DHS officials ignored repeated warnings about security of U.S. bioterrorism defenses, not sure if it was hacked

The Department of Homeland Security stored sensitive data from the nation’s bioterrorism defense program on an insecure website where it was vulnerable to attacks by hackers for over a decade, according to government documents obtained by the LA Times.

The data included the locations of at least some BioWatch air samplers, which are installed at subway stations and other public locations in more than 30 U.S. cities and are designed to detect anthrax or other airborne biological weapons, Homeland Security officials confirmed. It also included the results of tests for possible pathogens, a list of biological agents that could be detected and response plans that would be put in place in the event of an attack

The information — housed on a dot-org website run by a private contractor — has been moved behind a secure federal government firewall, and the website was shut down in May. But Homeland Security officials acknowledge they do not know whether hackers ever gained access to the data.

Internal Homeland Security emails and other documents show the issue set off a bitter clash within the department over whether keeping the information on the dot-org website posed a threat to national security. A former BioWatch security manager filed a whistleblower complaint alleging he was targeted for retaliation after criticizing the program’s lax security.

The website shared information among local, state and federal officials. It was easily identifiable through online search engines, but a user name and password were required to access sensitive data.

A security audit completed in January 2017 found “critical” and “high risk” vulnerabilities, including weak encryption that made the website “extremely prone” to online attacks. The audit concluded that there “does not seem to be any protective monitoring of the site,” according to a Homeland Security report summarizing the findings.

An inspector general’s report published later that year said sensitive information had been housed on the BioWatch portal since 2007 and was vulnerable to hackers. The report recommended moving the data behind the government’s firewall and said Homeland Security officials had agreed to do so.

It is unclear how valuable the data would have been to a terrorist group or enemy state. Scientists have warned that the BioWatch technology is unreliable. The system recognizes only a narrow range of microbes, and it struggles to differentiate between typical environmental bacteria and dangerous threats.

Still, several biodefense experts said it was disturbing that Homeland Security officials failed to adequately secure sensitive information from one of the nation’s anti-terrorism programs.

“Advertising your vulnerabilities is never a good thing. Letting your adversaries readily access your vulnerabilities — that’s a national security risk, in my judgment,” said Tom Ridge, who as the nation’s first secretary of Homeland Security oversaw the 2003 launch of BioWatch but has since denounced the program as ineffective. “Every American citizen would wonder, ‘What else is so easily accessible by the rest of the world?’”

James F. McDonnell, an assistant secretary appointed by President Trump to oversee Homeland Security’s new Countering Weapons of Mass Destruction Office, which includes BioWatch, said the data that were housed outside the secure government firewall were not important enough to cause a national security threat, but he said officials have taken steps to strengthen cybersecurity across the department. He noted that the problem predated his appointment.

“What happened before, happened before. You can’t put the genie back in the bottle,” he said. “There’s been a real ramping-up on concerns about cybersecurity.”