IN THE UNITED STATES DISTRICT COURT

                   FOR THE DISTRICT OF COLUMBIA



__________________________________________

ELOUISE PEPION COBELL, et al.,          	 	 )  

							 )	

	Plaintiffs,					 )

							 )

                         	v.                 	 ) Case No. 1:96CV01285

          						 ) (Judge Lamberth)

GALE A. NORTON, Secretary of the Interior, et al., 	 )

							 )

	Defendants.					 )

__________________________________________  		 )



      DEFENDANTS’ OPPOSITION TO PLAINTIFFS’ CONSOLIDATED 

MOTION FOR TEMPORARY RESTRAINING ORDER AND PRELIMINARY INJUNCTION

	

	Pursuant to Rule 65 of the Federal Rules of Civil Procedure and Local Civil Rule 65.1,

Defendants respectfully submit the following opposition to Plaintiffs’ Consolidated Motion for

Temporary Restraining Order and Preliminary Injunction (Dkt. No. 2926) (filed Apr. 11, 2005) 

(“Plaintiffs' Motion” or “Pl. Mot.”), which seeks an order requiring that “the Interior Defendants shall

immediately disconnect from the Internet and terminate the operation of all information technology

systems within the custody and control of the Department of the Interior, its employees, agents, and

contractors that house or provide access to Trust Data.”  Pl. Mot., Ex. 1 (proposed order).

	Plaintiffs’ Motion Should Be Denied Because Plaintiffs Cannot  Establish 

	Any of the Elements Required for Issuance of Such an Order.

	In their motion, Plaintiffs seek the broadest and most damaging of orders to-date with respect

to Interior’s Information Technology (“IT”) systems:  Plaintiffs seek an order to disconnect such IITD

systems from the Internet and to shut down their operations entirely.  Pl. Mot. at 6; Ex. 1.  In seeking

such relief, Plaintiffs devote only a slim portion of their motion to a discussion of the elements that this

Court must consider before entering a temporary restraining order or a preliminary injunction.  See Pl.

Mot. at 29-34.

	As this Court is aware, in considering whether to grant an application for a temporary

restraining order or a preliminary injunction, this Court must examine (1) whether a substantial

likelihood exists that the plaintiff would succeed on the merits, (2) whether the plaintiff would suffer

irreparable injury if the injunctive relief is denied, (3) whether the granting of injunctive relief would

substantially injure the other party, and (4) whether the public interest would be served by the granting

of the injunctive relief.  E.g., Davenport v. Int’l Bhd. of Teamsters, AFL-CIO, 166 F.3d 356, 360-61

(D.C. Cir. 1999) (citing Serono Lab., Inc. v. Shalala, 158 F.3d 1313, 1317-18 (D.C. Cir. 1998));

Kudjodi v. Wells Fargo Bank, 181 F. Supp. 2d 1, 2 n. 2 (D.D.C. 2001).  Simply put, Plaintiffs have

failed to establish any of these elements and, accordingly, no basis exists for a temporary restraining

order or a preliminary injunction.

               A.   Plaintiffs Have Not Established a Substantial Likelihood of Success on

          the Merits.



	Plaintiffs assert that the notice filed by Defendants on April 8, 2005 (the “April Notice”) and

the purported “admissions” of Interior’s Chief Information Officer, W. Hord Tipton, provide sufficient

evidence to find that a substantial likelihood exists that Plaintiffs will succeed on the merits of their claim

that individual Indian trust data (“IITD”) on Interior’s IT systems is insecure and that there is an

imminent risk of loss, destruction or corruption of IITD.  Pl. Mot. at 30.  Neither the April Notice nor

the unsigned transcript from Mr. Tipton’s yet-to-be-completed deposition meets their burden.

