The opinion of the court was delivered by: Royce C. Lamberth United States District Judge
This matter comes before the Court on plaintiffs' motion for a preliminary injunction to ensure the protection of individual Indian trust data [2116-2], which was filed on June 26, 2003. Upon consideration of plaintiffs' motion, defendants' brief in opposition thereto, the oral arguments of counsel, and the applicable law, the Court finds that plaintiffs' motion should be granted.
Prior to entering a preliminary injunction, this Court is required to provide written findings in support of its conclusion that such an injunction should be entered. Accordingly, the Court will relate the events leading up to the present opinion in some detail.
A. Events Preceding the Entry of the December 17, 2001 Consent Order
In the April 2001 issue of Government Executive magazine, then-Chief Information Officer of the Bureau of Indian Affairs Dominic Nessi observed: "For all practical purposes, we have no security, we have no infrastructure,.... Our entire network has no firewalls on it. I don't like running a network that can be breached by a high school kid. I don't like running a program that is out of compliance with federal statutes, especially when I have no ability to put it into compliance." Katherine McIntire Peters, Trail of Troubles, GOVERNMENT EXECUTIVE, April 1, 2001, at 100. This Court thereafter ordered the Special Master in this case, Alan Balaran, to*fn1 investigate the integrity of the computer security systems in the custody or control of the Interior Department that might house individual Indian trust data. The Interior defendants raised no objection to this order and did not seek to challenge its implementation before this Court or on appeal. On November 14, 2001, the Special Master filed a 154-page report entitled "Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior" ("Trust Data Security Report"). The conclusion of the report stated: "It is the recommendation of the Special Master that the Court intervene and assume direct oversight of those systems housing Indian trust data. Without such direct oversight, the threat to records crucial to the welfare of hundreds of thousands of IIM beneficiaries will continue unchecked." Trust Data Security Report at 154. The infirmities uncovered in the November 14, 2001 Report of the Special Master have never been questioned. See Cobell v. Norton, 2003 WL 21673009, at *19 (D.C. Cir. July 18, 2003), nor appealed.
On December 5, 2001, this Court entered a temporary restraining order mandating that the Interior Department "immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data" and "immediately disconnect from the Internet all computers within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data." The order was amended the next day, following a hearing.
On December 17, 2001, with the consent of the Interior defendants, the Court entered a consent decree entitled "Consent Order Regarding Information Technology Security" ("the Consent Order"), which modified the temporary restraining order. The Consent Order*fn2 mandated, inter alia, that "Interior shall not reconnect any information technology system to the Internet without the concurrence of the Special Master as provided herein" and that the Special Master shall verify compliance with this Consent Order and may conduct interviews with Interior personnel or contractors or conduct site visits wherever information technology systems or individual Indian trust data is housed or accessed.
Each party will have the opportunity to have at least one counsel present at such interviews or site visits, and any additional personnel permitted by the Special Master. The Special Master will provide notice to counsel for both parties in advance of such interviews or site visits, but such notice may be limited to the minimum necessary for counsel to make arrangements to attend. Unless expressly permitted by the Special Mater in writing, counsel shall not inform their clients or any third parties about such interviews or site visits in advance[.] [emphasis added]
B. The Events Preceding the Entry of the June 27, 2003 Temporary Restraining Order
On April 24, 2003, the Special Master sent a letter to Justice Department attorney Glenn Gillett, a member of the Interior defendants' litigation team. The letter stated that on April 9, the Security Assistance Group ("SAG") appointed by the Special Master to verify the Interior Department's compliance with the Consent Order had discovered that a server operated by Interior's Office of Surface Mining ("the OSM server"), a system that housed individual Indian trust data, was accessible from the Internet. The Special Master further reported:
On Apr 18, 2003 SAG conducted a Nessus security scanning test on OSM servers and identified a vulnerability on [the OSM server] that would allow remote unauthorized users to grab copies of files from the file system on the server[.]
On Apr 21, 2003 SAG performed additional tests on this server to ensure that the vulnerability did not reflect a "false-positive" finding. Results of those tests verified the existence of a vulnerability.
The Special Master further stated that on April 22, SAG drafted a plan for further testing in accordance with the protocols developed by the Special Master and the Interior Department ("the Rules of Engagement"), and e-mailed this test plan to the Special Master, Interior Department employee Roger Mahach, Interior Department contractor Jon Pettyjohn, and Justice Department attorney John Warshawsky. The Rules of Engagement identify the last three individuals as "Trusted Points of Contact" who were to be contacted by the Special Master prior to undertaking penetration testing of Interior Department computer systems. The Special Master further stated that on April 23, when SAG began their tests, they were unable to establish any communication with the OSM server, notwithstanding the fact that the server had been operational for the two weeks prior to April 23. The letter concluded: "It is my concern that someone at OSM shut down [the OSM server] less [than] 24 hours after it was identified by SAG. Kindly provide me with a list of all OSM employees who were made privy to SAG's efforts in this matter."
