Subscribe to the Free Print Edition!
Celebrating 25 Years

GCN Home > August 7, 2000 issue

After site shutdown, EPA seeps back onto the Net

With a new firewall, stronger management and restoration criteria, 80 percent of site is back online

By Christopher J. Dorobek
GCN Staff

Nearly five months after the Environmental Protection Agency had to sever its connection with the Internet due to security concerns, the agency is taking information assurance more seriously, the EPA’s information technology security chief says.

But EPA must institutionalize security practices to avoid a serious breach, said George A. Bonina, director of EPA’s Information Security Staff, who joined the agency in January.

EPA shut down its Internet connection in February after an audit by the General Accounting Office found serious security problems [GCN, March 6, Page 1].

Only 80 percent of EPA’s systems are again providing Internet links, Bonina said. Systems that are still offline are more complex to effectively secure. They include those that support dial-up connections and passive outbound File Transfer Protocol services, he said.


IT surpassed EPA’s ability to secure its data, George A. Bonina says.


Since the shutdown, EPA has worked to change its attitude toward security, he said. The agency used to consider all information available unless there was a specific reason it should not be public, he said. Now, information must be considered secure unless officials determine it should be made public, he said recently during a presentation to the Federal Webmasters Forum in Washington.

“We were not asleep at the switch,” Bonina said. The agency had conducted risk assessments and implemented advisories from the CERT Coordination Center at Carnegie Mellon University, he said. EPA had also installed strong security for its mainframe environment and had created private networks for confidential business information. The agency had a firewall between its public access servers and the rest of the EPA network, and it had planned to install a more robust firewall and an intrusion detection system, he said.

In fact, after GAO conducted the in-depth audit of the agency’s security practices, it told the EPA that the agency had an effective security plan on paper, Bonina said. It wasn’t until GAO conducted penetration tests that the holes became apparent.



GCN Popup