Private companies and universities. It is an hour and 20 minutes. Members should keep their video feed on as long as they are present in the hearing. Please keep your microphones muted unless you are speaking. If members have documents they wish to submit for the record, please email them to the Committee Clerk whose email address was circulated prior to the hearing. Good morning, everyone. I would like to welcome our distinguished panel of witnesses and members and those viewing plotely. Cybersecurity and nasa, ongoing to challenges and emerging issues for increased telework during covid19. In early 2020 the world was caught off guard with the dramatic rapid onset of the coronavirus. It shifted to a telework operations to ensure the health and safety of its more than 17,000 Civil Servant employees. To its credit, nasa prepared for the transition having held an agencywide telework exercise in early march and expanded telework operations. Today 75 to 80 of Civil Servants continue to work remotely handling reviews, oversight, engineering analysis and other activities. The shift to increase telework at nasa raises many questions. Front and center, cybersecurity. What does it mean for protecting nasas intellectual property, identifiable information and operations . How does it affect the agencys overall cyberSecurity Risks and what steps is nasa taking to ensure the effectiveness during the pandemic and beyond . These are some of the questions todays hearing will explore. What is clear is that nasa is a target. I want to pause here for a moment to net that an article in the hill today where the Justice Department has brought charges hacking a u. S. Satellite company. This is the timely. A recent report stated that given nasas mission and valuable technical and intellectual capital it produces, information it maintains presents a high value target for hackers and criminals. N 2019 administrator jim broadenstein said nasa is the most attacked federal Government Agency when it comes to cybersecurity. It has resulted in large amounts of stolen data. Installation and copying and modifying and deleting Sensitive Files and accessing servers. Cybersecurity Infrastructure Security Agency is a very Important Agency has issued specific alerts on vulnerabilities related to telework during the pandemic and encourages organizations to adopt a heightened state of cybersecurity. In april 2020, the agencys then chief Information Officer notified employees of increased hacking attempts on the agencys system. In june 2020, media articles reported that malicious actors congratulated nasa and space exon a temperature stragsestration flight and then they had infected and breached a nasa contractor. If true, it is a concerning report and part of reason were here today. Protecting nasas i. T. And data during the pandemic remains vigilant. However it doesnt begin and end with the covid19 crisis. The workforce has identified weaknesses and ongoing concerns with nasas information security. Further they have ranked this issue as a top agency challenge. Ensuring effective cybersecurity at nasa becomes more pressing given Rapid Advances in i. T. , supply chain risks. The partnership and the overall increase in space activity. Nasa is a national treasure. Its Missions Continue to inspire young and old. Nasas cutting age Space Technology and research is the envy of the world. Nasas accomplishments would not be possible o without computers, software and information system. Will nasa or any organization ever been b 100 risk free from cyberthreat . Probably not. Is there room for improvement . Absolutely there is. Givee todays hearing will understanding and whether or not nasa is mitigating those risks. The bottom line is we need to make sure nasa has the tools it needs and takes the necessary action to ensure the agencys success during covid19 and beyond. I look forward to our witnesses testimony today. I think we are there he is. Everyoneng member babb in. I know it can be a little bit of a challenge. The chair now recognizes Ranking Member babbin and my good friend from texas for an opening statement. We have three computers here. I couldnt get on but i got on one of my telephones. Any way we can do it, im glad to be with you. Innovation and ingenuity. I love it. The success with america shuttle ini, apollo, and International Space programs along with jawdropping robotic probes attract worldwide attention. Unfortunately that attention comes with many challenges. The technologies that nasa develops are sought after by criminal entities, unscrube scrupulous foreign governments and destructive vandals. Many of these technologies have both civil and military applications, these challenges are particularly gray and this is a topic this committee has focused on for decades. Mr. Martin testified before the investigations and oversight subcommittee almost 10 years ago on the topic of information security. At that hearing, he testified that an unencrypt laptop was stole frontline nasa that resulted in the loss of the algorithms used to control the space station and personally identifiable information and intellectual property. Similarly the u. S. China economical Security Review Commission noted in its 2011 report to congress that the satellites experienced at least two separate instances of interference