UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
July 28, 2003
ELOUISE PEPION COBELL, ET AL., PLAINTIFFS,
GALE A. NORTON, SECRETARY OF THE INTERIOR, ET AL., DEFENDANTS.
The opinion of the court was delivered by: Royce C. Lamberth United States District Judge
This matter comes before the Court on plaintiffs' motion for a preliminary injunction to ensure the protection of individual Indian trust data [2116-2], which was filed on June 26, 2003. Upon consideration of plaintiffs' motion, defendants' brief in opposition thereto, the oral arguments of counsel, and the applicable law, the Court finds that plaintiffs' motion should be granted.
Prior to entering a preliminary injunction, this Court is required to provide written findings in support of its conclusion that such an injunction should be entered. Accordingly, the Court will relate the events leading up to the present opinion in some detail.
I. PROCEDURAL BACKGROUND
A. Events Preceding the Entry of the December 17, 2001 Consent Order
In the April 2001 issue of Government Executive magazine, then-Chief Information Officer of the Bureau of Indian Affairs Dominic Nessi observed: "For all practical purposes, we have no security, we have no infrastructure,.... Our entire network has no firewalls on it. I don't like running a network that can be breached by a high school kid. I don't like running a program that is out of compliance with federal statutes, especially when I have no ability to put it into compliance." Katherine McIntire Peters, Trail of Troubles, GOVERNMENT EXECUTIVE, April 1, 2001, at 100. This Court thereafter ordered the Special Master in this case, Alan Balaran, to*fn1 investigate the integrity of the computer security systems in the custody or control of the Interior Department that might house individual Indian trust data. The Interior defendants raised no objection to this order and did not seek to challenge its implementation before this Court or on appeal. On November 14, 2001, the Special Master filed a 154-page report entitled "Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior" ("Trust Data Security Report"). The conclusion of the report stated: "It is the recommendation of the Special Master that the Court intervene and assume direct oversight of those systems housing Indian trust data. Without such direct oversight, the threat to records crucial to the welfare of hundreds of thousands of IIM beneficiaries will continue unchecked." Trust Data Security Report at 154. The infirmities uncovered in the November 14, 2001 Report of the Special Master have never been questioned. See Cobell v. Norton, 2003 WL 21673009, at *19 (D.C. Cir. July 18, 2003), nor appealed.
On December 5, 2001, this Court entered a temporary restraining order mandating that the Interior Department "immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data" and "immediately disconnect from the Internet all computers within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data." The order was amended the next day, following a hearing.
On December 17, 2001, with the consent of the Interior defendants, the Court entered a consent decree entitled "Consent Order Regarding Information Technology Security" ("the Consent Order"), which modified the temporary restraining order. The Consent Order*fn2 mandated, inter alia, that "Interior shall not reconnect any information technology system to the Internet without the concurrence of the Special Master as provided herein" and that the Special Master shall verify compliance with this Consent Order and may conduct interviews with Interior personnel or contractors or conduct site visits wherever information technology systems or individual Indian trust data is housed or accessed.
Each party will have the opportunity to have at least one counsel present at such interviews or site visits, and any additional personnel permitted by the Special Master. The Special Master will provide notice to counsel for both parties in advance of such interviews or site visits, but such notice may be limited to the minimum necessary for counsel to make arrangements to attend. Unless expressly permitted by the Special Mater in writing, counsel shall not inform their clients or any third parties about such interviews or site visits in advance[.] [emphasis added]
B. The Events Preceding the Entry of the June 27, 2003 Temporary Restraining Order
On April 24, 2003, the Special Master sent a letter to Justice Department attorney Glenn Gillett, a member of the Interior defendants' litigation team. The letter stated that on April 9, the Security Assistance Group ("SAG") appointed by the Special Master to verify the Interior Department's compliance with the Consent Order had discovered that a server operated by Interior's Office of Surface Mining ("the OSM server"), a system that housed individual Indian trust data, was accessible from the Internet. The Special Master further reported:
On Apr 18, 2003 SAG conducted a Nessus security scanning test on OSM servers and identified a vulnerability on [the OSM server] that would allow remote unauthorized users to grab copies of files from the file system on the server[.]
On Apr 21, 2003 SAG performed additional tests on this server to ensure that the vulnerability did not reflect a "false-positive" finding. Results of those tests verified the existence of a vulnerability.
The Special Master further stated that on April 22, SAG drafted a plan for further testing in accordance with the protocols developed by the Special Master and the Interior Department ("the Rules of Engagement"), and e-mailed this test plan to the Special Master, Interior Department employee Roger Mahach, Interior Department contractor Jon Pettyjohn, and Justice Department attorney John Warshawsky. The Rules of Engagement identify the last three individuals as "Trusted Points of Contact" who were to be contacted by the Special Master prior to undertaking penetration testing of Interior Department computer systems. The Special Master further stated that on April 23, when SAG began their tests, they were unable to establish any communication with the OSM server, notwithstanding the fact that the server had been operational for the two weeks prior to April 23. The letter concluded: "It is my concern that someone at OSM shut down [the OSM server] less [than] 24 hours after it was identified by SAG. Kindly provide me with a list of all OSM employees who were made privy to SAG's efforts in this matter."
Gillett replied to the Special Master the same day. In his letter, Gillett informed the Special Master:
In response to your letter..., the response is that all trusted points of contact mentioned in your letter deny telling any OSM employees about the testing. Additionally, I asked Hord Tipton [another Trusted Point of Contact] if he informed any OSM employees and he said "no."
I asked Roy Morrison of OSM about the status of the referenced server. He informed me (after making inquiries), that OSM experienced a "cable failure" on April 23, 2003.
I hope this reply is satisfactory.
The Special Master replied on May 6, 2003, informing Gillett that his response, while helpful, does not fully answer the question. My concern is whether any OSM employees with access to [the OSM server], e.g., the system administrator and/or network engineer, was aware that the Special Master, or his agents, was scanning the server in issue. Kindly provide me with a list of employees with such access and let me know whether any were privy to efforts by my office to scan [the OSM server]....
Moreover, while I do not doubt your representation that OSM experienced a "cable failure" on April 23, 2003, I am concerned that this unidentified failure took place less than 24 hours after a test plan was submitted to you, DOJ and SAIC. Please clarify: (1) what type of "cable failure" was experienced by OSM on April 23, 2003; (2) whether OSM had experienced similar or identical failures prior to April 23, 2003 (and, if so, when); (3) how and when the failure was discovered; (4) who discovered the failure; (5) what tests, if any, were performed to determine that there was, in fact, a cable failure; and (6) what steps were taken to fix the failure.
