Opinion
Beneficiaries of individual Indian money (IIM) trust accounts brought class action against Secretary of the Interior and other trustees, seeking declaratory and injunctive relief for alleged breach of trust and interference with duties of Special Trustee under Indian Trust Fund Management Reform Act. Following plaintiffs' filing of motion for emergency temporary restraining order, motion for preliminary injunction, and motion for order to show cause why Secretary should not be held in contempt, the Court instructed special master to investigate possible computer security breaches at Department of Interior's Office of Information Resources Management. After issuance of report and recommendation of special master regarding security of trust data, the District Court, Lamberth, J., held that report was entitled to deference.
Ordered accordingly.
Keith M. Harper,Native AmericanRights Fund, Washington, DC, Dennis Marc Gingold, Mark Kester Brown, Washington, DC, Elliott H. Levitas, Kilpatrick Stockton, LLP, Washington, DC, for plaintiffs.
Robert D. Luskin, Patton Boggs, L.L.P., Washington, DC, Tom C. Clark, U.S. Dept. of Justice, Land & Natural Resources Division, Washington, DC, Susan Virginia Cook, Washington, DC, Brian L. Ferrell, Andrew M. Eschen, U.S. Department of Justice, Washington, DC, Charles Walter Findlay, III, Sarah D. Himmelhoch, Washington, DC, Sandra Marguerite Schraibman, U.S. Dept. of Justice, Federal Programs Branch, Washington, DC, Connie S. Lundgren, U.S. Dept. of Interior, Washington, DC, Edith R. Blackwell, Washington, DC, John Charles Cruden, Annandale, VA, Lewis Steven Wiener, Henrichsen & Siegel, P.L.L.C., Washington, DC, Mark E. Nagle, Robert Craig Lawrence, Scott Sutherland Harris, U.S. Attorney's Office, Washington, DC, J. Christopher Kohn, U.S. Dept. of Justice, Washington, DC, John Most, Washington, DC, JoAnn Shyloski, Barry Weiner, U.S. Dept. of Justice, Environment & Natural Resources Division, Washington, DC, Terry M. Petrie, Denver, CO, Seth Brandon Shapiro, Washington, DC, Sandra Peavler Spooner, Peter Blaze Miller, Cynthia L. Alexander, Amalia D. Kessler, Mathew J. Fader, Washington, DC, John Stemplewicz, Washington, DC, Herbert Lawrence Fenster, McKenna & Cuneo, LLP, Washington, DC, Elizabeth Wallace Fleming, Preston, Gates, Ellis & Rouvelas Meeds, Washington, DC, B. Michael Rauh, Manatt, Phelps & Phillips, L.L.P., Washington, DC, for defendants.
MEMORANDUM and ORDER
LAMBERTH, District Judge.
On November 14, 2001, the Special Master issued the Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior (" Special Master Report" ). On November 26, 2001, the Department of the Interior filed its response to the Special Master report arguing, inter alia, that the " clearly erroneous" standard of review articulated in Rule 53(e)(2) is inapplicable to the findings of the Special Master's Report, insofar as the investigation did not comport with the type of hearing and due process protections contemplated by the Federal Rules.
At no time has Interior disputed any of the facts disclosed by the Special Master regarding the state of its computer security. To the contrary, Interior has consistently acknowledged " that problems exist with respect to trust data security," Response to the Special Master Report at 1, and that " substantial effort continues to be necessary to ensure that the security of Indian trust-related IT systems is adequate," Response to Plaintiffs' Motion for Temporary Restraining Order as Amended at 4.
Aside from the Interior's request for an emergency hearing to open up the USGS systems, no other emergency motions have been filed.
