NASA investigating 2023 theft of astronaut training devices
Months after the discovery that several iPads used for training astronaut crews had been stolen, NASA is still investigating the incident amid ongoing federal security concerns, and specifically the space agency’s approach to device management.
The theft was described as a “Houston SpaceX Unauthorized Access incident where 3 crew training ipads and 2 crew training IPads were stolen,” according to a personally identifiable information incident ticket document that FedScoop obtained via a public records request. The ticket references both the acronym for Johnson Space Center, which is based in Texas, and the Kennedy Space Center, where NASA launches astronauts on SpaceX’s crew module to the International Space Station.
The ticket, which was filed with NASA’s office of the chief information officer, says the theft was discovered on July 24, 2023. The reports obtained by FedScoop also show additional incidents involving PII, including other missing devices.
NASA did not answer FedScoop’s questions about the alleged theft, including whether a police report was filed, what kind of personally identifiable information might be on these devices, and whether they were owned by SpaceX or NASA. The space agency only said the incident was still under investigation and pointed to its procedures on lost devices.
“NASA takes the security of its information and information technology (IT) seriously. All users of NASA IT must read and affirm (and revalidate annually) the NASA Cybersecurity and Privacy Rules of Behavior that require incident reporting whenever government furnished property is lost/stolen or missing,” Jennifer Dooren, the NASA deputy news chief, said in an email. “Users are to immediately report IT security incidents and all suspected or confirmed loss of control over PII (personally identifiable information) or unauthorized disclosures of PII to NASA’s Security Operations Center.”
A message to SpaceX’s media email address did not receive a response. It’s not clear what components within NASA are involved in the investigation. The NASA Office of Inspector General did not provide a comment, and a September 2023 report to Congress did not appear to directly reference the incident.
The civilian space industry isn’t considered critical infrastructure, noted Sean Costigan, the managing director of resilience strategy at the software firm Red Sift, which means it’s not subject to the oversight, reporting and incident response procedures required of the defense industry. He added that it would be speculative to guess what personal information might have been on the devices, or if that personal information would even be valuable. Administrators have “profound ability to locate, lock, and wipe devices,” particularly on devices made by Apple, he noted.
The incident comes amid longstanding concerns about NASA’s cybersecurity and device management practices. Back in 2008, the NASA OIG office flagged in a letter concerns about lost and stolen devices, noting that the loss of one laptop “could have a profound impact on Agency operations.” In 2012, NASA noted that the theft of an encrypted laptop resulted in the loss of algorithms used to control the International Space Station. That was one of 48 incidents involving stolen devices that took place between April 2009 and April 2011, according to NASA testimony to the House of Representatives.
The topic has continued to come up. In 2014, a NASA OIG report found the agency did not, at the time, have an accurate inventory of mobile devices, including tablets. A 2021 NASA OIG report focused on the space agency’s cyber readiness, noting that lost and stolen equipment can be a “common attack vector” for cyber incidents and pointed to hundreds of instances of “loss/theft of equipment” annually.
A Government Accountability Office review published in 2018 found major issues with NASA’s cybersecurity operations, too.
“One would hope that the stolen iPads would have been encrypted and password protected so that the sensitive training information inside is preserved,” said Greg Falco, an aerospace and systems engineering professor at Cornell who focuses on aerospace cybersecurity. “iPads are interesting theft targets because while many devices are stolen for data, iPads are also stolen just for a high resale value. This theft could have been anything from someone trying to make a quick buck on the black market or a nation-state threat actor seeking sensitive data about how to train US astronauts.”
There have been other cybersecurity issues at NASA beyond lost devices. For instance, NASA confirmed to FedScoop that at one point, it deployed “mitigations” in response to three breaches of its social agency accounts that took place before 2021, though no other details were provided. Still, this incident raises questions about the extent to which NASA has addressed its lost device challenge — particularly as the agency expands its work with private companies, like SpaceX.
“Whether defense or civilian sector, the space industry is a prime target for cyber bad actors ranging from criminals to nation-states,” Costigan told FedScoop. “Given the dependencies and interactions with the physical world, the space industry needs to prepare for cyber incidents it is likely to have in the future.”
At the same time, lost and stolen devices remain an ongoing cybersecurity concern for the federal government more broadly. Last month, FedScoop reported on incidents involving employees with the Federal Emergency Management Agency that took their devices abroad, including to countries like China and Iraq, without authorization.
