IP: EPA web site shut down

[Dave Farber <farber () cis upenn edu>]

> From: "Rick Blum" <blumr () ombwatch org>
> To: Farber () cis upenn edu
>
>
> Dave --  I'm a long-time lurker on IP.  We sent this around
> yesterday and thought you'd be interested, if you haven't already
> seen the story.
>
> Rick Blum
> OMB Watch
>
>
> Late Wednesday night EPA shut down its entire Internet services,
> including its web site and staff email.
>
> Our conclusion is that there is no rationale for the unprecedented
> shutting down of the EPA web site and email services, cutting off a
> major means for the public to communicate with EPA.   There is no
> question that EPA has computer vulnerabilities, but these could
> have been resolved with good computer management. In the
> meantime, Rep. Bliley (R-VA), the chair of the House Commerce
> Committee, basically held a gun to EPA's head, effectively telling
> EPA to shut down its site or it would put information out about
> security risks, making it easier for the public to hack EPA's site,
> instead of helping EPA make fixes.  This does not exonerate EPA.
>  EPA has known about its computer vulnerabilities for some time
> and has done little to fix the problems.  Despite the computer
> problems at EPA, there was no "crisis."  The General Accounting
> Office never recommended shutting down the EPA site, but Bliley,
> who has done the bidding of powerful special interests, has acted
> to thwart public access.
>
> THE STORY:
> Some months ago Rep. Thomas Bliley (R-VA), the chair of the
> House Commerce Committee, requested the General Accounting
> Office (GAO) to do a computer security audit at EPA.  As the audit
> was coming to a close, GAO was required to share the information
> with EPA.  But, reportedly, Bliley was upset since he didn't want
> EPA fixing the problems.  Rather, he wanted to bash EPA.  He
> required GAO to give him a copy of the letter to EPA and then, it is
> rumored, he leaked some portions to the press, making the
> problems at EPA sound horrendous.
>
> GAO did, however, find "serious and pervasive problems that
> essentially render EPA's agencywide information security program
> ineffective."  The problems at EPA mostly dealt with bad to poor
> computer management: ineffective firewalls; lack of controls (e.g.,
> passwords); logs that didn't capture hackers; computer doors that
> had been left open.  GAO found EPA's "vulnerabilities...have been
> exploited by both external and internal sources."  It appears that
> GAO was able to take control of the router and then capture the
> password of anyone logging on to the system.
>
> GAO does not have evidence of data being tampered with or
> violations of trade secrets or enforcement data.  In some cases
> where there were violations, it resulted in criminal investigations.
> And while there are big problems, GAO never recommended that
> EPA shut its web site down.  (In fact, GAO has found computer
> security problems at other agencies, such as State Dept, but it
> appears no agency has completely and this thoroughly cut off its
> Internet connection and email services.)
>
> Bliley planned a hearing today (2/17) on EPA computer security
> and had asked GAO to testify.  EPA raised concerns about holding
> the hearing.  Reportedly, Bliley gave EPA an ultimatum:  shut
> down the EPA web site and all email services or the public would
> hear about how to hack the EPA web site.  EPA decided to shut
> down their Internet services last night.
>
> Bliley postponed the hearing but called a press conference at 1
> p.m. on Friday.  At the press conference, Bliley released the GAO
> testimony and supported EPA's decision to shut down the web
> site.  EPA claims it was disappointed that it had to shut down.
>
> According to folks in the White House, EPA is quickly trying to put
> the public web site back up and sever its connection to the internal
> systems.  It is not clear when this will happen.
>
> There are many issues that this "crisis" raises, but two stick out.
>
> First, if EPA had security violations, why didn't Bliley give EPA the
> time that is needed to fix the problems that GAO found?  Why did
> he hold a gun to EPA's head?  Even if there were computer
> security problems, it could have been handled in a manner that did
> not disrupt public access to the agency and did not create a
> "crisis."
>
> This raises questions about Bliley's objectives.  Maybe it is a
> coincidence that a number of his campaign contributors are
> regulated by EPA.  For example, a large grouping of contributors
> are from the mining and electrical gas sectors, which for the first
> time will need to report to EPA on toxic releases.  Some of his
> larger contributors are listed as major polluters.  Bliley is the same
> person who pushed the terrorism argument last summer as a
> reason to withhold public access to information about chemical
> hazards in our communities.  Instead of improving public access,
> Bliley has taken a course of thwarting EPA and, hence, public
> access.
>
> Second, EPA has known for many years that it has computer
> management problems.  Inspector General reports since 1997 have
> raised concerns, but little has been done to fix the problems.
> When GAO showed EPA it had problems, why didn't it
> immediately address these problems?
>
> EPA Administrator Browner took the helpful step to create an
> Information Office within EPA.  But since then no one has been
> appointed to run the office.  Increasingly, the Office is proving to be
> less than useful, maybe even a major disappointment.  Why has
> the Office not taken the leadership to develop a comprehensive
> information plan that covers computer management issues?
> ------------------------------------------------------
> Rick Blum                      P:       (202) 234-8494
> OMB Watch (CFC #0889)          F:       (202) 234-8584
> 1742 Connecticut Ave NW        Em:  blumr () ombwatch org
> Washington, DC  20009-1171
> Web: ombwatch.org
> Right-To-Know Network: www.rtk.net
> ------------------------------------------------------