Politics Plays Prominent in Government Denial of Service Attack on Itself
Let Representative Tom Bliley Know What You Think! ([email protected]).
See Also:
The Real Threat is the Internet and Environmentalism (U.S. Chamber of Commerce)
Hack Attacks Raise Specter of Government Intervention (Center for Democracy and Technology)
EPA's Computers Said Vulnerable (LA Times)
EPA's computers accessible through Web site, lawmaker says (Associated Press)
CMA Statement (E-Wire Press Release)
To join OMB Watch's CTW listserv and learn more about the
shutdown of EPA's website, click here. Once you've joined you can read the archived messages as well as receive new ones.
Representative Bliley has also been active, encumbering our Right-To-Know about the "worst case scenario" of chemical accidents.
For more information see our Chemical Accident Preparedness Maps and join RMP-Watch.
Politics Plays Prominent in Government Denial of Service Attack
on Itself: An OMB Watch Analysis of EPA Web Site Shut Down
February 22, 2000
(For the various reports, letters, and information this analysis
references, go to www.ombwatch.org.)
Late in the evening on Wednesday, February 16, the Environmental
Protection Agency (EPA) without any warning shut down its
Internet services, including its web site and email services. The
public, which monthly racks up millions of visits on EPA's web site,
could not access EPA's web site (www.epa.gov), and there has
been no way to communicate via email with EPA employees.
Rep. Thomas J. Bliley (R-VA), who chairs the powerful House
Commerce Committee, has been conducting a McCarthy-like
campaign against "cyber-terrorism." Instead of Red-baiting,
however, Bliley is Web-baiting. His threats unnecessarily forced
EPA to shut down and drew public attention to issues that should
have been resolved quietly. Now, once EPA brings its site back
online, it will draw the attention of hackers to try to breach EPA
security. The shut down of EPA's web site leaves other agency
webmasters wondering if their systems could be next. If Rep. Bliley
had jurisdiction over Internet security, would he push for a shut
down of the entire Internet?
EPA also should not escape criticism. EPA has not taken
adequate steps to ensure computer security. Its actions (and
inactions) are indicative of a broader problem the agency has in
managing its information resources. The result, coupled with the
Bliley-EPA feud, is that the public loses.
Impact on People
People have grown to depend on EPA's web site to communicate
with their government. Ever since late Wednesday night, when the
site went down, a man in Alaska preparing for a public hearing
could not find out about the waste handling record on a local
landfill. College students in Florida could not complete a class
assignment to analyze the environmental performance of
companies. A father in California could not search EPA's
Envirofacts to locate polluters in his community. Business and
community groups, insurance companies and educators, attorneys
and students alike were hurt by this action.
The long-term impact on the agency's credibility could be severe.
One attorney currently engaged in a lawsuit with big industry
believed this shut down would affect his ability to argue his case
and hurt the agency's ability to enforce environmental laws and
force polluters to operate in the sunshine.
Background
All this resulted from Bliley's request some months ago for a
General Accounting Office (GAO) audit of EPA's computer
security. GAO worked closely with EPA staff in the process. As
the audit was coming to a close in December, GAO procedures
required it to share its findings with EPA.
The problems at EPA mostly dealt with bad to poor computer
management: ineffective firewalls; lack of controls (e.g.,
passwords); logs that did not capture hackers; and computer doors
that had been left open. GAO found EPA's "vulnerabilities... have
been exploited by both external and internal sources." It appears
that GAO was able to take control of a key piece of network
security equipment, a "router," and then capture the password of
anyone logging on to the mainframe computer at
Research Triangle Park in North Carolina.
Rep. Bliley asked GAO to give him a copy of the letter to EPA and
then, on December 20, sent EPA Administrator Carol Browner a
letter highlighting problems that GAO found. The letter requests
EPA to "report back to me within 10 days ... with a detailed
description of the corrective actions EPA intends to take ... [and]
the dates upon which EPA anticipates the corrective actions will be
implemented..." The Bliley action heightened concerns at EPA
because the letter, unlike the GAO communication, became
public.
EPA responded with information about its corrective actions.
Nonetheless, Bliley scheduled a hearing for February 17 to discuss
the GAO findings and EPA's response. According to testimony
planned for the hearing, GAO found "serious and pervasive
problems that essentially render EPA's agencywide information
security program ineffective."
GAO's testimony, which Bliley released at a February 17 press
conference, indicates that EPA had been warned of various
computer security problems as early as 1997 through Inspector
General reports and had done little to fix the problems. GAO notes
that the vulnerabilities "illustrate deficiencies in EPA's ability to
detect, respond to, and document security incidents affecting its
systems." GAO provided some examples of security problems,
including an intruder gaining unauthorized access to a state
university computer through the EPA site, the creation of a "chat
room" on an EPA computer server for hackers to post notes, and
two attacks by hackers that slowed EPA's computer system and
may have launched a denial of service attack against an Internet
service provider. Other serious intrusions may have occurred, but
there is no evidence in the GAO report of violating enforcement or
trade secret data.
Bliley and Rep. Fred Upton (R-MI), the chair of the Subcommittee
on Oversight and Investigations, sent EPA Administrator Carol
Browner a letter on February 15 postponing the February 17
hearing and calling on EPA to "Immediately shut down the Internet
connection to your Agency data systems until such time as you
can provide reasonable assurance that the more vulnerabilities
identified by GAO have been at least temporarily corrected or
mitigated." Bliley posted the letter on his web site, creating fears at
EPA that hackers would now try to breach the EPA system.
