This is quite something. From Judge Lamberth's order, additional
insight into the behavior of a contractor we know well:
It is unfortunate, therefore, that Interior proposes that
"[e]ach bureau or office for which reconnection is intended
will take steps to verify its representation that the IT
system is secure from Internet access by unauthorized users."
Interior Proposal at 7. In support, Interior plans to submit
documentation to the Court that "will incorporate the data
necessary to support a risk-based decision on Internet
reconnection. The assessment may include, as appropriate: (1)
network mapping and enumeration; (2) SANS/FBI Top 20
Vulnerability List Comparison; (3) vulnerability assessment;
and (4) penetration testing." Id. at 7. Interior further
offers that the above assessment will be performed by
"Interior or its contractor." Id. at 7 n.9. "Interior's
current contractor is Science Applications International
Corporation ("SAIC")." Id. at 8 n.11. As this Court already
noted: "SAIC is a contractor that is paid by the Interior
Department" and as such "it cannot be considered to be a
testing agency that operates independently of the Interior
Department." 274 F.Supp.2d at 133. Furthermore, the Court
observes that SAIC's long history as an Interior contractor in
this area and the simple fact that Interior's IT security
remains poor makes this Court reticent to rely on their
judgment. Allowing Interior or SAIC to provide the
verification of representations made by its bureaus on the
adequacy of their IT security does not offer this Court any
party without a conflict of interest or a track record of
incompetency and is an insufficient method of verifying IT
security. The Court's desire is simple and specific. The Court
wants Interior to propose and the Court to approve 1) an
entity with no prior relationship to Interior, 2) that
possesses the requisite expertise in IT security, 3) whose
only work for Interior will be performing the tasks set forth
for it in the preliminary injunction issued this date, and 4)
who will report all its findings to the Court. The Court does
not mandate that such an entity work for the Court, in fact
they can be paid and supervised directly by Interior. In this
regard the Court is now making and continues to make every
effort to allow the department to manage its own affairs
without Court intervention. But the Court must absolutely have
an entity not tainted by the history of falsehoods and
deceptions that has plagued this litigation, nor otherwise
dependent upon Interior for its revenues and livelihood, to
provide honest appraisals of the security of individual Indian
trust data ...
Interior truly brought this on themselves. Accordingly, the
Office of Inspector General, the Minerals Management Service,
the Bureau of Land Management, the Bureau of Reclamation, the
Office of the Special Trustee, Fish and Wildlife, the Bureau
of Indian Affairs, the Office of Surface Mining, and the
National Business Center must disconnect all of their
respective computer systems from the Internet. This includes
every single IT system within that bureau whether or not that
IT system houses or provides access to individual Indian trust
data. In contrast, the National Park Service, the Office of
Policy Management and Budget, and the United States Geological
Survey do not have to disconnect any currently connected
system from the Internet. Lastly, no system essential for the
protection against fires or other threats to life or property
should be disconnected from the Internet.