Establishing Digital Trust: Don't Sacrifice Security for Convenience
Unnamed officials told the Post that NOAA did not acknowledge that there was a problem until October 20, 2014, and even then, it didn't acknowledge that its systems had been compromised, and failed to notify the proper authorities of the attack.
Commerce Department Inspector General Todd Zinser told the Post his office wasn't notified of the breach until November 4, 2014, despite a requirement that his office be notified of any security incident within two days.
"We're in the process of looking into the matter, including why NOAA did not comply with requirements to notify law enforcement about the incident," Zinser said.
While NOAA hasn't stated whether classified data was accessed, the Post notes that data vital to disaster planning, aviation, shipping and other crucial uses may have been affected -- in late October, the Post reported that some satellite data had been blocked "due to an apparent network outage."
In a statement provided to eWeek, NOAA spokesman Scott Smullen said four NOAA websites had been compromised by an attack in recent weeks. "NOAA staff detected the attacks, and incident response began immediately," the statement read. "Unscheduled maintenance was performed by NOAA to mitigate the attacks. The unscheduled maintenance impacts were temporary, and all services have been fully restored."
"The investigation is continuing with the appropriate authorities, and we cannot comment further," the statement added.
Still, Rep. Frank Wolf (R-Va.) told the Post that NOAA had confirmed to him that China was responsible for the breach.
"NOAA told me it was a hack and it was China," Wolf said.
The news of the NOAA breach comes days after the U.S. Postal Service acknowledged that a separate breach had exposed over 800,000 employees' personal information. The Washington Post reported that Chinese government hackers are also believed to have been responsible for that attack.
Good Harbor Security Risk Management principal Jacob Olcott told the Post that these breaches are likely aimed at searching for ways into other, more sensitive government systems.
"The bad guys are increasingly having a hard time getting in the front of these agencies," Olcott said. "So they figure if I can’t get in the front door, I'd ride along in with someone who has trusted access and maybe ride that connection to bigger agencies."
Regardless of the attackers' intentions, Tripwire security analyst Ken Westin told eSecurity Planet by email that the NOAA breach should serve as a clear warning for a wide range of organizations.
"This attack points out the need for government and private industry to take cyber espionage seriously, particularly when the system and services is critical infrastructure," Westin said. "If cyberattackers can compromise a network or system that has an impact on military, shipping and aviation, the impact may have a huge ripple effect.”