Internal report contradicts Interior's claims that systems were secure

A year-old internal report that harshly criticized the Interior Department's management of its computer networks, leaving systems wide open to cyberattacks, contradicts recent statements by department officials that they have improved security to protect sensitive information, according to lawyers representing Native Americans in an ongoing lawsuit against Interior.

The report is included in a notice filed in U.S. District Court on Wednesday by lawyers representing American Indians in a multibillion-dollar lawsuit against the government.

The report, written by the department's inspector general in May 2008, said Interior's IT management "is ineffective, costly, wasteful and lacks accountability."

The report concluded, "The department's own chief information officer acknowledged the department is failing. Sweeping reform is required to correct deficiencies in the department's IT program."

The IG office did not publicly release the report. Nextgov received a copy, which was attached to the notice filed by in U.S. District Court on Thursday.

The report was written by former Interior inspector general Earl Devaney, now chairman of President Obama's Recovery Act Transparency and Accountability Board, said a former Interior employee who asked not to be named because of the political implications of the situation.

The problems in IT management were of an urgent nature, the IG said. "In 2008, the department's own CIO warned, 'We are behind and falling further behind. Unless we act now and change how we approach these problems, we will fail.'"

Devaney held on to the report for weeks before delivering it to Dirk Kempthorne, who served as Interior secretary from 2006 to 2009, rather than publish it so Kempthorne would have an opportunity to fix the problems, the former employee said. Kempthorne formed a committee to respond to the recommendations in the report, but the panel's response was not officially published.

"It was allowed to die a quiet death," the employee said, adding Interior officials have yet to address the recommendations in the IG report.

Interior officials and Devaney did not respond to a request for comment.

Poor IT management left Interior networks wide open to cyberattacks, the report concluded. In January 2008, an Interior official discovered that 35 percent of all traffic leaving the department's networks was bound for computers in foreign countries, including China, Vietnam and Russia.

Interior hired a consultant to investigate its traffic patterns. The consultant concluded the department "does not have sufficient visibility into their networking infrastructure to conclusively monitor for potential intrusions or malicious activity. . . . Given the current environment -- as documented by the department's own outside expert -- it is unfathomable anyone could give assurance the department's network is secure."

Lawyers representing American Indians who have sued Interior for mismanaging the royalties it collects from companies that pay fees to extract oil, gas and minerals from tribal land say the report contradicts the assurances department officials gave that its networks -- and the accounting programs that reside on them -- were safe from hackers.

Interior has struggled to secure its systems for years. In December 2001, the department was ordered to disconnect networks from the Internet that had access to Indian trust data managed by the Bureau of Indian Affairs.

Most Interior agencies came back online within two years, but BIA and a few others remained offline until May 2008, when Interior filed a motion in U.S. District Court requesting the last department offices be allowed to reconnect to the Internet.

Mike Howell, then-Interior CIO who is now deputy administrator for e-government information technology at the Office of Management and Budget, told the court that adequate security controls were in place, and Judge James Robertson ordered Interior to reconnect all agencies and offices connections.

When Nextgov asked if he was comfortable with the level of network security at the bureau, Howell said in an e-mail dated May 20, 2008: "Yes. We deliberately designed the security of all of the systems being reconnected to be commensurate with the sensitivity of the information they contain and the risks we face. We have multiple levels of security that were carefully tested and proven before we began reconnecting."

Dennis Gingold, lead counsel for the 500,000 Indian trust beneficiaries involved in the class action lawsuit, said the IG's report shows Interior was less than forthcoming about the state of IT security during the 2008 trial. "They made representations that the systems were trustworthy. The reality is they didn't tell Judge Robertson about this [report]," he said. "On the face, those declarations are in direct conflict with what the CIO informed Earl Devaney."

Robertson awarded the Indian trust $455.6 million in July 2008, but Gingold said the group is appealing the ruling, claiming interest should be is owed and Interior's systems were not as secure as the department officials declared.

"Isn't it interesting that right before a major trial to determine the government's liability, a report comes out and is concealed," Gingold said. "We only got it through good luck, otherwise it would still be concealed today. I've been practicing law since 1974, and I've never known this type of thing to occur where one party can withhold evidence, destroy documents, intimidate witnesses, all of which are part of the court's findings, and be able to proceed as if nothing happened."