Interior specifically argued that the Special Master Report was not entitled to deference pursuant to Fed.R.Civ.P. 53(e)(2) because it was not accompanied by a " transcript of the proceedings and of the evidence and the original exhibits" ( see Fed.R.Civ.P. 53(e)(1)) and because it failed to identify all of the " government employees and private contractors" interviewed. Response at 3 n. 3. Interior amplified its concerns in its Response to Plaintiffs' Renewed Motion for Temporary Restraining Order As Amended where it contended that " [t]he Special Master's Report identifies a variety of sources of evidence upon which its conclusions are based, including interviews with ‘ government employees and private contractors' and review of thousands of mostly unidentified Interior communications." Id. 6. See also Interior Defendants' Surreply in Opposition to Plaintiffs' Renewed Motion for Temporary Restraining Order at 1 (" Interior Defendants point to three reasons why de novo review is appropriate: (1) the Special Master's factual findings ‘ were not based on hearings conducted after notice; ’ (2) the Special Master relied on ex parte contacts; and (3) the Special Master did not file a record with the Report" (citations omitted)).
On December 20, 2001, the Special Master filed the Supplemental Report of the Special Master Regarding the Security of Trust Data at the Department of the Interior setting out procedures and protocols he employed in obtaining the testimony and documentary information which formed the basis for the Report.
On December 31, 2001, Interior filed the Department of the Interior's Response to Supplemental Report of the Special Master Regarding the Security of Trust Data at the Department of the Interior in which it acknowledged that the Supplemental Report of the Special Master " identified the persons interviewed in drafting the Special Master's Report" and that the " Special Master also provided the parties with all documents which he consulted." Response to Supplemental Report at 1-2. While explicitly reserving " the right to argue that future reports are not entitled to deference if the procedural requirement of Fed.R.Civ.P. 53 and other applicable law are not observed," id. at 2, n. 1 (and while specifically objecting to the appointment of a receiver over computer security measures), Interior conceded that " [t]he Supplemental Report and the provision of the documents which the Special Master consulted address, for purposes of the Special Master's Report, the Interior Defendants' arguments noted above." Id. at 2.
As Interior does not dispute the underlying facts set out in the Special Master Report, and, as it concedes that the Special Master's Supplemental Report adequately addresses the due process concerns it enunciated in previous pleadings, this Court adopts the finding of the Special Master Report and it is hereby entered into the record of this case. See Fed.R.Civ.P. 53(e)(2) ( " In an action to be tried without a jury the court shall accept the master's finding of fact unless clearly erroneous." ) (emphasis added). Interior has not even argued that any of the Special Master's findings are clearly erroneous. Interior did object to the Special Master's failure to note that in September and October, 2001, Interior contracted with Predictive Systems, Inc., the contractor used by the Special Master to penetrate Interior's computer systems, to assist Interior in improving IT security. The Court agrees that this was in fact a positive action by Interior, although it was too little, too late, to enable Interior to avoid emergency injunctive relief.
The Court does not today decide whether appointment of a receiver or other judicial officer, as recommended by the Special Master, in light of his findings, is appropriate. Further proceedings in that regard will be conducted.
SO ORDERED.
FIRST STATUS REPORT OF THE SPECIAL MASTER REGARDING THE SHUTDOWN AND RECONNECTION OF COMPUTER SYSTEMS AT THE DEPARTMENT OF THE INTERIOR
Background
Following plaintiffs' May 17, 2001 filing of their Consolidated Motion for an Emergency Temporary Restraining Order and Motion for a Preliminary Injunction and Motion for Order to Show Cause Why Secretary Norton, Her Employees and Counsel Should Not Be Held in Contempt, the Court instructed the Special Master to investigate possible computer security breaches at the Department of Interior's Office of Information Resources Management. On November 14, 2001, the Special Master filed his Report and Recommendation of the Special Master Regarding the Security of Trust Data at the Department of the Interior (" Special Master Report" ) chronicling Interior's history of compliance with its fiduciary duty to safeguard and secure individual Indian trust data. The Special Master concluded that Interior was " in derogation of court order, common-law, and statutory and regulatory directives" and that it " demonstrated a pattern of neglect that has threatened, and continues to threaten, the integrity of trust data upon which Indian beneficiaries depend." Special Master Report at 152. The Special Master, as a result of these findings, recommended that the Court " intervene and assume direct oversight of those systems housing Indian trust data." Id.
