Indianz.Com
Court forcing Interior on security
WEDNESDAY, JANUARY 23, 2002 Second in a series of articles about the state of trust reform. Among the many changes to the Department of Interior's trust reform update that Secretary Gale Norton personally submitted last week is the addition of a section on information technology and computer security issues. Up until December 5, when a federal judge ordered the department to cut Internet access to individual Indian trust data, security wasn't even on the burner. The High Level Implementation Plan (HLIP), a Clinton-drafted blueprint to trust reform that Norton has officially scrapped, makes no mention of hackers, firewalls or network breaches, an omission senior department officials recognized but wouldn't publicly acknowledge for fear their worst nightmares would come true. Yet for as long as the plan has been around, security has been the subject of considerable debate. When former Assistant Secretary Kevin Gover announced in the spring of 2000 that the Bureau of Indian Affairs computer center, known as the Office of Information Resource Management (OIRM), was moving from New Mexico to suburban Washington, D.C., fixing known vulnerabilities was cited as a primary factor. With the revelation that a court investigator and hackers he hired were able to break into the Individual Indian Money (IIM) system and create, access, modify and delete data, top officials now know that never happened. Norton's status report finally admits it as well. "A large number of security weaknesses have been identified," writes Associate Deputy Secretary James Cason, the department's point man on the issue. "The Special Master demonstrated (twice) that at least one of the key Bureau of Indian Affairs computer systems could be penetrated." But Cason also admits there is no plan to fix the problems. "Some remedial work has been done; however, there is no approved comprehensive project or strategic plan for systematically improving systems security and integrity," he writes. What little work that has been done, he continues, is "unsystematic." From August -- when the OIRM was informed of security breaches -- to the end of December, the efforts "were not guided by an agreed upon information technology systems security strategic plan," he says. Nevertheless, Cason cites a number of tasks done, even if many were just to prepare security plans which were non-existent until last fall. These include: - A department request for "substantial" funding in the fiscal year 2003 budget for information technology. President Bush will release his budget February 4.
- A report to the White House Office of Management and Budget (OMB) on redirection of fiscal year 2002 funds for "Indian Trust Management Systems."
- The hiring of a contractor, SRA International Inc., to assess Indian trust systems.
- The creation of two positions, including one specifically for Indian trust. But Assistant Secretary Neal McCaleb still hasn't hired a Chief Information Officer or a director for OIRM, Cason notes.
- The hiring of Predictive Systems Inc., the firm the special master used to hack into the trust systems, to install firewalls in Albuquerque, N.M.; Phoenix, Arizona, and OIRM in Reston, Virginia.
- The purchase of an "encryption package" for the system that runs the Integrated Records Management System (IRMS). IRMS processes royalty payments for thousands of Indian landowners and has been shut down since last month.
- The purchase of an "encryption package" for the system at the National Business Center in Denver, Colorado, that processes general assistance checks for tribes. The same system also runs software for the Land Records Information System (LRIS) and the National Indian Irrigation Management System (NIIMS).
- Reduction of BIA users allowed to access the IRMS.
- The preparation of numerous plans, of which Cason admits: "Little material progress has been made to implement these plans."
- The hiring of SAIC to provide assistance to the Office of the Special Trustee.
All of these, Cason writes, finally point to an attitude shift of the Interior. "Past views within the Department concerning its trust responsibilities have not led to the development of a robust information technology system security infrastructure," he writes. Cason also writes that the current technology staff department-wide is inadequate. "Generally, the quantity and quality of information technology system technical leadership and support staff are insufficient," he says. In contrast to Cason's apparent candor, a section of the report verified by an assistant to Neal McCaleb is surprisingly short. Bill Roselius notes the "turmoil" the OIRM move caused and said many employees chose not to follow the center to Virginia. Roselius, a former consultant to the state of Oklahoma who was hired by McCaleb in September, does note some physical security improvements at OIRM. He also says the old site in Albuquerque is being sought as a "backup." Today on Indianz.Com:
Indian trust seen in new light (1/23) Other Trust Reform Updates:
Intro (1/22) | Secretary's Observations | Special Trustee Observations | Trust Transition Observations | Departmental Organization | Historical Accounting Get the Report:
Status Report to the Court Number Eight (1/16) Relevant Links:
Indian Trust, Department of Interior - http://www.doi.gov/indiantrust
Indian Trust: Cobell v. Norton - http://www.indiantrust.com
Trust Reform, NCAI - http://130.94.214.68/main/pages/
issues/other_issues/trust_reform.asp Related Stories:
Interior shutdown has wide effects (1/21)
Norton told of security problems (1/18)
Interior's weaknesses not unique (1/17)
Norton effort 'too little, too late' (1/16)
Interior shutdown still unresolved (1/16)
Norton notes 'challenge' of daily work (1/15)
McCaleb tries to explain computer shutdown (1/11)
Interior waited weeks on trust fund shutdown (1/9)
Order on trust fund payments sought (1/8)
Debate continues over trust fund shutdown (1/7)
Speedy trust fund payments sought (1/7)
Interior says working on shutdown (1/7)
Little hope for trust fund payments (1/4)
Computer security charge stands as checks delayed (12/21)
Checks to Great Lakes region delayed (12/20)
For BIA, a working holiday (12/19)
Taking lead on trust reform proves tough (12/19)
Baucus: Delay in checks 'unacceptable' (12/19)
Judge orders Interior reconnect (12/18)
Interior shutdown was 'overreaction' (12/18)
'Not be a very bright Christmas' (12/18)
Cost of Interior shutdown not known (12/17)
Interior computer agreement dropped (12/14)
Interior computer order finalized (12/13)
Editorial: Still ripping off Indians (12/12)
Griles in charge of IT reform (12/11)
Floods more important than Indians (12/10)
Judge holds security hearing (12/8)
DOI Shutdown: 'We're Hurting Tribes' (12/7)
From the top, a gamble in trust (12/7)
Norton acknowledges Internet problems (12/7)
'We're in the Dark' (12/7)
Judge orders Interior to cut Internet access (12/6)
Security contempt charge added (12/6)
Transcript of Dec. 5 trust fund hearing (12/6)
Interior doesn't understand court order (12/6)
Judge cuts trust fund access(12/5)
Report reveals attacks on tribal, Indian trust (12/5)
No Trust: Hacking the Department of Interior (12/5)
Judge holding secret hearings (12/4)
New: Security report released (12/4)