A familiar scenario

So the flap at Interior sounds familiar? Two years ago, the Environmental Protection Agency went off-line after an audit by the General Accounting Office found security weaknesses.

Unlike Interior, which disconnected from the Internet upon the orders of U.S. District Judge Royce Lamberth, the EPA acted at the request of then-House Commerce Committee Chairman Thomas Bliley (R-Va.), who asked for the audit. The shutdown occurred Feb. 16, 2000.

"Overall, our review found serious and per.vasive problems that essentially render the EPA's agencywide information security program ineffective," said David McClure, now GAO's director of information technology management issues, in testimony submitted at the time of the shutdown to the Commerce Committee's Subcommittee on Oversight and Investigations. "Current security program planning and management is largely a paper exercise that has done little to substantively identify, evaluate and mitigate risks to the agency's data and systems."

The EPA had about 80 percent of its site back up and running within five months.

"The GAO review was a wake-up call," said Al Pesachowitz, the EPA's chief information officer at the time of the shutdown. "It focused the issue. Our folks were able to get the agency's Internet site up on a limited basis within a few days."

The agency also underwent a cultural change, making security a priority. "Every time you improve your security, you have to be looking ahead to the next problem. It's a continuous effort," said Pesachowitz, who is now practice area director, civilian agency consultant at Grant Thornton LLP. "I would say there's been a significant improvement in security at EPA."