Lights (Still) Out at the Department of Interior

Even before the holidays, patience was wearing thin among employees of the National Park Service, just one of the federal agencies affected by a Dec. 5 court order that forced the Department of Interior to shut down its Internet access until it could prove that it had fixed major security problems. Now, for employees who’ve been without Internet access and external e-mail for almost two months, the frustration is palpable. “We’re still un-Internetable,” says one exasperated manager, searching for the right word. She found out, via the fax machine, that she’d had a research paper accepted by a professional organization that had almost given up on reaching her. “It just is so horrible,” she continues. “It’s funny the way e-mail is just a part of business.”

Not that anyone’s really laughing not the DOI’s thousands of employees, not its constituents, and certainly not the American Indians embroiled in a years-long court case over the alleged mismanagement of Indian trust funds. Plaintiffs in a class-action lawsuit want the government to account for billions of dollars of royalties from grazing, mining, logging and oil drilling on Indian lands that have been managed by the U.S. government for the past century.

The latest chapter of the saga: dangerously inadequate information security surrounding the trust funds, which hold $500 million a year in revenues. Court-appointed Special Master Alan Balaran uncovered evidence of long-term security problems and detailed how CIO Daryl White failed to fix them. A security firm hired to do penetration testing was able to easily access and change financial information using “free tools and utilities, which are widely available on the Internet.” In response, a district court judge ordered the shutdown of all computers that touch trust funds data on Dec. 5.

Two months later, the DOI is still in the midst of certifying that each and every personal computer and server should be connected to the Internet. Because of concerns over public safety, the U.S. Geographical Survey and the National Fire and Safety Center got special permission to go back online shortly after the temporary restraining order was issued. As of this week, the Bureau of Indian Affairs had gotten certification to bring up its intranet, and the Office of Surface Mining had been able to reconnect to the Internet. But that leaves the DOI a long way from being fully operational.

White’s office refers reporters to public affairs for comment. Says spokesperson John Wright: “It’s unclear when our systems might be up, but our IT folks are working aggressively, sometimes 18, 20 hours a day, to make sure that our systems meet the specifications of the Special Master and to protect the integrity of our data.”

The case, set to resume this week, is significant because it shows that organizations can be held legally accountable for negligent information security practices. But it also illustrates that exactly which organizations will be held up as examples is somewhat arbitrary.

Last November, Interior flunked a security test given by a House panel. But so did the departments of Agriculture, Commerce, Education, Justice, Treasury, Defense, Labor and Transportation, among others. It just so happened that Interior was already in the midst of a bitter court case in which faulty security could play a role.

What’s more, there’s little evidence that many businesses could survive the same kind of public scrutiny that federal agencies are subjected to. “Everyone else is just as bad,” security guru Bruce Schneier says. “I think if you gave that same grading to corporate America, you’d see all the Fs also.”

For employees and citizens who expect government agencies to be plugged into the Internet, it’s painfully obvious that the DOI has serious flaws with its information security. But might we suggest that it is also at least a little unlucky?