IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
January 15, 2002
ELOISE PEPION COBELL, ET AL., PLAINTIFFS,
GALE NORTON, SECRETARY OF THE INTERIOR, ET AL., DEFENDANTS.
The opinion of the court was delivered by: Alan L. Balaran Special Master
FIRST STATUS REPORT OF THE SPECIAL MASTER REGARDING THE SHUTDOWN AND RECONNECTION OF COMPUTER SYSTEMS AT THE DEPARTMENT OF THE INTERIOR
Following plaintiffs' May 17, 2001 filing of their Consolidated Motion for an Emergency Temporary Restraining Order and Motion for a Preliminary Injunction and Motion for Order to Show Cause Why Secretary Norton, Her Employees and Counsel Should Not Be Held in Contempt, the Court instructed the Special Master to investigate possible computer security breaches at the Department of Interior's Office of Information Resources Management. On November 14, 2001, the Special Master filed his Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior ("Special Master Report") chronicling Interior's history of compliance with its fiduciary duty to safeguard and secure individual Indian trust data. The Special Master concluded that Interior was "in derogation of court order, common-law, and statutory and regulatory directives" and that it "demonstrated a pattern of neglect that has threatened, and continues to threaten, the integrity of trust data upon which Indian beneficiaries depend." Special Master Report at 152. The Special Master, as a result of these findings, recommended that the Court "intervene and assume direct oversight .of those systems housing Indian trust data." Id.
The plaintiffs subsequently renewed their motion for a temporary restraining order and, on December 4, 2001, orally moved the Court to order the disconnection of Interior's information technology systems until individual Indian trust data could be. secured. At the Court's direction, plaintiffs filed an Emergency Alternative Motion for a Temporary Restraining Order on December 4, 2001 asking that "defendants immediately disconnect from the Internet all information technology systems which provide access to individual Indian trust data." Following a hearing convened on December 5, 2001, the Court granted plaintiffs' motion and ordered: (1) "that defendants shall immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data"; and (2) "that defendants shall immediately disconnect from the Internet all computer within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data." Temporary Restraining Order at 2.
On December 8, 2001, the Court granted defendants' December 7, 2001 Motion for Partial Relief which allowed the United States Geological Service ("USGS") to provide real-time. dissemination of information about floods and droughts and to reconnect the National Interagency Fire Center ("NIFC") to allow BIA/NIFC to respond to fire emergencies.*fn1 In its motion, Interior stated that it "believe[d] that these and other problems would be correctable if Interior is permitted to reconnect to the Internet any information technology system that does not house individual Indian trust data and that does not provide access to individual Indian trust data, even if it did satisfy one of these criteria when the Temporary Restraining Order was entered." Motion for Partial Relief at 3.*fn2 The only condition placed by the Court on its Order Providing Partial Relief from Temporary Restraining Order was that Interior reconnect its systems "within 24 hours of notice to the Special Master and plaintiffs' counsel with appropriate documentation." Order at 1.
On December 17, 2001, the Court entered a Consent Order that, in part, preserved the injunctive relief granted by the temporary restraining order and, in part, offered Interior several vehicles by which technology systems could be: (1) operated on a stand alone basis if disconnected from the Internet; (2) reconnected to the Internet upon successfully demonstrating that such systems did not house or provide access to individual Indian trust data; (3) reconnected to the Internet for specific, limited periods of time in order to facilitate the testing of system security or the payment of individual Indian trust monies; or (4) reconnected to the Internet on a permanent basis if it could be demonstrated that adequate security was provided for individual Indian trust data.
The Consent Order also provided that "Interior Defendants may reconnect to the Internet any information technology system that does not house individual Indian trust data and that does not provide access to individual trust data seventy-two hours (72) after providing actual notice with appropriate documentation to the Special Master and Plaintiffs' counsel or immediately upon concurrences of the Special Master,"(Consent Order at 5-6) and required Interior to secure the approval of the Special Master prior to reconnecting any of the Information Technology ("IT") systems impacted by the Court's Order.
On January 10, 2002, Department of the Interior Assistant Secretary Neal McCaleb published a letter to "Tribal Leaders" outlining Interior's efforts to reconnect those computer systems that were shut down pursuant to the Court's December 5, 2001 Temporary Restraining Order and in accordance with the terms of the Court's December 17, 2001 Order ("McCaleb Memorandum").*fn3 On that same date, Interior published its "US Department of the Interior Impacts of Shutdown of Internet Access as of January 10, 2002" ("Impacts Report"). According to Assistant Deputy Secretary Jim Cason, "[t]he Reports are used to "to secure restoration of this service [and to] inform OMB and Hill officials and to respond to media inquiries about how we are dealing with these restrictions." Memorandum from Tim Cason to Distribution (Subject: "Impacts of Internet Shutdown at the Department of the Interior.").
