UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
February 5, 2002
ELOISE PEPION COBELL, ET AL., PLAINTIFFS
GALE NORTON, SECRETARY OF THE INTERIOR, ET AL., DEFENDANTS
The opinion of the court was delivered by: Alan L. Balaran Special Master
SECOND STATUS REPORT OF THE SPECIAL MASTER REGARDING THE SHUTDOWN AND RECONNECTION AND/OR RESUMPTION OF COMPUTER SYSTEMS AT THE DEPARTMENT OF THE INTERIOR
On November 14, 2001, the Special Master filed the Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior ("Special Master Report") chronicling Interior's failure to safeguard and secure individual Indian trust data. In response, the Court ordered defendants: (1) to "immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data"; and (2) to "immediately disconnect from the Internet all computers within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data." Temporary Restraining Order ("TRO") dated December 5, 2001, at 2.
On December 17, 2001, the Court entered a second order that, in part, preserved the injunctive relief granted by the TRO and, in part, offered Interior several alternative methods by which it could reconnect and/or resume the operations of its technology systems. The Court held, in relevant part, that Interior,
(1) "may operate any information technology system that is not connected to the Internet, . . . following submission of reasonable assurances to the Special Master, and Interior shall not reconnect any information technology system to the Internet without the concurrence of the Special Master" (Order at 5) ("Provision 1");
(2) "may reconnect to the Internet any information technology system that does not house individual Indian trust data and that does not provide access to individual Indian trust data seventy-two (72) hours after providing actual notice with appropriate documentation to the Special Master and Plaintiffs' counsel or immediately upon concurrence of the Special Master" (Order at 5-6) ("Provision 2");
(3) "may reconnect to the Internet, for specified periods, any information technology system that houses or provides access to individual Indian trust data, for the limited purposes of" (a) "testing the security of the information technology systems," or (b) "performing those functions necessary to receive, account for, and distribute trust funds of appropriated funds, or to provide other necessary services." Under this provision, Interior would provide "at least seventy-two (72) hour notice" with "appropriate documentation" and shall provide its plan for the Special Master's review and inquiry (Order at 6) ("Provision 3"); and
(4) "may reconnect to the Internet any information technology system that houses or provides access to individual Indian trust data" upon "actual notice" with "appropriate documentation" which shall be given "at least seventy-two (72) hours before reconnecting" and shall provide its reconnection plan to the Special Master for his review and inquiry. Order at 7 ("Provision 4"). December 17 Order at 5-8. *fn1
The Court further ordered the Special Master to verify compliance with the December 17 Order, as necessary, by interviewing Interior personnel or contractors and by conducting site visits "wherever technology systems or individual Indian trust data is housed or accessed. Id. at 7. Finally, the Court provided that the order be vacated once it "has determined that Interior Defendants are in full compliance" and "Interior's relevant information technology systems are in compliance with the applicable standards outlined in OMB Circular A-130." Order at 8. *fn2 Id. at 8.
Requests Submitted Prior to the Filing of the First Report On January 15, 2002, the Special Master filed the First Status Report of the Special Master Regarding the Shutdown and Reconnection of Computer Systems at the Department of the Interior ("First Status Report"). The First Status Report discussed Interior's efforts to reconnect or recommence operation of those information technology ("IT") systems impacted by the December 17 Order. Interior, at that time, had requested that the Special Master consider the reconnection and/or resumption of operation of : (1) the Integrated Resources Management System ("IRMS") (December 17, 2001); (2) the Social Services Automated System ("SSAS") (December 17, 2001); (3) the Law Enforcement Watch Office (December 21, 2001); (4) the Office of Surface Mining ("OSM") systems (December 21, 2001); and (5) the Mineral Management Service ("MMS"). *fn3
On December 19 and 21, 2001, respectively, the Special Master approved Interior's request to recommence operation of SSAS and the Law Enforcement Watch Office. On January 22, 2002, approved Interior's request to reconnect OSM to the Internet and to recommence operation of IRMS.
Second Status Report.
As in the First Status Report, this Second Status Report will detail the posture of Interior's outstanding requests. In addition, it will address Interior's January 31, 2002 representations before the Court regarding the present status of its requests before the Special Master.
Status of Current Requests.
