Information Security

Defending the digital infrastructure


Data security failure: How the government broke our trust

The government exposed thousands of Native Americans' financial data to hackers. Elouise Cobell forced the government off the Internet.

"Temporarily Unavailable" reads the notice on the Bureau of Indian Affairs Web site. Temporary, in this case, is nearly three years...and counting.

A U.S. District Court judge ordered the Department of the Interior to disconnect from the Internet in 2001 because of concerns raised in a class-action lawsuit filed on behalf of a half-million Native Americans, who are suing the government for mismanaging the Individual Indian Money (IIM) trust fund.

"It's all about broken trust," says Elouise Pepion Cobell, a member of the Blackfeet tribe and the lead plaintiff in the lawsuit (officially known as Cobell v. Norton), which claims the government can't account for as much as $150 billion the fund has collected over the last 117 years.

The disconnection has had an impact. Nearly 10,000 government employees have no Internet or e-mail access and must do business by telephone, snail-mail and fax machines. Interior officials say the ban is driving up operations costs because remote Bureau of Indian Affairs (BIA) employees can't access online applications; some have to drive long distances just to file paperwork.

Next month, the government will head back to court, seeking to have the order lifted. A reversal is the worst possible outcome for Cobell, who says data security is essential if there's ever to be a full accounting of the trust fund.

"The government mandates that financial firms have all sorts of security in place. If they didn't have them, the government would be on them in a New York second," says Cobell, a banker and executive director of the Native American Community Development Corp.

Demand for Full Accounting
Blackfeet Nation is a sprawling 1.5 million-acre reserve in the northwest corner of Montana. It's also one of the nation's 25 poorest regions. At its center is Browning, an outpost of 7,000 residents supported by a hodgepodge of mom 'n pop shops. The town's largest employer is the BIA; the official unemployment rate is more than 75 percent.

This is where 58-year-old Elouise Pepion Cobell was born and raised.

In her youth, Cobell would listen to tribe members talk about how the government had their money. As an adult, she learned the money was part of the IIM, established in 1887 to manage nearly 11 million acres owned by Native Americans (the lawsuit claims 500,000 beneficiaries among 500-plus tribes; the government says 250,000).

The IIM is a byproduct of the American expansion cry of "manifest destiny." As settlers pushed deeper into the western territories, they displaced Native American tribes into remote, desolate regions that were initially deemed undesirable.

The discovery of gold, oil and coal on these reservations changed settlers' attitudes, causing a further erosion of tribal lands. For the Blackfeet, whose territory once stretched across the Great Plains and as far south as New Mexico, this meant being confined to their current reservation on the Canadian border.

"The government didn't think the Indians were intelligent enough to take care of their own lands, so they put [the land] in trust," explains Cobell, who began championing the IIM accounting project nearly a decade ago.

In 1997, she won a MacArthur Fellows Program "genius award" for her work.

The IIM gets its money from leases the BIA grants to private companies for mining, drilling, logging and grazing. To the beneficiaries, though, the periodic disbursements never seem to add up.

"They receive statements and disbursements, but you can't tell what money is coming in or going out," says Geoffrey Rempel, the plaintiff's accountant. "Some Indians don't even know where their land is."

The government's attorneys admit that poor management and accounting practices left numerous gaps in the century-old paper trail. The Interior Department estimates the fund has collected $13 billion since 1909; the lawsuit's claim is much higher.

We've gone from one of the organizations known for not being sophisticated in IT to one of the leading bureaus.


Brian Burns,
 CIOBureau of Indian Affairs

"If J.P. Morgan was operating this trust in this fashion, the controllers wouldn't wait. They'd round the executives up and throw them in jail," Rempel adds.

The Cobell suit demands a full accounting of the IIM and a full disbursement of money owed to beneficiaries. The 1994 Indian Trust Reform Act calls for a full accounting of the IIM, but work didn't begin until U.S. District Court Judge Royce Lamberth ordered it last September. The government estimates the effort will take 10 years to complete and cost from $3 billion to $10 billion.

To ensure that a full accounting is possible, Cobell and her fellow plaintiffs want the surviving data protected. That's where network security comes in.

Message From the Inside
The first inkling that IIM data was in jeopardy came in 1999, when the BIA was relocating its data center from Albuquerque, N.M., to Herndon, Va. Mona Infield, a data center employee, tipped off Cobell's attorneys to the security problems.

"[Infield] told us that the government had no plans to secure the data in transit. It was a Pandora's Box that opened more issues," says accountant Rempel.

Cobell's attorneys petitioned the court for a security review, the results of which were astounding: The Interior Department's network, specifically the BIA's infrastructure, was wide open. No firewalls shielded the networks, and little authentication was required for access.

In December 2001, the court ordered the entire Interior Department to disconnect from the Internet, leaving employees without e-mail, Internet access or the ability to communicate electronically with other government agencies. Although the court amended the disconnection order only to systems that held IIM data, the government couldn't discern which systems these were, thus all BIA systems remain cut off.

