IP: EPA web site shut down

[Dave Farber <farber@cis.upenn.edu>]

>From: "Rick Blum" <blumr@ombwatch.org>
>To: Farber@cis.upenn.edu
>
>
>Dave --  I'm a long-time lurker on IP.  We sent this around
>yesterday and thought you'd be interested, if you haven't already
>seen the story.
>
>Rick Blum
>OMB Watch
>
>
>Late Wednesday night EPA shut down its entire Internet services,
>including its web site and staff email.
>
>Our conclusion is that there is no rationale for the unprecedented
>shutting down of the EPA web site and email services, cutting off a
>major means for the public to communicate with EPA.   There is no
>question that EPA has computer vulnerabilities, but these could
>have been resolved with good computer management. In the
>meantime, Rep. Bliley (R-VA), the chair of the House Commerce
>Committee, basically held a gun to EPA's head, effectively telling
>EPA to shut down its site or it would put information out about
>security risks, making it easier for the public to hack EPA's site,
>instead of helping EPA make fixes.  This does not exonerate EPA.
>  EPA has known about its computer vulnerabilities for some time
>and has done little to fix the problems.  Despite the computer
>problems at EPA, there was no "crisis."  The General Accounting
>Office never recommended shutting down the EPA site, but Bliley,
>who has done the bidding of powerful special interests, has acted
>to thwart public access.
>
>THE STORY:
>Some months ago Rep. Thomas Bliley (R-VA), the chair of the
>House Commerce Committee, requested the General Accounting
>Office (GAO) to do a computer security audit at EPA.  As the audit
>was coming to a close, GAO was required to share the information
>with EPA.  But, reportedly, Bliley was upset since he didn't want
>EPA fixing the problems.  Rather, he wanted to bash EPA.  He
>required GAO to give him a copy of the letter to EPA and then, it is
>rumored, he leaked some portions to the press, making the
>problems at EPA sound horrendous.
>
>GAO did, however, find "serious and pervasive problems that
>essentially render EPA's agencywide information security program
>ineffective."  The problems at EPA mostly dealt with bad to poor
>computer management: ineffective firewalls; lack of controls (e.g.,
>passwords); logs that didn't capture hackers; computer doors that
>had been left open.  GAO found EPA's "vulnerabilities...have been
>exploited by both external and internal sources."  It appears that
>GAO was able to take control of the router and then capture the
>password of anyone logging on to the system.
>
>GAO does not have evidence of data being tampered with or
>violations of trade secrets or enforcement data.  In some cases
>where there were violations, it resulted in criminal investigations.
>And while there are big problems, GAO never recommended that
>EPA shut its web site down.  (In fact, GAO has found computer
>security problems at other agencies, such as State Dept, but it
>appears no agency has completely and this thoroughly cut off its
>Internet connection and email services.)
>
>Bliley planned a hearing today (2/17) on EPA computer security
>and had asked GAO to testify.  EPA raised concerns about holding
>the hearing.  Reportedly, Bliley gave EPA an ultimatum:  shut
>down the EPA web site and all email services or the public would
>hear about how to hack the EPA web site.  EPA decided to shut
>down their Internet services last night.
>
>Bliley postponed the hearing but called a press conference at 1
>p.m. on Friday.  At the press conference, Bliley released the GAO
>testimony and supported EPA's decision to shut down the web
>site.  EPA claims it was disappointed that it had to shut down.
>
>According to folks in the White House, EPA is quickly trying to put
>the public web site back up and sever its connection to the internal
>systems.  It is not clear when this will happen.
>
>There are many issues that this "crisis" raises, but two stick out.
>
>First, if EPA had security violations, why didn't Bliley give EPA the
>time that is needed to fix the problems that GAO found?  Why did
>he hold a gun to EPA's head?  Even if there were computer
>security problems, it could have been handled in a manner that did
>not disrupt public access to the agency and did not create a
>"crisis."
>
>This raises questions about Bliley's objectives.  Maybe it is a
>coincidence that a number of his campaign contributors are
>regulated by EPA.  For example, a large grouping of contributors
>are from the mining and electrical gas sectors, which for the first
>time will need to report to EPA on toxic releases.  Some of his
>larger contributors are listed as major polluters.  Bliley is the same
>person who pushed the terrorism argument last summer as a
>reason to withhold public access to information about chemical
>hazards in our communities.  Instead of improving public access,
>Bliley has taken a course of thwarting EPA and, hence, public
>access.
>
>Second, EPA has known for many years that it has computer
>management problems.  Inspector General reports since 1997 have
>raised concerns, but little has been done to fix the problems.
>When GAO showed EPA it had problems, why didn't it
>immediately address these problems?
>
>EPA Administrator Browner took the helpful step to create an
>Information Office within EPA.  But since then no one has been
>appointed to run the office.  Increasingly, the Office is proving to be
>less than useful, maybe even a major disappointment.  Why has
>the Office not taken the leadership to develop a comprehensive
>information plan that covers computer management issues?
>------------------------------------------------------
>Rick Blum                      P:       (202) 234-8494
>OMB Watch (CFC #0889)          F:       (202) 234-8584
>1742 Connecticut Ave NW        Em:  blumr@ombwatch.org
>Washington, DC  20009-1171
>Web: ombwatch.org
>Right-To-Know Network: www.rtk.net
>------------------------------------------------------