On May 13, 2003, Sandra P. Spooner, the current lead defense counsel for the Interior Department, responded, in pertinent part, as follows:
Although your letter disavows any doubt about the truth of Mr. Gillett's representations, it seeks substantial additional information, including the names and positions of those with acces[s] to the OSM server at issue, through which you apparently seek to investigate the truth of his statements or those of trusted points of contact.*fn3
Your approach suggest [sic] that the protocols under which we are operating are not performing their function – that the "trusted points of contact" are not, in fact, trusted. Therefore, we are therefore [sic] discussing with Interior an appropriate course of action under these circumstances and will communicate with you as soon as possible about this matter.
The Special Master responded that date:
While Interior contemplates "an appropriate course of action," in response to my letter of May 6, 2003 (mistakenly dated April 24, 2003), I will instruct John Kerr of SAG to desist from performing any further functions regarding outstanding requests to re-connect or re-open Interior's systems impacted by the Court's December 5, 2001 Order.
There is nothing in the record indicating what, if any, appropriate course of action was arrived at by Interior.
By letter dated June 11, 2003, Gillett wrote the Special Master and represented the following:
As requested in your letter of May 6, 2003, the clarification of the "cable failure" is provided below:
The referenced server, located in the DMZ, is used by OSM to provide web access. On April 23, 2003, at approximately 1:00 p.m., a user notified OSM's computer support center that he could not access the referenced server. A computer support center representative responded to the user by testing access from the user's terminal, which failed. Next, the representative looked at the server and discovered that the LAN cable seemed to be loose. The representative reseated the LAN cable into the server, tested the server and confirmed that it was in working order. The representative then returned to the user's workstation and confirmed that access had been restored to the server. The work was completed on the same day. OSM reported that maintenance work performed on servers colocated with the referenced server in a server rack is the most likely cause for the loose cable.
We trust that you agree that this matter has been addressed satisfactorily. The Special Master replied on June 15, 2003:
Your explanation of the "cable failure" appears to have been lifted from an unattributed and unattached correspondence or memorandum. Before I agree that the matter has been "addressed satisfactorily," I must have a copy of the document from which you excerpted as well as your personal certification that the representations reflected in said document are accurate. Without both, I will not reinitiate the reconnection process. [emphasis in original]
On June 18, 2003, Spooner replied to the Special Master:
The first indented paragraph (page 2 of our June 11, 2003 letter) provided you detailed information concerning the "cable failure." The substance of this paragraph was taken from draft correspondence between the Department of Interior and the Department of Justice and is subject to a claim of privilege.
No attorney in the Department of Justice can make a "personal certification that the representations reflected in said document are accurate"... because no attorney has direct knowledge that a LAN cable was loose or that reseating the LAN cable cured the problem noticed by an Interior employee. However, we have no reason to question the accuracy of the information provided. Further, the facts and circumstances surrounding the discovery of the outage and quick remedial action support the accuracy of the information.
The previous day, Gillett had sent an email to SAG employee Ty Gast, which was not copied to the Special Master, plaintiffs or the Court, stating the following:
1. In response to your e-mail requesting the SAIC scan data for April 2003, we are considering whether, given the cost to the United States of your examining this data, it makes sense to continue to provide it. The point of contact for this matter is Glenn Gillett.
2. In response to your e-mail providing detailed information about the on-going scanning of Interior systems, please do not provide this information to us. Until there is an agreement on the application of the "rules of engagement" for such scanning, the United States does not consent to the scans and does not consent to any attempt to penetrate the networks. We remain ready to discuss and resolve the difficulties that have arisen concerning the application of the "rules of engagement" to the scans of the networks. However, until the differences are resolved, all "penetration testing" is non-consensual and subject to all legal restrictions on such activity.*fn4
The Special Master responded to Gillett in a letter dated June 17:
As to the first matter, I find no provision of the December 17, 2001 consent order... that hinges Interior's cooperation on the cost of "examining" security information. It is simply not your prerogative to withhold information while "considering" the expense attendant to such a review....
As to the second matter, I admit some surprise. Prior to the Department of Justice's request that I abandon the weekly IT meetings, the Office of the Special Master, Interior, Justice and SAIC labored for months to reach an accommodation that resulted in the rules of engagement that have governed the controlled penetration of Interior's computers.... To date, I have received no communication from your office informing me of "difficulties that have arisen concerning the application of the 'rules of engagement.'" For you to now represent that "the United States does not consent to the scans and does not consent to any attempt to penetrate the networks," based on these unspecified "difficulties" is unacceptable.
Let me be clear. The ability of the Office of the Special Master, through its contractor, to scan Interior's computers systems and share its findings with the parties and the Court is an essential step to ensuring the security of individual Indian trust data. If the "difficulties" and "differences" you reference in your e-mail to Mr. Gast do, in fact, exist, I am directing you to articulate them with specificity and transmit them to my office no later than close-of-business, June 19, 2003.
The Special Master also responded to Spooner's June 18, 2003 letter:
While Mr. Gillett may not have direct knowledge of the Office of Surface Mining "cable failure," by presenting me with an explanation, he was personally "certifying that to the best of [his] knowledge, information, and belief, formed after an inquiry reasonable under the circumstances,... the allegations and other factual contentions" set out in his June 11, 2003 letter had "evidentiary support." Fed.R.Civ.Pro. 11(b)(3). This requirement, as you know, extends to all "pleading[s], written motion[s], or other paper[s]." Id. (Emphasis added.)
Beyond the requirements of Rule 11, the need for personal certification is particularly acute, given Mr. Gillett's reliance on "privileged" "draft correspondence between the Department of the Interior and the Department of Justice." Since it appears, by your correspondence, that Mr. Gillett did not perform the due diligence before signing the June 11, 2003 letter, I assume that I am to accept explanations extracted from "draft" documents of unknown authorship that I am unable to examine. Again, I disagree, and will not recommence the reconnection process until I have reviewed all relevant documentation explaining the events that led to the April 23, 2003 OSM server outage, and am satisfied that the explanation rings true.
On June 19, 2003 Spooner sent a letter to the Special Master:
Despite a good working relationship developed over the evolution of the "rules of engagement," you sent Mr. Gillett [an] accusatory letter that demanded a list of all individuals at the Office of Surface Mining who were privy to the sensitive information revealed only to the Trusted Points of Contact two days earlier (earlier "penetration testing" issues were resolved by telephonic contact without recrimination). Despite Mr. Gillett's prompt and direct reply that none of the Trusted Points of Contact disclosed the sensitive information to anyone at the Office of Surface Mining and that the probable cause of the problem noted by Ty Gast was a "cable failure," you questioned the accuracy of the information and demanded even greater detail about the exact nature of the "cable failure" and the names of the individuals with access to the specified server....