	The April Notice refers to a memorandum entitled “IT Security Penetration Testing -

Notification of Potential Finding and Recommendation” provided to the Bureau of Land Management

(“BLM”) on April 6, 2005 (the “April Report”).  As the April Notice explained, the penetration testing

(conducted by a contractor supervised by the Office of the Inspector General (“OIG”) independently of

BLM or the rest of Interior) is part of a larger, comprehensive program which Interior has established

to monitor and assess security controls placed on Interior’s IT systems, in compliance with

requirements of the continuous monitoring final phase of the Certification and Accreditation (“C&A”)

described in NIST SP 800-37.  The potential for discovery, during the continuous monitoring phase,

that security controls are not as effective as intended is specifically contemplated by NIST SP 800-37:

                    If the results of the security assessment indicate that selected controls

          are less than effective in their application and are affecting the security

          of the information system, corrective actions should be initiated and the

          plan of action and milestones updated.



Id. at 45.  As the April Notice reflects, “all vulnerabilities identified by the Inspector General either have

been or will be addressed promptly.” April Notice at 2.	The immediate risk to IITD which resulted from the potential security control vulnerability in the

BLM network has been mitigated or eliminated in the short-term by the disconnection of the majority of

the BLM network from Internet access.  As the attached Levine declaration demonstrates, the longer-

term solution to protecting IITD is to permit those portions of the network housing or accessing IITD to

have Internet access restored only after corrective actions are taken, additional security is in place and

a new security control assessment is completed, including further assessment by the OIG.  Levine Decl.

at 10.  Thus, for the BLM IT systems covered by the April Notice, Interior has already taken the steps

necessary to protect IITD and is implementing short-term and long-term solutions to resolve the issues

identified by the OIG penetration test.

	While Plaintiffs’ Motion seeks an order to disconnect and terminate the operation of all Interior

systems housing or accessing IITD, their motion provides no factual basis for such a sweeping, harsh

and draconian order.  The April Report contains no information concerning potential vulnerabilities or

weaknesses that threaten any IITD in any non-BLM IT systems housing or accessing IITD.  Lacking

any direct evidence on the security of the IITD on IT systems other than BLM, Plaintiffs rely on the

Office of the Inspector General’s Annual Evaluation of the Information Security Program of the

Department of the Interior (the “OIG Annual Evaluation”) and the deposition testimony of Mr. Tipton. 

Neither source supports their assertion that an Internet disconnection or a total termination of all Interior

IITD IT systems is required to protect IITD.

	Despite Plaintiffs’ attempt to characterize the OIG Annual Evaluation in terms of their view of

the C&A process, the Inspector General, whose investigators examined the enumerated systems,

came to a different conclusion.  The Inspector General stated:

                    We found that DOI has effectively designed its information security

          management program to meet the requirements of FISMA and

          continued to improve security over its information systems.  DOI

          developed its information security program based on OMB policies,

          NIST standards and guidelines, and DOI policies established through

          departmental directives.



OIG Annual Report at 3 (citations omitted).  Although the OIG noted that problems existed, including

the failure of bureaus to uniformly follow DOI guidance in implementing their security policies and the

C&A process, the OIG Annual Evaluation rated the Interior C&A process as satisfactory.  Thus,

Interior clearly has made significant improvement in IT security, as evidenced by the independent report

from the Inspector General, and the overall situation is markedly different from that which prevailed in

2001.  Plaintiffs’ reliance upon that outdated historical material should be rejected outright as not being

probative of Interior’s IT security today.

	Plaintiffs either ignore or gratuitously characterize as false, misleading or deceptive the

considerable weight of the evidence showing that Interior’s IT security has improved greatly over the

past three-plus years.  The extensive testing done by the Special Master’s well-qualified IT security

consultants prior to the reconnection of many IT systems, reflects the improvement of the security of

Interior’s IT systems since December 2001.  This demonstrated improvement cannot be dismissed

through a casual allegation that Interior “gamed” the Special Master or declaration that, almost two

years after the last approved reconnection, the Special Master’s determinations are suspect. 

Interior’s security posture did not stagnate once approval was obtained to reconnect to the Internet. 

