The US government's bioterrorism response group, BioWatch, has 600 sensors in more than 30 US cities that are checked daily to see if they have picked up any signs of airborne biological toxins.
If one tests positive for a toxin — and it isn't a false alarm — then a "BioWatch Actionable Result" kicks off, according to Next Gov. That entails coordination between public health care workers, law enforcement and government officials.
They would then work together through a website called biowatchportal.org, a restricted-access website that hosts "very sensitive" information, according to the Department of Homeland Security (DHS).
According to Next Gov, biowatchportal.org could contain information helpful to US adversaries, especially in the event of a biological weapons attack. There is a risk of an attacker locating the sensors to "disable or spoof" them, according to Next Gov. Another potential vulnerability is hackers targeting the health workers, police or officials who use the website during a coordinated response.
Officials who use the site include Defense Department personnel, FBI agents and other law enforcement officers.
In any case, whatever is on the website risks being exposed, according to the DHS Office of Inspector General (OIG) and a whistleblower.
In 2016, BioWatch's Information Systems Security Manager Harry Jackson told his bosses that because the website was hosted with a.org domain outside of the Homeland Security firewall, instead of the typical.gov domain used by the US government, it wasn't safe.
The website also had five subdomains that each had their own vulnerabilities.
Jackson's warning fell on deaf ears, however, so in December 2016 he submitted a report on the system's vulnerabilities to the Journal of Bioterrorism and Biodefense. Which published it in January 2017. According to the whistleblower, BioWatch program officials tried to have his security clearance revoked, but the DHS Chief Security Office found no wrongdoing.
A November 2017 report from the DHS OIG mostly corroborated Jackson's findings, including that the DHS Office of Health Affairs wasn't securing sensitive, personal information of people who used the website.
The report recommended 11 changes in order to get the faulty system up to speed, which included moving the website over to a secure domain.
DHS OIG officials say that auditors finished their review in November and had fixed some of the problems, while a "corrective action plan" was issued on the remaining ones.
"In our latest review of OHA's corrective action plan, we are satisfied with the component's progress and have formally closed seven of the 11 recommendations. While progress is underway for the remaining four recommendations, they will remain open," a DHS official told Next Gov.
That means four vulnerabilities still exist, the outlet noted.
DHS is seeking to replace BioWatch with a new system that gives alerts to the presence of biological agents in near real-time rather than relying on sensors to be picked up and handed over to BioWatch laboratories for daily testing.