Re: 3 strikes - Interior Department ordered offline again
This is quite something. From Judge Lamberth's order, additional insight into the behavior of a contractor we know well:

It is unfortunate, therefore, that Interior proposes that "[e]ach bureau or office for which reconnection is intended will take steps to verify its representation that the IT system is secure from Internet access by unauthorized users." Interior Proposal at 7. In support, Interior plans to submit documentation to the Court that "will incorporate the data necessary to support a risk-based decision on Internet reconnection. The assessment may include, as appropriate: (1) network mapping and enumeration; (2) SANS/FBI Top 20 Vulnerability List Comparison; (3) vulnerability assessment; and (4) penetration testing." Id. at 7. Interior further offers that "the above assessment will be performed by Interior or its contractor." Id. at 7 n.9. Interior's current contractor is Science Applications International Corporation (SAIC). Id. at 8 n.11. As this Court already noted: "SAIC is a contractor that is paid by the Interior Department and as such it cannot be considered to be a testing agency that operates independently of the Interior Department." 274 F.Supp.2d at 133. Furthermore, the Court observes that SAIC's long history as an Interior contractor in this area and the simple fact that Interior's IT security remains poor makes this Court reticent to rely on their judgment. Allowing Interior or SAIC to provide the verification of representations made by its bureaus on the adequacy of their IT security does not offer this Court any party without a conflict of interest or a track record of incompetency and is an insufficient method of verifying IT security. The Court's desire is simple and specific.

The Court wants Interior to propose and the Court to approve 1) an entity with no prior relationship to Interior, 2) that possesses the requisite expertise in IT security, 3) whose only work for Interior will be performing the tasks set forth for it in the preliminary injunction issued this date, and 4) who will report all its findings to the Court. The Court does not mandate that such an entity work for the Court; in fact they can be paid and supervised directly by Interior. In this regard the Court is now making and continues to make every effort to allow the department to manage its own affairs without Court intervention. But the Court must absolutely have an entity not tainted by the history of falsehoods and deceptions that has plagued this litigation, nor otherwise dependent upon Interior for its revenues and livelihood, to provide honest appraisals of the security of individual Indian trust data ...

Interior truly brought this on themselves.

Accordingly, the Office of Inspector General, the Minerals Management Service, the Bureau of Land Management, the Bureau of Reclamation, the Office of the Special Trustee, Fish and Wildlife, the Bureau of Indian Affairs, the Office of Surface Mining, and the National Business Center must disconnect all of their respective computer systems from the Internet. This includes every single IT system within that bureau, whether or not that IT system houses or provides access to individual Indian trust data. In contrast, the National Park Service, the Office of Policy Management and Budget, and the United States Geological Survey do not have to disconnect any currently connected system from the Internet. Lastly, no system essential for the protection against fires or other threats to life or property should be disconnected from the Internet.
Fred Heutte