure it with the agencys overall mission, specifically the agency cio has limited oversight over it purchases and security decisions within Mission Directorates<\/a> and that nasa centers. The nature of nasas operations coupled with historic culture of economy that hindered the cios ability to implement effective enterprisewide it governance. Moreover nasas connectivity with informational institutions and other outside organizations and its vast Online Presence<\/a> of 3000 web domains and 42,000 publicly accessible data sets offer cybercriminals a larger target than most other Government Agencies<\/a>. Second, despite positive Forward Momentum<\/a> the agencys it practices fall short of federal requirements. For example in 2019, the fourth year in a row, nasas performance remains that level 2 out of 5 meaning the agency has issued but not consistently implemented important policies and procedures defining its it Security Program<\/a> and third like many other public and private organizations nasa struggles to find the right balance between user flexibility and system security. For example, for years, nasa permitted personally and dance partner owned mobile it devices to access nonpublic data even if those devices did not have valid authorization. Today nasa employees and partners can use nonagency mobile devices to access email if the user install Security Software<\/a> known as mobile device management. However, an audit last month found that nasa was not adequately securing its email but from unauthorized access by these personally owned devices. Nasa has deployed technologies to monitor unauthorized connections, it now fully and limited controls to remove or block those devices. The agencys december target for installing these controls was delayed due to technological issues and pandemic related closures. Until these enforcement controls are fully implemented nasa faces elevated risk of a breach. As part of its initiative, nasa plans to centralize and consolidate it capabilities. The office expects to complete its assessment by march of 2021 with implementation on its institutional system is beginning later this year. As map unfolds we plan to assess whatever the alignment strengthens cybersecurity at nasa. I look forward to your questions. Thank you, Mister Martin<\/a>. Doctor burley, you are recognized for your testimony. The Committee Chairman<\/a> and distinguished members of the committee, thank you for the opportunity to appear before you today. As the nation continues to navigate the uncertain area of the Global Pandemic<\/a> it is vital we engage in a robust discussion of cyber related challenges to increase telework during this time. At American University<\/a> we are guided by our change in roads. To navigate, shape, and the boundaries for data science, social equity and security. In my remarks today shaped by decades long career leading Cyber Security<\/a> initiative i will highlight supporting the development of a holistic strategy to address Cyber Security<\/a> issues surrounding the exponential growth in telework. Concerns of exposure to covid19 created mass migration from virtual setting. These arrangement existed for years but never before have we seen the range and volume of workers or the Remote Working<\/a> environment. The demographic categories and technical abilities, working remotely and engaging with employers, colleagues and customers through a digital interface on a range of devices. Securing this necessitates we recognize the technical needs and environmental factors that shape that behavior. Consider the following. Modest users and most experiences create vulnerabilities. In the hurried transitions remote work agencies do not have sufficient time to prepare novice users for the complexity of the newly virtual working environment where overall security is more reliant on individual decisions made by employees and nonemployees alike. These users who developed behaviors in accordance with onsite protections face new challenges and find themselves less prepared for the vulnerabilities exposed by the Remote Working<\/a> environment. Employees are working under duress. Covid19 continues to drive healthrelated concerns, anxiety and confusion, employees worry about meeting their basic needs and are less likely to attend lower priorities like cybersecurity. Cybercriminals have targets of opportunity, shift in activity leads to more opportunities for cyber criminals to use social engineering like fraud, misdirection and misinformation to exploit those vulnerabilities. Users bring things online. If we use the entire Public Health<\/a> analogy of treating the whole patience we can strengthen the efficacy of guidance to engage in robust cyber activity. In Public Health<\/a> practice successful treatment is inextricably linked to the social and environmental conditions, today in the midst of the covid19 pandemic we must recognize basic cyber hygiene practices doable under normal circumstances, these are not normal times. Our workers are distracted, frightened and fatigued. This is especially true for the most vulnerable. As such, strategies to strengthen the Cyber Security<\/a> of teleworkers must consider the fullspectrum of user experiences and address the complex reality of their needs. The points i outlined represent only a snapshot of the benefit of using a holistic approach to reduce the impact of cybersecretary created reliability. I long advocated for this type of approach. Now the greater sense of urgency we must collaboratively