Gillett replied to the Special Master the same day. In his letter, Gillett informed the Special Master:
In response to your letter..., the response is that all trusted points of contact mentioned in your letter deny telling any OSM employees about the testing. Additionally, I asked Hord Tipton [another Trusted Point of Contact] if he informed any OSM employees and he said "no."
I asked Roy Morrison of OSM about the status of the referenced server. He informed me (after making inquiries), that OSM experienced a "cable failure" on April 23, 2003.
I hope this reply is satisfactory.
The Special Master replied on May 6, 2003, informing Gillett that his response, while helpful, does not fully answer the question. My concern is whether any OSM employees with access to [the OSM server], e.g., the system administrator and/or network engineer, was aware that the Special Master, or his agents, was scanning the server in issue. Kindly provide me with a list of employees with such access and let me know whether any were privy to efforts by my office to scan [the OSM server]....
Moreover, while I do not doubt your representation that OSM experienced a "cable failure" on April 23, 2003, I am concerned that this unidentified failure took place less than 24 hours after a test plan was submitted to you, DOJ and SAIC. Please clarify: (1) what type of "cable failure" was experienced by OSM on April 23, 2003; (2) whether OSM had experienced similar or identical failures prior to April 23, 2003 (and, if so, when); (3) how and when the failure was discovered; (4) who discovered the failure; (5) what tests, if any, were performed to determine that there was, in fact, a cable failure; and (6) what steps were taken to fix the failure.
On May 13, 2003, Sandra P. Spooner, the current lead defense counsel for the Interior Department, responded, in pertinent part, as follows:
Although your letter disavows any doubt about the truth of Mr. Gillett's representations, it seeks substantial additional information, including the names and positions of those with acces[s] to the OSM server at issue, through which you apparently seek to investigate the truth of his statements or those of trusted points of contact.*fn3
Your approach suggest [sic] that the protocols under which we are operating are not performing their function – that the "trusted points of contact" are not, in fact, trusted. Therefore, we are therefore [sic] discussing with Interior an appropriate course of action under these circumstances and will communicate with you as soon as possible about this matter.
The Special Master responded that date:
While Interior contemplates "an appropriate course of action," in response to my letter of May 6, 2003 (mistakenly dated April 24, 2003), I will instruct John Kerr of SAG to desist from performing any further functions regarding outstanding requests to re-connect or re-open Interior's systems impacted by the Court's December 5, 2001 Order.
There is nothing in the record indicating what, if any, appropriate course of action was arrived at by Interior.
By letter dated June 11, 2003, Gillett wrote the Special Master and represented the following:
As requested in your letter of May 6, 2003, the clarification of the "cable failure" is provided below:
The referenced server, located in the DMZ, is used by OSM to provide web access. On April 23, 2003, at approximately 1:00 p.m., a user notified OSM's computer support center that he could not access the referenced server. A computer support center representative responded to the user by testing access from the user's terminal, which failed. Next, the representative looked at the server and discovered that the LAN cable seemed to be loose. The representative reseated the LAN cable into the server, tested the server and confirmed that it was in working order. The representative then returned to the user's workstation and confirmed that access had been restored to the server. The work was completed on the same day. OSM reported that maintenance work performed on servers colocated with the referenced server in a server rack is the most likely cause for the loose cable.
We trust that you agree that this matter has been addressed satisfactorily. The Special Master replied on June 15, 2003:
Your explanation of the "cable failure" appears to have been lifted from an unattributed and unattached correspondence or memorandum. Before I agree that the matter has been "addressed satisfactorily," I must have a copy of the document from which you excerpted as well as your personal certification that the representations reflected in said document are accurate. Without both, I will not reinitiate the reconnection process. [emphasis in original]
On June 18, 2003, Spooner replied to the Special Master:
The first indented paragraph (page 2 of our June 11, 2003 letter) provided you detailed information concerning the "cable failure." The substance of this paragraph was taken from draft correspondence between the Department of Interior and the Department of Justice and is subject to a claim of privilege.
No attorney in the Department of Justice can make a "personal certification that the representations reflected in said document are accurate"... because no attorney has direct knowledge that a LAN cable was loose or that reseating the LAN cable cured the problem noticed by an Interior employee. However, we have no reason to question the accuracy of the information provided. Further, the facts and circumstances surrounding the discovery of the outage and quick remedial action support the accuracy of the information.
