[Dioxin-l] a bit more on epa web shutdown

[Michael Meuser]

A bit more on the issue.  An LA times story is available at
http://www.mapcruzin.com/scruztri/docs/cep0217002.htm

mike

------- Forwarded Message Follows -------
Date sent:      	Thu, 17 Feb 2000 17:04:43 -0500
To:             	"Federal information policy listserv" <gov-info-
access@lyris.ombwatch.org>
From:           	"Gary D. Bass" <bassg@ombwatch.org>
Subject:        	Update on EPA shutting down its Web site
Send reply to:  	"Federal information policy listserv" <gov-info-
access@lyris.ombwatch.org>

[ Double-click this line for list subscription options ]

A bit more update on the shutdown of the EPA web site.  What a 
horror story!

CONCLUSION:  There is no rationale for the unprecedented 
shutting down of the EPA web site and email services, cutting off a 
major means for the public to communicate with EPA.   There is no 
question that EPA has computer vulnerabilities, but these could 
have been resolved with good computer management. In the 
meantime, Rep. Bliley (R-VA), the chair of the House Commerce 
Committee, basically held a gun to EPA's head, effectively telling 
EPA to shut down its site or it would put information out about 
security risks, making it easier for the public to hack EPA's site, 
instead of helping EPA make fixes.  This does not exonerate EPA. 
 EPA has known about its computer vulnerabilities for some time 
and has done little to fix the problems.  Despite the computer 
problems at EPA, there was no "crisis."  The General Accounting 
Office never recommended shutting down the EPA site, but Bliley, 
who has done the bidding of powerful special interests, has acted 
to thwart public access.  

THE STORY: Some months ago Rep. Thomas Bliley (R-VA), the 
chair of the House Commerce Committee, requested the General 
Accounting Office (GAO) to do a computer security audit at EPA.  
As the audit was coming to a close, GAO was required to share 
the information with EPA.  But, reportedly, Bliley was upset since 
he didn't want EPA fixing the problems.  Rather, he wanted to bash 
EPA.  He required GAO to give him a copy of the letter to EPA and 
then, it is rumored, he leaked some portions to the press, making 
the problems at EPA sound horrendous.  

GAO did, however, find "serious and pervasive problems that 
essentially render EPA's agencywide information security program 
ineffective."  The problems at EPA mostly dealt with bad to poor 
computer management: ineffective firewalls; lack of controls (e.g., 
passwords); logs that didn't capture hackers; computer doors that 
had been left open.  GAO found EPA's "vulnerabilities...have been 
exploited by both external and internal sources."  It appears that 
GAO was able to take control of the router and then capture the 
password of anyone logging on to the system.  

GAO does not have evidence of data being tampered with or 
violations of trade secrets or enforcement data.  In some cases 
where there were violations, it resulted in criminal investigations.  
And while there are big problems, GAO never recommended that 
EPA shut its web site down.  (In fact, GAO has found computer 
security problems at other agencies, such as State Dept, but it 
appears no agency has completely and this thoroughly cut off its 
Internet connection and email services.)  

Bliley planned a hearing today (2/17) on EPA computer security 
and had asked GAO to testify.  EPA raised concerns about holding 
the hearing.  Reportedly, Bliley gave EPA an ultimatum:  shut 
down the EPA web site and all email services or the public would 
hear about how to hack the EPA web site.  EPA decided to shut 
down their Internet services last night.  

Bliley postponed the hearing but called a press conference at 1 
p.m. today.  At the press conference, Bliley released the GAO 
testimony and supported EPA's decision to shut down the web 
site.  EPA claims it was disappointed that it had to shut down.  

According to folks in the White House, EPA is quickly trying to put 
the public web site back up and sever its connection to the internal 
systems.  It is not clear when this will happen.  

There are many issues that this "crisis" raises, but two stick out.

First, if EPA had security violations, why didn't Bliley give EPA the 
time that is needed to fix the problems that GAO found?  Why did 
he hold a gun to EPA's head?  Even if there were computer 
security problems, it could have been handled in a manner that did 
not disrupt public access to the agency and did not create a 
"crisis."  

This raises questions about Bliley's objectives.  Maybe it is a 
coincidence that a number of his campaign contributors are 
regulated by EPA.  For example, a large grouping of contributors 
are from the mining and electrical gas sectors, which for the first 
time will need to report to EPA on toxic releases.  Some of his 
larger contributors are listed as major polluters.  Bliley is the same 
person who pushed the terrorism argument last summer as a 
reason to withhold public access to information about chemical 
hazards in our communities.  Instead of improving public access, 
Bliley has taken a course of thwarting EPA and, hence, public 
access.  

Second, EPA has known for many years that it has computer 
management problems.  Inspector General reports since 1997 have 
raised concerns, but little has been done to fix the problems.  
When GAO showed EPA it had problems, why didn't it 
immediately address these problems?  

EPA Administrator Browner took the helpful step to create an 
Information Office within EPA.  But since then no one has been 
appointed to run the office.  Increasingly, the Office is proving to be 
less than useful, maybe even a major disappointment.  Why has 
the Office not taken the leadership to develop a comprehensive 
information plan that covers computer management issues?  


--------------------------------------------
Gary D. Bass
OMB Watch
1742 Connecticut Ave., N.W., Washington, D.C.  20009
TEL:  (202) 234-8494     FAX: (202) 234-8584
bassg@ombwatch.org
http://www.ombwatch.org


---
You are currently subscribed to gov-info-access as: meuser@enviroknowledge.com
To unsubscribe send a blank email to leave-gov-info-access-
25297J@lyris.ombwatch.org

Gov-Info-Access, is an open electronic mailing list launched by the 
Public 
Access Working Group. Gov-Info-Access should be used to post 
information 
relevant to public access to federal government information, and for 
the occasional 
exchange of views on this subject. 




Michael R. Meuser,
Environmental Sociologist
meuser@mapcruzin.com

http://www.mapcruzin.com/
Environmental Communication, GIS, RTK
Environmental & Sociodemographic Research
"Making Data Make Sense"