Since tendering its initial requests on December 17 and 21, 2001, Interior filed no requests with the Special Master until January 24, 2002 when it provided notice to the Special Master that the National Business Center in Reston, Virginia (NBC Reston) intended to reconnect its local area network pursuant to Provision 2 of the December 17 Order. On February 4 and 5, 2002, IBM proposes to assess Interior's request to reconnect NBC-Reston's internal network to the Internet and to forward its recommendations to the Special Master shortly thereafter. *fn4
On January 24, 2002, Interior advised the Special Master of its intent to power up its Novell file and print server located in its Twin Cities field office pursuant to Provision 1 of the December 17 Order. To avoid any delay that might be associated with traveling to the Twin Cities, IBM will first attempt to connect from the Reston facility to the Twin Cities field office to check for Internet connectivity. Absent any unforeseen obstacles, the IBM team anticipates conducting this test on Feb. 5 or 6, 2002 and forwarding its recommendation to the Special Master shortly thereafter.
On January 25, 2002, Interior provided notice that its National Business Center, Office of Aircraft Services' (NBC/OAS) intent to reconnect to the Internet its information technology systems pursuant to Provision 2 of the December 17 Order. *fn5 To avoid any delay that might be associated with traveling to Boise, IBM will attempt to conduct a LAN connectivity test from the NBC-Reston facility. If unable to do so, IBM will dispatch a member of its team to Boise to conduct the same network scan that was conducted at NBC-Reston. Absent any unforeseen obstacles, the IBM team anticipates conducting this test on Feb. 5 or 6, 2002 and forwarding its recommendation to the Special Master shortly thereafter.
On January 24, 2002, Interior provided notice that, pursuant to Provision 3 of the December 17 Order, the Bureau of Indian Affairs "seeks to reconnect to the Internet for the limited purpose of configuring, testing, and qualifying its Firewalls and Intrusion Detection Systems (IDS) at its three Internet Points of Presence ("POP") at Reston, Virginia; Phoenix, Arizona; and Albuquerque, New Mexico." *fn6 The tests originally scheduled to commence on February 1, 2002 were delayed upon receipt of a communication from SAIC Hart Rossman indicating that Predictive Systems, Inc. and its sub-contractor RIPTECH needed three to five days to prepare for such a test. Absent any unforeseen obstacles, IBM anticipates being able to conduct this test on Feb. 5 or 6, 2002 and forwarding its recommendation to the Special Master shortly thereafter.
On January 26, 2002, Interior notified the Special Master that the National Park Service intends to reconnect its IT systems to the internet pursuant to Provision 1 of the December 17 Order. On January 28, 2002, the Special Master posed several questions to the agency regarding the procedures by which individual Indian trust data would be segregated from servers and terminals with access to the Internet. *fn7 On February 1, 2002, Interior provided responses to those questions. Simultaneous with the Special Master's review of these submissions *fn8 , IBM proposes to conduct a network scan to ensure that NPS systems are disconnected from the BIANet and to verify that any servers and PCs that may contain trust data are disconnected from NPS' intranet. Absent any unforeseen obstacles, IBM anticipates conducting these tests and reporting its recommendation to the Special Master shortly thereafter.
On January 28, 2002, Interior provided notice that the Bureau of Reclamation ("BOR") intended to reconnect its IT systems to the Internet pursuant to Provision 2 of the December 17 Order. *fn9 IBM and SAIC are currently scheduling a time to undertake these tests.
On January 28, 2002, Interior provided notice that the Bureau of Land Management intends to reconnect its IT systems to the Internet pursuant to Provision 2 of the December 17 Order. On January 29, 2002, Interior requested that the Special Master defer consideration of this request pending the inclusion of additional information. *fn10
Interior's January 31, 2002 Representations to the Court
On January 31, 2002, Interior conveyed its frustration with the pace at which its requests have been adjudicated. As detailed below, it is the view of the Special Master that this frustration stems from a fundamental misunderstanding of the scope of the December 17 Order and the responsibilities that Order imposes on the Special Master.
On one level, the Special Master agrees with Interior's perspective that the Consent Order anticipated a process,
whereby the Interior Department would do the work that it needed to do to ensure that for one of the four listed reasons in the consent order, it could operate its - certain of its information technology systems without danger, undue danger, undue danger to individual Indian trust data. And [that] Interior would do its work to see what it could do, either by segregating individual Indian trust data or by coming off the Internet, or some more hybrid kind of proposal to present that proposal to the Special Master, and that the Special Master, after that, would review [its] proposal and see if it was adequate. January 31, 2001 Transcript at 3160-61.
That being said, the Special Master finds puzzling the fact that Interior did not envision that in addition to looking at our documentation to see if the proposal we made was accurate, including whatever declarations we submitted, the Special Master has begun to look at the individual systems to ensure himself, with his own investigation, that the systems - that the individual Indian trust data is protected or that we are in fact off the internet. Id. at 3161.
