Thursday, November 13, 2014

NOAA Can't Predict Weather, Can't Secure Their Systems

NOAA is the National Oceanic and Atmospheric Administration. It is part of the Department of Commerce and contains the following "Line Offices":

  • National Environmental Satellite, Data, and Information Service
  • National Marine Fisheries Service
  • National Ocean Service
  • National Weather Service
  • Office of Oceanic and Atmospheric Research
  • Office of Program Planning and Integration

Of course, there is a lot more in there. Here are a couple of examples. The National Environmental Satellite, Data, and Information Service (NESDIS) provides feeds to the Navy and Air Force weather prediction systems and to the National Weather Service (NWS). The NWS operates the Space Weather Prediction Center, which is of interest to operators of communications systems and/or satellites, and produces the forecasts that your favorite broadcast news outlet likely reads and embellishes. Plus things like the Storm Prediction Center (useful to those of you in tornado country) and the National Hurricane Center (ditto for anyone on or near the Atlantic or Gulf coasts).

It's important.

I have a bit of a problem with NOAA, or at least the NWS piece of it, because they can't seem to predict the weather. I don't expect miracles; accurate prediction for much more than a week into the future is impossible due to the nature of complex dynamical systems with a sensitive dependence on initial conditions. Read any good reference on Chaos Theory. Personally, I enjoyed Chaos: Making a New Science by James Gleick. Chaos Theory was pioneered by Edward Lorenz, a mathematician and meteorologist who was trying to model simple weather on an early computer at MIT.

So, this stuff was invented here in the US. Though lately we have fallen behind, as we have in so many other areas.

I can offer an example of that with the NWS having completely blown my local forecast (not an unusual thing) for the past couple of days with temperature misses on both the high (at least one) and low (2) sides. When they forecast 22°F, and it doesn't even freeze, that is a blown forecast.

It's even important enough that we should keep those systems secure, and indeed the federal government is required to secure its systems by the Federal Information Security Management Act of 2002. Here is U.S. Code, Title 44, Chapter 35, Subchapter III, § 3541:

The purposes of this subchapter are to—
(1) provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets;
(2) recognize the highly networked nature of the current Federal computing environment and provide effective governmentwide management and oversight of the related information security risks, including coordination of information security efforts throughout the civilian, national security, and law enforcement communities;
(3) provide for development and maintenance of minimum controls required to protect Federal information and information systems;
(4) provide a mechanism for improved oversight of Federal agency information security programs;
(5) acknowledge that commercially developed information security products offer advanced, dynamic, robust, and effective information security solutions, reflecting market solutions for the protection of critical information infrastructures important to the national defense and economic security of the nation that are designed, built, and operated by the private sector; and
(6) recognize that the selection of specific technical hardware and software information security solutions should be left to individual agencies from among commercially developed products.

For a few years I tracked the report cards, which were created in addition to the Office of Management and Budget annual report to Congress. Here are the results for the Department of Commerce, which 'owns' NOAA.

Year:   2003  2004  2005  2006  2007
Grade:  C-    F     D+    F     D+

Shortly after that the metrics were changed. In fairness, they needed to be; threats and defenses were both evolving rapidly. And now most departments are doing at least fairly well. On paper, at least. I have my doubts, given the history of breaches, that they are doing sufficiently well.

According to the most recent OMB report to Congress (FY 2013), 2,328 security incidents were reported to US-CERT by the Department of Commerce between 10/1/2012 and 9/30/2013.

Is that datum worth anything? Are things reliably reported? According to Chinese hack U.S. weather systems, satellite network (Washington Post, November 12, 2014), NOAA managers are quite capable of covering up a breach which occurred in September, announcing only "unscheduled maintenance" in October, and failing to follow Department of Commerce policy of notifying the Commerce Department Inspector General within two days of any security incident, and notifying law enforcement.

The WaPo piece also mentions that NOAA declined to discuss any of this, or whether or not classified information was compromised. NOAA cited an ongoing investigation as its reason for not discussing it, and I am fine with that. But there was likely another reason as well: they are in such horrible shape that they did not, and indeed could not, know fundamental things.

Two months before the breach, on July 15, 2014, the Office of Audit and Evaluation, part of the Department of Commerce Office of Inspector General, released FINAL REPORT NO. OIG-14-025-A, Significant Security Deficiencies in NOAA's Information Systems Create Risks in Its National Critical Mission. This report is a bit of a horror story. For instance, 47% of their security control assessments were deficient, "... and may not have provided the AO with an accurate implementation status of the system's security controls." Note that AO is jargon for 'authorizing official', the person who signs the Authorization to Operate for a government system.

So for some time, NOAA (specifically including the AO) did not accurately know their security posture, and did not know that they did not know. Which made the Authorization to Operate less useful than a random piece of scrap paper, which is at least not actively damaging.

Coming on the heels of Monday's United States Postal Service breach, this does not inspire trust in government systems.