develop intervention between technical and environmental variables that shape the cybersecurity posture across a broad range of teleworkers as they navigate the covid19 environment. I look forward to continued engagement with the committee to develop strategies that raise awareness of the threat, encourage actions that increase cybersecurity and protect most vulnerable citizens. Thank you. Thank you very much, doctor burley. We begin with our first round of question of the chair recognizes herself or five minutes. Thank you to our witnesses, it is clear these are important issues and there is a lot to tackle. I want to start with some questions about contractors, cybersecurity contractors especially given the increased use and significant use of contractors within nasas workforce. I will try to get through as many questions as we can, some are just yes or no and a few other things. What we know, i mention the article today in the hill, that system is, theres a lot of information hackers are interested in and the contractors nasa works with our intragoal to the nations space agency. Are there federal acquisition regulations that specifically refer to contractor cybersecurity requirements . We include those in our agency contracts, providers follow the cybersecurity requirement. Let me follow up on that for a moment. Those are nasa Cyber Security<\/a> requirements. We asked about the language, nasas response that there were no far clauses but do those follow under nasa requirements in contracts . Supplements to get specifics on what those requirements are, i can take a question for the record. When those clauses are included is it nasa that signs off on cybersecurity . Are there waivers . Who signs off on the requirements for cybersecurity that have been met . We have automated tools to ensure that our contractors are complying with the requirements in nasa system just as any nasa employee would and as mentioned in the earlier testimony, we put in place controls and are continuing to strengthen those controls to ensure that authorized devices connect to networks. Who has oversight of contractor cybersecurity protocols . Is that your office . Due conduct oversight and audits of cybersecurity by contractors . Ultimately i am the acting chief Information Officer<\/a> and so it ensures compliance with cybersecurity requirements. Do you feel you have sufficient oversight and insight and ability to do that within your authorized, your authority . I believe within nasa i have been given appropriate authority and support but the environment is continuing to change, the dynamic landscape, it is no longer just computer and the laptop on your desk would expand to Operational Technology<\/a> invented within the system is so i would say it is challenging with that evolving landscape and we continue to mature our processes. Stepping back to the challenges during covid19, a question for Mister Martin<\/a> and Mister Seaton<\/a> and hopefully we will get to doctor burley. The memo your predecessor published on april 8th warned of increased attempts in cyberattacks during a covid19 and my first question to you is how has the rate of cyberattacks changed since that memo in april and what steps have been taken to respond to those increased attempts . We have an increase in phishing attacks and at a lower level some other attacks but the change to the pandemic operating level is consistent with how nasa has operated in the past which supported a mobile workforce and put in place controls and technologies, with automated prevention of phishing attacks. And it comes down to it you are the most vulnerable part, the people. We try to put in place automated controls to make that easier and seeming significant improvements in Phishing Protection<\/a> this in the last two years. My time is coming to a end, what is your confidence level, as reported by the us cio. Overall making incremental improvements, heading in the right direction but there is a new realization the last couple years of the expanse and significance, we are cautiously optimistic. I recognize Ranking Member<\/a> babin for five minutes of questions. I hope i am an muted. I want to address this to Mister Seaton<\/a>. Two weeks ago, the science space policy director, for Space Systems<\/a>. The policy of the United States<\/a> that executive departments and agencies foster practices within government Space Operation<\/a> in the commercial space industry that protects space assets and supporting infrastructure from cyberthreats and ensure continuity of operations. As nasa increases its use of publicprivate partnerships how will you ensure contractors comply with this policy without implementing regulations. Thank you for the question. Congresss focus on space cybersecurity is critically important to us. We are currently in the process, analyzing spd 5, the best practices we are already implementing and looking to strengthen our cybersecurity within our missions as well as our contract partners. My question would be Inspector General<\/a> paul martin. Your Office Issued<\/a> a report on the jet Propulsion Laboratory<\/a> cybersecurity management last year. Jpl unlike other nasa centers is managed by contractors highlighting the fact that nasas contract with caltech did not include relevant requirements from nasa, it security policies. Has the oig conducted a review for other nasa contractors, include necessary clauses, how many has your Office Conducted<\/a> . Thank you. Weve not conducted a separate audit looking at