The court has affirmed its order three times (the last order was issued in March), mostly because the government has failed to show security improvements or has declined security certification by the court-appointed special master.

Today, the only messages on the BIA Web site are a notice about the disconnection and links to active Interior Department sites. The only BIA systems with external connections are the 100 PCs and servers that coordinate firefighting data for 55 million rural acres in 31 states.

"What the court said was, 'You're not doing a good job protecting the data, so you either have to return the data or protect it.' This type of result is inevitable," says Mark Rasch, chief security counsel at MSSP Solutionary and a former Department of Justice computer crime prosecutor.

Not Sitting Idle
Despite the plaintiffs' claims, the government hasn't been idle. The BIA has invested heavily in security improvements and accounting of the trust fund records.

When you're dealing with so many bureaucrats, so many egos, you just can't get anything fixed.


Elouise Pepion Cobell,
 lead plaintiffCobell v. Norton

"While we've been off the Internet, we've been able to focus on our Web capabilities, so we'll be able to go live securely when we do have a Web presence," says Brian Burns, who became the bureau's CIO in 2002.

Burns' team has rebuilt the agency's IT infrastructure and management to make it more secure. They started by centralizing the management and policymaking, instead of allowing its 12 regions and 86 subordinate agencies to implement their own solutions.

The BIA built a security operation center at its Virginia facility, constructed a secure WAN dubbed TrustNet, created a national help desk, centralized patch and configuration management, contracted MCI for security monitoring and standardized workstations with hardened configurations. Burns says the IT staff eliminated 97 percent of the security problems cited in a 2002 audit. The direct cost through fiscal year 2004 is $61.4 million.

"We've gone from one of the organizations known for not being sophisticated in IT to one of the leading bureaus," Burns says.

Nevertheless, the BIA remains offline.

As late as last year, the court's special master, Alan Ballorine, claimed to have hacked into the BIA's network and accessed and manipulated trust data. According to court documents, third-party tests found similar deficiencies. And the Interior Department's own security reports to the Office of Management and Budget noted continuing security deficiencies.

Burns doesn't claim all the security problems are solved and expresses a willingness to work with the courts to get the BIA to an acceptable security level.

The government's lawyers don't share Burns' position. In briefs filed with the appellate court, the lawyers argue that the lower court lacked the authority to impose such draconian measures. Since the Cobell lawsuit is about accurate accounting, according to government lawyers, the court's authority doesn't extend to peripheral issues, such as computer security.

"The government doesn't believe it has the responsibility to protect this data," says accountant Rempel.

Duty to Protect
Private enterprises are subject to fair accounting rules and have a duty to protect financial information under such laws as Sarbanes-Oxley and Gramm-Leach-Bliley. The government, however, argues these rules of trust don't apply to its management of the IIM--especially since there's no evidence of a security breach and no fund beneficiary has suffered a loss.

"The plaintiffs never attempt to explain how common law principles could require a trust to spend millions of dollars of its own money to improve its security system to a standard deemed appropriate by a court, particularly when no beneficiary is known to have suffered any loss as a result of the asserted deficiencies," the government's attorneys state in the court filings.

A ruling for Cobell could embolden a growing number of regulators-particularly the Federal Trade Commission and states' attorneys general-who have already begun enforcement action against companies that fail to adequately provide the security promised to customers.

Victoria's Secret, Tower Records, Ely Lilly and Barnes & Noble have been sanctioned for failing to live up to their security promises. Last month, Gateway Learning, maker of the "Hooked on Phonics" learning system, agreed to pay fines for violating its privacy policy against selling customers' identifying information.

"There are very clear signals from the FTC that they will go after businesses that don't secure their system, even if there's no compromise in the past," says Michael Overly, an attorney specializing in infosecurity law at the Los Angeles firm Foley & Lardner.

Not everyone believes a victory for Cobell or the court's action in this case will have broad implications for private enterprises. Since most enterprises' security problems are results of gaps, not gross mismanagement or negligence, some believe the courts and regulators will limit themselves to fines.

"The courts will provide injunctive relief, require maintaining security program that are audited by a third party and impose fines. But it's not like they'll keep Victoria's Secret from operating on the Internet," explains Marc J. Zwillinger, who specializes in cyberspace law at the Washington law firm Sonnenschein, Nath and Rosenthal.

Miles To Go
Native Americans aren't expecting much from Cobell's case. Their collective history is littered with the U.S. government's unfulfilled promises and broken agreements. Even if Cobell wins the security battle, there's no end in sight for the war over the IIM's accounting.

Cobell remains optimistic, though. With enough time and effort, she believes IIM beneficiaries will get their full accounting. Until then, she and her attorneys aim to keep the BIA and any other government system with trust fund data offline until they're secure.

"We've embarrassed them, but they still won't fix it," she says. "The only way to fix it is to bring the Department of the Interior under receivership. When you're dealing with so many bureaucrats, so many egos, you just can't get anything fixed."

About the author:
Lawrence Walsh is the executive editor of Information Security magazine.

Article 2 of 9

Dig Deeper on Government information security management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All