The great divide

Two months after a federal judge in a long-running case ordered the Interior Department to disconnect from the Internet, most of the department's sites remain off-line.

The problem stems not from bits and bytes or even the caprice of the law, but from the simple fact that the agency is struggling to manage the imposition of 21st-century technology on a 19th-century accounting system, according to Interior officials and security and federal information technology experts.

"We've been operating with a cart and donkey. All of a sudden, we now have 'Star Trek,'" said Neal McCaleb, an assistant secretary at Interior and director of the Bureau of Indian Affairs. The bureau's multimillion-dollar trust accounting computer system, which was set up less than two years ago to handle money generated by some 54 million acres of American Indian land, is at the core of the problem.

The fact that BIA has had a chief information officer for less than 22 months compounds the problem, according to Interior officials. The bureau's Indian trust accounting system covers 12 regional offices across the United States and 85 remote offices, many of which house only one field agent and link to the system via local Internet service providers.

"These 12 regions are in different states of readiness to embrace information technology. Some of them have tried to be ahead of the curve because they can see what IT can do for them," said Debbie Clark, acting CIO for the bureau. "But in doing that they may not have [implemented technology] in the absolute best way. There are lots of good intentions out there, but everybody's not in the same place."

Many of the American Indians who are beneficiaries of the trust don't see Interior's IT problems in the same light, however. "Most of the policies of the Interior Department are based on concepts of Indians that are rooted in the 19th century, and we're in the 21st century," said David Lester, executive director of the Council of Energy Resource Tribes, a Denver-based organization representing the 45 U.S. tribes whose lands contain substantial coal, oil and natural gas reserves.

With the current trust accounting system, Interior is "trying to make a Model T operate as if it were a new car. That won't work, and [Interior] has to start from scratch," Lester added. "We [American Indians] want to hold on to our property like other Americans. After all, we're not exactly attacking wagon trains any more."

The tribes do not believe Interior's IT officials have bad intentions, said Dennis Gingold, lead attorney for the plaintiffs in the case. "These people aren't malicious," he said. "They just don't know what the hell they're doing."

A Poor Accounting

Interior has held American Indian-owned lands in trust for more than 100 years, leasing the properties and managing revenues earned from farming and oil drilling on the lands. Five years ago, a group of American Indian trust beneficiaries filed a class-action lawsuit in U.S. District Judge Royce Lamberth's court, contending that neglectful management over the years has made it impossible for landowners and their descendants to determine how much money is in their accounts. They estimate that the lost funds total as much as $10 billion.

On Dec. 5, Lamberth ordered Interior to disconnect all of its IT systems from the Internet to protect data maintained under BIA's Trust Asset and Accounting Management System (TAAMS), citing a report that showed the system easily could be breached by hackers. After an emergency hearing three days later, Lamberth agreed to allow Interior to reconnect the U.S. Geological Survey and National Interagency Fire Center sites to the Internet.

TAAMS — originally deployed in 2000 by then-Interior Secretary Bruce Babbitt — was designed to replace two of the department's legacy systems: the Land Records Information System, which tracks such data as land ownership, and the Integrated Records Management System (IRMS), which holds a wide variety of data, including information on oil and gas leases and royalties, and is used to distribute royalty payments to more than 300,000 American Indians.

Even before Interior began attempting to intertwine the old and new systems, however, the General Accounting Office predicted trouble.

"According to Interior, [these] two mainframe- based systems are not integrated, have no electronic interfaces and duplicate much of the same information," GAO officials reported to Congress in September 2000. Moreover, "the accuracy, availability and completeness of trust fund records has been a long-standing problem. Tens of thousands of records on trust fund accounts, for example, contain incorrect addresses for the account holders or lack social security or taxpayer identification numbers."

McCaleb acknowledges that for decades, BIA's field agents kept track of the lands in their care any way they could.

"You can imagine historically how each agent with a quill pen and a ledger kept his own records," he said. "For a while, each [of the 12 BIA] regional offices had its own computer system and its own platform, which was different from the others. It's only in last few years that we've had a central system that translates what each of these systems are saying to each other."

Because of these disparate platforms, BIA needs to standardize IT operations in all of its regions as soon as possible, Clark said, and address the tough questions of whether an age-old practice is still the best practice.

"Over the past year and a half, we've hired a handful of people to try to get some policies in place, but we still have only 10 people in the CIO office," she said. "For an organization of 10,000 people spread over 200 locations, that's tough."

No Quick Fix

Other IT experts agree. Although all but one of the experts contacted inside and outside the government for this story declined to speak on the record, most said that without a sound system architecture and good information-flow policies across the organization, little would be changed by applying last-minute security fixes.

"You need to develop a more holistic security program all the way from training employees to ensuring passwords to reducing the number of people with rights to developing appropriate firewalls to monitoring," said Al Pesachowitz, who was CIO at the Environmental Protection Agency when it temporarily shut down its Web site two years ago after a GAO audit found security problems.

Along the same lines, ensuring the safekeeping of the American Indian trust data isn't a matter of merely turning off the switch on BIA's major Internet connections, provided by Reston, Va.-based UUNet, Clark said.

"There are some stragglers in Indian country that still have their own ISP connections," she said. "If an individual has a modem on their PC and a phone line, they could theoretically plug in to our systems — although they've been told not to do that. We can't be 100 percent sure."

This lack of enforcement authority plagues every agency CIO, IT experts maintain. The Clinger-Cohen Act of 1996, which calls on agencies to reform their IT policies and develop enterprise architectures, doesn't invest CIOs with legal authority to compel agency employees to follow security policies, so those policies carry very little weight, according to several experts.

