Politics Plays Prominent in Government Denial of Service Attack on Itself
Late in the evening on Wednesday, February 16, the Environmental Protection Agency (EPA)
without any warning shut down its Internet services, including its web site and email services.
The public, which monthly racks up millions of visits on EPA's web site, could not access EPA's
web site (www.epa.gov), and there has been no way to
communicate via email with EPA
Rep. Thomas J. Bliley (R-VA), who chairs the powerful House Commerce Committee, has been
conducting a McCarthy-like campaign against "cyber-terrorism." Instead of Red-baiting,
however, Bliley is Web-baiting. His threats unnecessarily forced EPA to shut down and drew
public attention to issues that should have been resolved quietly. Now, once
EPA brings its site back online, it will draw the attention of hackers to
try to breach EPA security. The shut down of EPA's web site leaves other agency webmasters
wondering if their systems could be next. If Rep. Bliley had jurisdiction over Internet security,
would he push for a shut down of the entire Internet?
EPA also should not escape criticism. EPA has not taken adequate steps to insure computer
security. Its actions (and inactions) are indicative of a broader problem the agency has in
managing its information resources. The result, coupled with the Bliley-EPA feud, is that the
Impact on People
People have grown to depend on EPA's web site to communicate with their government. Even
since late Wednesday night, when the site went down, a man in Alaska preparing for a public
hearing could not find out about the waste handling record on a local landfill. College students
in Florida could not complete a class assignment to analyze the environmental performance of
companies. A father in California could not search EPA's Envirofacts to locate polluters in his
community. Business and community groups, insurance companies and educators, attorneys and
students alike were hurt by this action.
The long-term impact on the agency's credibility could be severe. One attorney currently
engaged in a lawsuit with big industry believed this shut down would affect his ability to argue
his case and hurt the agency's ability to enforce environmental laws and force polluters to operate
in the sunshine.
All this resulted from Bliley's request some months ago for a General Accounting Office (GAO) audit of EPA's computer security. GAO worked closely with EPA staff in the process. As the audit was coming to a close in December, GAO procedures required it to share its findings with EPA.
The problems at EPA mostly dealt with bad to poor computer management: ineffective firewalls;
lack of controls (e.g., passwords); logs that did not capture hackers; and computer doors that had
been left open. GAO found EPA's "vulnerabilities ... have been exploited by both external and
internal sources." It appears that GAO was able to take control of a key piece of network security
equipment, a "router," and then capture the password of anyone logging on to the computer
mainframe computer at Research Triangle Park in North Carolina.
Rep. Bliley asked GAO to give him a copy of the letter to EPA and then, on December 20, sent
EPA Administrator Carol Browner a letter highlighting problems that GAO found. The letter
requests EPA to "report back to me within 10 days ... with a detailed description of the corrective
actions EPA intends to take ... [and] the dates upon which EPA anticipates the corrective actions
will be implemented..." The Bliley action heightened concerns at EPA because the letter, unlike
the GAO communication, became public.
EPA responded with information about its corrective actions. Nonetheless, Bliley scheduled a
hearing for February 17 to discuss the GAO findings and EPA's response. According to
testimony planned for the hearing, GAO found "serious and pervasive problems that essentially
render EPA's agencywide information security program ineffective."
GAO's testimony, which Bliley released at a February 17 press conference, indicates that EPA
had been warned of various computer security problems as early as 1997 through Inspector
General reports and had done little to fix the problems. GAO notes that the vulnerabilities
"illustrate deficiencies in EPA's ability to detect, respond to, and document security incidents
affecting its systems." GAO provided some examples of security problems, including an intruder
gaining unauthorized access to a state university computer through the EPA site, the creation of a
"chat room" on an EPA computer server for hackers to post notes, and two attacks by hackers
that slowed EPA's computer system and may have launched a denial of service attack against an
Internet service provider. Other serious intrusions may have occurred, but there is no evidence in
the GAO report of violating enforcement or trade secret data.
Bliley and Rep. Fred Upton (R-MI), the chair of the Subcommittee on Oversight and
Investigations, sent EPA Administrator Carol Browner a letter on February 15 postponing the
February 17 hearing and calling on EPA to "Immediately shut down the Internet connection to
your Agency data systems until such time as you can provide reasonable assurance that the more
vulnerabilities identified by GAO have been at least temporarily corrected or mitigated." Bliley
posted the letter on his web site, creating fears at EPA that hackers would now try to breach the
The next day, on February 16, Bliley issued a press release with the headline, "GAO Finds Cyber
Insecurity at EPA" which also called for EPA to shut down its Internet connections because of
serious security threats. That evening EPA shut down its web and email Internet services,
claiming that Bliley's actions put them in a vulnerable position and implicitly encouraged
hackers to attempt breaching the system. Then, on February 17, Bliley called a press conference
and released the GAO testimony. The GAO statement, however, never called for EPA to shut
down its Internet connection. Bliley was determined to release GAO's sensitive security findings
even though not all of them had been provided to EPA and EPA had not been given any time to
prepare for the release of the findings.