Given its disgraceful legacy protecting Indian trust data, Interior could not realistically have envisioned that the Special Master would not exhaust every reasonable avenue to assure himself and the Court that Indian trust data was as secure as present circumstances allow. The December 17 Order, by its terms, requires "the Special Master [to] verify compliance with this Consent Order and  conduct interviews with Interior personnel or contractors or conduct site visits wherever information technology systems or individual Indian trust data is housed or accessed." December 17 Order at 7 (emphasis added). Indeed, the Special Master's obligation to conduct independent investigations stems directly from the August 12, 1999 Order empowering the Special Master to "oversee the Interior Department's retention and protection from destruction of IIM Records through, among other things, on-site visits to any location where IIM Records are not being protected from destruction or threatened destruction." It can not rationally be argued that an inquiry into the execrable conditions described in the Special Master Report (i.e., the lack of perimeter protection, trained staff, hardware/software capable of monitoring network activity and security personnel) does not falls squarely within the scope of the Special Master's responsibility. *fn11
That said, it is difficult to comprehend Interior's frustration with the Special Master's decision, for example, to independently verify TFAS' disconnection from the Internet rather than blindly accept Etta Frank's one-line statement issued on behalf of Division of Trust Fund Systems Robert McKenna that "The Trust Funds Accounting System (TFAS) is Not Connected to the Internet." *fn12 It is similarly inconceivable that Interior would have expected the Special Master to permit a key system such as IRMS to be reconnected based on a one-line affirmation from Acting Chief Information Officer Debbie L. Clark. *fn13
Supporting statements such as these do not relieve the Special Master of his obligation to conduct an independent inquiry. This is so for two reasons. First, the decentralized nature of Interior's IT systems and the vast number of servers, terminals and PCs impacted by the Order of December 17 requires more than generalized assurances. Interior's request to reconnect OSM, for example, cites to Glenda Owens' declaration that, "was made on the basis of reasonable inquiry . . . . because there is no practical way, given the substantial volumes of information contained in some systems, to evaluate every document or data set stored in each database individually, the certifications are based on a standard of reasonableness." Letter dated December 21, 2001 Letter from Sandra P. Spooner to Alan L. Balaran (emphasis added). Unfortunately, "reasonable inquiries,"without more, may not be sufficient in all instances and can not supplant a fiduciary's obligation to independently and thoroughly investigate. See In re Unisys Sav. Plan, 74 F.3d 420, 434 (3rd Cir. 1996)("the most basic of [a trustee's] investment fiduciary duties [is] the duty to conduct an independent investigation into the merits of a particular investment."). See also Austin W. Scott, THE FIDUCIARY PRINCIPLE, 37 Cal. L. Rev. 539, 541 (1949) (the greater the fiduciary's authority, the greater the duty).
Second, on more than one occasion in this litigation, declarations have not fared well under scrutiny, thus rendering it necessary to engage in a more critical examination. See, e.g., October 1, 2001 Opinion of the Special Master regarding Plaintiffs' Motion For Order To Show Cause Why Secretary Norton And Her Counsel Should Not Be Held In Contempt And For Sanctions For Violating The Special Master's February 8, 2001 Order And The Court's Orders Of February 24, 1999 and August 12, 1999; and the October 28, 2001 Supplement thereto. This is not to cast aspersions on any of the declarations submitted in support of the instant requests or to suggest that the declarants have been less than scrupulously honest. The reality is, however, that these declarations often stand on the shoulders of certifications that, in turn, rely on the representations of hundreds, if not thousands, of employees. The stakes are simply too high for the Special Master not to conduct his own investigation to reasonably verify these statements.
Finally, Interior's tepid reception of the Special Master's "own investigations" (January 31, 2002 Transcript at 3161), suggests a sea change from the enthusiasm with which it initially embraced the Special Master's decision to retain IBM as an independent consultant: THE COURT: I will say the Special Master gave me a briefing when I left the bench yesterday, and he told me about this expert that he's retained to talk to your expert, and that he was hoping that he could approve that by late today.
MS. SPOONER: That would be -- that would be very wonderful, Your Honor. We are very pleased that the Special Master has retained an expert. Transcript dated January 9, 2002 at 2272 (emphasis added).
Notwithstanding what appears to be a shift in position vis a vis the Special Master's retention of an expert, IBM will continue to conduct investigations in conjunction with the Special Master.
The Special Master's Response to Interior's Requests
Similarly perplexing is Interior's representation that it has gotten into a system that's taking an extremely long time, because what we are doing is trying to reach, if not a state of perfection, at least a state where absolutely no stone is unturned, so that, you know, - and certainly we have tried to do that. Transcript dated January 31, 2002 at 3162.
