October 31, 2012 - Linda Cureton, Chief Information Officer of NASA, at Washington Post Live's Cybersecurity Summit. (Jeff Martin)

I think that any agency has seen tremendous assets stolen. We find out about it when we see it going, or we find out about it from the outside. We find out about it a lot of ways. Our role is to make sure that we contain the damage as much as we can. We make sure that we protect the availability and integrity of the data to the maximum extent we can. NASA has data that we want to give away. We have some data that we don’t want to give away. Anybody that says, “I’ve never had any data stolen,” they just don’t know.

But [government] agencies, just like industries and companies, are not going to go and just give the roadmap to our data and say, “Here, my vulnerabilities are here. My vulnerability is there.” We’re going to be very reticent about what’s going on. So, yes, we’ve had data stolen. Every federal agency has. Every corporation, I would say, has. Do you protect it as much as you can? You contain as much as they can get, and you just keep upping the ante. And they [cyber criminals] keep upping it too.

I think that [computer] protection is something that you’re doing constantly. Constantly, you approach it asymptotically, you never get there. The goal is to be always vigilant, always aware, be resilient for when the attack happens — not if it happens. I think that as a federal CIO, we’ve struggled with pressure on us that whenever there’s an attack, we haven’t done all that we can. But in essence, it’s not enough money in the world, there are not enough resources, we don’t have enough resources in the world. We have to choose what to protect based on our highest risk, the most serious threat, and what are our most important assets and protect in that kind of priority.

So we do things like have the multilayered defense. We do penetration tests ourselves. We find vulnerabilities. We fix it. But then, again, federal CIOs have governance problems. We have to cajole, convince, persuade, blackmail, bargain — all of those things with our customers to convince them that they have things that they need to protect and things they need to close up. Then it’s a constant, constant, constant battle that I don’t think that we ever win.