The plaintiffs subsequently renewed their motion for a temporary restraining order and, on December 4, 2001, orally moved the Court to order the disconnection of Interior's information technology systems until individual Indian trust data could be secured. At the Court's direction, plaintiffs filed an Emergency Alternative Motion for a Temporary Restraining Order on December 4, 2001 asking that " defendants immediately disconnect from the Internet all information technology systems which provide access to individual Indian trust data." Following a hearing convened on December 5, 2001, the Court granted plaintiffs' motion and ordered: (1) " that defendants shall immediately disconnect from the Internet all information technology systems that house or provide access to individual Indian trust data" ; and (2) " that defendants shall immediately disconnect from the Internet all computer within the custody and control of the Department of the Interior, its employees and contractors, that have access to individual Indian trust data." Temporary Restraining Order at 2.
On December 8, 2001, the Court granted defendants' December 7, 2001 Motion for Partial Relief which allowed the United States Geological Service (" USGS" ) to provide real-time dissemination of information about floods and droughts and to reconnect the National Interagency Fire Center (" NIFC" ) to allow BIA/NIFC to respond to fire emergencies.1 In its motion, Interior stated that it " believe[d] that these and other problems would be correctable if Interior is permitted to reconnect to the Internet any information technology system that does not house individual Indian trust data and that does not provide access to individual Indian trust data, even if it did satisfy one of these criteria when the Temporary Restraining Order was entered." Motion for Partial Relief at 3. The only condition placed by the Court on its Order Providing Partial Relief from Temporary Restraining Order was that Interior reconnect its systems " within 24 hours of notice to the Special Master and plaintiffs' counsel with appropriate documentation." Order at 1.
The Court's approval was given notwithstanding the supporting statement provided by Interior consultant, SAIC Technical Director Hart Rossman, in support of the Motion for Partial Relief which stated that,
On December 17, 2001, the Court entered a Consent Order that, in part, preserved the injunctive relief granted by the temporary restraining order and, in part, offered Interior several vehicles by which technology systems could be: (1) operated on a stand alone basis if disconnected from the Internet; (2) reconnected to the Internet upon successfully demonstrating that such systems did not house or provide access to individual Indian trust data; (3) reconnected to the Internet for specific, limited periods of time in order to facilitate the testing of system security or the payment of individual Indian trust monies; or (4) reconnected to the Internet on a permanent basis if it could be demonstrated that adequate security was provided for individual Indian trust data.
The Consent Order also provided that " Interior Defendants may reconnect to the Internet any information technology system that does not house individual Indian trust data and that does not provide access to individual trust data seventy-two hours (72) after providing actual notice with appropriate documentation to the Special Master and Plaintiffs' counsel or immediately upon concurrences of the Special Master," (Consent Order at 5-6) and required Interior to secure the approval of the Special Master prior to reconnecting any of the Information Technology (" IT" ) systems impacted by the Court's Order.
On January 10, 2002, Department of the Interior Assistant Secretary Neal McCaleb published a letter to " Tribal Leaders" outlining Interior's efforts to reconnect those computer systems that were shut down pursuant to the Court's December 5, 2001 Temporary Restraining Order and in accordance with the terms of the Court's December 17, 2001 Order (" McCaleb Memorandum" ). On that same date, Interior published its " U.S. Department of the Interior Impacts of Shutdown of Internet Access as of January 10, 2002" (" Impacts Report" ). According to Assistant Deputy Secretary Jim Cason, " [t]he Reports are used to ‘ to secure restoration of this service [and to] inform OMB and Hill officials and to respond to media inquiries about how we are dealing with these restrictions.’ " Memorandum from Jim Cason to Distribution (Subject: " Impacts of Internet Shutdown at the Department of the Interior." ).