Interior committed more than $100 million to improving the security  of its IT systems since the

December 17, 2001 Consent Order, increased its IT Security Program seven-fold and obligated $12

million to its C&A program.  See infra, p. 6 n.10.  Contractors with specialized skills needed to

complete the C&A process were engaged and actively participated in the numerous C&A processes

on-going in the many bureaus and offices.  Tipton Decl. at 12.

	While great emphasis was placed on completing the accreditation of IT systems, Interior also

emphasized testing and monitoring of all IT systems.  Despite Plaintiffs’ unsupported attacks on the

results of the SANS Top 20 scanning program, Pl. Mot. at 12, the results of the testing, conducted by a

contractor, are real and verifiable.  Tipton Decl. at 9.  However, it has become apparent that the

scope of the scanning should to be expanded beyond the SANS Top 20 to provide Interior bureaus

and offices with greater testing depth and the program is being redesigned to test additional items of IT

security.  Id. at 18.  Further, even as the SANS Top 20 scanning was being conducted, Interior took

the initiative to expand its security testing program pursuant to an agreement with the OIG to conduct

independent penetration testing of Interior IT systems.  Id. at 9.  The program is funded by Interior but

completely managed by the OIG.  OIG engaged an IT security firm to conduct the testing.  The OIG-

administered penetration testing program has been on-going for six months and has provided

information useful to Interior in assessing the effectiveness of the security controls on its IT systems.  Id.

at 12.

	The very thorough and intensive OIG penetration tests have worked as designed.  By testing

the networks in a real world environment and using the expert skills possessed by contractor personnel,

the tests have provided valuable data and assisted Interior in further improving its IT security.  While

some potential vulnerabilities have been revealed, Interior’s discovery of these potential vulnerabilities

through Interior’s own testing program permits the owners of the IT systems to mitigate or remove

potential vulnerabilities expeditiously instead of exposing the systems to outside threats.  As a result of

the SANS Top 20 scanning, the OIG penetration testing and other testing activities, the state of IT

security at Interior is better today than it has ever been.  Interior is not suggesting, nor does it believe,

that further improvements will not be implemented.  Further improvements are underway and more

are planned, including the consolidation of the thirty-three Interior Internet points of presence (“POPs”)

into five POPs centrally managed by the Enterprise Service Network, a centralized security control

center which can be intensively monitored and protected, and the creation of a Trust DMZ to provide

even greater protection for this information.  Tipton Decl. at 8.  However, there can be no doubt that

IITD is at much less risk from unauthorized Internet access today than at any time in the past.  Id. at 13. 

	Plaintiffs’ attempt to use the deposition of Mr. Tipton to bolster their argument that IT security

is inadequate fares no better than their reliance upon the OIG Annual Evaluation.  While Mr. Tipton

stated that he was not aware that “irreparable injury to the plaintiffs” was included in the C&A process,

Tipton Deposition at 331: 9-14; Pl. Mot. at 26, this statement reflects the poor form of the question

rather than a dismissal of the C&A concept of considering the level of harm to individuals or agency

operations that might result from a loss of data.  Indeed, the confusion demonstrated in Mr. Tipton’s

deposition is understandable since “irreparable harm” is a legal term commonly used in the

consideration of requests for injunctive relief and not a term used by IT security professionals analyzing

risks and implementation of security controls.  A question framed in terms of the security categorization

of federal information and information systems would be answered in terms that reflect the relevant

portion of the process found in FIPS Pub. 199, Standards for Security Categorization of Federal

Information and Information Systems (“FIPS 199"), February 2004, and in Chapter 3 of SP 800-37. 

Security categorization requires the system owner to examine, quantify and categorize the information in

the IT system based upon the harm that loss or destruction of the information would cause for the

organization or individuals.  Thus, while Mr. Tipton may not have been familiar with the use of the

specific term “irreparable harm” in the C&A process, it is clear that the consideration of the harm that

might result from the loss of data is clearly an integral part of the C&A process.

