Today's coronavirus whodunit: Who hacked HHS -- and why?

Did Donald Trump invoke the Stafford Act to order a “national lockdown”? Not at all, especially since nothing in the Stafford Act gives a president that kind of authority. The message apparently originated as part of a hack into the Health and Human Services Department, the purpose and perpetrators of which are still unknown:

The U.S. Health and Human Services Department suffered a cyber-attack on its computer system Sunday night during the nation’s response to the coronavirus pandemic, according to three people familiar with the matter.

The attack appears to have been intended to slow the agency’s systems down, but didn’t do so in any meaningful way, said the people, who asked for anonymity to discuss an incident that was not public.

The National Security Council’s tweet on Sunday night was related to the hacking and the release of disinformation, according to the people. The government realized Sunday that there had been a cyber intrusion and false information was circulating.

NSC tweeted just before midnight: “Text message rumors of a national #quarantine are FAKE. There is no national lockdown. @CDCgov has and will continue to post the latest guidance on #COVID19.”

What’s the point of hacking HHS now? The idea that malicious actors want to slow down their coronavirus response is perhaps a guess, but it doesn’t make a whole lot of sense. Who gains by slowing down HHS’ response to a pandemic? Even for the most malicious of hackers, the calculation that a slower response puts everyone at higher risk — including themselves — isn’t too hard to figure out.

It might be an attempt at undermining confidence in whatever response is being provided, or perhaps just an opportunity to spread a little panic, as was apparently the case with the “Stafford Act shutdown” message. That might interest some outsiders, as Florida’s Rep. Michael Waltz suggested on Twitter this morning:

That’s only a guess, too, but it’s probably not a bad one. Unless the hackers also went after some personnel data to further an identity-theft scheme, there aren’t too many commercial motives for a hack into HHS. ABC’s homeland-security analyst also suspects that the intrusion may have come from outsiders, or perhaps homegrown extremists:

“As federal state and local governments focus on handling the current public health crisis, national security officials are also tracking other threats — in particular those posed by terrorist or extremist groups and foreign adversaries who may seek to take advantage of all of the attention being focused on the coronavirus and conduct an attack,” said John Cohen, a former acting Undersecretary of the Department of Homeland Security and contributor to ABC News.

It may not have been an actual intrusion, Bloomberg later clarified, but a denial-of-service attack:

Administration officials assume that it was a hostile foreign actor, but there is no definitive proof at this time. The administration has not yet confirmed who was behind the attack, according to a U.S. official. The hack involved overloading the HHS servers with millions of hits over several hours.

In the meantime, stop wondering about “national lockdowns,” and ignore any messages that claim one is coming. Presidents don’t have authority to order public places shut down. However, governors do have that authority, and more of them are starting to flex that muscle to enforce social distancing. Kentucky’s Andy Beshear added his state this morning to the growing list that are requiring bars to close and restaurants to serve take-out only:

Kentucky Gov. Andy Beshear will put out an order today to close all restaurants and bars, as part of new steps the state is taking to reduce the spread of the novel coronavirus.

“We’re going to have exceptions in there for drive-thru, for delivery but we are to the point now that this is a step that we have to take,” Beshear said. …

Earlier today, Michigan announced it was closing all bars and restaurants. Ohio, California and New York City, among other areas, announced similar bans yesterday.

What happens if they don’t comply? The states could revoke their business licenses. Although that might get tied up in court to see just how far that authority extends, it would probably extend long enough for them to completely fail before getting permission to re-open.

Anyway, Trump’s not ordering a lock-down, but maybe HHS should when it comes to its internal computer systems. If this turns out to be just a DDOS attack, then there’s not a whole lot to be done about it. If it’s an actual hack, though, then it means we still haven’t made much progress years after China penetrated the Office of Personnel Management and the Pentagon, among other systems. That wouldn’t instill much confidence in the federal government’s data hygiene in the time of coronavirus, or any other time.