Despite the detailed, logical and consistent information that we have provided to you on the OSM server incident..., you continue to question the veracity of the information provided to you by Mr. Gillett... Your June 15 letter demands that Mr. Gillett provide you with a copy of the letter or memorandum from which he "lifted" a paragraph detailing the LAN cable problem. Further, you demand that he provide a "personal certification" that the information provided by the Office of Surface Mining is accurate. As we have explained, this "personal certification" is neither possible nor reasonable under these circumstances. Yet you have refused to participate in any further "reconnection" activity until Mr. Gillett complies with both demands....
We cannot and do not consent to "penetration testing" under these circumstances. Your being unwilling to accept the Trusted Points of Contact as individuals who can be trusted not to disclose the sensitive information entrusted to them and your questioning of their veracity (the need for "personal certification") results in a procedure that fails to accomplish its goal and merely puts the Trusted Points of Contact in harm's way.
The Special Master responded on the same day, observing that without the ability to perform scans, I can not be assured that the systems that have been approved for reconnection are secure. In my view, your refusal to permit further penetration testing on the grounds that I would not accept representations by Mr. Gillett and an unnamed Office of Surface Mining employee at face value will undermine the tireless efforts exerted by Interior and the Office of the Special Master to reconnect 95% of Interior's systems within one year of the Court's December 5, 2001 injunction. Again, that is your prerogative. Notwithstanding your representation that you stand ready to discuss the agreement on rules of engagement for penetration testing, your correspondence indicates your willingness to do so only if I abdicate my responsibility to the Court and adhere to your terms. That is unacceptable and I urge you to reconsider.
I am ready to discuss this matter with Associate Deputy Secretary Cason at any time.
Spooner responded the next day:
Through the misstatements, omissions, and unsupported allegations in your letter, you have attempted to create an ethical issue where none exists.
[N]otwithstanding your accusations, you have not suggested that there is even a shred of evidence that runs counter to the information provided to you by Mr. Gillette [sic]. We are confident that the inquiry made prior to the signing of the letter passes muster under Rule 11 standards and you have never given us any basis to question the results of our inquiry.
Inasmuch as your June 19 letter gratuitously defames Mr. Gillett's reputation and professionalism without the slightest basis to support your allegations, the letter should be retracted.... Your recent accusations are so ill-founded and disproportionate as to defy legitimate explanation, absent a fundamental misunderstanding. Under the circumstances, your accusations should be withdrawn immediately.
C. The June 27, 2003 Temporary Restraining Order
On June 26, 2003, plaintiffs filed a motion seeking the entry of a temporary restraining order mandating that the Interior Department disconnect from the Internet all computers and information technology systems that either house or provide access to individual Indian trust data until the Special Master determined that all such data was properly secured. The Court held a hearing on plaintiffs' motion on the following day, Friday, June 27, 2003. During the hearing, the Court granted the plaintiffs' motion and asked the Interior defendants whether they wished to proffer any language to modify the order. Defense counsel responded:
MR. WARSHAWSKY: Your Honor, at the outset I have to say for the record we believe what the Court is doing is wrong.
THE COURT: I am sorry.
MR. WARSHAWSKY: It is wrong and it is not something that in any sense by our setting out some proposed changes do we wish this to be construed as any sort of consent.
THE COURT: I understand. I understand you object, and you have put the ball in my Court. And within the ten days and if I extend it ten days that time, I will have to take this all over and decide it for myself; but you are not willing to work things out with the Special Master so that's the posture we are in. So I am going to halt everything in place until I can have an opportunity to do it. I happen to be in the middle [of] a trial right now so my opportunity to get it all straightened out is pretty limited at the moment.
MR. WARSHAWSKY: As I said, your Honor, we are willing to try to work things out with the Special Master.
THE COURT: Okay. I hope you can.
MR WARSHAWSKY: I certainly hope we do too, your Honor.
THE COURT: I will be glad to vacate this on Monday.
Plaintiffs thereafter suggested that the order exempt any computer system that was essential to protect against fire or any other threat to life or property. The Court modified the order in accordance with plaintiffs' suggestion. Plaintiffs also suggested that the Interior defendants be required to provide a certification, in accordance with the Civil Rules of this Court, that the exempted systems were in fact essential to protect against fire or any other threat to life or property. The Court informed the parties that this second suggestion would be considered when the Court held a hearing on plaintiffs' motion for entry of a preliminary injunction.
D. Relevant Correspondence After the Entry of the June 27, 2003 Temporary Restraining Order
On the day after the temporary restraining order was entered, Justice Department attorney John Warshawsky sent the following email post to the Special Master:
This confirms our telephone conversations today re: the MMS [Minerals Management Service] contractor server used to receive royalty payment information. Pursuant to our discussions, this server will be allowed to remain open and connected to the Internet until you have an opportunity to meet with [plaintiffs' counsel Dennis Gingold] and Interior representatives (DOJ) to discuss it.... Thank you for your attention and consideration regarding this matter.*fn5
On July 1, the Special Master wrote to Spooner:
Thank you for your letter this date concerning a meeting to discuss the restraining order entered into Friday, June 27, 2003. I too am eager to resolve this matter as quickly as possible. As conveyed to [Justice Department attorney John Warshawsky] this morning, however, I believe there are certain issues that need to be resolved before a meeting take place. These include: (1) a resumption of the weekly meetings between the Department of the Interior, the Department of Justice, the Office of the Solicitor, SAIC, SAG, (class counsel, if they choose to attend) and me; and (2) the continued external penetration tests conducted by SAG in accordance with the rules of engagement that have governed these tests to date.
Beyond this, I stand ready, as always, to meet with [Interior Department Associate Deputy Secretary James Cason], plaintiffs and others to discuss all matters related to the safety and security of individual Indian trust data residing on Interior's computer systems. Spooner responded on July 9:
In recent correspondence, you have requested weekly meetings and you have implied that we (representatives of the Justice Department and the Department of the Interior) have refused to meet with you. Our position continues to be clear. We have been and are available to meet with you whenever there is a need to do so.
Regarding penetration testing, our position is also clear: We have cooperated in your penetration testing program for many months and remain willing to cooperate with future testing efforts.
However, as you know, this issue is more complicated. As we have briefed you and the Court, the Consent Order did not authorize the Special Master to conduct "penetration" or "exploitation" testing and 18 U.S.C. § 1030 provides that it is a felony for a person to seek to gain unauthorized access to information housed on Government computer systems. [emphasis in original]
A meeting took place between the parties and the Special Master on July 15, 2003. The transcript of the hearing includes a colloquy between the Special Master and Spooner. In that it sheds light on the events leading up to the entry of the June 27, 2003 temporary restraining order, it warrants quotation at some length:
MR. BALARAN: And the OSM thing -- let me just back this up. I've been doing this long enough that there are certain things that sort of tug at you and say that there's something just sounds wrong. The most recent example I can give you is the thing with the trust data with the training sessions, with whether or not people in training were given out information that may have been proprietary or sensitive trust information. I was given a representation in a monthly report that says, "Yeah, we've taken care of that and sanitized it." And, of course, I asked the follow-up question, because I – I asked a follow-up question and – only to find out that maybe that representation was made in error.