As demonstrated below, responses to Interior's requests have not taken "an extremely long time and have not been held to a standard of "perfection."
Response to Interior's December Requests.
While the time it has taken to open Interior's IT systems may appear insufferable to the agency, the suggestion that the process of reconnecting or recommencing operation of IT systems has taken an "extremely long time" simply does not stand up to review. Permission to open both SSAS and Law Enforcement was granted within two days of being requested. Once Glenda Owens submitted a second declaration on Friday, January 18, 2002 that adequately addressed the concerns expressed by the Special Master in the First Status Report, approval was given to recommence operation of OSM on Tuesday, January 22, 2002. *fn14 Regarding Interior's request to recommence operation of its IRMS systems, there was a need to proceed cautiously commensurate with the fact that this system processes data that includes individual account information, property ownership, and leasing transactions that result in payment to individual Indians for farming and grazing lands, oil gas and mineral sales and per capita payments. (And, as stated, earlier, a one-line affirmation from the Acting Chief Information Officer was facially inadequate to grant Interior's request.) Nevertheless, less than two weeks after IBM was retained by the Special Master, protocols were put into place to allow IBM access to all necessary facilities. *fn15 On January 22, 2002, the IBM team traveled to Reston, conducted router configuration and connectivity tests and advised the Special Master that IRMS was, in fact, disconnected from the Internet. That very day, the Special Master informed Interior Associate Deputy Secretary James Cason that Interior may recommence operation of that system.
Regarding MMS, the process underway to reconnect those systems has taken an "extremely long time." However, the responsibility for any delay falls squarely on Interior. When the agency first requested that MMS be reconnected, the Special Master asked to review the documents upon which SAIC contractor Hart Rossman based his opinion that the system was safe for reconnection. Mr. Rossman responded that he did not believe that the Special Master and his contractor would be permitted to review the same security information to which he was readily given access. And, in fact, Mr. Rossman was correct. It would be difficult to imagine a greater abrogation of responsibility than for the Special Master to have simply accepted Mr. Rossman's reassurance that all was "safe" and allowed a system teeming with sensitive Indian trust data to be reconnected to the Internet without first reviewing all relevant security records. To expedite the process, however, the Special Master, on January 10, 2002 imposed an onerously limiting protective order on plaintiffs and on his own contractor. *fn16 Notwithstanding, Interior did not produce any responsive documents until January 31, 2002. *fn17
Standard of Review
Finally, Interior's concern that it might be tethered to an unrealistic standard of review is unsupported by the record. If the Special Master insisted on "perfection" or a "state of the art" security system, Interior would be in the identical position it was on December 6, 2001 - the day following the Court's granting of plaintiffs' request for a temporary restraining order. Rather, as Interior is well aware, there has long been a recognition by the Special Master that OMB A-130 compliance is simply not possible in the near future given Interior's current budget, resources and infrastructure (see fn. 2, supra). The Special Master has accepted "Interior Defendants' represent[ation] that they intend to bring relevant individual Indian trust information technology systems into compliance with applicable standards outlined in OMB Circular A-130," (December 17 Order at 5), and has repeatedly emphasized that immediate reconnection and/or resumption of operations will not hinge on full compliance. That being said, permitting Interior time to ramp up to achieve ultimate A-130 compliance does not mean that immediate reconnection and/or resumption of operations will be permitted without adequate safeguards.
Interior is correct when it asserts that "the consent order meant that we would provide the plan, the reasonable assurances to the Special Master, and he would tell us whether our proposal, given the affidavits and so forth that we gave him, were reasonable assurances" (Transcript at 3163). What constitutes "reasonable assurance" pursuant to Provision 1 of the December 17 Order (or "appropriate documentation pursuant to Provisions 2, 3 and 4), however, must remain a decision within the province of the Special Master and the Court. The historical lack of protections afforded individual Indian trust data removes Interior from consideration as the arbiter of what is "reasonable" (or "appropriate").
The process of reconnecting and resuming operations of IT systems is a painstaking one that understandably frustrates all parties and the Court. Interior has consistently been responsive to the requests of the Special Master for more information and for greater assurances. The Special Master remains in constant contact with his contractors so that issues and problems that arise may be addressed expeditiously. With individual Indian trust data at risk, however, caution is required. The process contemplated by the Court can not, and will not, be guided by political expediency. The December 17 Order is designed to verify that Indian trust data is being protected after years of neglect. The Office of the Special Master remains committed to working with Interior to discharge the letter and spirit of that order - nothing more, and, certainly, nothing less.