Just a few months after a blistering internal report warned of serious technology security problems in the agency that oversees the National Weather Service, the agency confirmed Wednesday that it was recently the victim of a cyberattack on four of its websites — an attack that one of the agency's congressional overseers said was orchestrated by China.
The National Oceanic and Atmospheric Administration, or NOAA — which not only provides satellite data for climate researchers and weather forecasters, but also helps manage the network of GPS satellites critical to business and military operations — said that the attack was detected "in recent weeks" and that "unscheduled maintenance" addressed the problem.
NOAA gave no further details because an investigation is continuing.
But "NOAA told me it was a hack and it was China," Rep. Frank Wolf, R-Virginia, chairman of the House Appropriations subcommittee that oversees NOAA, told The Washington Post. Wolf accused NOAA of "deliberately misleading the American public in its replies."
"They had an obligation to tell the truth," Wolf told the newspaper. "They covered it up."
NOAA's own records show that it issued seven technical alerts reporting significant "network problems" on Oct. 19 and 20, which caused the loss of some weather data and delays in satellite data transmissions affecting email and Internet connectivity. It said the outage was resolved through "unscheduled maintenance" — the same wording it used in confirming the recent cyberattack.
The problems affected four agencies for which NOAA provides or coordinates data, two of them related to the military — the Air Force Weather Agency, the Navy's fleet meteorology center, the SNPP polar-orbiting environmental satellite system and the products division of the National Environmental Satellite Data and Information Service.
It's that last office — the environmental satellite data service, or NESDIS — that an inspector general's report sharply took to task in July for "significant security deficiencies" that threaten a "risk in its national critical mission."
The report (PDF) from the internal watchdog of the Commerce Department, NOAA's home agency, faulted NESDIS for inadequately applying security measures across workstations and servers, most notably in systems that relay distress signals to search and rescue operations and systems that are connected to other government networks, which it said "could provide an attacker with access to these critical assets."
Poor security in NESDIS' information systems "increase the risk of cyber attacks," the report concluded.
NOAA eventually agreed with most of the report's recommendations, but only after a delay so it could review potentially classified material involving the Air Force — one of the services involved in the October outage.