Late in the evening on Wednesday, February 16, the Environmental Protection Agency (EPA) without any warning shut down its Internet services, including its web site and email services. The public, which monthly racks up millions of visits on EPA's web site, could not access EPA's web site (www.epa.gov), and there has been no way to communicate via email with EPA employees. Rep. Thomas J. Bliley (R-VA), who chairs the powerful House Commerce Committee, has been conducting a McCarthy-like campaign against "cyber-terrorism." Instead of Red-baiting, however, Bliley is Web-baiting. His threats unnecessarily forced EPA to shut down and drew public attention to issues that should have been resolved quietly. Now, once EPA brings its site back online, it will draw the attention of hackers to try to breach EPA security. The shut down of EPA's web site leaves other agency webmasters wondering if their systems could be next. If Rep. Bliley had jurisdiction over Internet security, would he push for a shut down of the entire Internet? EPA also should not escape criticism. EPA has not taken adequate steps to insure computer security. Its actions (and inactions) are indicative of a broader problem the agency has in managing its information resources. The result, coupled with the Bliley-EPA feud, is that the public loses. Impact on People People have grown to depend on EPA's web site to communicate with their government. Even since late Wednesday night, when the site went down, a man in Alaska preparing for a public hearing could not find out about the waste handling record on a local landfill. College students in Florida could not complete a class assignment to analyze the environmental performance of companies. A father in California could not search EPA's Envirofacts to locate polluters in his community. Business and community groups, insurance companies and educators, attorneys and students alike were hurt by this action. The long-term impact on the agency's credibility could be severe. One attorney currently engaged in a lawsuit with big industry believed this shut down would affect his ability to argue his case and hurt the agency's ability to enforce environmental laws and force polluters to operate in the sunshine. Background All this resulted from Bliley's request some months ago for a General Accounting Office (GAO) audit of EPA's computer security. GAO worked closely with EPA staff in the process. As the audit was coming to a close in December, GAO procedures required it to share its findings with EPA. The problems at EPA mostly dealt with bad to poor computer management: ineffective firewalls; lack of controls (e.g., passwords); logs that did not capture hackers; and computer doors that had been left open. GAO found EPA's "vulnerabilities ... have been exploited by both external and internal sources." It appears that GAO was able to take control of a key piece of network security equipment, a "router," and then capture the password of anyone logging on to the computer mainframe computer at Research Triangle Park in North Carolina. Rep. Bliley asked GAO to give him a copy of the letter to EPA and then, on December 20, sent EPA Administrator Carol Browner a letter highlighting problems that GAO found. The letter requests EPA to "report back to me within 10 days ... with a detailed description of the corrective actions EPA intends to take ... [and] the dates upon which EPA anticipates the corrective actions will be implemented..." The Bliley action heightened concerns at EPA because the letter, unlike the GAO communication, became public. EPA responded with information about its corrective actions. Nonetheless, Bliley scheduled a hearing for February 17 to discuss the GAO findings and EPA's response. According to testimony planned for the hearing, GAO found "serious and pervasive problems that essentially render EPA's agencywide information security program ineffective." GAO's testimony, which Bliley released at a February 17 press conference, indicates that EPA had been warned of various computer security problems as early as 1997 through Inspector General reports and had done little to fix the problems. GAO notes that the vulnerabilities "illustrate deficiencies in EPA's ability to detect, respond to, and document security incidents affecting its systems." GAO provided some examples of security problems, including an intruder gaining unauthorized access to a state university computer through the EPA site, the creation of a "chat room" on an EPA computer server for hackers to post notes, and two attacks by hackers that slowed EPA's computer system and may have launched a denial of service attack against an Internet service provider. Other serious intrusions may have occurred, but there is no evidence in the GAO report of violating enforcement or trade secret data. Bliley and Rep. Fred Upton (R-MI), the chair of the Subcommittee on Oversight and Investigations, sent EPA Administrator Carol Browner a letter on February 15 postponing the February 17 hearing and calling on EPA to "Immediately shut down the Internet connection to your Agency data systems until such time as you can provide reasonable assurance that the more vulnerabilities identified by GAO have been at least temporarily corrected or mitigated." Bliley posted the letter on his web site, creating fears at EPA that hackers would now try to breach the EPA system. The next day, on February 16, Bliley issued a press release with the headline, "GAO Finds Cyber Insecurity at EPA" which also called for EPA to shut down its Internet connections because of serious security threats. That evening EPA shut down its web and email Internet services, claiming that Bliley's actions put them in a vulnerable position and implicitly encouraged hackers to attempt breaching the system. Then, on February 17, Bliley called a press conference and released the GAO testimony. The GAO statement, however, never called for EPA to shut down its Internet connection. Bliley was determined to release GAO's sensitive security findings even though not all of them had been provided to EPA and EPA had not been given any