It should be noted that GAO does not have evidence of data being tampered with or violations of
trade secrets or enforcement data. In some cases where there were violations, they resulted in
criminal investigations, although EPA had to be notified by the Justice Department of the
Bliley was correct in pursuing computer security problems at EPA. The fact that GAO was able
to penetrate the router, then easily obtain certain passwords is an indication of serious problems.
And he may have been at wit's end to get EPA to take corrective action, especially since EPA has
known about computer security glitches for some time and done little to fix them. But going
public was the wrong answer.
EPA had been cooperating with GAO on the security investigation. It had provided detailed
system specifications to assist their investigation. Moreover, EPA took no special steps to track
GAO's "hacking" attempts but studiously avoided interfering with GAO's work.
Why Go Public?
GAO never recommended shutting down the Internet connection. And GAO pointed out that
since December, when it notified EPA of certain security problems, it "resulted in quick actions"
by EPA. The fact is that EPA had already begun to move forward to fix the "firewall" problems
and appointed a "Technical Information Security Staff" to address the GAO findings. Bliley was
informed of this but still went forward with a public call to shut down EPA's Internet connection.
Why? His actions raise speculation about ulterior motives.
For a decade now, EPA has been running a very successful right-to-know program that discloses
to the public industrial toxic chemical releases into the air, land and water. Public disclosure of
polluters' activities under the Toxics Release Inventory (TRI) program has led to a 43%
reduction in the release of chemicals included in the program.
In the next few weeks, EPA will release data on toxic chemical pollution from major new
sources, including mining and electrical utilities, in conjunction with its annual TRI release. The
shut down of EPA's web site will most likely delay release of this new data.
According to the Center for Responsive Politics, Bliley also happens to receive significant campaign contributions from oil and gas, mining, electrical utilities, and chemical manufacturing
companies. Searches of EPA's Toxics Release Inventory on RTK NET find that many of these same companies -- including Union
Carbide, Texaco, Shell, Eli Lilly, Rhone-Poulenc, and Eastman Kodak – report large amounts of
Why is it, then, that computer security at government agencies worries Rep. Bliley more than
physical plant security at some of the country's biggest chemical plants? Last summer, Rep.
Bliley helped industry hide from the public the harm communities faced in potential worst-case
chemical accidents at tens of thousands of chemical manufacturing, processing or storage
facilities. A government study found that physical security problems at these plants
paralleled the computer security problems found at EPA. But Chairman Bliley continued
to fight efforts to beef up security at these plants and pushed efforts to squash disclosure of this
information. Why is he focusing so much on EPA's computer security while ignoring physical
security at these chemical plants?
EPA Should Share Blame
At the same time, we should not exonerate EPA. When GAO brought these problems to the
attention of EPA officials, why did the agency not immediately address these problems? In the
face of reports dating as far back as 1997 raising concerns over computer security problems, EPA
did little until recently to solve its problems.
And why has EPA not taken the leadership to develop a comprehensive information plan that
covers computer management issues? EPA Administrator Browner last year took the helpful
step of creating a new office within EPA devoted solely to collecting, managing and providing
public access to information to protect human health and the environment. But since then no one
has been appointed to run the office and the agency has become bogged down in rearranging staff
EPA could take a number of steps to strengthen the public's right to know about environmental
hazards and threats to human health. For example, EPA should:
environmental information to promote environmental protections. Such a program should
include training and assistance grants, telephone assistance "hot lines," collaborations with
libraries and others in providing data, and improvements to the Web site to make it more user-
friendly and information easier to find;
requests to withhold information from the public in order to safeguard trade secrets.
from the timeliness of the information. An industry competitor's ten-year-old business plan is
irrelevant compared with one developed last month. After a specified time period information
shielded from the public should be disclosed to the public.
requirements. Most federal agencies do not even list of information they make available to
the public. Amendments to the Freedom of Information Act passed in 1996 require all federal
agencies to make an index of all information products and either link to the information itself or
explain how the information can be obtained. Such an index would be helpful to the public in
locating information as well as helpful to the agency in understanding what information is or is
We urge the President to exercise leadership and make this new information office a showpiece
for all federal agencies. He should ensure EPA is adequately funded and managed to make the
best use of modern information technology. And he should ensure that the public right to know
is never again compromised.