Two days later, a similar chronology was transmitted by Interior " summarizing ... the status of efforts to recommence operation of the information technology systems at the Department of the Interior." January 12, 2002 Letter from Department of Justice, Commercial Litigation Branch Deputy Director Sandra Spooner to Special Master Alan Balaran.
Discussion
This status report is to provide the Court with information that may not be contained in Interior statements to the tribes and the media in an effort to create a more complete record.
As an overarching matter, statements contained in the Impacts Report and the McCaleb Memorandum make no mention of the predicate conditions that led to the Court's December 5, 2001 injunction, i.e., the abysmal state of IT security and the vulnerabilities that have long impacted the security of Indian trust data and that have been institutionally ignored until the Court took direct action on December 5, 2001 and shut down Interior's computer systems. The Court's order is presented, not as one directly emanating from Interior's negligence, but rather as one that generically " stemmed from ongoing litigation regarding Indian trust funds." Impacts of Electronic Shutdown (Cover Page).
A brief analysis of Interior's Impacts Report and a discussion of the current status of Interior's reconnection efforts, as summarized in the McCaleb Memorandum follows:
January 10, 2002 Impacts Report.
As Interior's Impacts Reports are updated on a daily basis, see Letter dated January 10, 2002 from Commercial Litigation Branch Deputy Director Sandra Spooner to Special Master Alan Balaran (" The Associate Deputy Secretary of the Interior, Jim Cason, receives a daily update on the effects on departmental operations of the Court's temporary restraining order of December 5, 2001" ), the January 10, 2002 Report-the most recent and the only Impacts Report provided to the Special Master-reflects Interior's most recent assessment of the consequences resulting from the shutdown of its computer systems.
The January 10, 2002 Impacts Report categorizes the consequences to Interior systems resulting from the Court's injunction as follows: " Emergency (Public Health and Safety); " " Noncompliance with Laws or Regulations; " " Economic Impacts; " and " Other Impacts." This report will be limited to analyzing the " Emergency (Public Health and Safety)" impacts.
It could reasonably be argued that IIM payments should rightly be categorized a " public health and safety" given its collateral impact on the ability of allottees to secure shelter, food and other provisions.
Law Enforcement.
The Impacts Report describes the December 5, 2001 injunction as having dire consequences such as lost access to critical law enforcement databases, the inability of law enforcement operations to receive terrorist threat warnings and the significantly impaired ability of law enforcement personnel to access in-house criminal case management systems. What is not mentioned is that, on December 23, 2001, the Special Master approved Interior's December 21, 2001 request to reconnect of the Law Enforcement computer systems. The Impacts Report's only acknowledgment of the reconnection is the following statement: " As of December 31, 2001, DOI's Watch Office has been able to reconnect its e-mail system." (Emphasis added.) The delay between the December 23 approval date and the December 31 reconnection date is not explained. Similarly unexplained is why Interior has not requested relief to address those " dire consequences" that may have survived, or were not subsumed in, the Special Master's December 23 approval.
Fire Safety.
The Impacts Report represents that, as of January 10, 2002, the National Interagency Fire Center web site is not available and that, while the Wildland Fire Management Information System and the Automated Sorting, Conversion and Distribution System was returned to service following certification by the Court ( See Order Granting Temporary Relief dated December 8, 2001), " modem access has not been established for technicians to update, troubleshoot and reprogram weather stations used for the Chemical Stockpile Emergency Preparedness Plan." Impacts Report at 3.
If, as represented in its Motion for Partial Relief, Interior " believe[d] that these and other problems would be correctable if Interior is permitted to reconnect to the Internet," and the Court granted that request, why, on January 10, 2002, is " [t]he National Interagency Fire Center web site [ ] not available" Impacts Report at 2. Similarly, why is the National Interagency Coordination Center, located at the National Interagency Fire Center, unable (as of January 10, 2002) to use the Dispatch Messaging System. More importantly, why has Interior requested no relief from the Special Master or the Court to alleviate this problem.
