EPA Web site shut down

Published April 1, 2000

Late on the night of Wednesday, February 16, the U.S. Environmental Protection Agency shut down its public Web site. The move was demanded by House Commerce Committee Chairman Tom Bliley (R-Virginia), who warned hackers could easily use the site to access some of the nation’s most critical business and national security secrets.

The Web site was up and running days later but without its ties to the rest of the EPA computer systems. Notes EPA, “the Web site is back on-line to serve HTML pages, but at this time several other systems that support the Agency Web site are not yet ready to be reattached to the Internet server. Each of these systems will be made available as soon as the necessary system upgrades have been completed. If you experience difficulty in connecting to a specific site, please contact the appropriate Program Office.”

For seven years, Bliley and others have expressed concern over the Clinton-Gore administration’s lack of attention to computer security–concerns that were ignored as EPA continued to collect sensitive industry information, while maintaining that the data fed into its computers were secure.

But on February 15, the General Accounting Office (GAO) reported it had easily “hacked” EPA computers as part of an investigation requested by Bliley. According to Bliley, GAO hackers then used the EPA Web site to gain access to “. . . not only data worth hundreds of millions of dollars, but trade secrets and sensitive data that could put our national and economic security at risk.”

As Bliley wrote to EPA Administrator Carol Browner, “We are particularly concerned that your agency’s computer data and systems may be highly vulnerable to penetration, misuse, or attack by unauthorized users via the Internet, including law enforcement-sensitive data, proprietary and confidential business information, Privacy Act data and financial and accounting systems.

“Indeed, even the chemical accident worst-case scenario database, with its national security implications, may not be fully protected–despite the mandate of a bi-partisan law passed last year at our urging to stop your agency from carrying through on its risky plan to post this data on your public Web site.”

“Sum of all fears”

“Worst-case scenarios” are contained in a compilation of Risk Management Plans (RMP) covering 250 chemicals, ranging from highly explosive methyl ether to phosgene. In addition to the amount, location, and method of storage for each chemical inventoried, manufacturers and others affected by EPA’s reporting mandate must divulge a “worst case scenario,” providing detailed information about how the chemicals are stored and how they might be “ignited, exploded or otherwise released into the environment.” Experts have told Environment & Climate News that in some instances, these worst-case scenarios could be made reality at long range, ignited by such readily available devices as marine-safety parachute flares. The worst-case scenario outlines must also include the type and extent of the damage that would result; the number of people killed and injured; the total area that would be affected; the number of schools, shopping centers, and other public gathering places in the affected area; as well as such helpful details as the optimum wind direction for maximum casualties.

FBI, CIA, and other security experts warned about the danger of this information falling into the hands of foreign and domestic terrorists, such as the Earth Liberation Front. In a rare move, both houses of Congress passed last year, by unanimous consent, a bill authored by Senator James Inhofe (R-Oklahoma) to prohibit EPA from publishing the data.

Now there appears to be a strong possibility that “worst-case scenario” information was, in fact, easily available through the security sieve of EPA’s Web site.

Solutions will be difficult

Protecting EPA’s computers will be difficult, raising the question of whether information such as “worst-case scenarios” should be in them at all. Hackers penetrate the highly sophisticated national defense and law enforcement computers on a regular basis, according to CIA Director George Tenet. The Pentagon estimates its computers are hacked nearly 250,000 times a year. While most of these are relatively innocent penetrations, the Pentagon estimates about 500 are sophisticated attempts to obtain classified information.