that specific issue. If i could double back the concerns we had when nasa entered a 5year contract with caltech the contract was absent significant it oversight provisions. We have since followed up and found out jpl has issued and nasa has accepted and we reviewed and meet the criteria, the federal oversight it oversight is going to happen at jpl. Thank you. Does the oig conduct compliance to determine if contractors are fulfilling contractual obligation, how many has your Office Conducted<\/a> . A number of Program Audits<\/a> that look at the programs run by these contracts, part of that review includes a dive into the contracts to make sure the Research Security<\/a> requirements are not only in the contract, but fallen. Is this a more appropriate role for the nasa cio or Procurement Office<\/a> to conduct rather than the oig. The cios office and procurement have to ensure at the outset the appropriate Security Issues<\/a> are contained in the audit themselves, will show, you need to ensure they are being infected, limited capacity like most organizations to target high risk, highvalue on this audit. They adopted videoconferencing to adapt to social distancing requirements. And videoconference platforms not allowed for use beyond technical characteristics, concerns over foreign influence, what every one of you have to say. I will start with that, a set of approved tools and gone through appropriate Security Validation<\/a> which includes assessing externally to those environments. Other tools are not approved for use in that. Is approved tools. Doctor early, do you want to add to that at all . Most agencies and other organizations have the list of approved tools. Madam chair, i spent all my time and yield back, we appreciate it very much. Thank you very much, recognized for five minutes. One of the biggest problems with this remote stuff is when someone like doctor babin is Walking Around<\/a> with his phone and feel like were in the blair witch project but that is another problem. My questions are for you, and Mister Seaton<\/a> mentioned the most vulnerable spot for hacking and cybersecurity, the individual, the person. Talk about novice users not familiar with the equipment and security protocol, employees under duress, with cybersecurity, for of folks having trouble because they are a distracted and fatigued for your terms. The Personnel Department<\/a> is one of the keys. The agency being done to help the individuals, in this anxious period, maintain cybersecurity. Reporter it is a collaboration, the Hr Department<\/a>, every agency has Cyber Security<\/a> awareness they have in place within the organization, and outside. Those awareness programs need to be adapted recognizing, and they are working around other people. Family members and others in their environments so we have to take a hard look at those awareness programs and recognize they need to be adapted based on the current realities but absolutely Human Resource<\/a> professionals need to be involved to provide support so they are able to focus on not only doing their work but doing their work. Hadnt even thought of it. People are working from home, kids in the background and whoever might be in the background, not like the officer nasa headquarters, safe and secure. I will yield back but i do think this really is cooperation between the Hr Department<\/a> and technology folks. All three speakers have focused on that but in this pandemic it is critical. Thank you for holding this hearing. Cybersecurity. The Inspector General<\/a> stated nasas high profile makes the pardon of computer hackers as stated earlier. Making the agency a bigger target. In june, the Inspector General<\/a> said it is vital to review the program to protect the confidentiality, integrity and availability of its data systems and networks. This is not a new problem facing nasa, including in 2014 that nasa networks are compromised and individuals are not held accountable. And nasa authorization bill in 2015 to address this, for control violations. The recommendations to nasa making sure risks of Information Security<\/a> for data protection, to keep the data secure. The Inspector General<\/a>, threats are increasing and that is in fairness, Risk Management<\/a> and government practices to safeguard Cyber Security<\/a> threats. Inspector martin, it was noted the Inspector General<\/a> that nasa is an attractive target for bad actors, to present the Security Threat<\/a> from nasa. To secure Information Technology<\/a> for the supply chain and the Inspector General<\/a> referring to Cyber Security<\/a> cases yet. Yes, yes, no, i am joking. China is one of the foreign entities, china is not the sole into t country out there that is seeking nasas intellectual property. Nasa is taking steps and has been to secure its intellectual property and networks from attack both from china and a series of other countries and local hackers because we conducted a series of criminal investigations and we work with the fbi and counterintelligence officials with these issues. To you and Mister Seaton<\/a>, cybersecurity taking the necessary action for the administration in 2014 with recommendations identified by the Inspector General<\/a>. Happy to report we closed out all the recommendations, there were quite a few that improved our security. Thank you. Doctor early, should the National Academy<\/a> demonstrate for vulnerabilities. The opportunity for National Security<\/a> studies, i would say yes. The chair recognizes mister buyer for five