Okay. I have an affirmative duty, in my view, to ask these kinds of questions. I don't believe I would be acquitting myself responsibly if I didn't and if I didn't look behind it. Forget about the personality issues and who did what ethically and who didn't. The point is, we've all been around this case long enough to know that this is a large department, and not everybody always does what they're supposed to do, and not always – not everybody always represents to you what, in fact, is true, and certainly not always everybody represents to me. And that has created an odd dynamic, at times. If I think that the question of – and I'm just going to give you this as an example, because I don't want to harp on this particular set of facts as to be the paradigm for everything else, but if I believe that somebody telling me that a cable failure took place is somewhat a curious phenomena, and I ask for a lot of detail behind it, I think I'm justified in doing so, and even if you disagree, if the Department of Interior takes umbrage at it or feels that I'm somehow being personal, then let that be the issue.
You know, all I'm saying is, I think that to throw out the baby with the bath water is really a mistake. I don't – we have never – and when I say "we," I'm talking the Office of the Special Master and its delegates, in terms of SAG – have never deviated one whit from the rules of engagement. We've never – I've never seen anything to that effect in writing. I've never heard of anything to that effect. Nobody's ever contacted me and said we have ever breached a protocol, whatsoever. If we have, it's certainly news to me.
So I'm surprised when, all of a sudden I find out through a round-about channel that, yes, the fact that I've questioned – and maybe asked some questions that you didn't like or somebody at Interior found offensive, and I'm not going to – or somebody at Interior found offensive, all of a sudden that means there's a total breakdown in our ability to continue the penetration test.
I don't want to belabor the OSM issue. I think that we've been around this table long enough that if I want to ask a question, I should be able to do so. If you take offense at it, you should be able to express your offense in as strong terms as you like. I mean, certainly plaintiffs do so when they're offended at something. I have no issue with them.
But the bottom line is -- what's immutable here is, the rules of engagement were never deviated [from]. [They] were non-discretionary rules that were never played with. What was discretionary was my ability to ask certain questions and find out certain things. And why that got impacted, the rules of engagement that we worked so hard at, and that penetration got stopped, I just don't understand. It seems to me that that should never be held hostage to any disagreements we may have, regardless – forget OSM, for a moment. It seems to me we worked so hard at arriving... I mean, we really went around this for many a month. And it seems to me that that should never be held hostage. And that's exactly what happened here.
And I'd like to make sure that we have what I would like to see, in the best of all worlds, is we set up a protocol whereby if we have an honest disagreement about something or you think I'm just straying, you know, off the face of reality, let that be the topic.
MS. SPOONER: You know, I'm a little perplexed, because I don't see the rules of engagement as being held hostage in any sense. It seems to me that the rules of engagement weren't working. As we had said in our letter, we thought we had rules of engagement at least we were willing to live by, and we had hoped that you would sign on to them, too. But it was clear, at least in that one situation, that they weren't working.
And so what we needed to do was to sit down and talk about the rules of engagement and try to arrange – either modify them or arrange them in some way so that they would, in fact, work. And my letter to you said we want to sit down and talk to you about this. That was my letter of – I think it was June 19th. MR. BALARAN: The problem is, we're getting to – we're getting fact-specific about this particular instance.
I don't believe that there was any correspondence that threw the rules of engagement into question. I believe that the rules of engagement worked perfectly. The fact is, let's assume the worst case and I had information to believe that a trusted point of contact on either side had revealed information out of school. Then that doesn't mean that the rules themselves are not working, because exchanging of information, of test [plans] of information and the cooperation that goes behind it, is never impacted.
MS. SPOONER: And we would have assumed that if you had reason to believe that a trusted point of contact was not, in fact, trusted, you would tell us that.
MR. BALARAN: But if –
MS. SPOONER: But it seemed to us that you weren't saying, "I think this trusted point of [contact] lied," or "Here's what" – and, excuse me, let me just finish – "here's why I think I can't trust this trusted point of contact." You would have told us. But that's not what we got. What we got was, "I'm not interested in what the point of contacts have to say to me. What I want is to go beyond the trusted points of contact." And maybe that's the right way to go. It didn't seem to us then that it did. And that's why we wanted to discuss this with you. But we got no indication that there was anything – that you had any reason to not believe these fellows.
MR. BALARAN: The point is, even assuming that that's correct, I should not have heard that there was a problem with the rules of engagement through an e-mail from Ty Gast. That was wrong. If you believed that – yes, that's how I first found out there was a problem with the rules of engagement, that the United States will no longer agree to be penetrated, and there's legal action that's possibly involved. I never got that as a letter from the Department of Justice. I never heard from the Solicitor's Office. I never got that from the Department of Interior. The first time I was told that the United States would no longer agree to be penetrated was when an e-mail was forwarded to me. And not even to John Kerr, to a lower-level functionary of SAG.
MS. SPOONER: Well, I have to say, I have never felt it was wise for your contractors to be e-mailing us. I really – you know, I really think that's not a good way to communicate. I think it's too informal. And I think that if the communications are going to be between one entity, Department of Interior, and another entity, the Special Master, it ought to be through counsel.
MR. BALARAN: Okay, you're raising two separate issues here. I've addressed a completely different one, as to why this was never called to my attention that was a problem. But the fact remains, it was told to me that the person who wrote the e-mail did not want to send this in a letter, because they felt they would have to cc all involved. You're welcome to verify that. That is what I was told. The communications denied – I never told SAG or anybody else, "Contact the Justice Department through e-mails." This was started on your side.
Transcript at 18-25.
The day after the meeting, Warshawsky sent a letter to plaintiffs and to the Special Master:
We understand that plaintiffs have always been invited to attend the period IT meetings and that they have been invited to attend the next meeting, which will take place on the afternoon of July 21, 2003. We suggest that plaintiffs' duties and responsibilities under the rules of engagement be discussed at that time.
The Special Master responded the next day:
As stated during our July 15, 2003 conference, the Office of the Special Master agrees to be bound by the rules of engagement under which it has been operating in tandem with the Department of the Interior, the Department of Justice and the Office of the Solicitor for the past nine months....
Your letter identifies one other topic to be discussed in a meeting tentatively scheduled for the afternoon of July 21, 2003, namely, subjecting plaintiffs "to the same restrictions applicable to existing Trusted Points-of-Contact" (TPOCs). Stated simply, I don't believe it necessary to assemble plaintiffs, senior officials from the Department of the Interior, the Department of Justice and the Office of the Solicitor to discuss this one issue. As indicated during the July 15, 2003 conference, I am anxious to resume our weekly meetings. As you well know, those meetings, which you refer to as "periodic," were attended by technical people and convened to discuss a myriad of issues including past and future site visits, remediation efforts, test plans and the like. The conference you propose for July 21, 2003 is quite different. And while, as a general rule, I stand ready to attend such specialized meetings, I believe, in this instance, the issue of plaintiffs become TPOCs is better resolved through correspondence.
