Will Security Lapse Bring Another EPA Data Blackout?

More than a decade ago, on February 17, 2000, the entire EPA website was taken down for two weeks because of data security concerns raised by the House Energy Committee. There are faint hints that such events may be in the offing again.

EPA's website was quickly restored in 2000, but industry allies on House Energy did succeed in damaging public confidence in the security of EPA's site at a time when industry wanted to give less data to EPA.

EPA has spent a decade upgrading its computer systems and the security of its sprawling network. At the request of House Energy leaders, the Government Accountability Office (GAO) this summer finished (on July 19, 2012) another report chiding EPA for network security flaws still unfixed. The report was given to House Energy, but apparently not released, under a longstanding protocol that GAO reports are not released publicly until they have gone to Congressional requesters. This gives Congress a chance to release the reports, occasionally spun by accompanying press releases.

Then news occurred. On August 2, reporter Jill R. Aitoro at Washington Business Journal broke a story that a significant breach of EPA's network security had happened in March 2012.

Although official information is scarce, it appears that the breach came from a link to a contractor's computer and would potentially have harmed mainly EPA employees. There is currently no evidence that any actual harm occurred. More than two weeks later, on August 20, House Energy leaders released a press release about the GAO report. GAO released the report the same day. The release said system security flaws could be "jeopardizing the agency’s ability to protect confidential and sensitive information" — which translates at House Energy as industry secrets.

• "Information Security: Environmental Protection Agency Needs to Resolve Weaknesses," Government Accountability Office, July 19, 2012, GAO 12-696.
• "Was the EPA Data Breach a Failure of Cybersecurity 101?" Federal Computer Week, August 3, 2012, by Amber Corrin.
• "Government Watchdog Identifies Vulnerabilities in EPA's Information Security," House Energy and Commerce Committee, Press release of August 20, 2012.
• "EPA Security Breach Exposes Personal Information of 8,000 People," Washington Business Journal, August 2, 2012, by Jill R. Aitoro.
• "EPA Blackout Advances Industry Agenda," SEJournal, Spring 2000, pp. 20-21, by Joseph A. Davis; see also Rep. Bliley response at same location.
• "EPA Web Site Shut Down Draws Criticism," EHS Today, February 21, 2000.
• "Politics Plays Prominent in Government Denial of Service Attack on Itself," OMB Watcher, OMB Watch, February 26, 2000.