This status report is to provide the Court with information that may not be contained in Interior statements to the tribes and the media in an effort to create a more complete record.
As an overarching matter, statements contained in the Impacts Report and the McCaleb Memorandum make no mention of the predicate conditions that led to the Court's December 5, 2001 injunction, i.e., the abysmal state of IT security and the vulnerabilities that have long impacted the security of Indian trust data and that have been institutionally ignored until the Court took direct action on December 5, 2001 and shut down Interior's computer systems. The Court's order is presented, not as one directly emanating from Interior's negligence, but rather as one that generically "stemmed from ongoing litigation regarding Indian trust funds." Impacts of Electronic Shutdown (Cover Page):
A brief analysis of Interior's Impacts Report and a discussion of the current status of Interior's reconnection efforts, as summarized in the McCaleb Memorandum follows:
January 10 2002 Impacts Report.*fn4
The January 10, 2002 Impacts Report categorizes the consequences to Interior systems resulting from the Court's injunction as follows: "Emergency (Public Health and Safety);" "Noncompliance with Laws or Regulations;" "Economic Impacts;" and "Other Impacts." This report will be limited to analyzing the "Emergency (Public Health and Safety)" impacts.*fn5
The Impacts Report describes the December S, 2001 injunction as having dire consequences such as lost access to critical law enforcement databases, the inability of law enforcement operations to receive terrorist threat warnings and the significantly impaired ability of law enforcement personnel to access in-house criminal case management systems. What is not mentioned is that, on December 23, 2001, the Special Master approved Interior's December 21, 2001 request to reconnect of the Law Enforcement. computer systems. The Impacts Report's only acknowledgment of the reconnection is the following statement: "As of December 31, 2001, DOI's Watch Office has been able to reconnect its e-mail system." (Emphasis added.) The delay between the December 23 approval date and the December 31 reconnection date is not explained. Similarly unexplained is why Interior has not requested relief to address those "dire consequences" that may have survived, or were not subsumed in, the Special Master's December 23 approval.
The Impacts Report represents that, as of January 10, 2002, the National Interagency Fire Center web site is not available and that, while the Wildland Fire Management Information System and the Automated Sorting, Conversion and Distribution System was returned to service following certification by the Court (See Order Granting Temporary Relief dated December 8, 2001), "modem access has not been established for technicians to update, troubleshoot and reprogram weather stations used for the Chemical Stockpile Emergency Preparedness Plan." Impacts Report at 3.
If, as represented in its Motion for Partial Relief, Interior "believe[d] that these and other problems would be correctable if Interior is permitted to reconnect to the Internet," and the Court granted that request, why, on January 10, 2002, is "[t]he National Interagency Fire Center web site  not available" Impacts Report at 2. Similarly, why is the National Interagency Coordination Center, located at the National Interagency Fire Center, unable (as of January 10, 2002) to use the Dispatch Messaging System. More importantly, why has Interior requested no relief from the Special Master or the Court to alleviate this problem.
Employee Safety Issues.
The January 10, 2002 Impacts Report discloses that The Safety Management Information System ("SIMS") has been disconnected as a result of the Court's December 5, 2001 injunction. Impacts Report at 4. The impact of this shutdown is that "submission of accident reports and Office of Workman's Compensation Program (OWCP) claims will be delayed." Id. To date, Interior has not requested that this system be reconnected (notwithstanding the fact that it is listed under the category of "emergency public health and safety"). Interior has also not represented whether SIMS "does not house trust data and does not provide access to individual Indian trust data" that would allow it to be reconnected pursuant to the Consent Order dated December 17, 2001.
Office of Aircraft Services.
"The Office of Aircraft Services web site, including the SAFECOM (Safety Communique) system is not available." Impacts Report at 5. To date, there has been no request to open this system despite its classification as one that impacts pubic health and safety. Interior has also not represented whether this system "does not house trust data and does not provide access to individual Indian trust data"that would allow it to be reconnected pursuant to the Consent Order dated December 17, 2001.
Bureau of Reclamation.
As a result of the Court's December 5, 2001 injunction, Interior represents that, among other things, the Bureau of Reclamation (`BOW") is unable to receive security alerts from the FBI or to "respond to potentially damaging earthquakes." Impacts Report at 16. Interior represents that, "[a]ccess could be reestablished using restricted links to USGS through DOINET. " To date, no request has been made of the Special Master to reconnect this system. Given the classification of this system as one impacting "public health and. safety," this omission is troubling as Interior offcials represented to the Special Master that only eight of 1500 computers house trust data in this system to which Special Master responded that, if this data was segregated, a request to reopen BOR would be favorably received. National Park Service.
