Baltimore City Fire Department Hazmat team battalion Chief Mark Wagner, left, guides operations during an emergency training exercise put on by the University of Maryland Medical Center and the U.S. Air Force to simulate a bioterror attack. Alex Dorgan-Ross/AP

The Government’s Bioterror-Response Website May Be Leaking Sensitive Data

DHS inspectors and a whistleblower say the site, which would be used to coordinate federal responses to a bioterror attack, isn’t secure.

The U.S. government’s chief tool to coordinate responses to bioterror events has for years suffered from big security problems, according to DHS inspectors and a former employee.

For more than 15 years, the United States’ first line of defense against a major biological incident has been a program called BioWatch. Its sensors (600 mounted in more than 30 cities across the U.S.) work like canaries in a coal mine. If a terrorist released, say, a deadly aerosolized biological toxin into Grand Central Terminal, sensors would pick up the toxin. Healthcare workers collect samples from the sensors and bring them to BioWatch labs every day.

If the analyzed samples indicate a threat (and not a false alarm, which happens more often than DHS likes to admit) a BioWatch Actionable Result sparks more work and a lot of coordination from local public healthcare workers, law enforcement, and officials. Hopefully, that happens in time to avert a pandemic or other public-health crisis.

That coordination between health workers and government would occur over a website called Biowatchportal.org. It’s a restricted-access website and DHS considers the information on it to be very sensitive. In theory, it’s the sort of information that an adversary could use to compromise the system, find sensor locations to disable or spoof them, and even target the health workers or officials who use the site. That includes officials in the Departments of Defense and State, the FBI and other law enforcement agencies, and many others.

But biowatchportal.org may be exposing this information, according to the DHS inspector general and a former DHS employee.

In 2016, Harry Jackson, the information systems security manager for the BioWatch system, alerted his superiors to the fact that the .org domain wasn’t safe enough for the sort of information that people posted to the site. The portal was being externally hosted outside of the DHS firewall (rather than at a .gov domain, which would have been safer). That presented a big security problem. He also found five subdomains connected to the portal, each with its own vulnerabilities.

But his superiors weren’t interested, Jackson said in a recent interview. So last year, he published his work in the Journal of Bioterrorism and Biodefense, describing the system’s fundamentally flawed architecture.

He said that program officials tried to pull his security clearance, but that the DHS Chief Security Office determined that he had done nothing wrong.

In November 2017, the DHS Office of Inspector General essentially agreed with Jackson’s conclusions. Their audit found that the DHS OHA office was failing to secure the sensitive personal information of BioWatch users. What’s more, OHA was undermining their own privacy officer — the person in charge of making sure the site wasn’t leaking important personal information — by denying the officer “adequate authority and resources to carry out the various required privacy management responsibilities.” The report added that the officer did not have the support of leadership.

The report made 11 recommendations for fixing the program, including “Establish a plan of action and milestones to bring the BioWatch system to a moderate rating for confidentiality, including the security controls required to safeguard privacy-sensitive systems,” and “Move the BioWatch system to a trusted domain to comply with system security requirements and thereby safeguard sensitive and personally identifiable information.”

Officials with the DHS’s OIG said that auditors had completed a new review in November. OHA, they said, had fixed some of the problems and had submitted a “corrective action plan” to address the remaining issues.

“In our latest review of OHA’s corrective action plan, we are satisfied with the component’s progress and have formally closed seven of the eleven recommendations. While progress is underway for the remaining four recommendations, they will remain open,” a DHS official said.

The statement is tantamount to an admission that four issues still exist. The OIG declined to say which of those recommendations remained open, but Biowatchportal.org remains the portal in use for the program.

DHS is looking to replace BioWatch with a new system, one that uses sensors to alert the government to the presence of biological weapons in something closer to real time, rather than every 24 hours (at the earliest). Until that happens, the U.S. is stuck with BioWatch as its first line of biodefense.