U.S. District Court Orders Interior Department Computers Disconnected from the Internet Based on Security Concerns
Posted by K.M. Das
In a 205-page Memorandum Opinion, Judge Lamberth of the United States District Court for the District of Columbia blasted the lack of security of the Interior Department ("Department") computers that contain data relating to Indian Trust assets.
In a separate order, issued on October 20, 2005, Judge Lamberth ordered that the Department:
[F]orthwith shall disconnect all Information Technology Systems that House or provide Access to Individual Indian Trust Data:
1. from the Internet;
2. from all intranet connections, including but not limited to the VPX, ESN, or any other connection to any other Interior bureau or office;
3. from all other Information Technology Systems; and
4. from any contractors, Tribes, or other third parties.
The extremely broad definition of Information Technology Systems includes
Any computer, server, device, network, intranet, enclave, or application . . . that is used by [the Department] or any of its employees, agents, contractors, or other third parties in the electronic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or other information, including without limitation computers, wireless devices (e.g. Blackberrys) and networks, . . . [and] VOIP . . . .
Within twenty days the Department must submit declarations to the Court regarding those Information Technology Systems that the Department asserts do not house or provide access to individual Indian Trust Data, explaining why they don't house or provide access to such data.
Judge Lamberth's order was based to some degree on the "grades" that the state of IT security at the Department received from outside evaluators. The Department's own Inspector General, Earl Devaney, graded the Department's IT security an "F." Roger Mahach, who formerly headed the Department's IT security department, "testified that he grades it one notch lower than an 'F,' so he called it a 'G'."
Judge Lamberth acknowledged that he expected the Department to appeal his order immediately. He added, however, that he hoped "that [the Department] will recognize the problems inherent in its IT infrastructure, both technical and managerial, and choose to address those problems rather than merely stall for time and continue to bandage its IT security bullet wounds."
During the three-month evidentiary hearing there was testimony from numerous computer experts that it was easy to hack into the Department's computer systems, including those containing Indian Trust data, despite the Department having spent almost $100 million on computer security over the past three years. Members of the Department's own IT security team testified, however, that the $100 million was not necessarily properly allocated to address the most pressing needs and risks.
Throughout the Memorandum Opinion, Judge Lamberth harkened back to his earlier rulings, noting that "[t]his Court previously expressed its view that [the Department's] failure to disclose the true status of its trust reform efforts constitutes fraud on the Court. From the three-month evidentiary hearing conducted on IT security, it appears that little has changed in terms of truthful reporting."
The Washington Post reports that the Department's spokesperson, John Wright, said that Judge Lamberth's order would affect as many as 6,000 computers that contain Indian trust data. The order also affects "an undetermined number" of other computers, including Blackberrys. Wright also said that the order would affect the Department's "ability to collect, process, and distribute rents and royalty payments for both Indian beneficiaries and the federal government." In his Memorandum Order, Judge Lamberth recognized the reach of his order. He quoted a witness, however, as testifying that "'It takes catastrophe' to get [the Department] to focus on the most pressing issues. Sometimes it takes eye-opening events . . . to actually get the people to pay attention."