Wednesday, June 25, 2014

NASA Hacking Issues: Unauthorized Access to it's Technologies

A few days ago the U.S. Government Accountability Office (GAO) released its findings related to unauthorized access to NASA's technologies by foreign entities.

Auditors found weaknesses in NASA's export control policy and implementation of foreign-national-access procedures at some centers.

While NASA policies allow Center Directors wide latitude in implementing export controls at their centers, federal internal control standards call for clearly defined areas of authority and establishment of appropriate lines of reporting.

However, NASA procedures do not clearly define the level of Center Export Administrator (CEA) authority and organizational placement, leaving it to the discretion of the Center Director.

GAO found that seven of the 10 CEAs have organizational positions that are at least three levels removed from the Center Director.

Three of these seven CEAs stated that their organizational placement detracted from their ability to implement export control policies, because such positioning makes it difficult to maintain visibility to staff, communicate concerns to the Center Director and obtain needed resources.

Both the GAO and the NASA Inspector General reported instances in which two centers did not comply with NASA policy on foreign national access to NASA technologies.

For example, during a four-month period in 2013, one center allowed foreign nationals on a major program to fulfill the role of sponsors for other foreign nationals, including determining access rights for themselves and others. Of course, each such instance risks damage to national security.

Due to access concerns, the NASA Administrator restricted foreign national visits in March 2013, and directed each center to evaluate compliance with foreign national access restrictions and develop corrective plans.

By June 2013, six centers identified corrective actions, but only two set time frames for completion and only one planned to assess the effectiveness of actions taken.

Without plans and time frames to monitor corrective actions, it will be difficult for NASA to ensure that corrective actions are effective.

The GAO further stated that export control officials and CEAs at NASA headquarters lack a comprehensive inventory of the types and location of export-controlled technologies, and officials have not addressed deficiencies raised in oversight tools, limiting their ability to take a risk-based approach to compliance.

Export compliance guidance from the regulatory agencies of State and Commerce Departments states the importance of identifying controlled items and continuously assessing risks.

While NASA headquarters officials acknowledge the benefits of identifying controlled technologies, they have stated that current practices, such as foreign national screening, are sufficient to manage risk and that they lack resources to do more.

But, recently identified deficiencies in foreign national visitor access discussed above suggest otherwise.

Nevertheless, three CEAs have established early efforts to better identify technologies which could help focus compliance on areas of greatest risk.

For example, one CEA is working with NASA's Office of Protective Services Counterintelligence Division to identify the most sensitive technologies at the center to help tailor oversight efforts.

Such approaches, implemented NASA-wide could enable the agency to better target existing resources to protect sensitive technologies.

NASA and all other government agencies, U.S. companies and U.S. citizens must be aware of technology export controls.

There is a comprehensive set of U.S. laws and implementing regulations that govern the distribution to foreign nationals and foreign countries of strategically important technology, services and information for reasons of foreign policy and national security.

Licenses from the Department of State or Department of Commerce may be required to export certain technologies.

In such cases an "export" is any oral, written, electronic or visual disclosure, shipment, transfer or transmission of commodities, technology, information, technical data, assistance or software codes to any person or entity outside the U.S. including a U.S. citizen, a non U.S. individual wherever they are and a foreign embassy or affiliate.

Enforcement is the responsibility of the: Department of State for International Traffic in Arms Regulations (ITAR);Department of Commerce for Export Administration Regulations (EAR); and Department of Treasury: Office of Foreign Assets Control (OFAC).

ITAR deals with the transfer and export of inherently military technologies. EAR deals with the transfer and export of "dual use" equipment, materials and technologies.

OFAC deals with the prohibition of certain transactions with countries subject to boycotts, trade sanctions and embargoes.

Every U.S. entity or person that is concerned, or deals, with the export of technology must be aware of the laws and penalties associated with improper handling of such technologies. Launchspace can help through its offering of a one-day course on "Facilitating Export Licensing of Space Systems."

This course offers a detailed look at the U. S. Government's controls over the export of space systems and related technologies. Topics include an introduction to export licensing, required agreements and licensing exemptions.

The latest developments and changes to these laws are discussed. This course can be presented at your facility when you need it.

No comments:

Post a Comment