2000 CPEO Military List Archive

From: CPEO Moderator <cpeo@cpeo.org>
Date: Thu, 17 Feb 2000 14:58:09 -0800 (PST)
Reply: cpeo-military
Subject: [CPEO-MEF] Update on EPA shutting down its Web site
 
[This was posted to the listserve by Gary D. Bass, bassg@ombwatch.org]

A bit more update on the shutdown of the EPA web site.  What a horror 
story!

CONCLUSION:  There is no rationale for the unprecedented shutting down 
of the EPA web site and email services, cutting off a major means for 
the public to communicate with EPA.   There is no question that EPA has 
computer vulnerabilities, but these could have been resolved with good 
computer management. In the meantime, Rep. Bliley (R-VA), the chair of 
the House Commerce Committee, basically held a gun to EPA's head, 
effectively telling EPA to shut down its site or it would put 
information out about security risks, making it easier for the public to 
hack EPA's site, instead of helping EPA make fixes. This does not 
exonerate EPA.  EPA has known about its computer vulnerabilities for 
some time and has done little to fix the problems.  Despite the computer 
problems at EPA, there was no "crisis."  The General Accounting Office 
never recommended shutting down 
the EPA site, but Bliley, who has done the bidding of powerful special 
interests, has acted to thwart public access.

THE STORY:
Some months ago Rep. Thomas Bliley (R-VA), the chair of the House 
Commerce Committee, requested the General Accounting Office (GAO) to do 
a computer security audit at EPA.  As the audit was coming to a close, 
GAO was required to share the information with EPA.  But, reportedly, 
Bliley was upset since he didn't want EPA fixing the problems.  Rather, 
he wanted to bash EPA.  He required GAO to give him a copy of the letter 
to EPA and then, it is rumored, he leaked some portions to the press, 
making the problems at EPA sound horrendous.

GAO did, however, find "serious and pervasive problems that essentially 
render EPA's agencywide information security program ineffective."  The 
problems at EPA mostly dealt with bad to poor computer management: 
ineffective firewalls; lack of controls (e.g., passwords); logs that 
didn't capture hackers; computer doors that had been left open.  GAO 
found EPA's "vulnerabilities...have been exploited by both external and 
internal sources."  It appears that GAO was able to take control of the 
router and then capture the password of anyone logging on to the system.

GAO does not have evidence of data being tampered with or violations of 
trade secrets or enforcement data.  In some cases where there were 
violations, it resulted in criminal investigations.  And while there are 
big problems, GAO never recommended that EPA shut its web site down.  
(In fact, GAO has found computer security problems at other agencies, 
such as State Dept, but it appears no agency has completely and this 
thoroughly cut off its Internet connection and email services.)

Bliley planned a hearing today (2/17) on EPA computer security and had 
asked GAO to testify.  EPA raised concerns about holding the 
hearing.  Reportedly, Bliley gave EPA an ultimatum:  shut down the EPA 
web site and all email services or the public would hear about how to 
hack the EPA web site.  EPA decided to shut down their Internet services 
last night.

Bliley postponed the hearing but called a press conference at 1 p.m. 
today.  At the press conference, Bliley released the GAO testimony and 
supported EPA's decision to shut down the web site.  EPA claims it was 
disappointed that it had to shut down.

According to folks in the White House, EPA is quickly trying to put the 
public web site back up and sever its connection to the internal 
systems.  It is not clear when this will happen.

There are many issues that this "crisis" raises, but two stick out.

First, if EPA had security violations, why didn't Bliley give EPA the 
time that is needed to fix the problems that GAO found?  Why did he hold 
a gun to EPA's head?  Even if there were computer security problems, it 
could have been handled in a manner that did not disrupt public access 
to the agency and did not create a "crisis."

This raises questions about Bliley's objectives.  Maybe it is a 
coincidence that a number of his campaign contributors are regulated by 
EPA.  For example, a large grouping of contributors are from the mining 
and electrical gas sectors, which for the first time will need to report 
to EPA on toxic releases.  Some of his larger contributors are listed as 
major polluters.  Bliley is the same person who pushed the terrorism 
argument last summer as a reason to withhold public access to 
information about chemical hazards in our communities.  Instead of 
improving public access, Bliley has taken a course of thwarting EPA and, 
hence, public access.

Second, EPA has known for many years that it has computer management 
problems.  Inspector General reports since 1997 have raised concerns, 
but little has been done to fix the problems.  When GAO showed EPA it 
had problems, why didn't it immediately address these problems?

EPA Administrator Browner took the helpful step to create an Information 
Office within EPA.  But since then no one has been appointed to run the 
office.  Increasingly, the Office is proving to be less than useful, 
maybe even a major disappointment.  Why has the Office not taken the 
leadership to develop a comprehensive information plan that covers 
computer management issues?

--------------------------------------------
Gary D. Bass
OMB Watch
1742 Connecticut Ave., N.W., Washington, D.C.  20009
TEL:  (202) 234-8494     FAX: (202) 234-8584
bassg@ombwatch.org
http://www.ombwatch.org

You can find archived listserve messages on the CPEO website at 

http://www.cpeo.org/lists/index.html.

If this email has been forwarded to you and you'd like to subscribe, please send a message to: 

cpeo-military-subscribe@igc.topica.com