	Plaintiffs’ assertion that Mr. Tipton’s use of the term “residual risk” somehow negates the entire

C&A process is even more flawed.  Management of risk entails the concept of acceptance of some

risk and does not require the elimination of all risk, an impossible task.  Mr. Tipton’s deposition

testimony does not support the Plaintiffs’ assertions that Interior’s IT systems are insecure; it in fact

accurately tracks the NIST guidance on the management of risk in federal information systems.

	Moreover, in apparently rejecting the process prescribed by FISMA and OMB Circular A-

130 – governmental assessment of risks and terminations to accept certain risks – Plaintiffs substitute no

standard for this Court to apply.  Rather than recognizing that it is the responsibility of informed officials

who are responsible for the operation of IT systems, Plaintiffs seek to substitute their own judgment that

any perceived risk to IITD – even risks not shown to have resulted in any loss of data – is sufficient to

order the severe impact of disconnection of IT systems from the Internet and even the shutting down of

such systems completely.

	Not only have Plaintiffs failed to show a substantial likelihood of success on their allegation that

Interior IT systems housing or accessing IITD are not adequately secure from Internet access by

unauthorized users, but also the facts discussed in their motion actually support the conclusion that

Interior’s IT security program is making great progress toward full compliance with the federal

standards contained OMB Cir. A-130, Appendix III.  Plaintiffs have not met their burden of showing

a substantial likelihood of success on the issue of whether IITD on the BLM systems is at risk from

Internet access by authorized access, much less on the other IT systems within Interior which contain

IITD.

     		B. Plaintiffs Have Not Established the Potential for

     “Irreparable Harm.”

			

	Plaintiffs’ Motion provides no specific support for a finding of irreparable harm if a temporary

restraining order is not granted.  Plaintiffs simply assert that “degradation of the integrity of Trust Data is

per se a breach of trust and constitutes irreparable harm on its face.”  Pl. Mot. at 32.  No evidence,

however, supports their assertion that any IITD on any IT system is being degraded, destroyed,

corrupted or lost.  Indeed, much of the IITD housed or accessed on Interior IT systems is not

accessible from the Internet and has not been since December 5, 2001.  Moreover, the April Notice

refers only to the BLM IT systems, and as noted, even that bureau has taken prompt actions to address

potential vulnerabilities identified by the Inspector General and to protect IITD.  Levine Decl. at 2, 4-6,

8.

	Further, Plaintiffs establish no irreparable harm as a result of the operation of Interior IT

systems that house or access IITD and have Internet connections.  Plaintiffs have not even attempted

to provide evidence to suggest that the IITD housed or accessed on Interior IT systems without

Internet connectivity is being degraded, lost, destroyed or corrupted.  Without such a showing, no basis

exists for directing that these systems terminate their operation.  Simply stated, Plaintiffs have failed to

present any evidence that any IITD on Interior IT systems is currently being lost, damaged, degraded

or corrupted so as to constitute “irreparable harm.”

     	C.  The Granting of Plaintiffs’ Motion Would Substantially Harm Interior

     and Is Not in the Public Interest.



	Plaintiffs’ Motion completely disregards the harm to Interior and the public that would result

from the granting of a motion to disconnect from the Internet and shut down all IT systems “within the

custody and control of the Department of the Interior, its employees, agents, and contractors that house

or provide access to [IITD].”  It is beyond comprehension that Plaintiffs could seek such

unprecedented and patently destructive relief and, at the same time, deny that such an order would

harm Interior or the public.  Pl. Mot. at 32-33.