Employee Safety Issues.
The January 10, 2002 Impacts Report discloses that The Safety Management Information System (" SIMS" ) has been disconnected as a result of the Court's December 5, 2001 injunction. Impacts Report at 4. The impact of this shutdown is that " submission of accident reports and Office of Workman's Compensation Program (OWCP) claims will be delayed." Id. To date, Interior has not requested that this system be reconnected (notwithstanding the fact that it is listed under the category of " emergency public health and safety" ). Interior has also not represented whether SIMS " does not house trust data and does not provide access to individual Indian trust data" that would allow it to be reconnected pursuant to the Consent Order dated December 17, 2001.
Office of Aircraft Services.
" The Office of Aircraft Services web site, including the SAFECOM (Safety Communique) system is not available." Impacts Report at 5. To date, there has been no request to open this system despite its classification as one that impacts public health and safety. Interior has also not represented whether this system " does not house trust data and does not provide access to individual Indian trust data" that would allow it to be reconnected pursuant to the Consent Order dated December 17, 2001.
Bureau of Reclamation.
As a result of the Court's December 5, 2001 injunction, Interior represents that, among other things, the Bureau of Reclamation (" BOR" ) is unable to receive security alerts from the FBI or to " respond to potentially damaging earthquakes." Impacts Report at 16. Interior represents that, " [a]ccess could be reestablished using restricted links to USGS through DOINET." To date, no request has been made of the Special Master to reconnect this system. Given the classification of this system as one impacting " public health and safety," this omission is troubling as Interior officials represented to the Special Master that only eight of 1500 computers house trust data in this system to which Special Master responded that, if this data was segregated, a request to reopen BOR would be favorably received.
National Park Service.
From a health and safety perspective, Interior represents that the " [l]ack of internet access precludes the use of ... sensors" that ultimately makes roads more hazardous. In addition, " [d]etectives/officers cannot collect and disseminate anti-terrorist intelligence information needed to provide optimal level of officer safety and effective prevention of harm to citizens and visitors." Impacts Report at 23. Yet, despite these grave consequences, Interior, despite inquiries regarding their intent to do so, has filed no application with the Special Master asking that any of the National Park Service systems be reconnected. There has also been no representation whether this system " does not house trust data and does not provide access to individual Indian trust data" that would allow it to be reconnected pursuant to the Consent Order dated December 17, 2001.
IIM-Related Systems
In addition to the December 21, 2001 request to reconnect Law Enforcement systems, that was granted on December 23, 2001 and the December 17, 2001 request to reconnect the Social Service Automated System that was granted December 19, 2001, the following reconnection requests impacting trust data remain outstanding.
Office of Surface Mining (" OSM" ).
Of the three systems currently awaiting Special Master approval, Interior's request to open the Office of Surface Mining serves as the most glaring example why caution must be used in assessing these requests and why the Special Master will take no action until receiving technical approval from his retained contractor.
On Tuesday, January 8, 2002 the Special Master retained the services Chris Daly, principal of the IBM Federal Sector Security Consulting Practice.
On December 21, 2001, Interior notified the Special Master of its intention to reconnect OSM to the Internet. The request was supported by the December 18, 2001 statement of OSM's Acting Director Glenda Owens who proffered that OSM's application systems, servers and workstations house no individual Indian trust data with the exception of data that relates to the McKinley mine in Gallup, New Mexico; and that the McKinley mine information had been removed from OSM's IT systems. Interior also provided a declaration from Deputy Assistant Secretary for Indian Affairs James McDivitt concluding that " the only place where BIA would expect to find individual trust data in OSM's systems is the McKinley mine near Gallup, NM."
On January 2, 2002, Mr. McDivitt clarified that, " [a]s for the normal activities of OSM, the only place he was aware of where mining activities were occurring on individual Indian lands was the McKinley mine near Gallup, NM. There are other sites on the Navajo, Hopi and Crow reservations where mining or reclamation is occurring, but the specific lands or mineral rights are tribally owned, not individual allotments. " (Emphasis added.)
