A laptop stolen from NASA last year contained command codes used to control the International Space Station, an internal investigation has found.

The laptop, which was not encrypted, was among dozens of mobile devices lost or stolen in recent years that contained sensitive information, the space agency's inspector general told Congress today in testimony highlighting NASA's security challenges.

NASA

"The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station," NASA Inspector General Paul K. Martin said in written testimony (PDF). Another laptop contained sensitive information on the NASA's Constellation and Orion programs, as well as Social Security numbers, he said.

Some 48 agency devices were either lost or stolen between April 2009 and April 2011, resulting in the unauthorized release of sensitive information such as personally identifiable information, third-party intellectual property, and export-controlled data. During 2010 and 2011, NASA experienced 5,408 computer security incidents that resulted in unauthorized access to systems or the installation of unauthorized software, costing the agency an estimated $7 million.

However, because the reporting system is voluntary, these numbers may not represent the full extent of the security threat, Martin said.

"NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," he said.

Martin said in 2011 the agency was the target of 47 cyberattacks known as advanced persistent threats (APTs), which are executed by well-resourced individuals or groups intent on stealing or modifying information without being detected.

Of those attacks, 13 successfully compromised agency computers, Martin said. One such intrusion resulted in the theft of user credentials for more than 150 NASA employees that could have been used to gain access to agency computer systems.

Another such attack, which is the subject of an ongoing investigation, targeted the Jet Propulsion Laboratory in Pasadena, Calif. Intruders using China-based IP addresses "gained full access to key JPL systems and sensitive user accounts," Martin said.

Martin paints a discouraging picture of the state of security at the agency, pointing out that while the government-wide rate of mandated encryption was 54 percent, only 1 percent of NASA portable devices have been encrypted.

"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," Martin said.