Security gaps defy easy fixes

Hackers from the computer security firm Predictive Systems Inc. had no trouble late last year breaking into the Bureau of Indian Affairs' $40 million trust accounting system — they went in through a "back door" of the Interior Department's many Web sites.

That exploit reportedly made U.S. District Judge Royce Lamberth so angry that he issued the order to disconnect all of Interior's computer systems from the Internet. Since then, Lamberth has ordered Interior to get approval from Alan Balaran, the court's special master, before reconnecting its sites.

Balaran so far has demanded that Interior meet a high standard for security on any systems related to Indian trust data. Ensuring the security of this data on systems that were lacking in all measurable aspects requires "careful scrutiny," he wrote in a report filed Jan. 16 with the court.

Still, how long can it possibly take to put up firewalls and other security devices on Interior's systems? After all, the agency is one of the smallest in the federal government.

Security, however, isn't nearly as easy as it looks, experts in the field say.

"A firewall is simply a bunch of rules about what data traffic is allowed through that someone could use to gain access to the routers, servers and workstations on the network that are inside the firewall. It sounds more robust than it really is," said Clint Kreitner, president and chief executive officer of the Center for Internet Security.

"There are no silver bullets. A firewall isn't the one and only answer," said Lawrence Rogers of the CERT Coordination Center at Carnegie Mellon University.

"The security continuum runs from 'secure' to 'usable.' The challenge that systems administrators face is where to position themselves on that line," Rogers said. "The most secure system is the one that's turned off and sitting over in the corner. But it's not particularly useful."

Interior is still using one of the two legacy systems that the BIA's Trust Asset and Accounting Management System was supposed to replace, and that exacerbates the security problem, the experts add.

"Retrofitting meaningful security into database code that was not initially designed for that purpose is lengthy and difficult work," said Jon Lasser of Cluestick Consulting, a local computer-security consulting firm.

"Most [legacy] databases were designed before the Internet, back when everyone who worked on them was in a single building and could all know and trust each other," Lasser said. "Adapting from this small-town mentality to the big-city mentality of the Internet requires deep change."