Interior warned of computer security risks again
Friday, September 30, 2005
Despite an investment by the Bush administration of more than $100 million, the Interior Department's computer systems remain vulnerable to hacking, a newly released memo warns.
On September 6, Inspector General Earl E. Devaney reported the results of testing on the department's information network. What he found was far from positive, given the administration's claims that it has improved systems housing billions of dollars of Indian trust funds and other sensitive government data.
"At the outset of our testing, both the OIG and the department believed the DOI IT networks were prepared to undergo rigorous testing," Devaney told top officials including Jim Cason, the acting assistant secretary for Indian affairs.
"Unfortunately," he continued, "our testing revealed that several bureaus and offices still suffer from serious weaknesses in their security posture. These weaknesses, in turn, negatively impact DOI's IT security overall."
Computer security experts hired by Devaney were able to break into Interior's "trusted" network, the memo states. Hackers were able to look at "sensitive personal privacy and financial data" at the National Business Center, an agency that handles more than $9 billion in payroll for more than 200,000 government employees and more than $3 billion in other financial transactions.
"Having done this, we also believe we could have changed bank routing information and other electronic funds records to potentially divert electronic payments to other banks," Devaney warned.
At the National Park Service, hackers were able to obtain "full administrative access" to the internal network, which is supposed to be shielded from public access. "We carried out our testing activities undetected for more than a month," the memo stated.
Despite the severity, Devaney noted that the problems aren't new. As early as the summer of 2001, Interior officials knew of vulnerabilities to the Indian trust system and other computer systems, according to government documents and testimony in the Cobell v. Norton lawsuit. The situation prompted a federal judge to order a shutdown of Interior's public Internet connection.
Four years later, Devaney said he is still encountering resistance. He said his office has come under fire for uncovering a less than rosy picture of reform at Interior.
"Rather than simply accepting the results of our testing and promptly addressing the underlying vulnerabilities, the department and bureaus have, to date, expended considerable time and energy debating our findings, challenging our methodology, and impugning the credentials of our staff and contracts," he wrote.
"I do not wish to repeat this past experience," he said, calling for a department-wide effort to "make DOI's IT systems more secure."
The memo came to light in a court filing made by the Bush administration on Wednesday night. It contains several redacted portions in order to protect certain data and systems.
The memo also contains a "scorecard" on testing of various Interior bureaus and offices, including the Bureau of Indian Affairs and the Office of Special Trustee. But the scores for these two agencies were incomplete due to "limited testing" on their networks, according to the memo.
During the recent trial into IT security at the department, two security experts whose firm, Internet Security Systems, was hired by Devaney testified about the vulnerabilities they encountered.
Phil Brass and Scott Miles said they wouldn't describe the network as "bulletproof" -- a term Cason has used in the court case.
Brass testified that he was able to obtain personal information on Secretary Gale Norton and exploit other vulnerabilities that led him to "personal data on all the astronauts" at NASA. Miles gained entry into Interior's systems and was able to see Indian trust data, he told the court.
Cason, however, took the stand and defended the administration's record. "I think we made substantial progress," he said on July 19. Yet he acknowledged that improvements at some bureaus "didn't get done."
Information technology security has been a critical part of the Cobell case since November 2001, when a court official released a report detailing how billions of dollars in Indian trust funds could be easily accessed from the Internet.
The D.C. Circuit Court of Appeals later ruled that the Interior Department has a fiduciary obligation to protect the computer data and the computer systems of the Indian trust. "It is indisputable that the Secretary has current and prospective trust management duties that necessitate maintaining secure IT systems in order to render accurate accountings now and in the future," the court said in December 2004.
Relevant Documents:
Earl E. Devaney Memo (September 6, 2005)
Relevant Links:
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
Cobell v. Norton, Department of Justice - http://www.usdoj.gov/civil/cases/cobell/index.htm
Copyright © 2000-2005 Indianz.Com