The U.S. government’s chief tool to coordinate responses to bioterror events has for years suffered from big security problems, according to Homeland Security Department inspectors and a former employee.
For more than 15 years, the United States’ first line of defense against a major biological incident has been a program called BioWatch. Its sensors (600 mounted in more than 30 cities across the U.S.) work like canaries in a coal mine. If a terrorist released, say, a deadly aerosolized biological toxin into Grand Central Terminal, sensors would pick up the toxin. Health care workers collect samples from the sensors and bring them to BioWatch labs every day.
If the analyzed samples indicate a threat (and not a false alarm, which happens more often than Homeland Security likes to admit) a BioWatch Actionable Result sparks more work and a lot of coordination from local public health care workers, law enforcement, and officials. Hopefully, that happens in time to avert a pandemic or other public health crisis.
That coordination between health workers and government would occur over a website called Biowatchportal.org. It’s a restricted-access website and Homeland Security considers the information on it to be very sensitive. In theory, it’s the sort of information that an adversary could use to compromise the system, find sensor locations to disable or spoof them, and even target the health workers or officials who use the site. That includes officials in the departments of Defense and State, the FBI and other law enforcement agencies, and many others.
But biowatchportal.org may be exposing this information, according to the Homeland Security inspector general and a former Homeland Security employee.
In 2016, Harry Jackson, the information systems security manager for the BioWatch system, alerted his superiors to the fact that the .org domain wasn’t safe enough for the sort of information that people posted to the site. The portal was being hosted externally, outside of the Homeland Security firewall (rather than at a .gov domain, which would have been safer). That presented a big security problem. He also found five subdomains connected to the portal, each with its own vulnerabilities.
But his superiors weren’t interested, Jackson said in a recent interview. So last year, he published his work in the Journal of Bioterrorism and Biodefense, describing the system’s fundamentally flawed architecture.