On January 7, 2002, during contempt proceedings, Principal Deputy Special Trustee Thomas Thompson testified to the existence of coal leases on several individual Indian trust land sites. When plaintiffs raised this discrepancy in support of the proposition that the Special Master " should reject the false certification and declarations of Secretary Norton and her counsel and not reconnect Office of Surface Mining information technology systems," Mr. Thompson executed a declaration, at the request of the Special Master, explaining that he " misunderstood the question to refer to ‘ Tribal trust lands', not ‘ Individual Indian trust lands'." Following subsequent discussions between the Special Master and Interior regarding the existence of other " active" mines on Navajo and Crow reservations, Ms. Owens, on January 11, 2002 executed a second declaration that offered a slightly different explanation than that given by Mr. McDivitt. Unlike Mr. McDivitt's contention that the McKinley mine is the only site " where mining activities were occurring on individual Indian lands" Ms. Owens asserted that " [w]hile OSM may possess other individual Indian trust data, none of it is in computerized form and therefore none of it is housed on OSM's IT systems." Owens Declaration at ¶ 4. (Emphasis added). This apparent contradiction begs the question whether Interior is seeking to reconnect of OSM on the grounds that McKinley is the only site that generates IIM data (McDivitt) or that it is the only site whose data is encoded on OSM's computer systems (Owens).
See Thompson Declaration attached to January 9, 2002: Spooner OSM letter to Special Master (Incorrectly dated January 8, 2002)
Beyond this, Interior's representation that individual Indian trust data emerging from active mines is not computer encoded raises additional concerns such as how that information ultimately makes its way into the IIM disbursement cycle or why such data is maintained entirely on paper. It is curious that IIM data would be committed to paper for some mines and not for others. This question is further complicated by Interior's December 7, 2001: Notice of Actions Taken by the Department of the Interior to Comply with December 5, 2001 Temporary Restraining Order. In that filing, Interior represented that the following OSM systems were shut down in response to the Court's Order:
• " AFBACS-This system allows OSM to track information (accounts receivable) on funds owed to the Abandoned Mine Land Reclamation Fund based on the results of audits of coal companies. The system was developed to capture AML fees receivable (and associated fines, penalties, and interest) identified during the audit of an operator." See attachment regarding OSM at 1.
• " FEEBACS-This system (accounts receivable) maintains information for approximately 25,000 mines, of which approximately 3,700 are actively producing coal. It keeps track of mines and their operational status. The system issues an OSM-1 form on a quarterly basis to every active mining operation for mine operators to use when filling their quarterly production data and payment. " Id. (emphasis added).
• " ABACIS-This is OSM's Core Administrative Accounting System. OSM uses this system as its system of record for all administrative accounting transactions processed by the Bureau. These transactions include obligations, invoices, payments, grants, receipts, investments, and bills processed by OSM. " Id. (emphasis added).
• " AVS-This system is used by OSM and the State Surface Mining Regulators to determine whether a permit applicant and its owner/controllers are responsible for any unabated federal or state violations of surface mining law, and/or have outstanding unpaid civil penalties, Abandoned Mine Land Fees or audits." Id. at 2.
This submission suggests that information relating to " every active mining operation" and to " all administrative accounting transactions" is parked on OSM's systems.
It is questions such as these that demand a careful review of Interior's requests to connect its computer systems. Statements are made that are later recanted and corrected. Explanations are given that appear inconsistent with others. This is not to suggest any duplicity on the part of any official. Rather, it is the speed with which Interior feels constrained to reconnect its IT systems that militates in favor of prudence by the Special Master and the concurrence of the Special Master's contractor.
