Interior allowed to reconnect to Internet

Judge rules six-year disconnect order not valid, but still worries that the department’s computer security practices are inadequate.

After working for more than six years under a court ruling not allowing certain Interior Department employees to use the Internet, a U.S. District judge ruled this week that the affected departmental agencies could get back online.

District Judge James Robertson granted on May 14 motions filed by Interior requesting that the Bureau of Indian Affairs, the Office of Hearings and Appeals, the Office of the Special Trustee, and the Office of Historical Trust Accounting be allowed to reconnect their networks to the Internet.

In December 2001, U.S. District Court Judge Royce Lamberth ordered Interior to disconnect from the Internet all information technology systems that had access to Indian trust data managed by Interior's Bureau of Indian Affairs. The ruling was part of a class action lawsuit accusing the government of mismanaging thousands of Indian trust accounts. The lawsuit also alleged that BIA had failed to protect account holders' personal information stored in its databases. Court-appointed specialists had hacked into the department's systems and accessed the data. Since then, most Interior agencies have come back online, but BIA and the other affected agencies remained offline.

Robertson ruled that the order to disconnect from the Internet, which laid out conditions for what the bureaus had to do to reconnect, no longer was valid. "I find that the consent order is of no further use and must be vacated," Robertson wrote in his ruling. "The . . . disconnected offices and bureaus may be connected."

He added that his ruling was based not on evidence but "on a legal conclusion that it is not my role to weigh IT security risks."

Interior Chief Information Officer Michael Howell welcomed the ruling. "After nearly six and a half years, the Bureau of Indian Affairs, Office of the Special Trustee, and other Interior offices will be able to reconnect to the Internet," he wrote in an e-mail responding to a request for comment. "While we have done our best to provide services in the interim, this will significantly improve our ability to serve our customers and stakeholders and improve our ability to communicate and coordinate efficiently among all of Interior's bureaus and offices."

Interior employees who were disconnected from the Internet were forced to develop workarounds to access and receive information. "For six years, these employees (for two years, I was among them) have sat in front of lonely computers, sending e-mails only to co-workers on an internal system, and limiting themselves to work-related content," wrote Maria Streshinsky for The Atlantic Web site. "To manage, various workarounds were developed. The Office of Personnel Management had to establish a separate system to deliver paycheck stubs and human-resources news to those who had been cut off. No wireless devices were allowed in affected offices. BIA's law-enforcement offices had no access to cross-bureau security and safety information."

Howell said the department now would be able to communicate electronically with tribes and other agencies and post information directly to its Web sites. In addition, employees will be able to access online applications and services and respond more quickly to customers' requests.

Interior has crafted a plan to restore Internet connectivity, while ensuring adequate security, according to Howell. He said the plan calls for a phased implementation, including four components, during the next several months. In the first phase, which began this week, Interior will reconnect employees in the Washington metro area. Interior will proceed to reconnect employees in field locations by September, if not sooner.

In his ruling, Robertson wrote that under the 2002 Federal Information Security Management Act, it was the responsibility of the executives in charge of agencies to make sure the agency had adequate security to prevent unauthorized access of information. The judiciary had no role in determining what that adequate information security was. He also said he had no reason not to believe the top officials from the affected agencies who asserted that they were compliant with FISMA.

But Robertson acknowledged that Interior's IT security may still be inadequate. "The congressional and inspector general reports indicating that the Interior Department, overall, continues to receive failing grades on its IT report card are troubling, but I have no authority to act in response to them, nor do I have any colorable suggestion that the declarations before me … were made in bad faith," he wrote.

Interior received a failing grade for its compliance with FISMA in 2007 and 2006, according to a report card released by Rep. Tom Davis, R-Va., on Tuesday. Interior was one of eight agencies that received an F.

When asked if he was comfortable with the level of network security at BIA, Howell responded that Interior had "deliberately designed the security of all of the systems being reconnected to be commensurate with the sensitivity of the information they contain and the risks we face."

He added that the bureau had tested multiple levels of security before reconnecting to the Internet and that Interior planned to monitor security on an ongoing basis, taking appropriate actions when needed.