WASHINGTON - The federal judge in the Cobell lawsuit recently ordered Interior Department computers that house trust fund data to be disconnected from the Internet, with two exceptions. Judge Royce Lamberth issued a preliminary injunction on July 28, extending a temporary order he had granted plaintiffs at the end of June.
Some computer systems are exempt if the Interior Department can certify they are needed for protection against fires or other threats to life or property. Also, systems that have been reconnected since the judge's first shutdown order in December 2001 may remain on-line if the Department can demonstrate they have security measures to protect against unauthorized Internet access.
Lamberth's injunction came 10 days after an appeals court overturned his September 2002 contempt citations against Interior Secretary Gale Norton and former Assistant Secretary Neal McCaleb. Is the renewed "lockdown" the revenge strategy of a cranky judge, imposing impossibly high standards for information security against a struggling government agency?
Caroline Hamilton is chairman and founder of RiskWatch Inc., a Maryland-based security risk assessment software company. Hamilton has never heard of any other federal agency being ordered by a judge to take its computers off-line.
She says that even with new laws concerning the privacy of citizens' medical and financial information, "nobody is doing anything that they are told to do. There are legal requirements and federal agencies are still not always complying with these regulations."
Hamilton thinks the problem is money. "They don't have the funds to do it. A lot of these requirements on federal agencies are what they call unfunded mandates."
The judge's opinion that accompanies the injunction begins with a quote taken from an April 2001 issue of Government Executive. Former BIA Information Officer Dominic Nessi said, "For all practical purposes, we have no security, we have no infrastructure ? Our entire network has no firewalls on it."
Robert Richardson is the editorial director at the Computer Security Institute, a San Francisco-based company that offers classes and publications on network security. CSI, working with the FBI, publishes an annual survey about computer crime and security in private corporations and government agencies.
Richardson says that 98 percent of the 530 respondents to their most recent survey use firewalls. In 2001 when Nessi was interviewed, 95 percent used firewalls.
"I don't think that there is a single commercial entity of any size that doesn't have numerous firewalls. It's just standard practice. I have a firewall in my office at home."
Are firewalls that expensive? And have they been added to the Interior Department's computer system by now? "Not that expensive," says Hamilton. "They should have done that."
But whether or not firewalls are up is a secret. Dennis Gingold, the lead attorney for the Cobell plaintiffs, said this information is sealed to deter hackers. "If you tell the world what's wrong with [the computer system] then you'll be able to get into it."
Gingold says that the Interior Department has not satisfied the Office of Management and Budget's computer security requirements for transmitting financial information.
When Lamberth yanked Interior's computers off the Internet the first time, in early December 2001, it was in response to court-appointed Special Master Alan Balaran's scathing report about the security of trust data. The document cites seven reports, including Balaran's own site visit to the Reston, Va. data center. These risk assessments, performed by both outside contractors and government agencies, gave the department very poor marks.
The Government Accounting Office's "Computer Security Report Card" (issued in September 2000) gave Interior an F. Granted, the department was in good company; fellow security failures included the Departments of Justice, Health and Human Services, Agriculture, Labor, the Small Business Administration, and the Office of Personnel Management.
Balaran ended his report with this recommendation: Given that computer data security was as deplorable as it had been 10 years ago, due to the Interior Department's negligence, the Court should assume direct oversight of the systems housing the Indian trust data.
Lamberth shut down the computers shortly after that, and havoc ensued. Department employees could not be contacted via e-mail. The BIA's Web site went down. And the Christmas royalty checks to Indian trust beneficiaries were neither cut nor mailed.
To keep the wheels of the Indian trust machine (and the BIA) from grinding to a halt, Lamberth issued a consent order on Dec. 17, 2001, which allowed the department's computer systems back on-line after Special Master Balaran had checked and approved each one.
Dan DuBray, an Interior Department spokesperson, says that since the order a year and a half ago, four out of five department employees are now reconnected to the Internet.
The reasons for putting trust data computers off-line again, as stated in the opinion accompanying Lamberth's most recent injunction, involve the department's reluctance to let Balaran test the security of its reconnected computer systems. The judge's 35-page opinion quotes at length the snippy exchanges between Justice Department attorneys and the special master.
Sandra Spooner, the lead defense attorney, assured Balaran in correspondence of July 9, 2003, that Interior had cooperated with his testing program in the past and was willing to do so in the future. But she also said:
"As we have briefed you and the Court, the Consent Order did not authorize the Special Master to conduct "penetration" or "exploitation" testing and 18 U.S.C. Section 1030 provides that it is a felony for a person to seek to gain unauthorized access to information housed on Government computer systems."
As quoted in the judge's injunction opinion, the defendants filed a July 9 brief with the court, which said: "The Consent Order does not provide authorization for the Special Master to conduct intrusive and potentially destructive "penetration" and "exploitation" testing upon systems whose reconnection the Master has already approved."
Interior stated that its own contractor, Science Applications International Corporation, had tested the security of the reconnected computer systems. But Lamberth would not accept this as a substitute because SAIC, which is paid by Interior, did not operate independently of the department.
"In sum, the parties continue to be at an impasse as to the manner in which the Consent Order should be implemented," Lamberth wrote. The judge took matters into his own hands.
"Henceforth, instead of relying upon the Special Master to determine whether the Interior Department's systems either are secure from unauthorized Internet access or do not house or afford access to trust data, the Court will make such determinations directly."
These contrasting interpretations of Lamberth's orders now extend to how plaintiffs and defendants are interpreting the preliminary injunction. DuBray of the Interior Department says that the injunction does not order immediate disconnection of any systems. "What this order does require is a recertification of systems that have been reconnected," he says.
Plaintiffs' lawyer Gingold says the order requires the computers to be taken off-line immediately.
Bill McAllister, spokesperson for the Cobell Indian trust group, says the Interior Department has drawn a line in the sand. "Clearly what we see is they've decided to take a hard line. They're not going to cooperate or help any court officials resolve these issues. They're going to contend that it's only the executive branch that can do it, and the judge doesn't have any right to do a lot of what he's been doing."
Does the judge have a right to do what he's done? After all, the Interior Department does not stand alone among government agencies in its failures regarding computer security. Government reports issued by the GAO attest to this.
CSI's Richardson is not aware of any other situation where a court has issued this kind of injunction. But he sees several factors in the equation besides having a big enough budget. One must choose a standard of reasonable data security. "You would like to have perfect security," he said, "but it doesn't exist. This is what security professionals do all day, is figure out what level of trust they are willing to live with."
For Gingold, the bar is set higher when it comes to protecting Indian trust data. "There's no federal agency other than the Treasury Department that is a trustee delegate. The fiduciary responsibility that the United States owes these beneficiaries is unique and attributable to Treasury and Interior. The difference is Treasury has secure systems."
About the question of whether the judge is a crank, Richardson says, "Whether or not it's reasonable for a judge to issue an injunction really hinges on the degree to which it can be demonstrated that the data is not secure ... The judge has to weigh whether or not reasonable security has been implemented."
Richardson says shutting down the computers of a branch of government might be the only way to put teeth into making the government take responsibility for information security.
"How else are you going to force them? It sure gets their attention," he said.