North American Network Operators Group

Re: 3 strikes - Interior Department ordered offline again

  • From: Fred Heutte
  • Date: Mon Mar 15 21:56:51 2004

This is quite something.  From Judge Lamberth's order, additional
insight into the behavior of a contractor we know well:

  It is unfortunate, therefore, that Interior proposes that 
  “[e]ach bureau or office for which reconnection is intended
  will take steps to verify its representation that the IT
  system is secure from Internet access by unauthorized users.”
  Interior Proposal at 7. In support, Interior plans to submit
  documentation to the Court that “will incorporate the data
  necessary to support a risk-based decision on Internet
  reconnection. The assessment may include, as appropriate: (1)
  network mapping and enumeration; (2) SANS/FBI Top 20
  Vulnerability List Comparison; (3) vulnerability assessment;
  and (4) penetration testing.” Id. at 7. Interior further
  offers that the above assessment will be performed by
  “Interior or its contractor.” Id. at 7 n.9. “Interior’s
  current contractor is Science Applications International
  Corporation (“SAIC”).” Id. at 8 n.11. As this Court already
  noted: “SAIC is a contractor that is paid by the Interior
  Department” and as such “it cannot be considered to be a
  testing agency that operates independently of the Interior
  Department.” 274 F.Supp.2d at 133. Furthermore, the Court
  observes that SAIC’s long history as an Interior contractor in
  this area and the simple fact that Interior’s IT security
  remains poor makes this Court reticent to rely on their
  judgment. Allowing Interior or SAIC to provide the
  verification of representations made by its bureaus on the
  adequacy of their IT security does not offer this Court any
  party without a conflict of interest or a track record of
  incompetency and is an insufficient method of verifying IT
  security. The Court’s desire is simple and specific. The Court
  wants Interior to propose and the Court to approve 1) an
  entity with no prior relationship to Interior, 2) that
  possesses the requisite expertise in IT security, 3) whose
  only work for Interior will be performing the tasks set forth
  for it in the preliminary injunction issued this date, and 4)
  who will report all its findings to the Court. The Court does
  not mandate that such an entity work for the Court, in fact
  they can be paid and supervised directly by Interior. In this
  regard the Court is now making and continues to make every
  effort to allow the department to manage its own affairs
  without Court intervention. But the Court must absolutely have
  an entity not tainted by the history of falsehoods and
  deceptions that has plagued this litigation, nor otherwise
  dependent upon Interior for its revenues and livelihood, to
  provide honest appraisals of the security of individual Indian
  trust data ...

  Interior truly brought this on themselves. Accordingly, the
  Office of Inspector General, the Minerals Management Service,
  the Bureau of Land Management, the Bureau of Reclamation, the
  Office of the Special Trustee, Fish and Wildlife, the Bureau
  of Indian Affairs, the Office of Surface Mining, and the
  National Business Center must disconnect all of their
  respective computer systems from the Internet. This includes
  every single IT system within that bureau whether or not that
  IT system houses or provides access to individual Indian trust
  data. In contrast, the National Park Service, the Office of
  Policy Management and Budget, and the United States Geological
  Survey do not have to disconnect any currently connected
  system from the Internet. Lastly, no system essential for the
  protection against fires or other threats to life or property
  should be disconnected from the Internet.