The next letter from Warshawsky to the Special Master is dated July 21:
We regret the miscommunication which led to our believing that you still wanted to hold a meeting to discuss IT security matters, including a continuation of our discussion about penetration testing and the draft rules of engagement, at 1:00 p.m. today.
Your decision not to meet today does provide all parties with an opportunity to review, before we meet again, the intervening opinion of the D.C. Circuit Court of Appeals insofar as it addresses the appropriate scope of a special master's duties. Please advise whether you wish to meet to discuss these issues prior to the expiration of the TRO on July 28, 2003.
The Special Master responded the next day:
Your letter dated July 16, 2003 set out two issues to be discussed during a meeting tentatively scheduled to "take place on the afternoon of July 21, 2003,"... By letter dated June 17, 2003, I expressed my agreement to the rules of engagement that we have been operating under for [the] past nine months and informed you that it was unnecessary to assemble a special meeting to discuss the sole remaining topic.
As you did not respond to this letter, I was surprised when a court reporter arrived at my office on Monday, July 21, 2003 for a conference she stated was scheduled by you for 1:00 PM. In the first place, my letter clearly indicated that a special meeting to discuss "plaintiffs becoming TPOCs" was unnecessary as this was a matter better resolved informally. Beyond this, I never received written confirmation that a precise time for commencement of this meeting had been set. To the extent you did send such a confirmation, I am requesting another copy.
I remain, as always, ready to meet with Mr. Cason and others to discuss the agency's IT-related concerns. I ask only, as Interior did prior to the July 15, 2003 meeting, that the agency provide to me, in advance, an agenda listing proposed topics for discussion.
There is no indication that any written confirmation of the meeting allegedly scheduled for July 21 was ever sent to the Special Master, and no correspondence indicating that a further meeting between the parties and the Special Master was ever scheduled or held. However, on July 25, 2003, the Interior defendants filed a statement with this Court representing that it is their position that "Special Master Balaran must be disqualified from acting in any capacity in this case."
The Court held a hearing on plaintiffs' motion for a preliminary injunction on July 28, 2003, the date on which the temporary restraining order was due to expire.
As explained above, the Interior defendants decided to resolve the issue of computer security at the Interior Department by entering into the December 17, 2001 Consent Order. The Court approved the Consent Order because it deemed that the testing of the computer security systems contemplated by the Order would provide the Court with satisfaction that the systems were secure before being reconnected to the Internet. Additionally, the Court authorized the systems to be reconnected based on the understanding that the Special Master would be permitted to continue monitoring the systems that had been reconnected, in order to ensure that the systems that housed or permitted access to individual Indian trust data continued to be secure from unauthorized Internet access.
At the June 27, 2003 hearing, it became apparent to the Court that the parties had reached an impasse on the implementation of the Consent Order. Therefore, the Court entered a temporary restraining order.
Neither plaintiffs nor the Interior defendants have represented to the Court that this impasse has been resolved. Moreover, given the Interior defendants' recently-stated position that "Special Master Balaran must be disqualified from acting in any capacity in this case," it does not appear that this impasse is likely to be resolved. However, the Special Master has represented that "without the ability to perform scans, [he] can not be assured that the systems that have been approved for reconnection are secure." It appears that this impasse has rendered it impossible for a key provision of the Consent Order to be implemented, namely, the requirement that the "the Special Master shall verify compliance with this Consent Order."
Additionally, the Interior defendants have apparently adopted a restrictive interpretation of the Consent Decree, namely, that once Interior Department computer systems have been reconnected to the Internet, no further testing of those systems is either necessary or permissible. In a brief filed on July 9, 2003, the Interior Department asserts:
With the exception of special procedures applicable to temporary reconnections for testing and the provision of certain necessary services, the Consent Order generally provides that Interior Defendants may reconnect systems following notice to the Special Master if such systems (a) do not house or provide access to individual Indian trust data or (b) house or provide access to individual Indian trust data, provided adequate security exists. Where the systems house or provide access to individual Indian trust data, the Consent Order provides, "The Special Master shall review the plan [for reconnection] and perform any inquiries he deems necessary to determine if it provides adequate security for individual Indian trust data." Finally, the Consent Order expressly provides that "the Special Master shall verify compliance with this Consent Order and may conduct interviews with Interior personnel or contractors or conduct site visits wherever information technology systems or individual Indian trust data is housed or accessed."
Plaintiffs assert... that the Consent Order essentially permitted the Special Master free rein to scan Interior's information technology systems. Interior Defendants, however, have reasonably taken the position that the Consent Order does not provide authorization for the Special Master to conduct intrusive and potentially destructive "penetration" and "exploitation" testing upon systems whose reconnection the Master has already approved. (internal citations omitted).
During the July 28, 2003 hearing, counsel for the Interior defendants affirmed that their position is that once the Special Master has authorized reconnection of Interior computer systems to the Internet, no further testing of those systems is permitted. As noted above, this was not the understanding of the Court at the time that it entered the Consent Order. It would certainly seem to be irrational to interpret the Consent Order to preclude the opportunity for such testing to take place. Such an interpretation would mean that, once the computer systems had been reconnected, no procedure would be in place to verify the systems later to ensure that the reconnected systems that house or permit access to trust data continue to be secure from unauthorized Internet access. Without any such means of verification, the Court would have no assurance that the reconnected systems could not be accessed by unauthorized users.
In sum, the parties continue to be at an impasse as to the manner in which the Consent Order should be implemented. Given the representations of the Interior defendants made during the July 28 hearing, and in their recent filings and correspondence with the Special Master, the Court has no confidence that this impasse will be resolved. In response to the continued impasse, the plaintiffs have moved for the entry of a preliminary injunction that would return the parties to the status quo that existed prior to the entry of the Consent Order.
When considering a request for injunctive relief, a court must consider four factors: (1) whether the movant has demonstrated a substantial likelihood of success on the merits; (2) whether the movant would suffer irreparable injury if the requested relief is not granted; (3) whether the injury to the movant if the injunction is not granted outweighs the injury to other interested parties who will be affected by the injunction; and (4) whether the issuance of the preliminary injunction would further the public interest. See Al-Fayed v. CIA, 254 F.3d 300, 303 (D.C. Cir. 2001); George Washington Univ. v. District of Columbia, 148 F. Supp.2d 15, 17 (D.D.C. 2001). These factors will be analyzed separately.
