Indianz.Com
Interior's security weaknesses not unique
THURSDAY, JANUARY 17, 2002

Secretary of Interior Gale Norton and her senior aides were aware last summer of computer security weaknesses similar to ones that led to a court-ordered shutdown that has crippled the department's daily business and suspended critical royalty payments to Indian landowners.

In a July report addressed to Norton, Congressional investigators told her that the information technology systems at Interior's financial center in Denver, Colorado, suffered from several vulnerabilities. Although attempts were made to fix known deficiencies, the General Accounting Office (GAO) still found numerous problems, including the inability to detect intrusions, lack of sufficient access control measures, poorly configured software, weak password protections and the lack of a contingency plan.

These problems, said the GAO, posed a risk to the financial data housed at the National Business Center. NBC-Denver in 2000 processed $9 billion in payroll for more than 200,000 government employees and more than $3 billion in other financial transactions, according to the report.

"These weaknesses placed critical department operations, such as financial management, personnel, and other operations, at greater risk of misuse and disruption," the GAO wrote.

The department's response was to assure the GAO that it had corrected many of the issues raised. In a letter, Bob Lamb, a career official who at the time was acting Assistant Secretary for Policy, Management and Budget, said the Interior was "aggressively moving" to correct the failings.

"While audits do identify opportunities for improvement, the impetus for security controls has always been internally driven," Lamb stated in the June 14 letter. "We take information system controls very seriously."

But within weeks of Lamb's letter, a court investigator was able to break into IT systems housing the assets of 300,000 American Indians.
Exploiting holes identical to ones laid out by the GAO, special master Alan Balaran, and hackers he later hired, were able to access, create, modify and delete individual Indian trust data.

Lamb, too, had a response, but it turned out to be somewhat misguided, he now admits. In testimony this week during Norton's contempt trial -- of which IT security is a key issue -- he told a federal judge he was snookered by a "credible" subordinate who told senior management that nothing was wrong.

"And we're now in the mess that we're in," he said.

With the Internet shutdown well into its second month without a resolution in sight for a number of computer systems, the state of security is looming over Norton and her contempt trial. U.S. District Judge Royce Lamberth has informed her lawyers that the burden is on them to fight the charge.

Meanwhile, Associate Deputy Secretary James Cason continues to negotiate with Balaran to reconnect systems, including ones that process payments to thousands of Indian beneficiaries. Balaran has stated he won't accept shortcuts, and a status report released this week chastised the department for its handling of the debacle.

"Statements are made that are later recanted and corrected," he wrote. "Explanations are given that appear inconsistent with others. This is not to suggest any duplicity on the part of any official. Rather, it is the speed with which the Interior feels constrained to reconnect its IT systems that militates in favor of prudence."