consistency with cyberactivities against their command and control systems. More recently, the nasa i. G. Issued its report in july which found that Information Systems throughout the agency faced an unnecessarily high level of risks that threatens the the report concluded it is imperative the agency continue efforts to strengthen the Risk Management and government practices to safeguard its data from cybersecurity threats, unquote. Last month the i. G. Issued another report of nasas use of nonagency it devices and found nasa is not adequately securing its networks from unauthorized access of it devices, unquote. The nasa i. G. Is currently tracking 25 open recommendations from the office of the chief Information Officer. These do not include it and cybersecurity recommendations o mission direct rits or other observations in the nasa enterprise. Its startling but many reasons the recommendations remain open. For instance Agency Guidelines and best practices are often general rules and principles not optimized to the agencys expertise and challenges. For instance, nasa is the world leader in designing, building, operating and communicating with spacecraft. This expertise resides within the Mission Directorates and within the centers who cultivated this expertise over many decades. In some instances they develop the software and Information Systems and underlying Technologies Industries adopted and embraced. Even more extreme circumstances they continue to use one off operating systems that while perhaps not compliant with o. M. B. Governmentwide guidance are arguably more secure because of their uniqueness and obscurity. Efforts to bring these technologies into compliance with a one size fits all cookie cutter approach for development of enter price systems could actually introduce more risk into the system. This isnt to excuse the shortcomings identified by the g. A. O. Over the years. Lost laptops, unsecured devices and unauthorized access to systems and authorizations to operate and poor Inventory Management are all cause for concern which brings us to the situation that nasa currently faces. The covid 19 challenge requires most employees and contractors to work remotely and nasa has embraced teleworking for years, the standard of this practice introduces a larger target and more vulnerabilities for malicious actors to explode. In addition to teleworking challenges, im also interested in understanding what level of insight nasa has for contract cybersecurity as nasa moves to publicprivate partnerships. Finally, its worth noting President Trump recently issued space policy directive number five. Focused on Cybersecurity Principles for space systems. While its not covid inspectioned specifically, its particularly timing given todays hearing and demonstrates the administrations forward looking leadership on this very topic. I look forward to hearing more about these important issues and what nasa plans to do to mitigate as well as what congress and the administration can do to help. So with that, madam chair, i yield back. Thank you, Ranking Member babin, for your opening statement. We share many of the same concerns in this area and excited and grateful for the opportunity for this hearing today. If there are any members who wish to submit additional opening statements, the statements will be added to the record at this point. And now id like to introduce our witnesses. Our first witness today is mr. Jeff seton. In april of 2020 he was named nasas chief acting chief acting chief Information Officer. Lets see if i can get that out right. Prior to his current position he served as nasas chief Information Officer and spent seven years as the chief Information Officer at Nasas Langley research center. He began his career with nasa in 1991 as a Research Engineer designing robotic systems for space based applications and also served as langley chief Technology Officer and deputy c. I. O. He received a bachelors degree and masters degree in Electrical Engineering from virginia tech. Welcome. Were glad youre with us today. Our next witness is mr. Paul martin, Inspector General for the National Aeronautics and space administration. Mr. Martin has been the nasa Inspector General since define 2009. Before to his appointment he served on the department of justice and spent 13 years at the u. S. Sentencing commission including six years as the Commission Deputy staff director. Mr. Martin received a bachelor degree from journalism from Pennsylvania State university and a jurist doctorate from Georgetown University law center. Welcome, mr. Martin. Our third and final witness today is dr. Diana burly. In july 2020 she was appointed as vice provost for research and director of Public Administration at American University. Prior to her current position dr. Burly spent 13 years as a professor of human and organizational learning at George Washington university where she was the inaugural chair for the organizational and learning department and checktive leadership doctor at program and also managed a multimillion dollar computer education and portfolio for the National Science foundation. She received a bachelors degree of economics from the Catholic University of america, masters in Public Management and policy from Carnegie Melon University and masters and doctoral degrees in organizational