Trust
Lamberth holds hearing on Indian trust security


The federal judge handling the Indian trust fund case moved forward with his oversight of the Interior Department's computer systems on Wednesday in light of new reports of vulnerabilities.

U.S. District Judge Royce Lamberth held a two-hour hearing in Washington, D.C., on the state of information technology at the department. It was his first foray into the subject since a federal appeals court last December lifted an order that disconnected the department's computer systems from the Internet.

In recent testimony to Congress, associate deputy secretary Jim Cason characterized the decision as one of the Bush administration's "victories" in the long-running Cobell v. Norton case. But information technology woes continue to plague the department, with an internal report forcing the Bureau of Land Management to shut down its website due to the "poor state of network security."

Lamberth said he was willing to hold an evidentiary hearing and call witnesses -- potentially including Cason -- to get to the heart of the matter. The appeals court cited the lack of such a hearing when it lifted the shutdown order.

Dennis Gingold, an attorney for the Cobell plaintiffs, said he was ready to go to trial on the issue "next week." He told the court that that billions in individual Indian trust funds are at risk to computer hackers unless the relevant computer systems are removed from the Internet and turned off.

"The consequences are terrible," Gingold said. "You can transfer property, you can transfer money, you can order checks" without being detected, he said.

Glenn Gillette, a Department of Justice attorney, didn't immediately object to holding of the evidentiary hearing. But he suggested it should be delayed until both sides can collect more evidence to determine whether the computer systems are secure.

"Clearly, the individual Indian trust data today is more secure than it has been," Gillette told the court. He said the department has spent $100 million over the past three years to install firewalls, redesign the network and take other measures to beef up the systems.

Lamberth indicated he welcomed some of the changes that have been made, including the department's decision to conduct "penetration" tests to identify security gaps. "It's exactly what I was asking to be done" in ordering the shutdown that was lifted by the appeals court, he said.

But he voiced concerns about Interior's continued management of the Indian trust. In fighting the Internet shutdown, the department complained that its day-to-day operations were harmed, a situation that could be avoided if trust and non-trust data were separated.

"Why doesn't Interior keep the trust data in a separate system?" Lamberth asked. "Why do they want to keep the data intermingled?"

Gillette said the department's long-term goal was to keep the data separate but he didn't know when that would be accomplished. Currently, if all of the systems are shut down, "You have almost no ability to do any work," he told the court.

Lamberth also said he had problems with the department's proposal to keep secret the internal report that prompted the BLM shutdown. "I don't think it's fair to the public," he told Interior Secretary Gale Norton's defense team, who have not provided the entire report to the court or to the Cobell plaintiffs but provided a key detail in a filing.

On April 6, the Inspector General at Interior issued a report that outlined the results of a penetration test at an unknown agency. "Given the poor state of network security at [agency] and the weak access controls we encountered on many systems, it is safe to say that we could have easily compromised the confidentiality, integrity, and availability of the identified Indian Trust data residing on those systems," the document stated, according to the filing.

Two days later, Norton's attorneys asked the court to seal the IG report but Lamberth said their proposed order was "overbroad" and would prevent its release in its entirety. "I'm not going to buy an argument like that," he said before asking the lawyers to draft language that would identify which parts of the report might be redacted and under what standard.

In their filings, Norton's attorneys refused to discuss further details of the security vulnerabilities. But shortly afterward, two computer-related publications reported that the BLM was the agency at issue.

Gillette yesterday did offer additional information when pressed by the court. He said the penetration test found problems with a BLM e-mail server and "other associated servers" that he didn't identify. He said the systems failed due to a lack of "adequate encryption and password protection."

"This penetration test was run under a program initiated by Interior," he told Lamberth. "This testing is well beyond the normal standard done for [similar] systems."

The contractors hired by the IG were able to exploit the vulnerabilities and "get into BLM systems," Gillette acknowledged. "These folks were good," he said, suggesting that an ordinary hacker would not be able to compromise the network.

The IG has issued similar penetration test reports for the Bureau of Indian Affairs, Office of Special Trustee and Office of Hearings and Appeals, and issued another one for the National Business Center in Denver just two days ago, Gillette said. Similar tests are underway for the Minerals Management System, which handles $6 billion in Indian and other royalties a year.

Information technology surfaced as an issue in November 2001 when the former special master in the case hired a computer security firm that was able to break into the Indian trust systems easily. The discovery led to the first Internet shutdown a month later.

Since then, the overwhelming majority of the department's computer systems are back online. The only major exception is the Bureau of Indian Affairs.

The Bush administration, however, has continued to dispute whether Lamberth has the authority to oversee the computer systems. The D.C. Circuit Court of Appeals lifted the most recent shutdown order but supported Lamberth and the Cobell plaintiffs on this point.

"It is indisputable that the Secretary has current and prospective trust management duties that necessitate maintaining secure IT systems in order to render accurate accountings now and in the future," the court said.

Relevant Links:
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
Cobell v. Norton, Department of Justice - http://www.usdoj.gov/civil/cases/cobell/index.htm
Indian Trust, Department of Interior - http://www.doi.gov/indiantrust