NASA Official Speaks to Cybersecurity ‘Language Gap’ in the Agency
Achieving cybersecurity at a federal agency means learning to speak the language of the program and mission managers who actually run the computer systems you are trying to protect against hackers and cyberspies, said Rob Powell, senior cybersecurity advisor in the Office of the CIO at NASA.
“NASA’s culture is that sometimes mission directors speak one language and the corporate CIO, corporate cyber policy, speaks a different language,” he told the audience during a May 13 CyberLEO conference.
Relationships are also vital in this culture, he said: “When I first came to NASA, I had someone tell me, ‘Nothing happens in this agency unless there’s a relationship.’”
That was a bit of an exaggeration, he added: “But I’ll tell you that relationships help absolutely. When you can look at the other side of the table from someone and develop a certain relationship … it makes a big difference.”
Powell said his first task in the job, which he started in 2016, was to start building bridges and connections and developing relationships.
More importantly, he had to learn to speak with program and mission leaders in their own language to address their priorities. “It forced me to get out of my cybernetics mindset it’s all,” he said. “I eat, sleep and breathe cybernetic. But guess what? For program managers, cybernetics is just one of the many risks they have to balance. … And if you can’t clearly articulate the problem of cybersecurity in terms of the risks of your programs, the potential for failure or success of the mission, they won’t have time for it.”
To address this language gap, Powell said the agency had drafted a document outlining the 30 most critical cybersecurity controls based on the threat, likelihood and consequences landscape.
Following comments from mission and flight managers on other best practices and cybersecurity standards enacted at NASA, the new draft was written in terms familiar to those managers, Powell said. “We wrote these controls to be specific to the NASA flight community. So they would understand not only what we ask them to implement, but also how they could validate each of these controls as implemented in a flight program environment.”
The draft is pending comments to the agency, he said, and although NASA leaders hope to release it when it is finalized, it is not currently public.
Other cyber challenges at NASA include issues with how cyber risk is quantified, he said. Although there is a long-established practice of developing risk management plans for NASA programs, some of these plans do not include a cyber component, because many program managers did not know how to quantify cyber risk, he said.
Powell said the CIO’s office worked with program managers to help them understand the different evaluation criteria, critical assets and critical data, and then show them how they can use these tools “so that when the program’s risk management boards met, they had a clear understanding of cyber risks at the program level, and resources could be allocated as needed.”
New NASA Administrator Bill Nelson pushed for the agency’s commitment to addressing the language gap and other cyber initiatives. “From day one, they made it clear to the OCI leadership and the leadership of the agency’s mission that cybernetics is at the top of its list of priorities.”
Powell added that it is “a great experience to work in an agency where our leadership includes cybernetics, so our mission leaders understand that the leadership of the agency is driving it. That makes my job much easier.”