A December Interior IG report shows numerous cases in which the agency did not take proper steps to secure wireless traffic.
Lawyers representing a group of American Indians suing the Interior Department say wireless Internet service could grant unauthorized access to Indian trust fund account information. But Interior plans to issue a solicitation notice for departmentwide wireless service soon.
Interior lawyers are reviewing the final version of the notice and would not comment on its contents.
Last Tuesday, lawyers gave a federal judge a report published in December by Interior’s inspector general on wireless management and security. It details how easily hackers could manipulate trust accounts held by 500,000 American Indians.
Between October 2003 and April 2004, inspectors found that Interior networks sometimes intersected with other networks and broadcast information to inappropriate areas and people.
Last month, Interior shut down the Bureau of Land Management’s Web site after the IG issued a report warning that its information technology systems were vulnerable to cyberthreats. The shutdown was the latest in a long-running dispute about the security of Indian trust fund information.
December’s report notes that at the BLM Boise, Idaho, District Office, a wireless network that was supposed to bridge the district office directly to a building about a mile away was broadcasting the network signal to everyone within a mile radius. Inspectors observed that more than 3,000 other commercial and residential wireless networks occupied that radius.
Other instances of BLM sloppiness appear throughout the IG’s report. “We observed approximately 148 users connecting to [a BLM] wireless network during non-business hours; however, BLM indicated that there were only about 10 authorized users,” the report states.
The report adds that officials may have alleviated some security concerns by issuing the April 2004 memo that required insecure Interior agencies to disconnect their wireless networks.
But the IG report states that the memo is “silent on how DOI should handle what may be the inevitable use of wireless technology in the future.”
Interior officials have not disclosed information about the new wireless initiative because of the current litigation and bidding protocol.
Interior spokespersons released a statement. “To understand our position regarding the commercial wireless [cellular] services program under DOI's Wireless initiative, the Office of the Chief Information Officer and the Office of Acquisition and Property Management offices partnered. Significant progress has been made, and a solicitation will soon be issued. This partnership is the department's direct response to the March 2004 GAO Report ‘Agencies Can Achieve Significant Savings on Purchase Card Buys.’”
The project’s synopsis states that Interior must establish an enterprisewide contract vehicle to acquire cost-effective nationwide commercial wireless services, coverage and management. The notice pertains to commercial mobile wireless services.
The IG report warns that the agency must take steps to improve security of wireless services. The report found, for example, that the wireless signals are available after business hours and are also identifiable. Inspectors quickly recognized that a wireless network was BLM’s because it broadcast a unique network name.
“Additionally, we found at one BLM and one [Fish and Wildlife Service] location that wireless networks remained in operation during non-business hours,” the report stated. “This, in conjunction with the networks broadcasting unique identifying information that is easily identifiable to DOI, accelerates a hacker’s ability to compromise DOI networks.”
At a Bureau of Reclamation facility, inspectors identified wireless signals in three parking lots outside the network’s perimeter.
In addition, Interior could not account for all wireless network devices. Specifically, six network access points at two BLM locations were not inventoried.
An earlier court order disconnected the Bureau of Indian Affairs from the Internet, but the IG report found that contractors at a BIA office used non-Interior laptops that had wireless capabilities. Wireless-enabled laptops could be connected to Interior’s wired networks and expose those networks and data to unauthorized users, the report states.