Re: E-M:/ EPA web sites closed--Congressional DENIAL OF SERVICE



-------------------------------------------------------------------------
Enviro-Mich message from "Frank Ambrose" <fambrose@bloomington.in.us>
-------------------------------------------------------------------------

A bit more update on the shutdown of the EPA web site.  What a horror story!

CONCLUSION:  There is no rationale for the unprecedented shutting down of
the EPA web site and email services, cutting off a major means for the
public to communicate with EPA.   There is no question that EPA has
computer vulnerabilities, but these could have been resolved with good
computer management. In the meantime, Rep. Bliley (R-VA), the chair of the
House Commerce Committee, basically held a gun to EPA's head, effectively
telling EPA to shut down its site or it would put information out about
security risks, making it easier for the public to hack EPA's site, instead
of helping EPA make fixes.  This does not exonerate EPA.  EPA has known
about its computer vulnerabilities for some time and has done little to fix
the problems.  Despite the computer problems at EPA, there was no
"crisis."  The General Accounting Office never recommended shutting down
the EPA site, but Bliley, who has done the bidding of powerful special
interests, has acted to thwart public access.

THE STORY:
Some months ago Rep. Thomas Bliley (R-VA), the chair of the House Commerce
Committee, requested the General Accounting Office (GAO) to do a computer
security audit at EPA.  As the audit was coming to a close, GAO was
required to share the information with EPA.  But, reportedly, Bliley was
upset since he didn't want EPA fixing the problems.  Rather, he wanted to
bash EPA.  He required GAO to give him a copy of the letter to EPA and
then, it is rumored, he leaked some portions to the press, making the
problems at EPA sound horrendous.

GAO did, however, find "serious and pervasive problems that essentially
render EPA's agencywide information security program ineffective."  The
problems at EPA mostly dealt with bad to poor computer management:
ineffective firewalls; lack of controls (e.g., passwords); logs that didn't
capture hackers; computer doors that had been left open.  GAO found EPA's
"vulnerabilities...have been exploited by both external and internal
sources."  It appears that GAO was able to take control of the router and
then capture the password of anyone logging on to the system.

GAO does not have evidence of data being tampered with or violations of
trade secrets or enforcement data.  In some cases where there were
violations, it resulted in criminal investigations.  And while there are
big problems, GAO never recommended that EPA shut its web site down.  (In
fact, GAO has found computer security problems at other agencies, such as
State Dept, but it appears no agency has completely and this thoroughly cut
off its Internet connection and email services.)

Bliley planned a hearing today (2/17) on EPA computer security and had
asked GAO to testify.  EPA raised concerns about holding the
hearing.  Reportedly, Bliley gave EPA an ultimatum:  shut down the EPA web
site and all email services or the public would hear about how to hack the
EPA web site.  EPA decided to shut down their Internet services last night.

Bliley postponed the hearing but called a press conference at 1 p.m.
today.  At the press conference, Bliley released the GAO testimony and
supported EPA's decision to shut down the web site.  EPA claims it was
disappointed that it had to shut down.

According to folks in the White House, EPA is quickly trying to put the
public web site back up and sever its connection to the internal
systems.  It is not clear when this will happen.

There are many issues that this "crisis" raises, but two stick out.

First, if EPA had security violations, why didn't Bliley give EPA the time
that is needed to fix the problems that GAO found?  Why did he hold a gun
to EPA's head?  Even if there were computer security problems, it could
have been handled in a manner that did not disrupt public access to the
agency and did not create a "crisis."

This raises questions about Bliley's objectives.  Maybe it is a coincidence
that a number of his campaign contributors are regulated by EPA.  For
example, a large grouping of contributors are from the mining and
electrical gas sectors, which for the first time will need to report to EPA
on toxic releases.  Some of his larger contributors are listed as major
polluters.  Bliley is the same person who pushed the terrorism argument
last summer as a reason to withhold public access to information about
chemical hazards in our communities.  Instead of improving public access,
Bliley has taken a course of thwarting EPA and, hence, public access.

Second, EPA has known for many years that it has computer management
problems.  Inspector General reports since 1997 have raised concerns, but
little has been done to fix the problems.  When GAO showed EPA it had
problems, why didn't it immediately address these problems?

EPA Administrator Browner took the helpful step to create an Information
Office within EPA.  But since then no one has been appointed to run the
office.  Increasingly, the Office is proving to be less than useful, maybe
even a major disappointment.  Why has the Office not taken the leadership
to develop a comprehensive information plan that covers computer management
issues?


--------------------------------------------
Gary D. Bass
OMB Watch
1742 Connecticut Ave., N.W., Washington, D.C.  20009
TEL:  (202) 234-8494     FAX: (202) 234-8584
bassg@ombwatch.org
http://www.ombwatch.org



==============================================================
ENVIRO-MICH:  Internet List and Forum for Michigan Environmental
and Conservation Issues and Michigan-based Citizen Action.   Archives at
http://www.great-lakes.net/lists/enviro-mich/

Postings to:  enviro-mich@great-lakes.net      For info, send email to
majordomo@great-lakes.net  with a one-line message body of  "info enviro-mich"
==============================================================