minutes. Thank you very much. Thank you for joining us today. In the course of the pandemic, our office has done the same and make sure they have issued equipment including laptops and phones. It is surprised the personally owned devices connect to internal systems and oig was critical of your not monitoring or enforcing the with access so how do you make sure the proper equipment, if they are not issued equipment, making sure those devices are secure . Great questions. We do require the use of nasa provided equipment. We do provide them the tools they need. In the last few years. And we did allow personal devices, that is no longer allowed by policies. And create the security, with a secure connection for encountering system. And we do have opportunities, the automated controls to ensure what is happening, Network Access<\/a> control and the pandemic impacted, and in our network, there is a little more. Encouraging to note the stuff you have is more important than what is in my network. You talked about the nasa system of unauthorized access to deep space network. Other than personally identifiable information what are they after and how much of this is china, russia, other nations interested in this space and will this, could this affect our Lunar Missions<\/a> or mars mission, james webb, the big important things nasa is doing . Nasa has vast troves of information and capital it has spent decades amassing. Country actors are after that in formation, innovation around the world, everything from pii, contractible data on the system so there is a vast and wide array, we had a fleet that has been under attack from domestic and foreign cybercriminals so it is just an ongoing difficult issue to keep nasas defenses up. Professor burley, one of the challenges nasa has is so many of us have nasa facilities near or close. Are there other examples of systems that are similarly decentralized and secure the it systems . The cio, centralized systems outside that be used as a guide to think about best practices and other strategies for securing the networks. We debited to Mister Seaton<\/a>. That the permit of commerce had 13 different cios. Do you have the same challenges in nasa . There is one cio, others report to me, a single it strategy for almost a decade weve been working, to operate as a peaceful unit. Acknowledging there are weaknesses in our centers and consistent policies, we are not moving in the enterprise direction significantly. I yield back. Thank you very much. You are recognized for five minutes. Appreciate it and the testimony of the witnesses today, very exciting time for nasa and challenging with unique dynamics in play. A few questions for all of you. I come from a company where i was a Program Director<\/a> for a large air breather program that was classified and unclassified elements to it. One of the big challenges we had was the classified elements fell under requirements that as the chairwoman was asking about on the classified side as far as compliance, those requirements led to onerous costs to suppliers and lowerlevel supply chain folks. What are we able to do . What is nasa doing to make sure the Small Businesses<\/a> that are critical element of your supply chain are not necessarily getting overwhelmed with cybersecurity requirements or Cybersecurity Development<\/a> of Software Development<\/a> is their form of being dissuaded from entering the support chain . Are we able to provide it to slow down to lowerlevel suppliers to make sure they are baking in these Cyber Security<\/a> elements in prospect of programs . How do we communicate with those lower tier supply chain folks . Booster seton, we start with you. Making sure all our suppliers and providers appreciate the significance of Cyber Security<\/a> and building that into the solutions, a requirement of doing business with supply chain Risk Management<\/a>. In section 889, required us to certify anybody we are doing business with complies with supply chain restrictions federal wide. That builds into practices. Balancing the Risk Mitigation<\/a> efforts that are critical and the essential, making sure we are not driving key suppliers out of business or out of industry or out of your business, that is a delicate balancing act as well. The cost of having a compromise, significant to those, are they looking to package for Software Programs<\/a> to download to the lowerlevel suppliers, or is it ad hoc depending on what the mitigation, the threat mitigation is. I cant speak to the individual practices of the suppliers. Characterizing classified versus unclassified, are you able to speak to what percentage of your networks are on classified networks and is one of the sides lagging the other . Do you see any more threats on the classified side or fewer threats but may be more critical impact to those networks or how would you characterize unclassified versus the hike time . My office is responsible for the unclassified side. We work with the office of protective services on classified side. We have little or no work on the classified side at nasa. Okay. Thats good enough. Okay. I would just, we hosted Small Business<\/a> summit with Kevin Mccarthy<\/a> and nasa administrator bridenstine a couple of weeks ago. The cost of entry into the supply chain for all Space Programs<\/a> is pretty high for some of the small suppliers. I would just end with lets try to enable them, make sure we giving them the tools to be successful and be able to defend not only the networks but yours obviously as