A. Substantial Likelihood of Prevailing on the Merits
Perhaps the best explanation of the relevance of the first factor is that "the need for the court to act is, at least, in part, a function of the validity of the applicant's claim." 11A CHARLES ALAN WRIGHT & ARTHURR. MILLER, FEDERALPRACTICE AND PROCEDURE § 2948.3, at 184 (2d ed. 1995). By its very nature, a preliminary injunction is entered before a full trial on the merits has occurred. It is therefore necessary for the district court to make some determination as to whether the movant has demonstrated a substantial likelihood that it will prevail on the merits, in order to minimize the risk of unwarranted injury to the party against whom the injunction will be issued. Nevertheless, the degree of likelihood of success is not a determinative factor.
In the present case, plaintiffs have already prevailed on the merits in the first phase of the litigation. Cobell v. Babbitt, 91 F.Supp.2d 1 (D.D.C. 1999), aff'd sub nom. Cobell v. Norton, 240 F.3d 1081 (D.C. Cir. 2001). Therefore, in light of their previous success on the merits, the Court finds that plaintiffs have demonstrated a substantial likelihood that they will prevail on the merits.
B. Irreparable Injury
The Interior defendants have asserted that no irreparable injury to plaintiffs will result if this Court fails to issue a preliminary injunction, in that the Office of Surface Mining's computer systems were reconnected to the Internet in January of 2002 pursuant to the Consent Order's provision applicable to systems that neither house nor provide access to individual Indian trust data. However, the Court does not understand the issue to be so limited. As noted above, the Interior defendants have withdrawn their consent for the Special Master to engage in penetration testing of its computer systems, which the Special Master has represented to be necessary in order for him "to verify compliance with [the] Consent Order." Specifically, the Special Master has represented that "without the ability to perform scans, I can not be assured that the systems that have been approved for reconnection are secure." The issue is thus whether plaintiffs will suffer irreparable harm if the present situation remains in effect, namely, one in which no steps are presently being undertaken to verify whether the Interior defendants are complying with the terms of the Consent Order.
In its December 1999 opinion, this Court held that "[t]he information contained in and processed by the [Interior Department's] computer systems must be monitored and verified." Cobell, 91 F. Supp.2d at 45. In the time since the Court's statement, numerous individuals have attested to the danger to individual Indian trust data residing on computer systems that have not been determined to be secure. In addition to the statements by former Bureau of Indian Affairs ("BIA") official Dominic Nessi in Government Executive magazine and the November 14, 2001 Trust Data Security Report filed by the Special Master, a number of government officials have testified as to the absence of adequate security measures to control and detect unlawful access to restricted data on the Interior Department's computer systems. Charlene Lattier, former chief of the BIA Branch of Operations and Data Management, provided an affidavit stating that "[t]he absence of any firewall at BIA poses a serious and imminent risk to the individual Indian trust data and assets as any intruder with knowledge that BIA has no firewalls and a modest level of proficiency could invade the Individual Indian trust systems. Such intrusion would likely go undetected because of the absence of firewalls." Justice Department attorney Phillip A. Brooks, former lead trial counsel for the Interior Department, stated during a March 29, 2000 hearing:
I mean, my goodness, how can you not have a security plan? I've got – the contractors are telling me there's not a fire wall. They said, "We don't need the access codes. If we want in there, we hack in. It might take us a few minutes." That's what we've got. We have an unsecure system, here, and I don't want to go into, although we could submit some things in-camera.... This is not okay, Judge. I can't represent to you that everything is okay or that it is about to be okay.
THE COURT: How do we get there though?
MR. BROOKS: How do we get there? I think that the plan –
THE COURT: We have no security plan now?
MR. BROOKS: That's correct.*fn6 On February 9, 2001, the Information Technology Security Manager for the Assistant Secretary of Indian Affairs issued a document entitled "The Bureau of Indian Affairs Information Technology Security Program." The document described the BIA's Information Technology Security Program ("ITSP") as providing "the basis for an agency-wide response to meeting the statutory and practical requirements that accompany the use of IT processing, storage, and transmission capabilities." The document further noted that
[t]he IT security risks of not meeting these requirements include systems and information stores that are readily subjected to unauthorized disclosure, non-approved modification, and lost availability. Resultant losses to the Bureau include a continuation of those risks already realized including resources consumed by court litigation, losses from financial fraud, loss of financial audit credibility, expenses for recovering from system compromises, unavailable IT services, and public embarrassment.*fn7
The document also included nineteen points entitled "Generally Acceptable Practices for Security Information Technology System." Three of the points contained self-assessments of the BIA's computer security system:
7. Computer Security Incident Handling.
A computer security incident can result from a computer virus, other malicious code, or a system intruder, either inside or outside. The Bureau currently handles incidents in a semi-ad hoc manner. We have made arrangements with FEDCIRC [Federal Computer Incident Response Center], but currently lack the capabilities to respond in a complete and consistent manner to incidents.
16. Intrusion Detection and Monitoring
Intrusion detection and monitoring (IDS) has traditionally been considered part of system audit capabilities, but has developed itself as a distinct practice in IT security. The Bureau makes extensive use of the Internet and Internet-style technology. The Bureau has been the victim of various internal and external based attacks. Currently, our IDS response is incomplete and inconsistent.
19. Malicious Code Detention, Prevention, and Eradication Also referred to as viruses, Trojans, macro-viruses, worms, mail bombs, etc.[,] malicious code incidents have become almost daily occurrences. Highly connected organizations like the Bureau that make extensive use of popular operating systems and applications [are] vulnerable to malicious code incidents. The effects of malicious code incidents can be severe and costly to completely contain. Further, system and [sic] applications used by the Bureau mean that a virus incident could quickly spread. The Bureau current approach to malicious code management is generally not complete or comprehensive.
On March 12, 2001, the Special Master filed a report with the Court entitled "Site Visit Report of the Special Master to the Office of Information Resources Management" (the "Site Visit Report"). The Special Master reported that when he had visited the Interior Department's Office of Information Resources Management ("OIRM") in Reston, Virginia the previous month, accompanied by a Justice Department attorney, the two were able to enter the facility via a construction entrance. After entering, the two passed by the front security desk without being detected, questioned, or detained, and the employee at the desk did not ask either man to produce any identification. No security cameras were visible near the security desk. The OIRM deputy director, who met the two men, expressed no surprise at the ease with which they gained entrance to the facility, and acknowledged that security at the facility was "terrible." The area where OIRM employees were working on various trust systems could be accessed without a passkey or special identification, and the door leading to the area had no handle or lock.
Additionally, at least thirty reports have been issued by both governmental and private entities addressing the security weaknesses of the Interior Department's information technology systems. These entities include the Interior Department's Office of the Inspector General, the General Administration Office, a subcommittee of the U.S. House of Representatives, and Arthur Andersen & Co. The findings in these reports were summarized in the Trust Data Security Report issued by the Special Master on November 14, 2001.
