Summary: Pursuant to a congressional request, GAO reviewed the National Aeronautics and Space Administration's (NASA) Space Physics Analysis Network (SPAN), focusing on: (1) SPAN characteristics; (2) instances of unauthorized use of the SPAN system; and (3) steps NASA took to minimize unauthorized SPAN use.
GAO found that: (1) SPAN was a worldwide computer network that the scientific community used to conduct NASA space and earth sciences research; (2) although SPAN did not contain any classified or sensitive data, NASA designated it a sensitive system because recovery from unauthorized access or viruses could potentially cost over $100,000; (3) NASA could prosecute any unauthorized access to the system, but had no mechanism to ensure that the more than 6,000 node managers implemented the security guidelines or that each node did not contain classified or sensitive data; (4) although SPAN began operating in 1981, NASA did not require formal reporting and investigations of computer security incidents until 1988; (5) NASA reported two incidents that occurred before 1988 but filed 27 reports after it established the reporting system, reporting that unauthorized users successfully gained access to SPAN 67 times; (6) except for any damage to scientific data and disruption of services to users, NASA incurred only the costs associated with computer and staff time to investigate the incidents; (7) NASA took various actions in response to the security incidents, but did not perform a required risk analysis to ensure that its actions provided adequate security protection for SPAN; and (8) NASA continued to report a computer security internal control weakness in its annual report to Congress because of existing deficiencies in the conduct of risk assessments and incidents of unauthorized access to SPAN.