you are suppliers as an navigate this challenge and hopefully look to synergize Lessons Learned<\/a> and download those through contract requirement lowdown documents. Really appreciate your time and good luck with the upcoming launch as well. Thank you. I yield back. Thank you, mr. Garcia. And now for the other very member of our subcommittee who was reliable and with us, mr. Weber, you are recognized for five minutes. If we can get you a lot of people who wanted me, but nonetheless. Thank you for that, chairwoman. I appreciate the opportunity being here your you asked the question about how many attempts per month less identify last year that i to follow up on that by saying how does that compare, mr. Seaton, to the inclusion attempts per month this year during covid . Are you making a distinction there . Yes. Not that direct comparison embassy fluctuations based on our insight which is increasing so sometimes that is cause for higher numbers. We have seen a number of phishing attacks and Malware Attacks<\/a> at various times throughout the band director that hasnt been steady study. The fluctuating. Any idea, 10 , 20 , 5 increase . At one point back we saw doubling of phishing attacks but again there been other weeks where it is been lower. I do think because of the pandemic people looking for the opportunity to attack and will continue to. Theres been a lot of discussion about having personal devices being at home on of the kind of security firewalls if you will. If its Sensitive Information<\/a> i know you said you work for the fbi, task force, forget the terminology used but Sensitive Information<\/a> if you get it to us to be interesting to have because my staff what to follow up into discussion with mr. Garcia. You all talked about before do that let me go to martin real quick. Mr. Martin, understanding this scary is supposed to be nearly focus on Cyber Threats<\/a> during covid, since youre here with us i thought it would be appropriate to discuss some of the things weve been talking about with china, for example. During this intellectual property threat obviously to the aerospace your supply chain, john talked about a little bit, your mr. Garcia, drink this weeks air force association airspace and cyber conference is revealed longtime dod and nasa launch provider proactively identified and cut ties with the supply that was a Security Risk<\/a> due to chinese ownership it were you aware of that, mr. Martin . I was not, congressman. Okay. In thomas earlier i would go back to mr. Seaton, his exchange with garcia that he said he couldnt speak to suppliers, or speak for the suppliers. Was that what you were saying to mr. Garcia . I said that i could not speak to how they were structuring their Business Operations<\/a> to meet the federal requirements. Shouldnt that be something we are looking at . I dont mean to sound too skeptical but shouldnt nasa and all u. S. Defense companies should be taken a proactive posture to know exactly what safeguards are in place across the supply chain . Totally agree. So how they go about doing it is what im saying that we are not in their Business Operations<\/a>. Validating that they are complying with requirements is something that weve been doing for years with our supply chain Risk Management<\/a> efforts, ensuring the things that we buy are free of risk, through coronation with the fbi and the making sure even within their organization they do not have i. T. Equipment provided by prohibitive providers. So yes, we are actively involved in ensuring that level of compliance. But you say how they go about it, youre not necessarily involved in, but shouldnt there be some level of protocol for lack of a better term, some threshold, some safeguard that has to meet minimum safeguards and somebody has to be looking over their shoulder in that regard, is that fair to say . Again, compliance with our cybersecurity requirements this absolutely critical and that is our responsibility. Their Business Practices<\/a> of what im saying we are not getting in the middle of. Would you say in this instance where that supply was identified that it be worthwhile to go back and see exactly how that happened, how that supplier at the proverbial camels nose under the tent . I think its in the federal government best interest to understand where vulnerabilities come from so certainly. Whose responsibility is that . I think its the shared responsibility. Between who . Between the federal agencies that are responsible for our cybersecurity policy as well as an agency that would be interacting with a specific provider. Is that something you could follow up with our office on and tell us who those agencies are and who has responsibility for the agency . Im talking about addressing this particular instance and how it was discovered and how we got there and what steps will be taken to prevent some recurrences. Can you follow up . We will take that as as a question for the record, yes. I appreciate that. Madam chair, i yield back. Thank you very much, mr. Weber. Appreciate your questions and a social participation in the subcommittee. I think, i have a few more questions i want to follow up with and will have an opportunity for the members to do another round of questions if everyone is available to stay since were still have time. I want to follow up on a couple of things going back to some of the earlier questions about, one about the unauthorized devices or personal devices, and then i do want to follow up on mr. Webers line of questions on