Chairwoman Eddie Bernice Johnson (D-TX),submitted the following opening statement for the record.
Good morning Chairwoman Horn, Ranking Member Babin, and Members of the Subcommittee. To our witnesses, welcome and thank you for being here.
As we ushered in 2020 and a new decade, none of us could have predicted that we’d be here today, six months into a new way of living and working in order to protect our own and others’ health from COVID-19.
Thanks to the internet, information technology, and communication services, many Americans can continue to interact with family and friends—albeit virtually—and work remotely. That includes NASA’s workforce.
To its credit, NASA is accomplishing a lot in this virtual, telework environment, though some mission-essential employees are still working on-site.
NASA and its partner, SpaceX, successfully carried out a commercial crew demonstration mission to the International Space Station;
the Orion program completed key reviews to certify that the crew vehicle is ready for flight;
engineers are operating some science spacecraft from their homes; and
the OSIRIS-REx team successfully completed a final dress rehearsal in advance of collecting samples from asteroid Bennu next month.
I’m pleased that NASA’s can-do spirit is prevailing, despite the challenges of this pandemic. But with so many important NASA operations being carried out away from the institutional security of NASA facilities, I’m concerned about cybersecurity.
Space is hard and risky, and NASA has exceptional skills at managing risk. When it comes to cybersecurity and information technology management, however, NASA struggles.
The agency continues to lack a cybersecurity risk management strategy, as recommended by GAO, and both GAO and the NASA Inspector General have cited information security as a top challenge for NASA.
Unfortunately, NASA’s lagging performance on cybersecurity isn’t new, it’s a continuing problem. For many years, NASA IG and GAO reports have identified deficiencies and management challenges in NASA’s information security.
And now, with COVID, NASA—like other organizations—must protect against cyber criminals and malicious actors who are increasing their efforts to access government, business, and personal data and IT systems while employees work from home.
I have no doubt that NASA officials are working hard to keep the agency’s IT systems and data safe, and I understand they are making some progress.
However, long-standing, recommended actions to improve NASA’s cybersecurity have been left undone. In addition, the agency’s approach to IT security is fragmented and the Chief Information Officer continues to lack the ability to manage NASA’s cybersecurity efforts across the agency. NASA can and must to better.
In closing, NASA is a catalyst for inspiration, an engine of discovery and innovation, and a world leader in the peaceful uses and exploration of outer space.
We can’t afford to let bad actors and cyber criminals threaten the safety and success of NASA’s science, aeronautics research, space technology, and human spaceflight programs.
I look forward to hearing from our witnesses on what is needed to ensure that robust and effective cybersecurity protections are in place at NASA now, during COVID-19, and into the future.