- By Bruce McConnell
- Feb 03, 2002
Before Dec. 5, 2001, the National Park Service Web site (www.nps.gov)
served 700,000 contacts per day. Since that day, service has been limited
to a previously contracted-out campground reservation system. The situation
is similar across most Interior Department sites, and external e-mail is
Did a hacker or terrorist cause this denial of service? No, it was federal
judge Royce Lamberth, in response to demonstrated security vulnerabilities
in the Bureau of Indian Affairs' Web-based trust account information system.
The court mandated that any Interior system that could facilitate unauthorized
access to individual Indian trusts be taken offline until security is guaranteed.
At its worst, the service denial hurts the very plaintiffs the ruling was
meant to protect: 40,000 American Indians' monthly land-lease checks have
The December ruling reflects years of cybersecurity neglect, as chronicled
in a report issued in mid-November by court-appointed Special Master Alan
Balaran. This report is the latest of some two dozen evaluations, including
recent failing grades from Congressman Stephen Horn (R-Calif.), identifying
security flaws in these systems. Last summer, a court-hired security firm,
Predictive Systems Inc., easily penetrated the trust account system on its
first attempt to test its security. In a later hack, its representatives
managed to create and divert funds to a new account.
The department has hired more security help to untangle its web of interconnections,
and isolate and secure subsystems in preparation for bringing them back
up. Meanwhile, vital systems that support fire safety remain down, thousands
of agency employees remain unconnected, and many thousands of citizens and
taxpayers remain unserved, nearly two months after the shutdown.
Three important lessons can be drawn from these events. First, we are
no longer merely becoming an electronic government we are one. Although
we have not transformed the way government serves the public, we underestimate
our critical dependence on technology. The time and opportunities lost are
surely valued in millions of dollars, and the loss of faith in the dependability
of government to serve citizens around-the-clock is incalculable.
Second, our security threat profile has been altered. Until recently,
few realized that a commercial jetliner, a slim letter or a shoe could be
a weapon. Similarly, agency lists of information security threats do not
generally include the judicial system.
Finally, government cannot afford to overreact to threats by taking
down Web sites and denying its own service. As Thomas Jefferson said, "Information
is the currency of democracy." Statute and policy still require maximum
disclosure of information to the public via electronic means. Security considerations
in this area must be balanced, as always, with the needs of a free society.
McConnell, former chief of information policy and technology at the Office
of Management and Budget, is president of McConnell International LLC (www.mcconnellinternational.com). Helena Plater-Zyberk contributed to this column.