Our national weather system has been hacked—and officials say the breach has been a long time in coming. Worst of all, they worry it may have serious implications for national security.
This week, the National Oceanic and Atmospheric Administration announced that at least four of its websites have been compromised by what NOAA spokesperson Scott Smullen calls "an internet-sourced attack." The breaches occurred in September, but NOAA didn't publicly announce them until late Tuesday. In fact, initially the organization claimed that the network outages were part of routine maintenance, and at least one governmental official is questioning why the breach wasn't immediately reported to the Department of Homeland Security, as any federal organization is required to do in such an instance.
Smullen won't say why the agency hid the breach, nor will he comment on how the attack occurred and what information was compromised. Industry insiders speculate that some of the information probably related to weather satellites ground networks. They say the NWS warning service could have been affected as well.
Representative Frank Wolf (R-VA) told the Washington Post yesterday that China was responsible for the attack. No one else has confirmed that, but Wolf's assertion is the most recent in a series of accusations. A 2013 report by the Department of Defense alleged that China was exploiting its robust computer network to spy on the United States. A similar study published by the US-China Economic and Security Review Commission implicated China in security breaches involving two NASA satellites, saying these assaults were "consistent with authoritative Chinese military writings." Mandiant, a private security firm specializing in cyber threats, released a report that pointed to hundreds of recent breaches in both the private and public sector, all of which emanated from Shanghai IP addresses and used Chinese keyboard settings.
There are plenty of reasons to hack into our national weather information system. Satellites are our constant eye on the world. Weather warnings give communities enough time to save themselves, and so, in the wrong hands, creating false threats or hiding real ones could be an effective form of terrorism. Malicious or accidental, bad weather information creates chaos. (Just yesterday, for example a series of false tornado warnings issued when someone intercepted the National Weather Service Storm Prediction Center sent many in the South running for cover, and questioning the efficacy of the NWS).
And, because at least one of the NOAA satellite networks is tied to the Department of Defense, a hack into NOAA could also be used as an attempt to breach military security or another branch of the government.
Marshall Shepherd, Director of Atmospheric Sciences at the University of Georgia and past president of the American Meteorological Society, says it's too soon to say who is responsible for the most recent hack or why it happened. The important thing, he says, is that it raises much larger infrastructure questions for the nation.
"Every sortie flown in the name of national security relies on weather information and intelligence. If you value Homeland Security, you have to value weather. That means we have to protect it as much as we do anything else."
Revelations that weather security has been compromised comes as no surprise — this isn't the first time NOAA has been violated. In 2013, a hacker accessed sensitive NOAA data using a contractor's personal laptop. The NOAA computer incident response team reported that they thought the breach occurred with malware, but they couldn't confirm it because the contractor wouldn't allow his computer to be inspected.
Three years before that incident, the Department of Commerce Inspector General's Office issued a report identifying what they called "thousands" of vulnerabilities in NOAA's computer networks—many of which have been publicly disclosed for more than a decade. A similar report issued that same year by the Government Accountability Office indicated that the ground systems for the NOAA satellite program did not meet contemporary security standards. This past summer, a new Inspector General report reiterated that many of the previous vulnerabilities still have not been addressed. A spokesperson for that office said investigators there are investigating the current breach.
In the meantime, NOAA may well be hacked again. And again. David Titley, who served as NOAA's chief operating officer from 2012-2013 and is currently the director of Penn State's Center for Solutions to Weather and Climate Risk, says the threat of those intrusions will continue until NOAA gets a much-needed injection of cash.
"It's pretty well documented that NOAA doesn't have enough money to do what it wants to do the way it wants to do it," he says. "Security is only of those issues. This is an example of how things in the federal government start to break when they're ignored."
Titley says he is particularly concerned about NOAA's older systems—these networks are at high risk because they were created over a decade ago.
"Cyber security just wasn't an issue when they were created," he says. "This incident is a wake up call. And we need to heed it."
