Interior's security weaknesses not unique
Facebook Twitter Email

Secretary of Interior Gale Norton and her senior aides were aware last summer of computer security weaknesses similar to ones that led to a court-ordered shutdown that has crippled the department's daily business and suspended critical royalty payments to Indian landowners.

In a July report addressed to Norton, Congressional investigators told her that the information technology systems at Interior's financial center in Denver, Colorado, suffered from several vulnerabilities. Although attempts were made to fix known deficiencies, the General Accounting Office (GAO) still found numerous problems, including the inability to detect intrusions, lack of sufficient access control measures, poorly configured software, weak password protections and the lack of a contingency plan.

These problems, said the GAO, posed a risk to the financial data housed at the National Business Center. NBC-Denver in 2000 processed $9 billion in payroll for more than 200,000 government employees and more than $3 billion in other financial transactions, according to the report.

"These weaknesses placed critical department operations, such as financial management, personnel, and other operations, at greater risk of misuse and disruption," the GAO wrote.

The department's response was to assure the GAO that it had corrected many of the issues raised. In a letter written by Bob Lamb, a career official who at the time was acting Assistant Secretary for Policy, Management and Budget, he said the Interior was "aggressively moving" to correct the failings.

"While audits do identify opportunities for improvement, the impetus for security controls has always been internally driven," Lamb stated in the June 14 letter. "We take information system controls very seriously."

But within weeks of Lamb's letter, a court investigator was able to break into IT systems housing the assets of 300,000 American Indians. Exploiting holes identical to ones laid out by the GAO, special master Alan Balaran, and hackers he later hired, were able to access, create, modify and delete individual Indian trust data.

Lamb, too, had a response, but it turned out to be somewhat misguided, he now admits. In testimony this week during Norton's contempt trial -- of which IT security is a key issue - he told a federal judge he was snookered by a "credible" subordinate who told senior management that nothing was wrong.

"And we're now in the mess that we're in," he said.

With the Internet shutdown well into its second month without a resolution in sight for a number of computer systems, the state of security is looming for Norton and her contempt trial. U.S. District Judge Royce Lamberth has informed her lawyers that the burden is on them to fight the charge.

Meanwhile, Associate Deputy Secretary James Cason continues to negotiate with Balaran to reconnect systems, including ones that process payments to thousand of Indian beneficiaries. Balaran has stated he won't accept shortcuts and a status report released this week chastised the department for its handling of the debacle.

"Statements are made that are later recanted and corrected," he wrote. "Explanations are given that appear inconsistent with others. This is not to suggest any duplicity on the part of any official. Rather, it is the speed with which the Interior feels constrained to reconnect its IT systems that militates in favor of prudence."

Get IT Reports:
GAO Report | Special Master Status Report (1/15) | Special Master Report and Recommendations Regarding the Security of Trust Data (12/4)

Relevant Links:
Indian Trust, Department of Interior -
Indian Trust: Cobell v. Norton -

Related Stories:
Norton effort 'too little, too late' (1/16)
Interior shutdown still unresolved (1/16)
Norton notes 'challenge' of daily work (1/15)
McCaleb tries to explain computer shutdown (1/11)
Interior waited weeks on trust fund shutdown (1/9)
Order on trust fund payments sought (1/8)
Debate continues over trust fund shutdown (1/7)
Speedy trust fund payments sought (1/7)
Interior says working on shutdown (1/7)
Little hope for trust fund payments (1/4)
Computer security charge stands as checks delayed (12/21)
Checks to Great Lakes region delayed (12/20)
For BIA, a working holiday (12/19)
Taking lead on trust reform proves tough (12/19)
Baucus: Delay in checks 'unacceptable' (12/19)
Judge orders Interior reconnect (12/18)
Interior shutdown was 'overreaction' (12/18)
'Not be a very bright Christmas' (12/18)
Cost of Interior shutdown not known (12/17)
Interior computer agreement dropped (12/14)
Interior computer order finalized (12/13)
Editorial: Still ripping off Indians (12/12)
Griles in charge of IT reform (12/11)
Floods more important than Indians (12/10)
Judge holds security hearing (12/8)
DOI Shutdown: 'We're Hurting Tribes' (12/7)
From the top, a gamble in trust (12/7)
Norton acknowledges Internet problems (12/7)
'We're in the Dark' (12/7)
Judge orders Interior to cut Internet access (12/6)
Security contempt charge added (12/6)
Transcript of Dec. 5 trust fund hearing (12/6)
Interior doesn't understand court order (12/6)
Judge cuts trust fund access(12/5)
Report reveals attacks on tribal, Indian trust (12/5)
No Trust: Hacking the Department of Interior (12/5)
Judge holding secret hearings (12/4)
New: Security report released (12/4)