The next day, on February 16, Bliley issued a press release with
the headline, "GAO Finds Cyber Insecurity at EPA" which also
called for EPA to shut down its Internet connections because of
serious security threats. That evening EPA shut down its web and
email Internet services, claiming that Bliley's actions put them in a
vulnerable position and implicitly encouraged hackers to attempt
breaching the system.
Then, on February 17, Bliley called a press conference and
released the GAO testimony. The GAO statement, however, never
called for EPA to shut down its Internet connection. Bliley was
determined to release GAO's sensitive security findings even
though not all of them had been provided to EPA and EPA had not
been given any time to prepare for the release of the findings.
It should be noted that GAO does not have evidence of data being
tampered with or violations of trade secrets or enforcement data. In
some cases where there were violations, they resulted in criminal
investigations, although EPA had to be notified by the Justice
Department of the violations.
Bliley was correct in pursuing computer security problems at EPA.
The fact that GAO was able to penetrate the router, then easily
obtain certain passwords is an indication of serious problems. And
he may have been at wit's end to get EPA to take corrective action,
especially since EPA has known about computer security glitches
for some time and done little to fix them. But going public was the
wrong answer.
EPA had been cooperating with GAO on the security investigation.
It had provided detailed system specifications to assist their
investigation. Moreover, EPA took no special steps to track GAO's
"hacking" attempts but studiously avoided interfering with GAO's
work.
Why Go Public?
GAO never recommended shutting down the Internet connection.
And GAO pointed out that since December, when it notified EPA of
certain security problems, it "resulted in quick actions" by EPA.
The fact is that EPA had already begun to move forward to fix the
"firewall" problems and appointed a "Technical Information Security
Staff" to address the GAO findings. Bliley was informed of this but
still went forward with a public call to shut down EPA's Internet
connection.
Why? His actions raise speculation about ulterior motives.
For a decade now, EPA has been running a very successful
right-to-know program that discloses to the public industrial toxic
chemical releases into the air, land and water. Public disclosure of
polluters' activities under the Toxics Release Inventory (TRI)
program has led to a 43% reduction in the release of chemicals
included in the program.
In the next few weeks, EPA will release data on toxic chemical
pollution from major new sources, including mining and electrical
utilities, in conjunction with its annual TRI release. The shut down
of EPA's web site will most likely delay release of this new data.
According to the Center for Responsive Politics, Bliley also
happens to receive significant campaign contributions from oil and
gas, mining, electrical utilities, and chemical manufacturing
companies. Searches of EPA's Toxics Release Inventory on RTK
NET find that many of these same companies -- including Union
Carbide, Texaco, Shell, Eli Lilly, Rhone-Poulenc, and Eastman
Kodak -- report large amounts of chemical pollution.
Why is it, then, that computer security at government agencies
worries Rep. Bliley more than physical plant security at some of
the country's biggest chemical plants? Last summer, Rep. Bliley
helped industry hide from the public the harm communities faced in
potential worst-case chemical accidents at tens of thousands of
chemical manufacturing, processing or storage facilities. A
government study found that physical security problems at these
plants paralleled the computer security problems found at EPA.
But Chairman Bliley continued to fight efforts to beef up security at
these plants and pushed efforts to squash disclosure of this
information. Why is he focusing so much on EPA's computer
security while ignoring physical security at these chemical plants?
EPA Should Share Blame
At the same time, we should not exonerate EPA. When GAO
brought these problems to the attention of EPA officials, why did
the agency not immediately address these problems? In the face of
reports dating as far back as 1997 raising concerns over computer
security problems, EPA did little until recently to solve its
problems.
And why has EPA not taken the leadership to develop a
comprehensive information plan that covers computer management
issues? EPA Administrator Browner last year took the helpful step
of creating a new office within EPA devoted solely to collecting,
managing and providing public access to information to protect
human health and the environment. But since then no one has
been appointed to run the office and the agency has become
bogged down in rearranging staff and budgets.
Next Steps
EPA could take a number of steps to strengthen the public's right
to know about environmental hazards and threats to human health.
For example, EPA should:
* Develop a program to reduce the public's burden in obtaining,
understanding and using environmental information to promote
environmental protections. Such a program should include training
and assistance grants, telephone assistance "hot lines,"
collaborations with libraries and others in providing data, and
improvements to the Web site to make it more user-friendly and
information easier to find;
* Require those who submit information to EPA (e.g., industrial
facilities) to justify requests to withhold information from the public
in order to safeguard trade secrets;
* Set an expiration date on trade secret shields. The potency of
trade secrets comes from the timeliness of the information. An
industry competitor's ten-year-old business plan is irrelevant
compared with one developed last month. After a specified time
period information shielded from the public should be disclosed to
the public; and
* Create an index of all EPA's information on its web site in order
to comply with legal requirements. Most federal agencies do not
even list the information they make available to the public.
Amendments to the Freedom of Information Act passed in 1996
require all federal agencies to make an index of all information
products and either link to the information itself or explain how the
information can be obtained. Such an index would be helpful to the
public in locating information as well as helpful to the agency in
understanding what information is or is not available.
We urge the President to exercise leadership and make this new
information office a showpiece for all federal agencies. He should
ensure EPA is adequately funded and managed to make the best
use of modern information technology. And he should ensure that
the public right to know is never again compromised.
------------------------------------------------------
Rick Blum P: (202) 234-8494
OMB Watch (CFC #0889) F: (202) 234-8584
1742 Connecticut Ave NW Em: [email protected]
Washington, DC 20009-1171
Web: www.ombwatch.org
Right-To-Know Network: www.rtk.net