For ISS and air travel alike, layered defenses are best
By Ben Iannotta|October 2020
This will sound odd, but our cover story about cybersecurity and the International Space Station brought to mind my one and only flight during the covid-19 pandemic.
On Sept. 6, my wife and I were among the 689,630 passengers who flew domestically in the United States that day, about a third of what would be expected any other year. We were on our way back to Northern Virginia from California, after saying goodbye to our younger daughter who is a first-year college student. We dropped our rental car at LAX and headed toward the shuttle bus, where a sign declared a strict 12-person limit for the ride to the terminals. We doubled up our masks and stepped aboard with a handful of fellow travelers who, like us, wore masks. At one stop, a man hopped on maskless, and just like that, a new risk, however small, was injected into our travels. This was true, despite the fact we were headed for an aircraft cabin that would be treated with adenosine triphosphate to verify an operating-room lack of pathogens after cleaning, according to the airline. The cabin air would be circulated through high-efficiency particulate air filters.
Human behavior, it seems, remains the great wild card in safety, no matter how much science and technology we apply to flying across country during a pandemic or securing the ISS crew and their experiments from cyber intrusions.
The best defense is a layered one of education, monitoring and engagement. If the man on the shuttle bus was bound for a plane, he would be required to don a mask in the terminal. If he got through the terminal, he would not be permitted to board the plane without wearing a mask.
NASA’s information security apparatus needs the equivalent of this layering. As our cover story shows, ISS is cordoned off from the public internet, but contractors, workers and components must cross in and out of this bubble. That might not be so concerning, except that last year NASA scored a 2 out of 5 on a government information security scale, level 5 representing “optimized” information security in which “policies, procedures, and strategies are fully institutionalized,” according to the NASA Office of Inspector General.
Somewhere at NASA, there could well be the information-security equivalent of a man hopping on a shuttle bus without a mask. Humans are fallible. This will happen. A level 5 agency would catch this, but a level 2 agency might not.
As for our flight home, it was eventless. We sat in first class seats for distancing and because they cost what coach seats normally do. I did not crane my neck, but as far as I could tell everyone kept their masks on. About one in 10 passengers wore face shields too, and we were among them. I can’t say I was not a little nervous for the next 14 days, but seeing all the signage, the fellow travelers in masks, and the cleanliness of the plane made me confident, though not cocky. I would fly again if the reason were good enough.
NASA needs to achieve the equivalent in its information security posture.