Longstanding security lapses lead to hack of NOAA weather computers
This conclusion comes from a report issued last week by the Commerce Department’s inspector general.
In September 2014, NOAA suffered what Allen Crawley, the assistant inspector general for systems acquisition and IT security, said was a “significant cyber attack,” that “compromised important internal NOAA systems,” including those that provide “global environmental data from satellites and other sources to promote, protect and enhance the nation’s economy, security, environment and quality of life.”
The report said the most important of those systems, NOAA’s National Environmental Satellite, Data, and Information Service (NESDIS), were vulnerable because NOAA “had not addressed” security weaknesses, some of which were supposed to have been fixed in 2006.
Crawley said the hackers gained access to three NESDIS systems and gained “complete control of one of them.”
Among the compromised systems that make up NESDIS was at least one “high-impact system,” known as the Environmental Satellite Processing Center.
Crawley’s report said this system is responsible for providing “critical weather satellite data” to the National Weather Service, and the “primary weather forecast centers” for the Navy and Air Force, among others.
Weather forecasters rely on the satellite data from ESPC to “enhance” their forecasts, as well as “increase the accuracy of severe weather warnings.”
A NOAA investigation of the attack found that “at the very least,” hackers “obtained sensitive information, including usernames and passwords (including those of system administrators) and system configuration information.”
NOAA also found the hackers had gained access to the very internal system used to thwart them.
NOAA was “unable to determine the full extent of the data obtained,” and the “full impact of the compromise is still unknown.”
System analysts found and removed malware on the compromised systems, and rerouted internet traffic.
But a second, unrelated attack in October 2014, in which one of NESDIS’s public websites was hijacked, forced NOAA officials to “implement full containment efforts,” including disconnecting the NESDIS system from the internet.
This also took the ESPC system offline for two days, which disrupted the distribution of weather satellite data.
The inspector general said NOAA should take a number of steps to improve its risk management practices, including performing regular system checks, applying regular software security updates, implementing stronger access controls, and strengthening its firewall security protection to block hackers.
Benjamin Friedman, the deputy under secretary for operations at NOAA, agreed with the report’s recommendations, and said “we acknowledge that additional protections are necessary for our legacy system components” to keep pace with what Friedman said was “the growing sophistication of attack techniques.”
Hackers have increasingly targeted the U.S. government.
In 2016 alone, the Department of Homeland Security, the F.B.I., NASA, and the IRS have all suffered data breaches, resulting in tens, and sometimes hundreds, of thousands of pieces of personal information being publicly divulged online.
While it is still unclear who was behind the attack on NOAA’s systems, Bruce Snell, technical director for Intel Security Japan, wrote in McAfee Labs’ “2016 Threats Predictions” report that even the most vigilant organizations can be vulnerable to attack because safeguards make hackers “try harder.”
“No security is 100 percent foolproof,” Snell said. “If attackers really want your data, they will get to it. It takes just time and effort, which ramp up almost exponentially when smart people and good technology are in place.”