An Internet security expert testified on Tuesday that he was able to hack into computer systems housing Indian trust fund data without detection despite one Bush administration official's
claim that the network is "bulletproof."
Scott Miles was the first witness called during an evidentiary hearing in the Cobell v. Norton case. His firm, Internet Security Systems,
has been hired by the Interior Department's Inspector General to perform "penetration"
tests to determine whether billions of dollars in Indian trust funds are vulnerable to hackers.
In his testimony, Miles gave the most detailed account so far of the department's
security weaknesses. He confirmed that not only was he able to break into the Bureau of Land Management, as was previously disclosed, but also the U.S. Geological Survey and the
Bureau of Reclamation.
"The goal of the penetration test is to get into the system and see how far you can go," the witness told the court.
Miles, who works out of an office in the Washington, D.C., area, testified that he got pretty far using an Internet connection available to anyone in the world. He said he broke into the BLM by going through the agency's public web server, which has since been taken offline.
Once he accomplished this task, he asked himself, "How far can we get from this point?" he recalled in his testimony. He said he was able to exploit vulnerabilities in the BLM
system to gain access to yet another web application server -- but
that wasn't the end of his journey.
Once he crossed that barrier, he could see "all of the systems inside the BLM network," he told the court. That's when he noticed he could hack into Indian trust funds, he added.
But Miles cautioned that he didn't actually break into the Indian trust. "I wouldn't characterize it that way," he said when asked about an Inspector General memo that warned of
"unauthorized access" to Indian funds.
Yet Miles acknowledged that he was able to gain special access to at least one BLM system. With
"administrative" privileges he said he could "do anything to that data -- write, change, delete [or] modify" it, something the Cobell plaintiffs have warned about for years.
"We did obtain administrative status to at least one of the Windows-based servers in the network," Miles told the court, referring to the popular Microsoft operating
Dennis Gingold, an attorney for the Cobell plaintiffs, used the testimony to contradict claims by the Bush administration that the Indian trust is secure thanks to a $100 million investment. Jim Cason, the Interior's associate deputy secretary, once told the court that the department has made improvements to "basically bulletproof" the network from hackers.
But Miles, who appeared at times uneasy with being described as a hacker, a term that carries negative connotations, said he probably wouldn't describe the situation that way.
He testified his firm was initially blocked by the BLM's
security protections but that he was able to fool the agency
into letting down its guard by changing attack methods.
"Some of our testing was blocked," he confirmed. But to
overcome that, "We moved to another network location to
continue testing at a lighter pace," he said. After that,
he gained access into BLM without detection, he said,
and could have stayed in the system "for days," as
Gingold put it.
The testimony filled some of the gaps in the record that has
been released to the public so far. The Inspector
General has provided copies of documentation related
to the BLM hacking, including a critical ISS report,
but most of it is heavily redacted.
Still, this isn't the first time that hackers have broken into
Interior's network. In the spring and summer of 2001,
Alan Balaran, the former special master in the case who was ousted
amid a disqualification campaign by the Bush administration
and other past and present government officials, hired
a computer security firm that hacked into the
Bureau of Indian Affairs and gained access to billions
in trust funds.
The disclosure was brushed off by senior Interior bureaucrats at the
time -- much to their dismay.
"And we're now in the mess that we're in," said Bob Lamb, a deputy
assistant secretary, during the department's
first Internet shutdown of winter 2001
that led to delays in trust payments to individual Indians.
U.S. District Judge Royce Lamberth has since ordered Interior
to disconnect its computers from the Internet two times.
The most recent shutdown, however, was lifted by an appeals
court after being challenged by the Bush administration.
At the same time, the D.C. Circuit Court of Appeals
affirmed that Interior has a fiduciary obligation to
protect the computer data and the computer systems of the Indian trust.
"It is indisputable that the Secretary has current and
prospective trust management duties that necessitate
maintaining secure IT systems in order to render accurate
accountings now and in the future," the court said in December 2004.
The evidentiary hearing is set to continue today in federal
court. It is not known how long it will last but the list of
witnesses sought by both the plaintiffs and the Department
of Justice includes dozens of people.
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
v. Norton, Department of Justice - http://www.usdoj.gov/civil/cases/cobell/index.htm
Trust, Department of Interior - http://www.doi.gov/indiantrust