Report Says Interior Dept. Failed to Secure Network

By Brian Krebs
Washington Post Staff Writer
Sunday, April 5, 2009

Years after the Interior Department was warned that its computer network was dangerously exposed to hackers and was ordered by a federal judge to fix the problem, the vulnerabilities remained, to the point that the department probably could not tell if outsiders had gained access to its data, according to a newly disclosed internal report.

The report was written last spring by Interior's then-inspector general, Earl A. Devaney, but it became public only Wednesday, when it was filed with a federal appeals court as part of a decade-old, multibillion-dollar lawsuit by Native Americans against the federal government.

"It is unfathomable anyone could give assurance the Department's network is secure," Devaney wrote, adding that the department had "persistently failed to meet minimum standards in information security."

"According to the Department's own analysis, nearly 70% of the network traffic leaving the Department through a single one of its Internet gateways during the month of January 2008 was bound for known hostile countries and the Department lacked the capability to even determine what the traffic was," the report reads.

The report by Devaney appears to challenge statements Interior officials made last summer in federal court that the department's computer network security had been sufficiently improved.

The issue of computer security has been key in the Native Americans' class-action lawsuit. They have accused the government of mismanaging lands that Interior held in trust for them and of failing to adequately account for billions of dollars in royalties for mineral and grazing rights.

U.S. District Judge James Robertson ruled in August, after hearing from the Interior officials, that the Native Americans were entitled to $455 million, rather than the $47 billion they sought. That judgment is being appealed.

Reports of subpar computer security practices at Interior are nothing new. In 2001, the department was challenged over its Trust Asset and Accounting Management System. That system was supposed to automatically keep track of titles, trust accounts and income generated from about 170,000 tracts of land.

But a senior official at Interior's Bureau of Indian Affairs, Dominic Nessi, warned in April 2001 that the bureau's systems were vulnerable to hacking, telling Government Executive magazine, "For all practical purposes, we have no security."

Alan Balaran, a court-appointed special master, soon confirmed that a team of hackers could break into the trust accounting system with relative ease and then write checks on the trust funds. Balaran noted that the bureau had been warned about computer security weaknesses as far back as 1989.

Balaran's report prompted U.S. District Judge Royce C. Lamberth to order Interior to disconnect from the Internet for two months while the problem was addressed. He subsequently ordered additional Internet shutdowns before he was removed from the case in 2006.

Last May, Robertson, Lamberth's replacement, ruled that the Bureau of Indian Affairs, the last Interior agency still offline, could get Internet access back. His ruling came after department officials argued that the agency had substantially improved the security of those systems, to the point that it could reliably protect sensitive information.

Attorneys for Native Americans in the lawsuit said they did not know the Devaney document even existed until they got a copy of it last Sunday.

"IT reports we do are never released publicly because of the sensitive information in them about security issues," said Kris Kolesnik, associate inspector general at the Interior Department.

Then-Interior Secretary Dirk Kempthorne received the IG's report on May 1. He said he immediately convened a meeting with the deputy secretary, all associate secretaries, bureau directors, the solicitor and the chief information officer.

"I personally chaired the first meeting to demonstrate this was a priority to begin the process of identifying what changes needed to be implemented," Kempthorne said. "It was unfortunate this was brought to my attention so late in the administration."

© 2009 The Washington Post Company