Computer expert hacked into Interior systems


Internet Vulnerability Documents:
OIG Memo 1 | OIG Memo 2 | OIG Findings | Internet Security Systems (ISS) Report
An Internet security expert testified on Tuesday that he was able to hack into computer systems housing Indian trust fund data without detection despite one Bush administration official's claim that the network is "bulletproof."

Scott Miles was the first witness called during an evidentiary hearing in the Cobell v. Norton case. His firm, Internet Security Systems, has been hired by the Interior Department's Inspector General to perform "penetration" tests to determine whether billions of dollars in Indian trust funds are vulnerable to hackers.

In his testimony, Miles gave the most detailed account so far of the department's security weaknesses. He confirmed that not only was he able to break into the Bureau of Land Management, as was previously disclosed, but also the U.S. Geological Survey and the Bureau of Reclamation.

"The goal of the penetration test is to get into the system and see how far you can go," the witness told the court.

Miles, who works out of an office in the Washington, D.C., area, testified that he got pretty far using an Internet connection available to anyone in the world. He said he broke into the BLM by going through the agency's public web server, which has since been taken offline.

Once he accomplished this task, he asked himself, "How far can we get from this point?" he recalled in his testimony. He said he was able to exploit vulnerabilities in the BLM system to gain access to yet another web application server -- but that wasn't the end of his journey.

Once he crossed that barrier, he could see "all of the systems inside the BLM network," he told the court. That's when he noticed he could hack into Indian trust funds, he added.

But Miles cautioned that he didn't actually break into the Indian trust. "I wouldn't characterize it that way," he said when asked about an Inspector General memo that warned of "unauthorized access" to Indian funds.

Yet Miles acknowledged that he was able to gain special access to at least one BLM system. With "administrative" privileges he said he could "do anything to that data -- write, change, delete [or] modify" it, something the Cobell plaintiffs have warned about for years.

"We did obtain administrative status to at least one of the Windows-based servers in the network," Miles told the court, referring to the popular Microsoft operating system.

Dennis Gingold, an attorney for the Cobell plaintiffs, used the testimony to contradict claims by the Bush administration that the Indian trust is secure thanks to a $100 million investment. Jim Cason, the Interior's associate deputy secretary, once told the court that the department has made improvements to "basically bulletproof" the network from hackers.

But Miles, who appeared at times uneasy with being described as a hacker, a term that carries negative connotations, said he probably wouldn't describe the situation that way. He testified his firm was initially blocked by the BLM's security protections but that he was able to fool the agency into letting down its guard by changing attack methods.

"Some of our testing was blocked," he confirmed. But to overcome that, "We moved to another network location to continue testing at a lighter pace," he said. After that, he gained access into BLM without detection, he said, and could have stayed in the system "for days," as Gingold put it.

The testimony filled some of the gaps in the record that has been released to the public so far. The Inspector General has provided copies of documentation related to the BLM hacking, including a critical ISS report, but most of it is heavily redacted.

Still, this isn't the first time that hackers have broken into Interior's network. In the spring and summer of 2001, Alan Balaran, the former special master in the case who was ousted amid a disqualification campaign by the Bush administration and other past and present government officials, hired a computer security firm that hacked into the Bureau of Indian Affairs and gained access to billions in trust funds.

The disclosure was brushed off by senior Interior bureaucrats at the time -- much to their dismay. "And we're now in the mess that we're in," said Bob Lamb, a deputy assistant secretary, during the department's first Internet shutdown of winter 2001 that led to delays in trust payments to individual Indians and tribes.

U.S. District Judge Royce Lamberth has since ordered Interior to disconnect its computers from the Internet two times. The most recent shutdown, however, was lifted by an appeals court after being challenged by the Bush administration.

At the same time, the D.C. Circuit Court of Appeals affirmed that Interior has a fiduciary obligation to protect the computer data and the computer systems of the Indian trust. "It is indisputable that the Secretary has current and prospective trust management duties that necessitate maintaining secure IT systems in order to render accurate accountings now and in the future," the court said in December 2004.

The evidentiary hearing is set to continue today in federal court. It is not known how long it will last, but the list of witnesses sought by both the plaintiffs and the Department of Justice includes dozens of people.

Relevant Links:
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
Cobell v. Norton, Department of Justice - http://www.usdoj.gov/civil/cases/cobell/index.htm
Indian Trust, Department of Interior - http://www.doi.gov/indiantrust