
Bureau of Indian Affairs still failing on online security measures

Mike Black, the acting Assistant Secretary for Indian Affairs, addresses the winter session of the National Congress of American Indians in Washington, D.C., on February 14, 2017. Photo by Indianz.Com / Available for use under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

More than 15 years after a computer shutdown sent Indian Country into turmoil, the federal government is still failing to protect its online systems, according to a new watchdog report.

In December 2001, the Bureau of Indian Affairs was forced to disconnect its computers from the internet because billions of dollars in Indian trust funds were vulnerable to loss. Despite widespread attention to the problem by the media, the courts and Congress, the agency is still struggling to address it.

The Department of the Interior's Office of Inspector General in fact called security efforts at the BIA "immature" in the new report. The agency, along with its Bureau of Indian Education, was singled out as consistently failing to correct "thousands" of information technology vulnerabilities.

"We found that the BIA's management practices failed to detect critical and high-risk vulnerabilities" on one particular system, the report stated.

The OIG did not identify which system was at major risk -- the name was redacted from the report. But it was described as a "high-value IT asset that contains personally identifiable information," indicating it could be one that houses the trust data of individual Indians or tribes, or one with information about BIA employees, the overwhelming majority of whom are tribal citizens.

The problem wasn't isolated either. According to the report, the agency "left thousands of critical and high-risk vulnerabilities unmitigated for years on other BIA and BIE systems."

The BIA in fact never installed systems-management software on any of the 209 BIE devices that were tested in 2016 as part of the OIG's review. The reason? No one bothered to find the money for the effort, the report stated.

"This occurred because Indian Affairs, which includes both BIA and BIE, did not fund the purchase of IBM BigFix licenses for BIE systems," the OIG said.

The BIA has since promised to complete the installation of the software on the 209 BIE devices by April, according to the report. Most devices in fact already have BigFix, former acting assistant secretary Larry Roberts and another top official said in a letter signed in the waning days of the Obama administration.

But the overall effort appears to be slow-moving. According to Roberts, the target date for ensuring all devices at the BIA and the BIE are covered is June 30, 2018, more than a year away.

"Until BIA improves its IT security practices and [the Office of the Chief Information Officer at DOI] strengthens its oversight role, BIA high-value IT assets will remain at high risk of compromise, the results of which could have a serious adverse effect on DOI operations and cause the loss of sensitive data," the report said.

The BIA wasn't the only agency at Interior with IT management issues, though. The report cited a March 2016 incident in which a "power outage" caused problems for the BIA, the Department of Health and Human Services and the Office of Special Trustee for American Indians.

The entity responsible for that outage was redacted in the report, but it appears to be one with a very short acronym. The incident was the result of "inadequate contingency planning and plan testing" by said entity, the OIG asserted.

The 2001 shutdown at BIA came during the throes of the Cobell trust fund lawsuit after a federal judge found that hackers were able to penetrate systems containing the data of hundreds of thousands of individual Indians. A security expert later testified how he was easily able to exploit weaknesses at Interior through the public internet.

It took four years of additional shutdowns and repeated trips to a federal appeals court before the BIA and other DOI entities came back online. During the interim, trust fund payments to individual Indians and even to tribes were delayed, causing hardship throughout the nation.

Interior spends about $1 billion a year on information technology, according to the report. But the Indian trust shutdown, while it had a large impact at the time, has largely faded from public view since former Republican president George W. Bush left office.

A Republican, Donald Trump, is back in the White House and Interior is awaiting the arrival of Ryan Zinke, a Republican Congressman from Montana, as its new leader. His nomination will finally be considered by the Senate next week.

Office of Inspector General Report:
Information Technology Security Weaknesses at a Core Data Center Could Expose Sensitive Data (February 2017)