IT Security Issues Discussed in Recent Federal Decision
FindLaw
By Andrew Zangrilli
Despite the Department of the Interior’s repeated failures to meet network security standards, a federal appeals court recently vacated an order requiring the agency to disconnect its computers from the internet and internal networks. The detailed and specific IT security aspects mentioned in the opinion are noteworthy in light of recent and widespread data security breaches at government and private organizations. The decision also provides guidance for any organization seeking to improve its network security.
In Cobell v. Kempthorne, the U.S. Court of Appeals for the District of Columbia Circuit ruled that the broad equitable relief of computer disconnection exceeded the court’s authority.
The order from the district court required all Department of Interior technology systems that housed or provided access to the Individual Indian Trust Data (IITD) to be disconnected from the internet and from all intranet connections. Reconnection to internal and external networks was permitted only upon court approval. This order was the third computer disconnection injunction issued in the long-standing suit between beneficiaries of the Indian trust and the Department of Interior regarding the agency’s performance of trust obligations.
Although the decision to overturn the disconnection order was ultimately premised on limitations of the Administrative Procedure Act and the equitable law of trusts and trustees, the vulnerabilities of the agency’s network security occupy a substantial portion of the opinion. This article will highlight some of the methods used to test Interior’s IT network security and what applications those methods may have for private businesses.
IT System Security
The strength of Interior’s Information Technology Systems was tested on four separate occasions in response to IITD security concerns stemming from the lawsuit. In 2002, 2003, 2004 and 2005, security auditors and the Inspector General (IG) performed extensive testing of Interior’s Information Technology System security, which included everything from formal Federal Information Security Management Act (FISMA) verification, to covert penetration attempts, to monitoring wireless network vulnerabilities.
To frame the technology discussion, the district court broadly defined “Information Technology System” as “Any computer, server, equipment, device, network, intranet, enclave, or application, or any subsystem thereof, that is used by Interior or any of its employees, agents, contractors, or other third parties in the electronic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or other information, including without limitation computers, wireless devices (e.g. Blackberrys) and networks, voice over the Internet protocol (VOIP), ancillary equipment, devices, or similar services or protocols, including support services, software, firmware, and related resources.”
The wide breadth and scope of IT Systems is the first notable point for organizations seeking to bolster network security. The many applications, platforms, hardware and personnel involved in IT systems render security a complex proposition. Ideal IT security must cover electronics as well as people.
Federal Information Security Management Act (FISMA)
Organizations needing guidance on IT security can look to federal government standards relating to data security management. Three of the four inspections of the agency’s networks were conducted pursuant to FISMA. The statute was enacted to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.” 44 U.S.C. § 3541(1).
Notably absent from FISMA, however, is the explicit power of judicial review. As the court states, “We are far from certain that courts would ever be able to review the choices an agency makes in carrying out its FISMA obligations…”
Although FISMA is an important aspect of any discussion of government IT security, Cobell is “not a FISMA case.” While the D.C. Circuit renders no opinion on the agency’s compliance with the act, it does not foreclose the possibility that the agency’s network security issues might subsequently be addressed under a FISMA action.
Use of Outside Contractor-Attackers
The use of outside contractors to perform a "friendly attack" on its systems is one way an organization can get an honest assessment of its IT security weaknesses. In the 2005 audit by the IG, outside contractors were used to conduct external penetration testing, designed to identify the IT networks’ vulnerabilities by simulating attacks by outside parties with little prior knowledge of the agency’s computer systems.
Businesses employing contractors for this purpose should be careful to set strict parameters to avoid costly damage to the systems and data under attack. As Cobell describes: “Under the “Rules of Engagement” governing the testing, the contractors could use a wide variety of tools, including licensed security software, publicly-available freeware, custom developed utilities, and social engineering techniques. Although the contractors were prohibited from modifying files, disabling users, or denying service, their goal was to gain “administrator” or “root” privileges, which would enable them to control the targeted systems.”
One contractor testing the Bureau of Land Management was able to gain administrator privileges to two systems after penetration of the network, including an email archiving system. Another contractor assigned to attack the Interior’s National Business Center (NBC) was able to enter NBC’s most sensitive networks and gain access to the personal information of over 72,000 Interior employees. “For dramatic effect, he assembled dossiers on several high-level officials, including data such as social security numbers and even a list of bank card charges.”
As the foregoing example illustrates, the use of outside contractors in this capacity can sometimes yield embarrassing results.
Wireless Network Technology Testing
In addition to wired networks, Interior’s wireless network security was also found to be lacking. In 2004, the agency issued a moratorium on wireless technology, “although apparently some offices may not be complying with the directive.”
The decision’s brief section on wireless testing reveals some general tips that can be used by any organization to assess the vulnerability of its wireless networks:
- Do you have a complete inventory of wireless devices?
- Do you manage the range of wireless signals?
- Do you use security controls on wireless networks?
- Is there physical security in locations with wireless networks?
Conclusion
Although Interior’s computer security problems were numerous, the D.C. Circuit was not willing to cripple the agency’s normal functioning by disconnecting networked computers in order to address general IT issues.
“We do not mean to understate the dangers of lax IT security, but as the district court acknowledged, “it is generally considered impossible to create a perfectly secure IT environment.” The inherently imperfect nature of IT security means that if we granted injunctive relief here, based only on Interior’s security vulnerabilities and not on a showing of some imminent threat or specific reason to be concerned that IITD is a target, we would essentially be justifying perpetual judicial oversight of Interior’s computer systems.”
Under Cobell, in order to successfully obtain a computer disconnection injunction over a governmental agency, aggrieved parties must proffer “more than a list of vulnerabilities” to show they may be harmed by flawed IT security. In relation to private industry, on the other hand, a list of vulnerabilities may be precisely what is needed to bolster IT security.
Allowing general fears of data insecurity to provide the basis for a disconnection order is a road the Court did not want to travel. Doing so, it reasoned, would render “nearly any system administrator who maintains data for private trusts. . .in danger of facing similar claims for relief, as only the unreachable goal of perfect security would be sufficient to counter general fears of data tampering by internal threats or external hackers.” Here the court offers some insight for the IT security requirements of private trust data maintenance.
Unfortunately, the decision gives little guidance as to particular conduct that would tip the scales in favor of a disconnection order over a public agency. Evidence that someone has already altered the data by exploiting the flawed security is one cited example. Given the “significant harm” a disconnection order would cause the agency, the data security threat would have to be specific, imminent and "so extensive as to prevent the class members from receiving the accounting to which they are entitled." It is unclear whether the same analysis would apply to a disconnection order for a private institution.
Andrew H. Zangrilli is an attorney and senior producer in the Sunnyvale office of FindLaw.
© 2006 FindLaw