It was reported on Wednesday, November 12, 2014 that hackers breached the computer systems at National Oceanic and Atmospheric Administration (NOAA). During the breach, satellite images were not posted by NOAA on their website and were not delivered to other weather agencies around the world, although NOAA continued to issue their own weather forecasts. Parts of NOAA's site were ostensibly taken offline for "maintenance." NOAA's statement reads:
In recent weeks, four NOAA websites were compromised by an internet-sourced attack. NOAA staff detected the attacks and incident response began immediately. Unscheduled maintenance was performed by NOAA to mitigate the attacks. The unscheduled maintenance impacts were temporary and all services have been fully restored. These effects did not prevent us from delivering forecasts to the public. The investigation is continuing with the appropriate authorities and we cannot comment further.
Fortunately, the brief outage did not occur during a major weather event. Still, meteorologists at the European Centre for Medium-Range Weather Forecasts (ECMWF) received no data from NOAA for the two days the site was down. Similarly, the Rutgers University Global Snow Lab produced incomplete reports and forecasts during the outage.
Commercial companies were also impacted by the hack. Airlines,for example, rely on publically available weather information to manage their daily flight plans. When the data is unavailable, other sources must be evaluated and used. In fact, I remember trying to bring up a satellite image for my own research during the outage. I couldn't, of course, and had to look elsewhere to find what I needed.
Whether any business interruption losses from this particular breach would be covered by insurance is something that will be talked about by lawyers who specialize in interpreting every word of an insurance contract, particularly because any loss here was due to a public third-party provider. Other breaches (such as the more familiar Target and Home Depot attacks) lead to somewhat more cut and dry "first-party losses", which are covered by cyber insurance policies. My colleagues and I will discuss these types of attacks in future In Focus posts and articles in AIR Currents.
Although NOAA is investigating the source of the breach and will surely repair the particular flaw that let these hackers in, this attack reminds us how reliant today's world is on computer systems and data. Imagine if there had been a hurricane or other major weather event during the breach. The compromised forecasts and model runs resulting from the unavailability of data could have led to casualties and property damage that could have been prevented with advanced warnings and preparations.