From a health and safety perspective, Interior represents that the "[l]ack of internet access precludes the use of... sensors" that ultimately makes roads more hazardous. In addition, "[d]etectives/officers cannot collect and disseminate anti-terrorist intelligence information needed to provide optimal level of officer safety and effective prevention of harm to citizens and visitors." Impacts Report at 23. Yet, despite these grave consequences, Interior, despite inquiries regarding their intent .to do so, has filed no application with the Special Master asking that any of the National Park Service systems be reconnected. There has also been no representation whether this system "does not house trust data and does not provide access to individual Indian trust data"that would allow it to be reconnected pursuant to the Consent Order dated December 17, 2001.
IIM Related Systems
In addition to the December 21, 2001 request to reconnect Law Enforcement systems, that was granted on December .23, 2001 and the December 17, 2001 request, to reconnect the Social Service Automated System that was granted December 19, 2001, the following reconnection requests impacting trust data remain outstanding.
Office of Surface Mining ("OSM").
Of the three systems currently awaiting Special Master approval, Interior's request to open the Office of Surface Mining serves as the most glaring example why caution must be used in assessing these requests and why the Special Master will take no action until receiving technical approval from his retained contractor.*fn6
On December 21, 2001, Interior notified the Special Master of its intention to reconnect OSM to the Internet. The request was supported by the December 18, 2001 statement of OSM's Acting Director Glenda Owens who proffered that OSM's application systems, servers and workstations house no individual Indian trust data with the exception of data that relates to the McKinley mine in Gallup, New Mexico; and that the McKinley mine information had been removed from OSM's IT systems. Interior also provided a declaration from Deputy Assistant Secretary for Indian Affairs James McDivitt concluding that "the only place where BIA would expect to find individual trust data in OSM's systems is the McKinley mine near Gallup, NM."
On January 2, 2002, Mr. McDivitt clarified that, "(a]s for the normal activities of OSM, the only place he was aware of where mining activities were occurring on individual Indian lands was the McKinley mine near Gallup, NM. There are other sites on the Navajo, Hopi and Crow reservations where mining or reclamation is occurring, but the specific lands or mineral rights are tribally owned. not individual allotments." (Emphasis added.)
On January 7, 2002, during contempt proceedings, Principal Deputy Special Trustee Thomas Thompson testified to the existence of coal leases on several individual Indian trust land sites. When plaintiffs raised this discrepancy in support of the proposition that the Special Master "should reject the false certification and declarations of Secretary Norton and her counsel and not reconnect Office of Surface Mining information technology systems," Mr. Thompson executed a declaration, at the request of the Special Master, explaining that he "misunderstood the question to refer to `Tribal trust lands', not `Individual Indian trust lands'."*fn7
Following subsequent discussions between the Special Master and Interior regarding the existence of other "active" mines on Navajo and Crow reservations, Ms. Owens, on January 11, 2002 executed a second declaration that offered a slightly different explanation than that given by Mr. McDivitt. Unlike Mr. McDivitt's contention that the McKinley mine is the only site "where mining activities were occurring on individual Indian lands" Ms. Owens asserted that "[w]hile OSM may possess other individual Indian trust data, none of it is in computerized form and therefore none of it is housed on OSM's IT systems." Owens Declaration at 1 4. (Emphasis added). This apparent contradiction begs the question whether Interior is seeking to reconnect of OSM on the grounds that McKinley is the only site that generates IIM data (McDivitt) or that it is the only site whose data is encoded on OSM's computer systems (Owens).
Beyond this, Interior's representation that individual Indian trust data emerging from active mines is not computer encoded raises additional concerns such as how that information ultimately makes its way into the IIM disbursement cycle or why such data is maintained entirely on paper. It is curious that IIM data would be committed to paper for some mines and not for others. This question is further complicated by Interior's December 7, 2001: Notice of Actions Taken by the Department of the Interior to Comply with December 5, 2001 Temporary Restraining, Order. In that filing, Interior represented that the following OSM systems were shut down in response to the Court's Order:
ù "AFBACS - This system allows OSM to track information (accounts receivable) on funds owed to the Abandoned Mine Land Reclamation Fund based on the results of audits of coal companies. The system was developed to capture AML fees receivable (and associated fines, penalties, and interest) identified during the audit of an operator." See attachment regarding OSM at 1.
ù "FEEBACS - This system (accounts receivable) maintains information for approximately 25,000 mines, of which approximately 3,700 are actively producing coal. It keeps track of mines and their operational status. The system issues an OSM-1 form on a quarterly basis to every active mining operation for mine operators to use when filling their quarterly production data and payment." Id. (emphasis added).
ù "ABACIS - This is OSM's Core Administrative Accounting System. OS M uses this system as its system of record for all administrative accounting transactions processed by the Bureau. These transactions include obligations; invoices. payments, grants, receipts. investments, and bills processed by OSM." Id. (emphasis added).