	Contrary to Plaintiffs’ unsupported assertions, the experience since the initial disconnection

order in early December 2001 confirms that the disconnection of Interior’s IT systems has been costly

and disruptive.  See, e.g., Notice of Filing Interior's Twentieth Status Report at 9 (Dkt. No. 2827)

(filed Feb. 1, 2005);  Notice of Filing Interior's Nineteenth Status Report at 9 (Dkt. No. 2748) (filed

Nov. 1, 2004);  Notice of Filing Interior's Eighteenth Status Report at 8 (Dkt. No. 2622) (filed Aug. 2,

2004).  As the Court is aware, where systems have remained disconnected from the Internet, Interior

has been forced to rely upon costly and, at times, inefficient “workarounds” to continue to seek to

perform its many diverse and critical duties.  See, e.g.,  Notice of Filing Interior's Sixteenth Status

Report at 43 (Dkt. No. 2455) (filed Feb. 2, 2004).  Now, Plaintiffs seek to go even further and deny

Interior the use of its own computers, and in seeking such relief, Plaintiffs baldly assert, in this electronic

information age, that “The Secretary cannot argue in good faith that the injunctive relief plaintiffs’ [sic]

request would harm Interior.”  Pl. Mot. at 32.

	Plaintiffs’ argument on this point essentially is based upon a flawed premise:  that their version

of the so-called “maintenance of the status quo” is the sole interest of Interior and that issuance of the

Temporary Restraining Order will further that goal.  Pl. Mot. at 32.  As previously explained, in making

this assertion, Plaintiffs ignore the fact that they have not and cannot point to a single example in which

IITD has, in fact, been degraded.  Indeed, the OIG’s April Report – the only new factual basis relied

upon for Plaintiffs’ latest motion – confirmed that “No information was collected, no data was

manipulated, and no system was actually compromised.”  April Notice (Dkt. No. 2994) (filed Apr. 8,

2005).

	While Interior recognizes its duties to preserve IITD and has devoted substantial financial and

human resources to that end, Interior has a vast array of critical duties, mandated by statute, including

but not limited to matters affecting Native American health, education, and housing; the maintenance

and protection of natural resources, including fire-fighting systems; and matters affecting national

security and the nation's critical infrastructure.  See, e.g., National Park Service Organic Act, 16

U.S.C. § 1 et seq.; Indian Law Enforcement Reform Act, 25 U.S.C. 2801 et seq.; Surface Mining

Control and Reclamation Act of 1977, 30 U.S.C. § 1201 et seq.; Federal Oil and Gas Royalty

Management Act, 30 U.S.C. § 1732; Reclamation Act, 43 U.S.C. § 411; Outer Continental Shelf

Lands Act, 43 U.S.C. §§ 1331 et seq.; Federal Land Policy and Management Act, 43 U.S.C. § 1701

et seq.  Even assuming for the sake of argument that Interior could continue to perform these varied and

important functions without the benefit of IT systems, it is beyond dispute that it could only do so at an

extraordinary cost and with substantial disruption to its operations. 

	In the same fashion as their argument regarding the harm to Interior’s operations, Plaintiffs’

Motion asserts that the granting of the injunctive relief sought in their motion “cannot harm the public

interest.”  Pl. Mot. at 33.  In making this argument, Plaintiffs focus solely on the preservation of IITD –

again without any showing of destruction or alteration of IITD – and make no attempt to justify the

impact upon the public from the disconnection and shut down which they seek.

	Plaintiffs’ focus upon an undefined and theoretical risk to IITD – again, with no showing of

actual harm to any IITD housed or accessed by Interior’s systems – completely ignores the real harm

which would flow from the relief they request.  Because many of Interior’s trust systems have been

disconnected from the Internet for over three years, Interior’s ability to communicate with beneficiaries

and process transactions for beneficiaries has been hampered and made more costly.  Now, Plaintiffs

seek both an order of disconnection and an unprecedented “shut down” for systems that house or

access IITD.  In seeking such relief, Plaintiffs even seek to terminate the operation of systems that are

currently disconnected from the Internet.  

	If the Court were to grant Plaintiffs’ request for an order disconnecting systems housing or

accessing IITD from the Internet, the impacts upon Interior and the public would be substantial.  As the

Court is aware from prior disconnection orders, the Internet connection is critical for MMS’s

processing of royalties and related payments.  See Tipton Decl. at 17(c).  The processing of royalties in

excess of $500 million per month would be severely hampered by another order to disconnect systems

housing or accessing IITD from the Internet.  Id.