In sum, at the time that the Court entered the temporary restraining order on December 5, 2001 directing that the Interior Department's computer systems be disconnected from the Internet, it had received evidence from a variety of sources indicating that the agency could not guarantee that individual Indian trust data housed on the agency's computer systems was secure from access by unauthorized users of the system. In fact, a number of sources had expressly testified to the inadequacy of the computer security systems at the Interior Department. At the time that the December 5, 2001 order expired, the Court elected not to afford the plaintiffs preliminary injunctive relief, not because it had made any finding that such relief was unwarranted, but because the Interior defendants had proposed that the Court enter the Consent Order in lieu of granting the preliminary relief requested by plaintiffs. Since the Consent Order was entered, the Special Master has authorized the reconnection of a number of Interior Department computer systems to the Internet. However, not all of the systems have been reconnected, nor have the parties moved to vacate the Consent Order. It therefore seems reasonable to assume that at least some of the computer systems at the Interior Department have not been determined by the Special Master to be secure.
The Court finds that the continued operation of computer systems connected to the Internet that either house or provide access to individual Indian trust data, and which have not been demonstrated to be secure from Internet access by unauthorized persons, constitutes further and continuing an irreparable injury to plaintiffs. Their continued operation provides an opportunity for undetectable unauthorized persons to access, alter, or destroy individual Indian trust data via an Internet connection. The alteration or destruction of any of the trust data would further prevent the beneficiaries of the individual Indian money (IIM) trust from receiving the payments to which they are entitled, in the correct amount. Although money damages might provide adequate compensation for this injury, it manifestly cannot provide adequate compensation if neither the Interior Department nor the beneficiaries are aware that such information has been altered or destroyed. Additionally, the alteration or destruction of any of this information would necessarily further render any accounting of the individual Indian trust inaccurate and imprecise, and therefore inadequate. Again, the risk that such an alteration or destruction might never be discovered renders this harm one for which money damages are manifestly inadequate. The Court thus concludes that plaintiffs have demonstrated that they would be further irreparably harmed if the Court were to permit the continued operation of the Interior Department's computer systems that either house or provide access to individual Indian trust data, and which have not been demonstrated to be secure from Internet access by unauthorized persons.
C. Balance of Hardships
During the July 28, 2003 hearing, plaintiffs argued that no harm to the Interior Department could result from the grant of injunctive relief, in that the Interior defendants were merely being asked to honor their obligations under the Consent Order. This argument is somewhat overstated. Ordering the disconnection of the Interior Department's computer systems from the Internet will doubtlessly result in injury to the Interior defendants in terms of time, cost, and convenience. The issue, however, is not whether harm to other interested parties will result from the issuance of a preliminary injunction, but whether this harm is outweighed by the harm to plaintiffs if the Court does not issue the injunction.
As explained above, if the Court permits the continued operation of the Interior Department's computer systems that house or provide access to IIM trust data, and that have not been shown to be secure from Internet access by unauthorized persons, plaintiffs will be irreparably harmed. The potential harm to plaintiffs is the risk that an unauthorized person or persons will alter or destroy individual Indian trust data, having obtained access to that data through an unsecured Internet connection. This harm is particularly severe because it will be impossible to compensate the plaintiffs for the loss of data unless (1) the unauthorized access is detected and (2) the data exists in some other medium, enabling the Interior defendants to restore the data on the corrupted system to its original form. The risk that the harm will be irreversible weighs against waiting until a final adjudication on the merits to award injunctive relief.
The Court does not wish to appear to minimize the harm to the Interior defendants and to others that would result from the issuance of a preliminary injunction. It will certainly be burdensome to the Interior Department if its computer systems are disconnected from the Internet for any length of time. But the Interior defendants have not demonstrated that this harm will be either irreparable or irreversible prior to a final adjudication of this litigation. Upon balancing the respective hardships to the parties, therefore, the Court finds that the potential harm to plaintiffs if the injunctive relief sought is not awarded outweighs the potential harm to the Interior defendants if the Court grants plaintiffs' motion for a preliminary injunction.
D. Furtherance of the Public Interest
The final factor to be weighed is whether the issuance of the preliminary injunctive relief sought by plaintiffs would advance the interests of the public. It cannot be denied that, if the relief is granted, individuals who are unable to gain access to the Interior Department's web sites during the time that they are down will be frustrated and inconvenienced. But it is certainly in the interest of the more than three hundred thousand current beneficiaries of the individual Indian trust for this Court to take reasonable steps to protect the integrity of the trust data residing on the Interior Department's computer systems. Additionally, it is difficult to understand how the continued operation of a government agency's computer systems that are subject to "hacking" or other unlawful access is in the best interest of the public. It is true that the public interest would be harmed if particular departmental computer systems whose continued operation is necessary to protect U.S. citizens against the threat of fire, or any other threat to life or property, were disconnected from the Internet. But it is certainly feasible to mandate that such systems be exempted from preliminary relief ordered by the Court. Therefore, the Court finds that the public interest will be advanced by the issuance of the preliminary injunctive relief sought by the Indian plaintiffs.
E. The Nature of the Relief to be Granted
Having determined that plaintiffs have demonstrated their entitlement to preliminary injunctive relief, the Court must still determine the precise nature of that relief. Plaintiffs seek an order disconnecting from the Internet all Interior Department computer systems that either house or permit access to individual Indian trust data, with an exemption for systems whose continued connection to the Internet is necessary to protect against fires and other threats to life or property. Such relief will redress the irreparable harm that would otherwise befall plaintiffs, and the exemption will ensure that the public interest will not be unduly harmed. Of course, it will be necessary for the Interior defendants to furnish evidence that the systems continuing to function actually fall within this exemption. Therefore, the Court will direct the Interior defendants themselves to submit a certification to this Court stating that the systems that are continuing to function are essential to protect against fires or other threats to life or property and describing in detail why each such system is so essential.
During the July 28 hearing, counsel for the Interior defendants argued persuasively that the definition of "individual Indian trust data," as set forth in plaintiffs' proposed preliminary injunction, is far too broad. Therefore, the Court will utilize a definition of "individual Indian trust data" derived from an April 30, 2003 memorandum entitled "Definition of Indian Fiduciary Trust Records" from Deputy Interior Secretary Steven Griles to all Interior Department assistant secretaries, bureau directors, and office heads.*fn8
A difficulty arises, however, in that the Special Master has been authorizing the reconnection of some Interior Department computer systems on the premise that the systems neither house nor provide access to "individual Indian trust data," as that term was defined in the December 17, 2001 Consent Order. But the Griles memorandum makes clear that the Interior Department does not utilize such a universal definition of "individual Indian trust data" -- rather, each agency is instructed to utilize a different flowchart in order to determine whether or not a document contains "individual Indian trust data." In other words, the definition utilized by the Interior Department is agency-specific. This situation demonstrates to the Court that the Consent Order is inadequate, in that the definition of "individual Indian trust data" that it contained --and that was relied upon by the Special Master in determining that particular computer systems neither house nor provide access to such data -- is not the definition used by the Interior Department. As such, any computer systems that were reconnected based on the premise that they did not house or provide access to "individual Indian trust data" were reconnected based on a different definition.