little bit more. Mr. Martin, the august 2020 iq report on unauthorized of course this year on nasas network cio office saying theres currently no authoritative way to obtain the number of partner owned i. T. Devices. I know mr. Seaton mentioned you are not allowed that anymore but it seems that still happening. Mr. Martin on wondering what the risk are not being able to identify and why that may be the case from your perspective in this report, and then mr. Seaton, i want to follow about what nasa is doing to improve its understanding and insight into those devices. So mr. Martin, if you want to start with that. Sure. Like i said at the outset nasa as a sediment oral remarks has been searching for that balance between use flexibility and system security. During the ten years ive been nasa is somewhat wildly from the 16th 16th i remember earlya number of years ago when he had a byob policy which was a bring your own device policy. Thats a sort of formulating nasa was about allowing employees and even contractors use personal devices. In the last couple of years nasas taken a much more measured approach and focus recently, still gaps the remain in the security of these mobile devices. As you indicate in the report that we issued just last month, a of implemented software but they havent wholly implemented the controls to remove or block devices from nasa systems that shouldnt be on a nasa system. They are also not adequately monitoring the business rules for granting access with the personal device to nasas network. They are not enforcing consistently the Business Needs<\/a> and are also not ensuring each of the mobile devices, the personal mobile devices that connect to the systems dont finally supply chain rules. Thank you very much, mr. Martin. Mr. Seaton, i know you taken steps in that direction. Can you speak to, i know thers been a delay but what you didnt come what nasa is doing to address these. Sounds like you may progress but what is nasa and what is ddio doing to address these asked an issue . As an agent ablate i think would benefit in implementing the dhs continues diagnostic Mitigation Program<\/a> where cdm phase one one identified what n the network and soviet tools in place to automatically detect whats on the network. Phase two which were in the middle of implementing right now is controlling whos on the network and that gets to the Network Access<\/a> control element mr. Martin spoke of. We will in the coming year be able, to enable those controls to be able to have a technologybased way to enforce the policy that is been issued by my office. Thank you very much. Just following up on a couple of mr. Webers questions. In terms of the insight, getting back to some of the first questions about contract requirements and how we control for suppliers and information, theres a balance between overly burdensome requirements and the opportunity for bad actors to influence or to gain access. Im wondering, mr. Martin, as potential authorities that nasa may need to be able to have additional insight or control or contracting provision to ensure that theres compliant all the way up and down the supply chain. Are there other provisions that may be needed . I will answer that by focusing inhouse on nasa. With commented for the last come we didnt audit in 2014, followup and 27 think and one of her concerns is that nasa is structured where whos ever sitting in the cio position doesnt have full insight into all of nasas systems. In fact, doesnt have full control over the i. T. And forcing the i. T. Security requirements particularly in Mission Systems<\/a> and center based systems. Jeff and his colleagues have full control over what is known as the institutional systems, but they may have about 2530 of nasas overall budget so the lack of insight and oversight wielding the state that controls the money on the internet is a real governance issue. Thank you very much, mr. Martin. Mr. Seaton, do want to speak to that quickly . It sounds like you need additional authorities or insight and oversight. Actually i think that is been changing. I sit on the Agency Program<\/a> Management Council<\/a> and Acquisition Strategy<\/a> counsel as a full member so i had insight into major agency decisions. The Administration Fully<\/a> supports programs and plans were putting in place then the collaboration with the missions to ensure the systems are secure where we now have much more widespread effective consistent approaches to authorities to operate. I have been working with the council of deputies with the nest to ensure we have the appropriate Mission Leadership<\/a> and Senior Executives<\/a> designated as authorizing officials for those Mission Systems<\/a>. I do think were making significant progress. Thank you. Thank you very much, mr. Seaton. Mr. Papen, you are recognized for five minutes, if you have more questions. Can you hear me . Thank you. I do have some more questions. I wanted to address this to all the witnesses if possible. How many intrusion attempts per month that nasa identify last year . How does that compare to the intrusion attempts per month this year during covid, that this information is sensitive, please provide a response to the staff after hearing concludes. If i could take the specifics of the question for the record, and i can speak in more general terms. As i mentioned before i think the measurement of intrusion continues to fluctuate based on our insight into the network, and that is increased. In some cases we see an increase in terms