science and information policy also from Carnegie Melon University. Welcome, dr. Burly. As our witnesses, you should know you each have five minutes for your spoken testimony. The written testimony will be included in the record for this hearing. Bhu have completed your spoken testimony we will begin with questions and each member will have five minutes to question the panel. Well start with mr. Seton. Mr. Seton, youre recognized for five minutes. Mr. Seton thank you chairwoman horn and Ranking Member babin and the subcommittee for space aeronautics allowing me to talk about nasa sec knowledge infrastructure and our efforts to manage and protect the infrastructure during the covid19 pandemic. Thankfully due to Strategic Investments made the last several years nasa was well positioned to keep our Missions Moving Forward to shift our work to telework. As a result nasa never has been closed and our work force has continued to work in a creative manner despite the highly contagious covid19 virus. With strict protocols in place nasa is allowing more employees on sight based on local conditions and guidance from the c. D. C. And other partners. The safety of our work force remains our top priority. At the same time protecting and effectively operating our it infrastructure continues to be another top nasa focus. It plays a krill cat Critical Role in nasas missions. However, effective it management is not an easy task. As nasas chief officer, it is my job to balance it capabilities with Operational Efficiency and effective cybersecurity to guard against evolving threats. During the pandemic, the demands and expectations placed on nasas infrastructure has been incredibly high and threats from external actors remain an ongoing concern. However, with hard work, dedication and innovation, nasas c. I. O. Team has risen to the challenge of keeping our Missions Moving Forward. For example, i. C. O. Developed software to track cases of on site covid19 exposures and also meeting all Security Privacy requirements. Additionally nasa continues to hire onboard new employees, contractors and interns with innovative approaches to provisioning and maintaining it systems and tools remotely. For nasa employees, the pandemic changed the way we worked. Some employees teleworked occasionally before the pandemic, having 90 teleworking salt the same time is Game Changing and theyve increased their use of virtual tools such as webx and Microsoft Teams to share face to face and share workplaces. Employees are dependent on nasas private network to connect to other systems. Our highest v. P. N. Rate was 12,000 users on a sing 8 day and today is supporting almost 40,000 daily users with an availability exceeding 99 . Thanks to architectural and capacity improvements implemented the past 24 months. Like other agencies, nasas infrastructure is under constant attack from well resourced and domestic and foreign adversaries and we main a popular target today. We continue to strengthen our capability to proactively defend and protect our systems and data. The reported number of cyberincidents continues to increase because we have greater visibility into our network, im confident nasa is strengthening our response to these threats. In fiscal year 2020 nasa developed a continuity operations capability to further enhance our Security OperationsCenter Located at the Ames Research center. Previously if operations were interrupted we had a limited ability to identify tech and respond to incidents. Today nasa sok operations allow us to remain 24 by seven operations at all times if there is a isolated disruption. With strength and tools and capabilities nasa is transitioning to a largely reactive to proactive cybersecurity posture. In april nasa removed the sok to ensure employee safety and did so without impacting our cybersecurity capabilities. In closing, i want to personally thank not only my oco staff and leadership but the entire nasa work force for the hard work and personal sacrifices theyve made during this challenging time. Our employees are finding new ways to keep Missions Moving Forward, support each other, balance work and family pressures and dedicate their expertise and personal time to developing technologies that are aiding in the National Response to the coronavirus. While no one is sure what the future holds, nasa Senior Leaders including myself are committed to keeping the nasa work force safe and providing them with the it tools and infrastructure they need to continue executing our missions. I want to assure you protecting and evolving nasas it infrastructure is and will remain a top agency priority. Thank you for the opportunity to testify before you today and i look forward to answering any of your questions. Thank you. Thank you very much, mr. Seton. Mr. Martin, youre now recognized for your testimony. Mr. Martin thank you. The nasa office of Inspector General has conducted a significant amount of oversight work to help nasa improve its Information Technology governance while securing its networks and data from cyberattacks. Over the past five years we issued 16 audit reports with 72 recommendations related to it governance and security. During the same period, weve conducted more than 120 investigations involving intrusions, service attacking and data breaches on nasa networks, s