Auditors hack Interior's financial and personal data -- again

IG criticizes Interior's response to the audits and urges agency to address vulnerabilities.

Lapses in the Interior Department's oversight allowed government-hired hackers to infiltrate the agency’s systems, according to a Sept. 6 Interior memo.

Since November 2004, Interior’s inspector general has been independently testing the department’s network security.

“Due to vulnerabilities in several bureaus’ information technology systems, [Interior] internal networks, as a whole, are vulnerable to unauthorized access,” Earl Devaney, Interior’s IG, wrote in his most recent assessment.

The agency has not welcomed the IG's findings so far, Devaney said. “Rather than simply accepting the results of our testing and promptly addressing the underlying vulnerabilities, the department and bureaus have, to date, expended considerable time and energy debating our findings, challenging our methodology and impugning the credentials and integrity of our staff and contractors,” he wrote.

Most recently, IG employees hacked National Park Service (NPS) systems and personal and financial data on National Business Center (NBC) systems -- again. They had broken into the center’s systems last spring.

The report states that evaluators “penetrated a National Park Service system and created a Web page to indicate our control over the server.”

IG employees also added and deleted data in what appeared to be a grant application. Then, from within NPS, the hired hackers got into NBC’s systems, revealing that Interior officials did not fix security breakdowns found in previous testing.

“We made – and then corrected – an address change in the Federal Personnel/Payroll System,” the report states. “Having done this, we also believe we could have changed bank routing information and other electronic funds records to potentially divert electronic payments to other banks.”

Devaney harshly scolded NBC management in this most recent memo.

“Based on our ability to successfully traverse from another bureau into the very same sensitive NBC systems suggests that a change in response -- and attitude -- may be required,” he wrote.

Interior’s IT security has been the focus of a nine-year class-action lawsuit that criticizes Interior's oversight of Indian trust funds. Plaintiffs have accused department officials of doing a poor job of protecting data from hackers.

Agency officials took the Bureau of Land Management’s Web sites off-line for two months this spring after Interior’s IG issued a report warning that the agency’s IT systems are vulnerable to cyberattacks.

In 2001, U.S. District Judge Royce Lamberth ordered Interior to disable Internet connections on all computers that could be used to access trust fund data. He ordered two subsequent shutdowns, although Internet access has returned to the department following a federal appeals court ruling that blocked Lamberth’s latest order.

The IG’s Sept. 6 memo was filed with the court Wednesday.

Interior IT officials say the memo fails to mention that they have been cooperating with – and paying – the Office of the IG to do the penetration testing.

“All of that testing was done at our request,” said Hord Tipton, Interior’s chief information officer, today. “It was done at our expense.”

Tipton could choose between letting his staff assess the systems or handing the operation over to the IG’s staff.

“We decided to do it as a partnership so that when Interior goes to court, it doesn’t look like Interior is testing itself,” he said. “It’s just unfortunate that the reference to the collaborative nature of this testing did not get in his report.”

Tipton commended the most recent report for answering his questions.

“As far as what the testing revealed, that’s very helpful to us,” he said, adding that he wanted to know what parts of the systems were vulnerable. “The inspector’s contractors did a very good job.”

No system shutdowns will result from this assessment, he said.

“In this particular situation, we didn’t have to shut down anything.… There was no Indian data exposed,” Tipton said.

He will not consider management changes within his division, Tipton added.

“From my view of it, as a CIO, I would want to stay away from a debate with the IG as to who’s paying enough attention” to his findings, Tipton said. “To my knowledge, there has been no suggestion that we need to make personnel changes.”

Interior spokesman Dan DuBray said the agency will respond to the report in writing by Oct. 23.

Meanwhile, the department will “continue its aggressive program to monitor and strengthen the perimeter of its IT systems.”
