Friday, November 14, 2014
AFTER HACK, NOAA STILL PLANS TO BUY SUPERCOMPUTERS FROM IBM UNIT SOLD TO CHINESE FIRM
A weather agency hacked by China intends to continue with plans for using forecasting computers provided by an IBM unit recently sold to a Chinese company.
Lawmakers are voicing concerns about the contract, after the National Oceanic and Atmospheric Administration on Wednesday acknowledged attackers breached prediction and satellite systems. But NOAA says IBM’s sale of its supercomputing business to Chinese-based Lenovo will not affect the agency's life-saving prediction capabilities.
"IBM is obligated to continue upgrading the NOAA supercomputer system" and an update is scheduled to complete in January 2015, a NOAA official told Nextgov late Thursday. "This move will in no way impact NOAA’s ability to provide timely and accurate forecasts to maintain public safety."
Earlier in the year, the proposed Lenovo acquisition sparked espionage concerns, amid federal charges that Chinese military members cribbed trade secrets from U.S. organizations’ networks.
But the Committee on Foreign Investment in the United States, which reviews potential security risks posed by foreign takeovers of U.S. companies, cleared the deal. And the sale closed Oct. 1.
Satellite System Plagued by Major Cyber Vulnerabilities
The recently revealed hack and Lenovo controversy follow years of warnings from agency watchdogs about NOAA’s computer insecurities.
This summer, a federal inspector general blasted the agency for long neglecting tens of thousands of major cyber vulnerabilities that could compromise its environmental satellite program, the Joint Polar Satellite System, or JPSS.
The IBM machines spun off to Lenovo, x86 servers, are part of that program.
NOAA officials do not see the transaction as a security issue. "After reviewing the terms of the sale, NOAA determined the sale doesn't present a risk to the JPSS program," NOAA spokeswoman Ciaran Clayton said in an email.
JPSS computers support satellite command and control, and generate forecast data crucial for aviation, emergency response and other daily activities.
Lawmakers and federal investigators say they intend to examine NOAA's reliance on IBM technology now owned by China.
The Government Accountability Office and NOAA will brief House Science Committee staff "on this issue in the near future, and have already been briefed by CFIUS," committee spokesman Zachary Kurz said in an email. "This is an issue we have been tracking for some time and will continue to monitor closely."
As part of routine market research to explore contracting options, NOAA in August issued a request for information to survey all supercomputing vendors about their newest features, agency officials said.
Rep. Wolf 'Troubled' by Lenovo Acquisition
Rep. Frank Wolf, R-Va., told Nextgov that NOAA staff proactively told him IBM would be bidding on future work, because he is vocal on the issue of Chinese cyberespionage.
Wolf said he is "absolutely" troubled by the possibility of national security threats from Lenovo's acquisition of IBM servers.
"I am very concerned about any time a company is taken over by the Chinese," he said. The Chinese government "could put a chip in and do things that even the maintenance men might not be able to find."
After Lenovo bought IBM's personal computer division in 2005, Wolf successfully pressured the State Department to keep the PCs off networks that contain classified material.
“The question of stealing is both a national security issue and it’s also a jobs issue because they look for information so they can use it in their production," he said. "And a lot of their gains in certain areas have been from what they’ve taken, not that they are smartest people in the world. Now, the Chinese people are a wonderful people -- we’re talking about the Chinese government.”
The inspector general at the Commerce Department, which oversees NOAA, "has ongoing work with the JPSS program," IG spokesman Clark Reid said, but declined to comment further.
The number of critical cyber vulnerabilities in the satellite program have spiked by more than 60 percent since 2012, increasing from 14,486 security holes to 23,868 holes, according to an August IG report.
Deal Cleared by U.S. Regulators
IBM officials declined to comment on the NOAA computer project but said the U.S. government deemed the Lenovo sale free of any supply chain risks.
"After a thorough review, the Committee on Foreign Investment in the United States found no conflict with U.S. security interests in the sale of IBM's x86 business to Lenovo," IBM spokesman Clint Roswell said. "IBM does not discuss the specifics of its federal client engagements."
In October, after NOAA reportedly knew of unauthorized satellite system interference, it downplayed the problems. The agency told the public the National Weather Service had not received some satellite data, "potentially impacting" model forecasts and that the system was undergoing unscheduled maintenance.
NOAA did not notify the IG about the intrusion until Nov. 4, Reid said, adding that the inspector is looking into the issue further.
NOAA officials now state four agency websites were breached "in recent weeks" by an "Internet-sourced attack." It was agency staff who detected the infiltrations and “incident response began immediately,” they added.
Not the First Time Chinese Hackers Accused of Breaching Satellites
Wolf said NOAA told him the incident was tied to the Chinese government, but agency officials declined to comment beyond their statement.
The Washington Post first reported the hack Wednesday.
This is not the first time NOAA satellite data has been hacked, nor is it the first time the Chinese have been accused of breaching satellites.
Agency satellite data was stolen from a contractor's personal computer last year, but NOAA could not investigate the incident because the employee refused to turn over the PC, according to a July inspector general report.
Several U.S. Earth observation satellites have also been probed by suspected Chinese hackers in recent years, according to federal officials. A 2011 report by the U.S.-China Economic and Security Review Commission characterized the events as successful interferences that might have been linked to the Chinese government.