ù "AVS - This system is used by OSM and the State Surface Mining Regulators to determine whether a permit applicant and its owner/controllers are responsible for any unabated federal or state violations of surface mining law, and/or have outstanding unpaid civil penalties, Abandoned Mine Land Fees or audits." Id. at 2.
This submission suggests that information relating to "every active mining operation" and to "all administrative accounting transactions" is parked on OSM's systems.
It is questions such as these that demand a careful review of Interior's requests to connect its computer systems. Statements are made that are later recanted and corrected. Explanations are given that appear inconsistent with others. This is not to suggest any duplicity on the part of any official., Rather, it is the speed with which Interior feels constrained to reconnect its IT systems that militates in favor of prudence by the Special Master and the concurrence of the Special Master's contractor.*fn8
Mineral Management Service ("MMS").
On December 21, 2001, Interior provided notice of intent to reconnect MMS' IT systems. On January 3, 2002, the Special Master met with Jim Cason and Hart Rossman to discuss MMS-specific security issues. During that meeting, Mr. Rossman opined that MMS was secure enough to warrant reconnection. In response to the Special Master's inquiry as to the basis for this representation, Mr. Rossman asserted that it was based on his review of documents such as the system security plans and discussion with contractors. Mr. Rossman acknowledged that he never visited any site to personally confirm the veracity what he had read or been told.
The Special Master requested that Mr. Rossman provide him with a copy of all the documentation upon which he based his recommendation to which Mr. Rossman opined that contractors would be hesitant to turn over their security plans on the grounds that the information was proprietary and that it would amount to a "box of documents." The Special Master agreed to privately review whatever the volume of records were over the upcoming weekend if the documents could be procured. Subsequent discussions with Interior and defendants' counsel revealed that MMS' contractor Accenture would not release its system security plans for such review unless under certain stringent conditions were set in place.
To expedite the process, on January 10, 2002, the Special Master sent a letter to the parties articulating the, erms of a protective order that would address Accenture's concerns.*fn9 These protocols were imposed notwithstanding the fact that the documents being sought were generated by contractors for Interior and discussed security measures relevant to Interior systems. Mr. Daly is to review these documents in accordance with these limitations on January 14, 2002.
Information Resources Management Stem ("IRMS").
On December 17, 2001, Interior advised the Special Master of its "inten[t] to recommence operation of its Integrated Resources Management System ("IRMS"). The only supporting documentation supplied by Interior consisted of a one-line statement from BIA Acting CIO Debbie Clark that "[t]he Bureau of Indian Affairs Integrated Management System (IRMS) has been disconnected from the Internet."*fn10
On December 20, 2001, the Special Master requested additional assurances regarding the steps taken to ensure that personal computers were no longer connected to the Internet; Interior responded with a memoranda frond the Deputy Secretary and the Associate Deputy Secretary firmly articulating Interior's prohibition against Internet use. These memoranda and a "Notice to All Users of Information Technology Systems Supporting Individual Indian Trust Data" were emailed via Interior's intranet to all employees.
It must be emphasized that Interior has responded to the Special Master's repeated requests for additional assurances and has voluntarily proposed additional precautionary measures, For example, Interior "propose[d] to operate its Integrated Resources Management Systems (IRMS), permitting limited access only, on Monday through Friday between the hours of 7 a.m. and 7 p.m., EST, for transaction processing only." McDivitt Declaration at T 3.*fn11
However, some responses raise additional questions. For example, Interior stated that the BIANet is currently connected only to Interior's National Business Center in Denver, Colorado, through a Private Virtual Circuit, and is not connected to another DOI bureau or organization." January 10, 2002 Letter from Justice Attorney Matthew Fader to Special Master at 12 chin McDivitt Declaration at 1 6) (emphasis added). However, McDivitt's declaration goes further when it states that, "The BIANet maintains a connection to DOI's National Business Center in Denver, Colorado through a `Private Virtual Circuit' (PVC). The PVC provides the BIANet access into Departmental Administrative Systems such as the Federal Finance System and the Federal Payroll and Personnel Stem. The BIANet is no longer able to connect to any other Departmental Bureau or organization through the PVC, or through any other means." Id. at 1 8 (emphasis added). It is this last statement that appears to be internally inconsistent and that warrant additional examination.
Interior's representations to the press and others, while not inaccurate, fail to adequately convey the delicate and extremely difficult process currently underway to bring IT systems on line. Ensuring the security of individual. Indian trust data (on systems that were completely lacking in all measurable respects) in a manner consistent with federal regulation requires careful scrutiny. It would be precipitous to proceed otherwise.
© 1992-2002 VersusLaw Inc.