Jeanette Hanna-Ruiz, CISO, NASA
There’s no organization in the universe quite like NASA. Jeanette Hanna-Ruiz is the chief information security officer at the agency. Her job is to handle the ever-growing task of digital defense while the agency’s army of technicians and research scientists figure out how to send people to Mars. The data passing through NASA is uniquely valuable, making it a target for foreign states and industrial espionage in an age where space is increasingly meeting industry.
What are some of the unique challenges that the agency but also you as the CISO face given that NASA is singular not just in government but also, almost, in the world?
In terms of being a government agency, there’s a few things. One, it’s not necessarily unique in that we’re federated. There’s a lot of agencies, like DHS, that have both TSA, CBP, ICE and these other places. The equivalent to NASA would be the centers.
The challenge for NASA is we do a lot of research and development. You could almost think of us as a community of scientists, almost like research scientists at a university. I think that poses a unique challenge because a lot of research needs to happen and you have to ask yourself the question: Is that going to happen on your corporate network where you’re collaborating with people all around the world that you may not necessarily know or does that happen in another setting that is not on your corporate network? Those are some of the things we’re talking about looking at. What is the best way to manage this very diverse system?
Then you look at the fact that we’re putting things into space. You look at some of the cool things NASA does like the Orion project or the space station and the collaboration that has to happen with the international community. Different than if you’re the State Department and you’re collaborating on international policy and standards. Here we’re actually collaborating with the Europeans, Russians, people in Asia to send things to space and get data back. Whether it’s data or human beings or instruments, NASA is collaborating and that is part of the supply chain of IT.
And so the integrity of the data getting beamed back here, how fast is it coming back, is security introducing latency, is that latency merited? Even just ensuring the intellectual property that could be monetized by another foreign state or a person committing industrial espionage. Sharing out information with those that we want to share with is one thing but [we have to keep] making sure that we’ve safeguarded our data is paramount for us.
We’ve talked to a lot of people in the private sector about both the technical challenges they face as well as the people challenges. They’ll have to deal with people that don’t have IT or security training and so there’s a whole mountain of challenges there. How do you get, from a people perspective, thinking about security to your satisfaction? Is it easier than the average person, is it a unique challenge?
I think it’s probably the same challenge we’re facing everywhere in government and private industry all over the world. People are our greatest strength and probably our greatest weakness. We’re curious, we like to click on phishing links that pull at us emotionally. It happens everywhere. When we look at that, what we have to do as security professionals is make security the white noise of people’s daily lives. It’s happening in the background and it’s not something [where] you, the user, [have to be] a security expert so you don’t make a bad move and jeopardize the whole ecosystem.
When we do that, we put way too much onus on the user and we’re setting them up for failure because it’s untenable for them. At NASA, the people who come to work here are doing cool things like growing lettuce on the space station, they’re looking at how we get people to live for an extended period of time on Mars. I want them to stay focused on that, I want security to be built in and embedded in the work they’re doing. Not only the work they’re sending up there but from how they’re doing it day-to-day on their desktop.
If I have them worry about security as much as I worry about security, then it’s taking away from what they actually came here to do at NASA which is to grow lettuce or go to Mars or do whatever they’re doing. I think our challenge as professionals is to figure out how do we safeguard this data and not solely put the onus on people.