The previous day, Gillett had sent an email to SAG employee Ty Gast, which was not copied to the Special Master, plaintiffs or the Court, stating the following:
1. In response to your e-mail requesting the SAIC scan data for April 2003, we are considering whether, given the cost to the United States of your examining this data, it makes sense to continue to provide it. The point of contact for this matter is Glenn Gillett.
2. In response to your e-mail providing detailed information about the on-going scanning of Interior systems, please do not provide this information to us. Until there is an agreement on the application of the "rules of engagement" for such scanning, the United States does not consent to the scans and does not consent to any attempt to penetrate the networks. We remain ready to discuss and resolve the difficulties that have arisen concerning the application of the "rules of engagement" to the scans of the networks. However, until the differences are resolved, all "penetration testing" is non-consensual and subject to all legal restrictions on such activity.*fn4
The Special Master responded to Gillett in a letter dated June 17:
As to the first matter, I find no provision of the December 17, 2001 consent order... that hinges Interior's cooperation on the cost of "examining" security information. It is simply not your prerogative to withhold information while "considering" the expense attendant to such a review....
As to the second matter, I admit some surprise. Prior to the Department of Justice's request that I abandon the weekly IT meetings, the Office of the Special Master, Interior, Justice and SAIC labored for months to reach an accommodation that resulted in the rules of engagement that have governed the controlled penetration of Interior's computers.... To date, I have received no communication from your office informing me of "difficulties that have arisen concerning the application of the 'rules of engagement.'" For you to now represent that "the United States does not consent to the scans and does not consent to any attempt to penetrate the networks," based on these unspecified "difficulties" is unacceptable.
Let me be clear. The ability of the Office of the Special Master, through its contractor, to scan Interior's computers systems and share its findings with the parties and the Court is an essential step to ensuring the security of individual Indian trust data. If the "difficulties" and "differences" you reference in your e-mail to Mr. Gast do, in fact, exist, I am directing you to articulate them with specificity and transmit them to my office no later than close-of-business, June 19, 2003.
The Special Master also responded to Spooner's June 18, 2003 letter:
While Mr. Gillett may not have direct knowledge of the Office of Surface Mining "cable failure," by presenting me with an explanation, he was personally "certifying that to the best of [his] knowledge, information, and belief, formed after an inquiry reasonable under the circumstances,... the allegations and other factual contentions" set out in his June 11, 2003 letter had "evidentiary support." Fed.R.Civ.Pro. 11(b)(3). This requirement, as you know, extends to all "pleading[s], written motion[s], or other paper[s]." Id. (Emphasis added.)
Beyond the requirements of Rule 11, the need for personal certification is particularly acute, given Mr. Gillett's reliance on "privileged" "draft correspondence between the Department of the Interior and the Department of Justice." Since it appears, by your correspondence, that Mr. Gillett did not perform the due diligence before signing the June 11, 2003 letter, I assume that I am to accept explanations extracted from "draft" documents of unknown authorship that I am unable to examine. Again, I disagree, and will not recommence the reconnection process until I have reviewed all relevant documentation explaining the events that led to the April 23, 2003 OSM server outage, and am satisfied that the explanation rings true.
On June 19, 2003 Spooner sent a letter to the Special Master:
Despite a good working relationship developed over the evolution of the "rules of engagement," you sent Mr. Gillett [an] accusatory letter that demanded a list of all individuals at the Office of Surface Mining who were privy to the sensitive information revealed only to the Trusted Points of Contact two days earlier (earlier "penetration testing" issues were resolved by telephonic contact without recrimination). Despite Mr. Gillett's prompt and direct reply that none of the Trusted Points of Contact disclosed the sensitive information to anyone at the Office of Surface Mining and that the probable cause of the problem noted by Ty Gast was a "cable failure," you questioned the accuracy of the information and demanded even greater detail about the exact nature of the "cable failure" and the names of the individuals with access to the specified server....
Despite the detailed, logical and consistent information that we have provided to you on the OSM server incident..., you continue to question the veracity of the information provided to you by Mr. Gillett... Your June 15 letter demands that Mr. Gillett provide you with a copy of the letter or memorandum from which he "lifted" a paragraph detailing the LAN cable problem. Further, you demand that he provide a "personal certification" that the information provided by the Office of Surface Mining is accurate. As we have explained, this "personal certification" is neither possible nor reasonable under these circumstances. Yet you have refused to participate in any further "reconnection" activity until Mr. Gillett complies with both demands....
We cannot and do not consent to "penetration testing" under these circumstances. Your being unwilling to accept the Trusted Points of Contact as individuals who can be trusted not to disclose the sensitive information entrusted to them and your questioning of their veracity (the need for "personal certification") results in a procedure that ...