were seeing more of whats happening and we are to the point now where weve got a pretty solid visibility into our network today. But then i can person specific month by month would have to take that and get back to you. Okay. All right, thank you. I think i will yield back, madam chair. Inc. Very much, mr. Babbitt. Mr. Beyer, you are recognized. Madam chair, i have no more questions. I keep learning but i yield back. Excellent, thank you. Mr. Garcia . Thank you, madam chair. Just a quick question. The old adage that the best defense is a good offense this kind of appropriate here. Mr. Seaton, are you happy with the support you are getting from other Government Agencies<\/a> in terms of the development as, at the National Level<\/a> we develop offensive cyber capability that informs your defensive cyber techniques and vulnerabilities . Are you comfortable and satisfied with the communications i want to say, two other Government Agencies<\/a> that should be informing as to where the state of the art is going in terms of offenses cyber capabilities, which may be in hands of the bad guys and be within our own domestic networks. If not, where can we help to maybe improve your ability to leverage the development of other equities outside of nasa . Back, i think the administration has been supportive of our need to continue with the appropriate focus on cybersecurity, and i think that nasa has effective relationships with our counterparts that can provide as counterintelligence information as well as best practices on cybersecurity, the cio across the federal agencies engaging to ensure information is another effective mechanism from that information sharing. So the historical, i will call it historical evidence over the last two years ago, have been any surprise, surprises i guess where it was a completely unknown writer come in to an unknown technique or vulnerability that really had not been discussed . I know there are sensitivities about how much you can say here, but you know, any sort of unknown writers that just completely cut you off guard that we ultimately found out another equity throughout the government may have been aware of . Yeah, i think because of the dynamic landscape were going we want to minimize those, right . What i will say there have been times when other agencies have observed activity and contacted nasa and then we would partner on that. Again i think the mechanisms are there. Thats good. Thats encouraging to hear. A lot of Lessons Learned<\/a> have been learned several times before, so if we could avoid duplication of Lessons Learned<\/a>, especially in this cyber domain thats a huge benefit to you guys. Thank you. I yield back, madam chair. Thank you very much, mr. Garcia, and thank you to all of our members for the thoughtful, intentional questions, and to all of our witnesses. Its clear that these are critically important issues that nasa is facing as well as some important Lessons Learned<\/a> during covid19 as dr. Burley stated that these are not normal times. For strategy during covid19 are important but also inform cybersecurity more broadly. And i think it sounds, nasas making progress but as authorizing committee would want to ensure that you have sufficient authorities and funding capabilities to have strong cybersecurity practices and protocol in place, and we continue to move forward with recommendations and implementations of the gao, and other strategies that ensure not just the 25 that you have authority, direct authority over, but the contractors, especially given some of the things we had seen. So unless any of our members have further questions, we will bring this hearing to a close today. I want to thank the witness again for your testimony and for your time and for what you do. The record will remain open for two weeks for additional statements from the members and additional questions of the committee or committee or members may ask of the witnesses. Thank you all again for your time. The witnesses are excuse and the hearing is now adjourned. Cspans washington journal. Every day we take your calls live on the air to discuss the news of the day and policy issues that impact you. Coming up, the chairman of the board of the Iran Institute<\/a> discusses the cdc to discusses the temporary ban on evictions. Then, the executive director of wouldwellill Climate Center<\/a> washington journal, live at 7 00 a. M. Eastern saturday morning join the conversation with your phone calls, facebook comments, texts and. Texts and tweets. Campaign 2020 coverage continues with candidates campaigning and debating. Cspan, your unfiltered view of politics. In just a few minutes, we will take you live to minnesota for a Campaign Rally<\/a> with resident from. Before departing the white house, the resident spoke to reporters about fbi director Christopher Wrays<\/a> recent testimony before a house attorney general William Barrs<\/a> Job Performance<\/a> on the coronavirus pandemic. President","publisher":{"@type":"Organization","name":"archive.org","logo":{"@type":"ImageObject","width":"800","height":"600","url":"\/\/ia601709.us.archive.org\/22\/items\/CSPAN_20200918_213600_House_Hearing_on_NASA_Cybersecurity_During_Coronavirus\/CSPAN_20200918_213600_House_Hearing_on_NASA_Cybersecurity_During_Coronavirus.thumbs\/CSPAN_20200918_213600_House_Hearing_on_NASA_Cybersecurity_During_Coronavirus_000001.jpg"}},"autauthor":{"@type":"Organization"},"author":{"sameAs":"archive.org","name":"archive.org"}}],"coverageEndTime":"20240716T12:35:10+00:00"}