Given that, when the Special Master authorized the reconnection of certain Interior Department computer systems to the Internet, he was utilizing a different definition of "individual Indian trust data" than that employed by the Interior Department, it would seem to follow that the Court should direct the Interior Department to disconnect all of its computer systems currently accessible through the Internet. Logically, the Interior Department should disconnect even those systems that the Special Master has authorized to be reconnected, because the definition of "individual Indian trust data" presently utilized by the Interior Department was not in effect at the time that the Special Master made such authorizations, and because the Special Master has been unable for some weeks now to verify that the computer systems are secure from unauthorized access.
However, plaintiffs have not demonstrated to the satisfaction of the Court that the reconnected systems are not presently secure from unauthorized Internet access. The failure to present such evidence certainly weighs against directing that the reconnected systems be immediately disconnected. On the other hand, the Interior defendants have failed to demonstrate to this Court that the reconnected systems are, in fact, secure from such unauthorized access. Without any evidence that the systems are secure, it would be an act of folly for this Court simply to permit them to remain connected.
The situation clearly calls for the Court to adopt some middle ground between the two extreme steps of disconnecting all of the reconnected systems and permitting their continued operation without any demonstrated showing of security. Therefore, the Court will direct the Interior defendants to submit a certification to this Court with respect to each individual Interior Department system that the Special Master has authorized to be reconnected to the Internet. Each such certification should state in specific terms the reasons why the Interior Department presently believes either that (1) the individual system does not house or provide access to "individual Indian trust data," as that term is defined in the preliminary injunction, or (2) if the system does either house or provide access to such data, that the system is secure from unauthorized Internet access. Each such certification should also state in specific terms the security measures that are in place to protect the data on systems that do either house or provide access to individual Indian trust data. If certifications meeting these requirements are submitted within fifteen (15) days of the entry of the preliminary injunction, the Court will not, at that time, order the systems thus certified to be immediately disconnected from the Internet.
The difficulty, of course, is that the Interior defendants have not represented to the Court that any procedures are currently being implemented by any entity independent from control or interference by the Interior Department to ensure that the reconnected systems either do not house or provide access to individual Indian trust data or are secure from unauthorized Internet access. Although counsel for the Interior defendants has represented that Science Applications International Corporation (SAIC) has conducted tests of the systems, SAIC is a contractor that is paid by the Interior Department. In making this observation, the Court is not suggesting that the SAIC's tests are flawed or inaccurate. Rather, it is merely pointing out the obvious fact that, as a paid contractor of the Interior Department, it cannot be considered to be a testing agency that operates independently of the Interior Department.
The most obvious solution would be to permit the Special Master to conduct tests to determine whether the reconnected systems are either secure from unauthorized Internet access or, in the alternative, neither house nor provide access to trust data. Indeed, plaintiffs request that this Court include in any preliminary injunction an order authorizing the Special Master to make determinations as to whether individual computer systems should be reconnected to the Internet, and spelling out in greater detail the powers at the disposal of the Special Master to make such determinations. But plaintiffs have not demonstrated that the presence of the Special Master in the determination process is indispensable. The only reason that the Interior defendants are obliged to permit the Special Master to verify that their computer systems are secure is that the Consent Order supplies such an obligation.
However, the Interior defendants have taken the position that the Special Master be precluded from acting in any capacity in this case. Additionally, the most recent communication from the Interior defendants to the Special Master indicates that they possess some misgivings as to the "appropriate scope of a special master's duties" in this litigation, in light of the July 18, 2003 opinion of the D.C. Circuit in this case. It is certainly true that one of the grounds on which a court may modify a consent decree is that a change in controlling law renders the decree impermissible. See Rufo v. Inmates of Suffolk County Jail, 502 U.S. 367, 388 (1992) ("A consent decree must of course be modified if, as it later turns out, one or more of the obligations placed upon the parties has become impermissible under federal law."). However, because the role of the Special Master is so thoroughly integrated into the Consent Order -- nine of its twelve provisions relate to his duties -- any substantial reduction of his role would render the Consent Order essentially unworkable.
Therefore, the Court will order that the Consent Order be stayed, effective immediately. Henceforth, instead of relying upon the Special Master to determine whether the Interior Department's systems either are secure from unauthorized Internet access or do not house or afford access to trust data, the Court will make such determinations directly.
The determination process shall proceed as follows. The Court will order all Interior Department systems to be immediately disconnected from the Internet, except for (1) systems whose continued connection to the Internet are certified to be necessary to protect against fires and other threats to life or property and (2) systems that the Special Master has previously authorized to be reconnected to the Internet, and with respect to which the Interior Department has submitted the above-described certifications. Following the receipt of the certifications for the reconnected computers, the Court will permit plaintiffs an opportunity to respond with comments upon the representations made in the certifications.
Within fifteen (15) days thereafter, the Interior defendants shall file with the Court a method of approving individual reconnections of disconnected Interior computer systems, and of determining whether the systems that the Special Master has previously allowed to be reconnected should stay reconnected. Plaintiffs will be afforded an opportunity to comment. Any such proposal must have three features. First, it must demonstrate a method of providing to the Court adequate evidence that the computer system sought to be reconnected (or to stay reconnected) is, in fact, secure against Internet access by unauthorized users. Second, it must provide the Court with the means to verify the representation that the computer system has been thus secured. The nature of such independent tests may either be borrowed from an existing set of testing standards, such as that developed by the National Institute of Standards and Technology, or determined by either an independent contractor with whom the Court is satisfied or a separate government agency, such as computer experts from the Department of the Treasury. Third, and finally, the proposal must allow for the continued monitoring of systems that have been reconnected, in order to determine whether the systems continue to be secure from unauthorized Internet access.*fn9
When this Court approved the Consent Order entered into by the parties on December 17, 2001, it hoped that the problem of security of the Interior Department's computer systems would be appropriately addressed. It is apparent from the representations made by the parties during the June 27 and July 28, 2003 hearings that this is not the case. The Court now sees that the Consent Order is manifestly inadequate to ensure the security of individual Indian trust data on the Interior Department's computer systems. Therefore, the Court will stay the Consent Order and enter preliminary injunctive relief in favor of plaintiffs.
A separate order consistent with the foregoing shall issue this date.