Hackers from China breached the federal weather network recently, forcing cybersecurity teams to seal off data vital to disaster planning, aviation, shipping and scores of other crucial uses, officials said.
The intrusion occurred in late September but officials gave no indication that they had a problem until Oct. 20, according to three people familiar with the hack and the subsequent reaction by the National Oceanic and Atmospheric Administration or NOAA, which includes the National Weather Service. Even then, NOAA did not say its systems were compromised.
Officials also said that the agency did not notify the proper authorities when it learned of the attack.
NOAA officials declined to discuss the suspected source of the attack, whether it affected classified data and the delay in notification. NOAA said publicly in October that it was doing “unscheduled maintenance” on its network, without saying a computer hack made that necessary.
In a statement released Wednesday, NOAA spokesman Scott Smullen acknowledged the hacks and said “incident response began immediately.” He said all systems were working again and that forecasts were accurately delivered to the public. Smullen declined to answer questions beyond his statement, citing an investigation into the attack.
But the agency confirmed to U.S. Rep. Frank Wolf (R-Va.) that China was behind the attack, the congressman said. Wolf has a long-standing interest in cybersecurity and asked NOAA about the incident after an inquiry from The Washington Post.
“NOAA told me it was a hack and it was China,” said Wolf, who also scolded the agency for not disclosing the attack “and deliberately misleading the American public in its replies.”
“They had an obligation to tell the truth,” Wolf said. “They covered it up.”
Commerce Department Inspector General Todd Zinser said his office was not notified of the breach until Nov. 4, well after he believes the hack occurred. He said that is a violation of agency policy requiring any security incident to be reported to his office within two days of discovering the problem.
“We’re in the process of looking into the matter, including why NOAA did not comply with the requirements to notify law enforcement about the incident,” Zinser said.
Wolf said he did not know if the breach involved classified material or what information was accessed.
Confirmation of the NOAA hack followed an admission Monday by the United States Postal Service that a suspected Chinese attack, also in September, compromised data of 800,000 employees, including letter carriers on up through the postmaster general.
NOAA officials also would not say whether the attack removed material or inserted malicious software in its system, which is used by civilian and military forecasters in the U.S. and also feeds weather models at the main centers for Europe and Canada.
NOAA’s National Ice Center Web Site also was down for a week in late October. The center is a partnership with the U.S. Navy and U.S. Coast Guard to monitor conditions for navigation.
The two-day outage skewed the accuracy of National Weather Service long-range forecasts slightly, according to NOAA.
The attack in September hit a web server that connects to many NOAA computers, according to one person familiar with the incursion. The server had security protections, but the person compared the security to leaving a house protected by “just a screen door.”
Smullen’s statement said that four sites were hit by the breach.
Weather satellites orbit hundreds to thousands of miles above the Earth and offer continuous views of weather systems such as hurricanes, thunderstorms and cold fronts while also measuring temperature and moisture at different altitudes, all crucial bits that get fed into prediction models. To get that information to the public, NOAA makes satellite data and imagery available through the Web as well as file transfer networks for downloads.
NOAA has characterized its decision to cut off satellite images as causing a minimal . However, it has previously touted those same systems as intrinsic to the nation’s “environmental intelligence.”
NOAA satellites “provide critical data for forecasts and warnings that are vital to every citizen and to our economy as a whole,” NOAA Administrator Kathryn Sullivan said a year ago.
The hack may have been aimed less at manipulating weather data than at finding an opening in a U.S. system to exploit, said Jacob Olcott, a cybersecurity consultant now with Good Harbor Security Risk Management and former Senate staffer on cybersecurity legislation. “The bad guys are increasingly having a hard time getting in the front of these agencies,” he said. “So they figure if I can’t get in the front door, I’d ride along in with someone who has trusted access and maybe ride that connection to bigger agencies.”
Wolf said a hack could steal technical insights or cull isolated information “that may not look significant until they’re put with something else and then they become valuable. The Chinese are stealing us blind,” Wolf said.
The attack on NOAA joins a spate of cyber espionage on federal systems revealed recently including an attack suspected from Russia that breached unclassified White House computer networks.
The October satellite data outage meant the National Weather Service and centers around the world did not receive large amounts of information.
“All the operational data sent via NOAA, which is normally an excellent service, was lost,” said Stephen English, head of the satellite section at the European Center for Medium-range Forecasting located in Reading, Great Britain. The center is renowned for running a highly advanced global weather prediction model that during Superstorm Sandy, for example, aided evacuations and preparations in the U.S. when it signaled the storm would hit, not hook out to sea.
Rutgers University Global Snow Lab, which provides daily snow cover updates for researchers and forecasters using a data feed from the Ice Center, posted a notice on its Web site that its reports were incomplete throughout the outage.
Commercial interests also were affected by the breach.
Delta Airlines overcame the loss of data it normally incorporates into pilot briefings about aviation hazards. But its flying customers were spared trouble by the added work of the airline’s meteorologists and information technology specialists who used alternative sources of information, spokesperson Morgan Durrant said.
In Melbourne, Fla., the satellite images bolster the ocean fishing forecasting service run by Mitchell Roffer.
His company downloads images “constantly” and immediately realized around Oct. 20 that the information was out of date. “We went up the chain asking when we could expect it back and no one was talking for several days.”
A July report on NOAA by the Inspector General for the Commerce Department, where NOAA sits, criticized an array of “high-risk vulnerabilities” in the security of NOAA’s satellite information and weather service systems.
The report echoed the views of a 2009 audit from the IG that said the primary system that processes satellite data from two environmental and meteorological systems had “significant” security weaknesses, and that “a security breach could have severe or catastrophic adverse effects...”
The watchdog’s previously unreleased report, obtained by The Post under a Freedom of Information Act request, called for “immediate management attention” and said NOAA’s security planning was so poor the agency had little idea how vulnerable its system was.