It is arguably this dispatch which resulted in a certification being sent to all OST employees defining " Individual Indian trust data" to be " information in a digital format, stored in computer or other electronic information retrieval system that is a Federal Record as defined in 44 U.S.C. § 3301 ..." rather than the definition adopted by the Court in its December 17, 2001 Order: " [a]ll data stored in an information technology system upon which the Government must rely to fulfill its trust duties to Native Americans pursuant to the Trust Fund Management Reform Act of 1994 (P.L. No. 103-412), other applicable statutes and orders of this Court ..." To avoid additional delay, the Special Master " agreed that [Interior] would not have to transmit a new set of certifications but that a memorandum could issue with the new definition." January 4, 2002 Letter from Alan Balaran to Sandra Spooner. In the view of the Special Master, the fact " certifications [ ] were initially distributed contained language that was crafted only by Interior and was never sanctioned by the court or plaintiffs' counsel" was, in great part, responsible for any " delay in the implementation of the Consent Order." Id.
Mineral Management Service (" MMS" ).
On December 21, 2001, Interior provided notice of intent to reconnect MMS' IT systems. On January 3, 2002, the Special Master met with Jim Cason and Hart Rossman to discuss MMS-specific security issues. During that meeting, Mr. Rossman opined that MMS was secure enough to warrant reconnection. In response to the Special Master's inquiry as to the basis for this representation, Mr. Rossman asserted that it was based on his review of documents such as the system security plans and discussion with contractors. Mr. Rossman acknowledged that he never visited any site to personally confirm the veracity what he had read or been told.
The Special Master requested that Mr. Rossman provide him with a copy of all the documentation upon which he based his recommendation to which Mr. Rossman opined that contractors would be hesitant to turn over their security plans on the grounds that the information was proprietary and that it would amount to a " box of documents." The Special Master agreed to privately review whatever the volume of records were over the upcoming weekend if the documents could be procured. Subsequent discussions with Interior and defendants' counsel revealed that MMS' contractor Accenture would not release its system security plans for such review unless under certain stringent conditions were set in place.
To expedite the process, on January 10, 2002, the Special Master sent a letter to the parties articulating the terms of a protective order that would address Accenture's concerns. These protocols were imposed notwithstanding the fact that the documents being sought were generated by contractors for Interior and discussed security measures relevant to Interior systems. Mr. Daly is to review these documents in accordance with these limitations on January 14, 2002.
The Special Master drafted the following terms: (1) The MMS Documents will be provided for the sole review of IBM's Chris Daly; (2) Prior to reviewing any of the MMS Documents, Mr. Daly will execute a non-disclosure agreement that prevents him from disclosing any of the information he may glean from his review of the MMS Documents with anyone other than myself, the Court or Interior consultant Hart Rossman; (3) Mr. Daly will review the documentation alone or with Hart Rossman; (4) Mr. Daly will return all of the MMS Documents upon completion of his review; (5) No copies will be made of any of the MMS Documents, however, Mr. Daly will be permitted to take notes of any information contained in those documents that he deems relevant to his recommendation; (6) Mr. Daly will prepare two reports. The first report will be made public and will set forth his recommendation concerning the reconnection of MMS and articulate a brief statement of his reasons without referencing or citing to any of the MMS Documents he has reviewed. The second report will be a more detailed technical report which will be submitted only to the Special Master and the Court; (7) Fourteen (14) days following his submission of the reports, Mr. Daly will destroy all notes upon which he based his recommendations. Mr. Daly will retain his notes during this period so that he may respond to any questions the Special Master may have concerning his recommendations.
Information Resources Management System (" IRMS" ).
On December 17, 2001, Interior advised the Special Master of its " inten[t] to recommence operation of its Integrated Resources Management System (‘ IRMS')." The only supporting documentation supplied by Interior consisted of a one-line statement from BIA Acting CIO Debbie Clark that " [t]he Bureau of Indian Affairs Integrated Management System (IRMS) has been disconnected from the Internet."