	In addition, the public impacts would include areas as diverse as procurement, access to broad

and diverse forms of data, and FOIA requests.  Tipton Decl. at 17(a), 17(b) and 17(e).  Moreover, the

issuance of a disconnection order would prevent any affected bureau or office from electronically

obtaining security software updates and patches, including anti-virus definition files and intrusion

detection system signature files.  Id. at 17(d).  While such harms to Interior and the public have been

documented in connection with prior disconnection orders, e.g., Defendants’ Emergency Motion to

Stay Preliminary Injunction Pending Appeal and for Expedited Consideration at 12-15 (Dkt. No.

2549) (filed Mar. 22, 2004), Plaintiffs wholly ignore them in their latest request for a Temporary

Restraining Order.

	Now, Plaintiffs seek even more than disconnection from the Internet; they seek to shut down

computer systems entirely.  In spite of this, Plaintiffs’ justification for their request devotes slightly less

than one page to their discussion of the public harm and wholly ignores previously documented public

harm resulting from disconnection orders.  Plaintiffs instead rely upon another attack upon the Secretary

of the Interior, rather than a serious discussion of the public harm that would result from their request. 

Pl. Mot. at 33-34.

	It should be beyond any serious dispute that an order to shut down computer systems –

whether currently connected to the Internet or disconnected – would have severely disruptive impacts

upon Interior and would harm the public.  While it is impossible to list every adverse impact from such

an order, a few examples illustrate the imprudence of such an order.  An order to shut down IITD

systems would impede or prevent the Interior’s (including the Bureau of Indian Affairs, the Office of the

Special Trustee and the Minerals Management Service among others) processing activities in a variety

of areas affecting beneficiaries, including the electronic processing of payments or the providing of

statements to beneficiaries, and would stop the majority of trust reform initiatives among all of the trust

bureaus.  Tipton Decl. at 18(a), 18(b) and 18(c).  Further, such an order would effectively halt Office

of Historical Trust Accounting activities, including ongoing accounting activities.  Id. at 18(d).  A

shutdown order would stop MMS’s operations with respect to collecting, accounting for, verifying and

distributing revenues derived from Indian, federal and state oil, gas, and mineral leases totaling in the

billions of dollars each year.  Id. at 18(e).  BLM would also be severely impacted by a shutdown order

in that oil, gas, and minerals permitting actions, which are necessary for leasing and production, would

cease on all on-shore public lands.  Id. at 18(f).

	In summary, Plaintiffs’ Motion wholly ignores the impacts upon the operations of Interior and

the public, including members of the Plaintiff class.  Plaintiffs elevate the protection of IITD against

theoretical harms to a level that supercedes all real impacts upon governmental operations and the

general public.  No circumstances justify the relief requested by Plaintiffs in the face of its impacts upon

both Interior and the public. 

                           Conclusion

	Plaintiffs' Motion fails to establish any of the four elements necessary for the granting of a

temporary restraining order or a preliminary injunction.  It should be denied.

					Respectfully submitted,



               	              	ROBERT McCALLUM, JR.

					Associate Attorney General



					PETER D. KEISLER

					Assistant Attorney General



					STUART E. SCHIFFER

					Deputy Assistant Attorney General 



					/s/  John Warshawsky

					_________________________________________

					J. CHRISTOPHER KOHN

					Director (D.C. Bar No. 261495)

					JOHN T. STEMPLEWICZ

					Senior Trial Attorney

					JOHN WARSHAWSKY (D.C. Bar No. 417170)

					Trial Attorney

					GLENN D. GILLETT

					Trial Attorney

					Commercial Litigation Branch

					Civil Division

					P.O. Box 875

					Ben Franklin Station

					Washington, D.C. 20044-0875	

					Telephone:  (202) 307-0010

					Facsimile:  (202) 514-9163



April 18, 2005