For more than a decade, the Department of Homeland Security failed to properly secure sensitive information on the primary BioWatch information portal, which contained bioterrorism surveillance testing information and response plans that would be put in place in the event of an attack.
In August 2016, Harry Jackson, who worked for a branch of Homeland Security that deals with information security, was assigned to the BioWatch program. Three months later, he learned about biowatchportal.org and demanded the agency stop using it, arguing that it housed classified information and that the portal’s security measures were inadequate.
A security audit completed in January 2017 found “critical” and “high risk” vulnerabilities, including weak encryption that made the website “extremely prone” to online attacks.
Internal Homeland Security emails and other documents reviewed by the Los Angeles Times show the security issue set off a bitter clash within the department over whether keeping the information on the dot-org website run by Logistics Management Institute posed a threat to national security.
Officials argued that treating the information as classified — and therefore triggering stricter access guidelines — would require security clearances for some 1,000 local officials who are involved in gathering and analyzing data from the air-collection units.
Independent of classification status, a successful hacker could “monitor the system, manipulate data, and create false flags so as to stake out federal, state and local response to a possible incident,” according to one of Jackson’s whistleblower report filings.
The BioWatch information has been moved behind a secure federal government firewall, and the biowatchportal.org website was shut down in May.
Read the full story by Emily Baumgaertner at the Los Angeles Times: It was sensitive data from a U.S. anti-terror program – and terrorists could have gotten to it for years, records show.