Despite an investment by the Bush administration of more than $100 million, the Interior Department's computer systems remain vulnerable to hacking, a newly released memo warns.
On September 6, Inspector General Earl E. Devaney reported the results of testing on the department's information network. What he found was far from positive, given the administration's
claims that it has improved systems housing billions of dollars of Indian trust funds and other sensitive government data.
"At the outset of our testing, both the OIG and the department believed the DOI IT networks were prepared to undergo rigorous testing," Devaney told top officials including Jim Cason,
the acting assistant secretary for Indian affairs.
"Unfortunately," he continued, "our testing revealed that several bureaus and offices still suffer from serious weaknesses in their security posture. These weaknesses, in turn, negatively impact
DOI's IT security overall."
Computer security experts hired by Devaney were able to break into Interior's "trusted" network, the memo states. Hackers were able to look at "sensitive personal privacy and financial data" at the National Business Center, an agency that handles more than $9 billion in payroll for more than 200,000 government employees and more than $3 billion in other financial transactions,
"Having done this, we also believe we could have changed bank routing information and other electronic funds records to potentially divert electronic payments to other banks," Devaney warned.
At the National Park Service, hackers were able to obtain "full administrative access" to the internal network, which is supposed to be shielded from public access. "We carried out our testing activities undetected for more than a month," the memo stated.
Despite the severity, Devaney noted that the problems aren't new. As early as the summer of 2001, Interior officials knew of vulnerabilities to Indian trust system and other computer systems, according to government documents and testimony in the Cobell v. Norton lawsuit. The situation prompted a federal judge to order a shutdown of Interior's public Internet connection.
Four years later, Devaney said he is still encountering resistance. He said his office has come under fire for uncovering a less than rosy picture of reform at Interior.
"Rather than simply accepting the results of our testing and prompting addressing the underlying vulnerabilities, the department and bureaus have, to date, expended considerable time and energy
debating our findings, challenging our methodology, and impugning the credentials of our staff and contracts," he wrote.
"I do not wish to repeat this past experience," he said, calling for a department-wide effort to "make DOI's IT systems more secure."
The memo came to light in a court filing made the Bush administration on Wednesday night. It contains several redacted portions in order to protect certain data and systems.
The memo also contains a "scorecard" on testing of various Interior bureaus and offices, including
the Bureau of Indian Affairs and the Office of Special Trustee. But the scores for these two agencies were incomplete due to "limited testing" on their networks, according to the memo.
During the recent trial into IT security at the department, two security experts whose firm, Internet Security Systems, was hired by Devaney testified about the vulnerabilities they encountered.
Phil Brass and Scott Miles said they wouldn't describe the network as "bulletproof" -- a term Cason has used in the court case.
Brass testified that he was obtain personal information Secretary Gale Norton and exploit other
vulnerabilities that led him to "personal data on all the astronauts" at NASA. Miles gained entry into Interior's systems and was able to see Indian trust data, he cold the court.
Cason, however, took the stand and defended the administration's record. "I think we made substantial progress," he said on July 19. Yet he acknowledged that improvements at some bureaus "didn't get done."
Information technology security has been a critical part of the Cobell case since November
2001, when a court official released a report detailing how billions of dollars
in Indian trust funds could be easily accessed from the Internet.
The D.C. Circuit Court of Appeals later ruled that the Interior
Department has a fiduciary obligation to protect the computer data and the
computer systems of the Indian trust. "It is indisputable that the Secretary has
current and prospective trust management duties that necessitate maintaining
secure IT systems in order to render accurate accountings now and in the
future," the court said in December 2004.
Earl E. Devaney Memo
(September 6, 2005)
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
v. Norton, Department of Justice - http://www.usdoj.gov/civil/cases/cobell/index.htm