"Up until recently, it was hard to get top management's attention to security in the IT arena," said Pesachowitz, now practice area director, civilian agency consultant with Grant Thornton LLP.

Even if Clark had the clout to enforce tough new rules immediately, that wouldn't bring Interior's Web sites back up right away, said Lawrence Rogers, a nationally recognized computer security expert with the CERT Coordination Center at Carnegie Mellon University. Organizations typically study their network traffic for 18 months to two years before they put firewalls in place, he said.

"Figuring out the right policy, and then implementing that policy, can be a time-consuming task," Rogers said. Instead, "it's fairly easy to put a firewall in that denies all access. But then people can't do their work."

That's apparently what happened at Interior.

Last year, Lamberth appointed Washington lawyer Alan Balaran to act as special master, or court-appointed fact- finder and investigator, in the Indian trust fund lawsuit and charged him with investigating potential security breaches in the TAAMS system.

After his appointment, Balaran, with Lamberth's approval, hired computer security firm Predictive Systems Inc. to test the TAAMS system. A Predictive Systems team hacked into Interior computer servers and accessed the BIA networks in late June.

When Interior officials questioned the company's findings, Balaran scheduled another attack. This time, the Predictive team broke into Interior's systems, created an account in Balaran's name and, reportedly, cut him a check from Indian trust funds.

When he heard about the second hacking incident, Lamberth shut down Interior's Internet connections. On Dec. 17, he issued an order allowing Interior to restart computer systems that don't connect to Indian trust fund data, but only with Balaran's approval.

Meanwhile, e-mail connections were down throughout Interior and employees resorted to the relatively old-fashioned communications media of telephone and postal mail to get their daily business done. In some departments, time sheets were filled out by hand — a method not used in decades, sources said.

On Jan. 22, Balaran authorized BIA to bring back up the IRMS system to send checks to 43,000 American Indian trust beneficiaries who have been waiting for them since early December.

Uncertain Prognosis

McCaleb and Clark said BIA officials are working hard to build firewalls, other security devices and procedures around the TAAMS data so that Balaran will approve the reconnecting of the National Park Service's online camping reservations system and other Interior Web sites popular with the American public.

"I'm not making excuses. I'm just saying the job is large and we are addressing it vigorously," McCaleb said. "We hope we have an opportunity to complete these efforts."

There's a possibility that Interior might not get that opportunity. The trust beneficiaries who filed the lawsuit asked Lamberth last October to place thousands of individual American Indian trust accounts in receivership — meaning that the court, not Interior, would have the final say over how they are managed.

Lamberth has already indicated in open court that he is annoyed with Interior's failure to bring its high-traffic sites back up. Lawyers representing the trust beneficiaries in the case insist that there is no reason for them still to be inaccessible.

When TAAMS was devised, Interior connected it to every Web portal the department had available to make it easier for local BIA offices to access the data, Gingold said. Unfortunately, those widespread connections also made TAAMS easy prey for hackers, he said, so Interior needs to go back and disconnect TAAMS from those portals so the public cannot access the system.

Like many of the American Indians he represents, Gingold also fears that Interior has another reason to drag its feet on efforts to give trust beneficiaries a more complete accounting of the money they are due.

Tribal lands contain 30 percent of the coal in the western United States, 5 percent of the country's onshore oil and 10 percent of its known onshore natural gas reserves, according to the Council of Energy Resource Tribes. "Given the history of how the use of these lands has been accounted for, it makes you wonder," Gingold said.

The BIA could also lose control of the system at the hands of Interior Secretary Gale Norton, who proposed in November that trust fund duties be consolidated into a new Bureau of Indian Trust Asset Management.

Even Congress may get into the act, either by throwing its weight behind Norton's proposal or by forming a separate entity to take over the management of American Indian holdings — on the model of the Resolution Trust Corp., which handled failed savings and loan institutions in the 1980s.

The House Resources Committee will hold an oversight hearing Feb. 5 on the problems with the trust system. "The trust reform effort has been ongoing for several years now, and it's only natural that the fatigue factor has begun to set in," said Paul Moorehead, minority staff director and chief counsel, Senate Committee on Indian Affairs. "This is true not only for the department and the tribes, but also for Congress. We need to look at the performance standard the U.S. is being asked to satisfy and what tools it has — financial, legal and otherwise — to do that job. Otherwise, we'll never get around to focusing on the solutions to these problems."

"The situation Interior is facing is not unique," Rogers said. "A lot of people have been forced to get into the 'click and mortar' game without understanding the full ramifications of it, and it sounds like the Interior Department is yet another one who's done that."

With the push toward e-commerce, both private-sector and government entities have been pushed out of a traditional paper-based system into a virtual one before they're ready, he added.

"You just stand up and do the right thing. I believe that's what the Department of Interior is trying to do right now," Pesachowitz said. "The real lesson learned is a difficult one: to better manage the resources and priorities of security."

***

A strong regional history

The Interior Department's inability to put its Web sites back online stems in part from problems faced by the agency's Bureau of Indian Affairs in imposing new technology on its complex office network, Interior officials say.

BIA has 12 regional offices across the United States (see map below) and 85 remote offices, many of which house only one field agent responsible for tracking coal, oil and gas revenues from lands the bureau has long held in trust for American Indians.

For decades, most field agents recorded those revenues by hand, on paper ledgers, and much of that data is missing. Also, until recently, each of BIA's regional offices had a separate computer system, running on platforms that differed from those at other offices. Folding data from these sources into a secure, state-of-the-art network is a daunting task, Interior officials say.