NASA breach shows there is something wrong with data rules

Two months ago, the US National Aeronautics and Space Administration (NASA) got hacked, yesterday it told employees. For just over eight weeks, employees were blissfully unaware they were the victim of cyber-crime.

In an internal memo sent to staff on December 18, the NASA management team informed employees servers containing personal information on current and former employees had been hacked on October 23. The agency still does not know the full extent of the breach, though personal information has been compromised, included social security numbers.

For those involved in the breach, nothing might happen. Or, the personal information stolen could be used for a number of different things including ruining credit scores or open credit card and bank accounts in the individuals name. In this instance, the effected individuals have not been able to do anything to protect themselves.

“Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within,” the memo states.

“NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.”

This is the issue with data protection and privacy laws at the moment. NASA may have wanted to inform employees and the world about the incident at the time, but they might not have. There are also rules in the US which dictate NASA could have been forced to keep quiet about the incident by law enforcement agencies during an investigation. While this might be the best way to catch the hackers, that will come as no comfort to those who are potentially impacted by the incident. They were left in the dark.

This is an example of government sacrificing the individual for the greater good. Authorities might be able to justify such actions by catching the hacker, thus making the world a slightly safer place for everyone else, but what compensation is that for the people who get hurt. This rule might fit into the bigger picture scenario of government, but if even one person has been ripped off because of this delayed information, NASA and the law enforcement agencies failed that person. For us, that is not good enough.

Perhaps there is a middle ground. The employees are informed but held under some sort of non-disclosure agreement. The individual can take action to protect themselves while simultaneously allowing the law enforcement agencies to act without fear the hacker will go underground.

More than anything else, this incident perhaps shows the inadequacies of rules and regulations today. The speed at which damage can be done in the digital world is startling, and people need to be as vigilant as possible. This means having all the available information to make informed decisions. This rule might have worked in a previous era, but it is outdated in today’s digital society. Let’s hope no-one feels the sharp end of the stick.

Even Google can get hacked… maybe

For those security staff who feel insecure or embarrassed about getting hacked, news that Google may have been disrupted by an external irritant will come as some comfort.

On November 12 for approximately 30 minutes as some services became unavailable after traffic was being rerouted through other networks. The company has not disclosed the specific nature of the disturbance, though it also hasn’t ruled out nefarious individuals.

“The issue with Google Cloud IP addresses being erroneously advertised by internet service providers other than Google has been resolved for all affected users as of 14:35 US/Pacific,” the company stated.

“Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence.”

Network intelligence company ThousandEyes reported problems with its own G-Suite services, noting internet traffic from its own San Francisco office was traversing through China and Russia on its way back to Google, sparking some concerns. Unfortunately for ThousandEyes, this wasn’t a problem limited to the San Francisco office and was affecting all locations around the world.

No company is immune to the shady corners of the internet, though some would assume an organization as savvy and powerful as Google would be safer than most. Although the disturbance only lasted for a short period of time, for 30 minutes traffic was traversing through some countries which have a history of monitoring communications lines.

While this would be a perfect opportunity to jump on the ‘China is evil’ bandwagon, what is worth noting is traffic would drop upon hitting the Great Firewall of China, according to ThousandEyes’ investigation. Therefore it is logical to assume the attack was either an internal glitch from Google, or an external attack from someone aside from China.

For those who are constantly battling against the dark forces of the internet to keep customers and employees safe from prying eyes, take some comfort that even Google can get rocked by hackers, potentially…