October 24, 2005
(Computerworld)
One day after being ordered to disconnect much of its computer network and Web sites from the Internet because of ongoing IT security concerns, the U.S. Department of the Interior received an administrative stay from a U.S. appeals court.
The stay, issued Friday by the U.S. Court of Appeals for the District of Columbia Circuit, means the agency can keep its systems online for now.
The appeals court acted after officials from the Interior Department asked that they be allowed to temporarily delay complying with the order (download PDF) issued Thursday by U.S. District Court Judge Royce C. Lamberth.
Lamberth ruled that despite attempts to improve IT security over the past five years, the Interior Department still had not proved that its systems are secure against hacker or other attacks that could allow outsiders to alter or destroy trust-fund records kept for American Indians.
The stay will give the court time to consider the merits of the Interior Department's opposition to Lamberth's ruling. No timeframe was given for when the appeals court might act.
In his ruling, Lamberth wrote: "In light of evidence that Interior's IT security was seriously deficient, the court has found it necessary to disconnect Interior's IT systems from the Internet more than once before and has granted various other forms of relief to protect electronic Individual Indian Trust Data (IITD)," Lamberth wrote in his latest ruling. "As early as April 4, 2000, the court noted problems with Interior's ability to secure electronic trust data. The Court was 'alarmed and disturbed,' for example, 'by the revelation that the Bureau of Indian Affairs has no security plan for the preservation of [Indian trust] data.'"
A special master appointed by the court investigated the situation and determined in a 154-page report on Nov. 14, 2001, that the IITD records were stored on Interior Department systems that didn't use firewalls and had no network monitoring systems to defend against attacks.
Last Thursday's court order is one of many such orders to be issued since the case was filed in 1996 by Elouise Cobell, a member of the Blackfeet Tribe in Montana. Cobell is the lead plaintiff in the class-action lawsuit, which claims that the U.S. government has mismanaged the Indian land trust funds. The suit asks the federal government to account for billions of dollars belonging to approximately 500,000 American Indians and their heirs. The money has been held in trust since the late 19th century under the Dawes Act of 1887.
In his ruling, Lamberth discounted government arguments that disconnecting the Interior Department network from the Internet would cause more harm than good for the plaintiffs, which potentially includes thousands of people for whom the government acts as trustee.
"These Indians cannot protect their trust records themselves ... and thus cannot by self-help prevent the harm of their loss, because Interior holds an information monopoly," Lamberth wrote. "The court concludes that injunctive relief may be fashioned that minimizes the impact of disconnection on Interior's ability to function and service its customers, financially and otherwise."
Lamberth in his ruling allowed the Interior Department to temporarily reconnect its systems under certain conditions, including for wildfire management, to manage Indian trust funds as needed and for related purposes in protecting life and property -- provided it can show that the systems are secure. "These provisions should mitigate the hardship to Interior," he wrote. "Interior will be able to work around the absence of Internet connectivity in the short term to continue to provide services to the Indians while it secures their IITD."
Dan DuBray, an Interior Department spokesman, had said on Friday that an emergency appeal would be filed, but he was unavailable today for comment.
Lamberth's original order would have affected about 6,000 computers that house individual Indian trust data and an undetermined number of other computers that may provide indirect access to IT systems that house individual Indian trust data, DuBray said last week.
Cobell said today she is disappointed that a stay has been issued.
"We feel there's all types of irregularities with this emergency stay," she said.
The attorney for the plaintiffs, Dennis Gingold, could not be reached for comment late today.
Cobell said last week that the Interior Department has shown that it is "unfit" to be the trustee for the land trust. "The judge has given them so many chances to fix things. The Department of the Interior does not care about the beneficiaries of these accounts."
In December 2001, Lamberth handed down his first order to disconnect Interior Department computers from the Internet due to security concerns (see "Judge shutters Interior Department IT systems, Web sites").
In April, the Bureau of Land Management (BLM), an agency in the Interior Department, shut down its Web site because of security fears that followed an internal IT systems audit by the U.S. Inspector General's Office (see "Land Management agency shuts Web site over security fears"). The audit, which comprised random security tests, revealed potential weaknesses, according to the BLM. No systems or data were compromised before the shutdown.
The BLM IT systems include information on oil and gas leases on American Indian lands in Western states. Critics have contended for years that the BLM and Interior Department IT systems weren't secure enough to maintain the integrity of the data for the leases, which could allow hackers to go in and change data, reducing royalties paid into the American Indian trust funds. The oil and gas production figures in the BLM IT systems determine the amount of monies paid to American Indian trust funds.