It is based on this single statement that, on January 12, 2002, Interior posited: " we believe the IRMS submission we made to you on December 17 fully complied with the Consent Order, and you have not suggested otherwise." January 12, 2002 Letter from Sandra Spooner to Alan Balaran at 2.
On December 20, 2001, the Special Master requested additional assurances regarding the steps taken to ensure that personal computers were no longer connected to the Internet; Interior responded with a memoranda from the Deputy Secretary and the Associate Deputy Secretary firmly articulating Interior's prohibition against Internet use. These memoranda and a " Notice to All Users of Information Technology Systems Supporting Individual Indian Trust Data" were e-mailed via Interior's intranet to all employees.
It must be emphasized that Interior has responded to the Special Master's repeated requests for additional assurances and has voluntarily proposed additional precautionary measures. For example, Interior " propose[d] to operate its Integrated Resources Management Systems (IRMS), permitting limited access only, on Monday through Friday between the hours of 7 a.m. and 7 p.m., EST, for transaction processing only." McDivitt Declaration at ¶ 3.
Interior proposed that, " [a]ccess to IRMS will be available only via the BIANET through a Raptor firewall. This firewall was installed in front of the Unisys NX equipment" and that " [t]he firewall access control list (ACL) will be configured to only allow access by specific Internet Protocol (IP) addresses on the stated days between the stated hours." Id.
However, some responses raise additional questions. For example, Interior stated that the BIANet is currently connected only to Interior's National Business Center in Denver, Colorado, through a Private Virtual Circuit, and is not connected to any other DOI bureau or organization. January 10, 2002 Letter from Justice Attorney Matthew Fader to Special Master at ¶ 2 ( citing McDivitt Declaration at ¶ 6) (emphasis added). However, McDivitt's declaration goes further when it states that, " The BIANet maintains a connection to DOI's National Business Center in Denver, Colorado through a ‘ Private Virtual Circuit’ (PVC). The PVC provides the BIANet access into Departmental Administrative Systems such as the Federal Finance System and the Federal Payroll and Personnel System. The BIANet is no longer able to connect to any other Departmental Bureau or organization through the PVC, or through any other means. " Id. at ¶ 8 (emphasis added). It is this last statement that appears to be internally inconsistent and that warrant additional examination.
Conclusion
Interior's representations to the press and others, while not inaccurate, fail to adequately convey the delicate and extremely difficult process currently underway to bring IT systems on line. Ensuring the security of individual Indian trust data (on systems that were completely lacking in all measurable respects) in a manner consistent with federal regulation requires careful scrutiny. It would be precipitous to proceed otherwise.
" [w]hen possible, physical re-configuration of the topology has been used to ensure traffic separation. When this was not possible, virtual separation has been achieved by creating separate Virtual LANs (VLANs), a commonly used method to logically separate traffic traveling over the same physical wire; and through the use of static routes in Cisco Pix Firewalls. Although this method for logical separation of network traffic is a commonly used and accepted practice, it does not provide 100% assurance of security. A determined ‘ hacker’ with the proper tools and time may be able to circumvent a VLAN. "
and that,
In a single case, BIA EDNet, there was no possible way to independently verify the DOI Personnel test results at the time of this writing due to the inability of SAIC personnel to gain physical or logical access to the BIA EDNet network devices to conduct the tests. Therefore, results from the other tests demonstrating a lack of connectivity to the BIA EDNet have been substituted.Emphasis added.
During my testimony on January 7, 2002, under questioning by counsel for Plaintiffs regarding the Office of Surface Mining, the following colloquy occurred:
Q: Are you aware whether or not there are coal leases on individual Indian trust lands?
A: I'm aware there are.
Q: More than one site?
A: More than one site, yes.
I misunderstood the question to refer to ‘ Tribal trust lands', not ‘ Individual Indian trust lands.’ Upon review of that testimony, a correct response by me to the question posted would have been ‘ I'm not aware there are’ and ‘ Not that I am aware.’Thompson Declaration at ¶ 3.