Taking no chances at Interior

Bureau of Land Management officials have established an Incident Command Center to strengthen the agency's computer systems defenses and restore Internet access.

Senior agency officials cut off BLM's Internet access last month after the Interior Department's inspector general issued a report warning that the agency's computer systems are susceptible to cyberattacks.

The April 8 shutdown, which came two days after the report's release, is the latest blow in a long-running dispute about securing Indian trust fund data stored on departmental computers. Interior's IG found that poor network security and weak access controls could easily compromise "the confidentiality, integrity and availability of the identified Indian trust data residing on such systems."

Similar vulnerabilities are common in government, several security analysts said about BLM's recent problems.

Interior officials released a heavily censored version of the IG's report after a court request in an almost 9-year-old class-action lawsuit that criticizes the department's oversight of Indian trust funds.

The lead attorney for the plaintiffs, who reviewed the full contents of the now-redacted IG report, called the document powerful evidence in his clients' case.

"The IG report on the inadequacy of the security of IT systems administered by BLM. ... demonstrates that the government has willfully exposed trust data to catastrophic degradation, corruption, and loss; has covered-up its ongoing malfeasance; and has lied to both the US District Court and Court of Appeals in that regard," stated Dennis Gingold, counsel for Elouise Cobell, a member of the Blackfeet tribe, one of the plaintiffs in the lawsuit against then-Interior Secretary Bruce Babbitt and the government. Secretary Gale Norton inherited the suit.

In an internal memo to BLM employees last week, Kathleen Clarke, the agency's director, outlined her repair strategy. Clarke told employees that the Incident Command Center will oversee the process of restoring Internet access, but she warned that restoration will take some time. Jim Rolfes, information resource management adviser for communications, will be the center's director.

According to the memo, Internet access, whenever it is restored, will be brought back on a staggered basis. Clarke has asked bureau executives to prioritize the Web sites and information systems under their authority and to recommend which ones should regain Internet connectivity first.

The agency's National Information Resource Management Center staff will be involved in efforts to harden security and move BLM Web sites "into a better-protected environment," Clarke wrote in the memo. "Sites will be independently tested by external experts to confirm and clearly demonstrate that our information is secure."

Several cybersecurity analysts who read the censored version of the IG's report concluded poor vulnerability management and inadequate security training at BLM are to blame for the security weaknesses.

Paul Proctor, vice president of the risk and privacy practice at Gartner, said the IG's report and Clarke's memo to employees set expectations too high. In BLM's case, he said, a federal court must ultimately decide how much security is enough, because 100 percent compliance is impossible to achieve.

Based on the redacted IG's report, Proctor said, security experts tested software patch levels, performed manual exploitations of identified vulnerabilities, inspected BLM's processes, executed social engineering attacks and looked at configurations. "If you take even the most secure organization, and you do this type of analysis, you're going to find a way in," he said.

Security expert Lynn McNulty, director of government affairs at the International Information Systems Security Certification Consortium, said BLM officials may have overreacted to the IG's report. But such a reaction is understandable, he said, given the degree to which agency officials are acting under the court's microscope.

Alan Paller, research director at the SANS Institute, wrote in an e-mail message that system administrators, with better training and repeated configuration testing, will find a solution. "BLM and the department should get kudos for the top management participation and management focus on solving the technical problems," he said.