time to prepare for the release of the findings. It should be noted that GAO does not have evidence of data being tampered with or violations of trade secrets or enforcement data. In some cases where there were violations, they resulted in criminal investigations, although EPA had to be notified by the Justice Department of the violations. Bliley was correct in pursuing computer security problems at EPA. The fact that GAO was able to penetrate the router, then easily obtain certain passwords is an indication of serious problems. And he may have been at wit's end to get EPA to take corrective action, especially since EPA has known about computer security glitches for some time and done little to fix them. But going public was the wrong answer. EPA had been cooperating with GAO on the security investigation. It had provided detailed system specifications to assist their investigation. Moreover, EPA took no special steps to track GAO's "hacking" attempts but studiously avoided interfering with GAO's work. Why Go Public? GAO never recommended shutting down the Internet connection. And GAO pointed out that since December, when it notified EPA of certain security problems, it "resulted in quick actions" by EPA. The fact is that EPA had already begun to move forward to fix the "firewall" problems and appointed a "Technical Information Security Staff" to address the GAO findings. Bliley was informed of this but still went forward with a public call to shut down EPA's Internet connection. Why? His actions raise speculation about ulterior motives. For a decade now, EPA has been running a very successful right-to-know program that discloses to the public industrial toxic chemical releases into the air, land and water. Public disclosure of polluters' activities under the Toxics Release Inventory (TRI) program has led to a 43% reduction in the release of chemicals included in the program. In the next few weeks, EPA will release data on toxic chemical pollution from major new sources, including mining and electrical utilities, in conjunction with its annual TRI release. The shut down of EPA's web site will most likely delay release of this new data. According to the Center for Responsive Politics, Bliley also happens to receive significant campaign contributions from oil and gas, mining, electrical utilities, and chemical manufacturing companies. Searches of EPA's Toxics Release Inventory on RTK NET find that many of these same companies -- including Union Carbide, Texaco, Shell, Eli Lilly, Rhone-Poulenc, and Eastman Kodak – report large amounts of chemical pollution. Why is it, then, that computer security at government agencies worries Rep. Bliley more than physical plant security at some of the country's biggest chemical plants? Last summer, Rep. Bliley helped industry hide from the public the harm communities faced in potential worst-case chemical accidents at tens of thousands of chemical manufacturing, processing or storage facilities. A government study found that physical security problems at these plants paralleled the computer security problems found at EPA. But Chairman Bliley continued to fight efforts to beef up security at these plants and pushed efforts to squash disclosure of this information. Why is he focusing so much on EPA's computer security while ignoring physical security at these chemical plants? EPA Should Share Blame At the same time, we should not exonerate EPA. When GAO brought these problems to the attention of EPA officials, why did the agency not immediately address these problems? In the face of reports dating as far back as 1997 raising concerns over computer security problems, EPA did little until recently to solve its problems. And why has EPA not taken the leadership to develop a comprehensive information plan that covers computer management issues? EPA Administrator Browner last year took the helpful step of creating a new office within EPA devoted solely to collecting, managing and providing public access to information to protect human health and the environment. But since then no one has been appointed to run the office and the agency has become bogged down in rearranging staff and budgets. Next Steps EPA could take a number of steps to strengthen the public's right to know about environmental hazards and threats to human health. For example, EPA should:

• Develop a program to reduce the public's burden in obtaining, understanding and using environmental information to promote environmental protections. Such a program should include training and assistance grants, telephone assistance "hot lines," collaborations with libraries and others in providing data, and improvements to the Web site to make it more user- friendly and information easier to find;
• Require those who submit information to EPA (e.g., industrial facilities) to justify requests to withhold information from the public in order to safeguard trade secrets.
• Set an expiration date on trade secret shields. The potency of trade secrets comes from the timeliness of the information. An industry competitor's ten-year-old business plan is irrelevant compared with one developed last month. After a specified time period information shielded from the public should be disclosed to the public.
• Create an index of all EPA's information on its web site in order to comply with legal requirements. Most federal agencies do not even list of information they make available to the public. Amendments to the Freedom of Information Act passed in 1996 require all federal agencies to make an index of all information products and either link to the information itself or explain how the information can be obtained. Such an index would be helpful to the public in locating information as well as helpful to the agency in understanding what information is or is not available.

We urge the President to exercise leadership and make this new information office a showpiece for all federal agencies. He should ensure EPA is adequately funded and managed to make the best use of modern information technology. And he should ensure that the public right to know is never again compromised.