The Washington Post has a stunning reveal today: For several days in September and October, the U.S. National Weather Service was allegedly subject to a cyber-attack from China that forced the agency to shut down critical data systems. Worse yet, it appears the National Oceanic and Atmospheric Agency, which the National Weather Service is part of, kept the breach to itself for days. From the Post:
The intrusion occurred in late September but officials gave no indication that they had a problem until Oct. 20, according to three people familiar with the hack and the subsequent reaction by the National Oceanic and Atmospheric Administration or NOAA, which includes the National Weather Service. Even then, NOAA did not say its systems were compromised.
The inspector general of the Commerce Department—the part of the executive branch NOAA falls under—is currently investigating the incident.
The Post’s revelations come during a particularly difficult year for technical glitches at the National Weather Service. In May, an outage prevented weather warnings from being issued—in the middle of a tornado outbreak. In August, a rogue Android app took down the agency’s main forecasting website. At that time, in an open letter to NWS Director Louis Uccellini, I wondered what might happen if someone deliberately tried to cripple the country’s weather service during a major disaster. Turns out, that was more of a possibility than I realized.
The National Weather Service, in its current state, is broken. I can understand if the agency is having problems keeping up with the 21st century on a limited budget, but intentionally withholding information about its critical vulnerabilities? Come on. The people in the Weather Service do heroic, life-saving work every day. It’s time their leadership gives them the tools to do their job.
Just hours before the news of the Chinese data hack broke, there was yet another glitch: Late Tuesday and early Wednesday, spurious tornado watches from 2010 were issued across several Southeast states.*
It was not immediately whether any of these glitches might have been the result of Chinese hacking. Perhaps, as the Post speculates, hackers were just looking for the easiest way into official U.S. government computers, and found NOAA particularly unguarded*:
The hack may have been aimed less at manipulating weather data, then [sic] finding an opening in a U.S. system to exploit, said Jacob Olcott, a cybersecurity consultant now with Good Harbor Security Risk Management and former Senate staffer on cybersecurity legislation. “The bad guys are increasingly having a hard time getting in the front of these agencies,” he said. “So they figure if I can’t get in the front door, I’d ride along in with someone who has trusted access and maybe ride that connection to bigger agencies.”
The full NOAA statement on the attacks was short on details:
In recent weeks, four NOAA websites were compromised by an internet-sourced attack. NOAA staff detected the attacks and incident response began immediately. Unscheduled maintenance was performed by NOAA to mitigate the attacks. The unscheduled maintenance impacts were temporary and all services have been fully restored. These effects did not prevent us from delivering forecasts to the public. The investigation is continuing with the appropriate authorities and we cannot comment further.
In a follow-up email to Slate, NOAA representative Scott Smullen said there was “no word” yet as to when more details might be available, such as whether additional security systems have been put in place since the initial breach was identified.
I’m by far the only one to point out the growing woes in the government weather world. Last month, author Kathryn Miles wrote a strongly worded op-ed in the New York Times:
An underfunded weather program will ensure that future disasters could be equally catastrophic. This is a matter of national security. If we don’t empower forecasters to do their work, our nation is at risk of losing billions in property and untold numbers of lives. What will make that eventuality all the more tragic is the fact that it will have been almost entirely preventable.
After today’s news, I completely agree.
*Correction, Nov. 12, 2014: This post originally misstated that the National Weather Service was hacked and covered it up. It was the NOAA, the parent organization of the NWS. This post also misstated that spurious tornado warnings were sent by the National Weather Service. They were tornado watches.