A D.C. councilman sternly criticized the District’s homeland security director Thursday over a 2018 cybersecurity report withheld from the public for more than a year.
Councilman Charles Allen called that unacceptable and was particularly concerned that the D.C. Council didn't even get to see it until just a few weeks ago.
“The law clearly states the report is to be sent to the mayor and to the Council, and that didn't happen,” Allen said. “And a closed door briefing almost a full year later does not count as the same thing. So I don't believe we met our requirements in this regard. I think the report should have been sent to the Council at the same time as the mayor.”
Chris Rodriguez, the head of D.C.’s Homeland Security and Emergency Management Agency, was in the hot seat Thursday at his annual oversight hearing just two days after finally releasing a report that’s been subject to some scrutiny.
The News4 I-Team revealed in early January that the report was a year past due. The mayor and Rodriguez said they were withholding it, citing concerns over tensions with Iran.
“We owe it to our residents and certainly to the 35,000 men and women who serve in District government to ensure that that report did not expose any vulnerabilities to the District's networks,” Rodriguez said. “As a result, we underwent a process of robust interagency review and coordination process that took nine months.”
"It has not been edited,” Allen said. “It doesn't make any sense to me as to why it had not been shared with the Council. So that to me is a failure of what was required, and we can't have that again."
Rodriguez said he'd make sure it doesn't and vowed to work closely with the new members of the Homeland Security Commission, which produced the report. They're now working on the 2019 version.
The report assesses how the District is doing in preventing and preparing for a cyberattack and makes recommendations on how to improve the District's readiness and response if something does happen.
The principal finding is that the District "continues to lack well-established coordination and collaboration processes within the government and across the National Capital Region to safeguard the District's cyberspace." It says the District has yet to define clear roles and responsibilities for its constituent agencies and positions responsible for cybersecurity.
The District's Homeland Security Commission by law is tasked with creating an annual report for the mayor and Council members. D.C. Code also specifies the commission "shall make the report available to the public." The previous report was released in 2015.
The report also criticizes District leaders for failing to implement some of the recommendations made in a 2013 report from the same commission. Those include the formation of a task force to perform cybersecurity risk assessment and development of a contingency response plan for a catastrophic cyberattack on the District's electrical power grid.
Two members of the Homeland Security Commission who helped draft the report told the News4 I-Team that they saw no reason for it to be kept secret and that some members, who are experts in varying security-related fields, including cybersecurity, had been advocating for the report's release for more than a year. It was completed in December 2018.
D.C. government ultimately released the report late Tuesday, in its entirety, with no explanation for the change of heart. The I-Team emailed HSEMA and a spokesperson for the mayor to inquire further but did not receive a response.
The I-Team finally obtained the report late Tuesday evening in response to a Freedom of Information Act request filed in December after months of delay. HSEMA requested an extension on the FOIA, which expired Tuesday. On Wednesday, District leaders posted the report on the Homeland Security Commission website for the public to see.
The recommendations contained in the report focus on high-level policy, including the importance of adequate funding for cybersecurity, keeping the District's top cybersecurity positions filled with talented leaders and improving intelligence and information sharing about threats facing the region.
The report also recommends exploring ways to expand the authority of the chief technology officer and chief information security officer to be able to compel or require government entities outside the mayor's direct authority to adhere to and implement the District's information security programs and practices. Those offices, including the Board of Elections, DC Water and the D.C. Council, are currently encouraged to voluntarily comply.
"A lot of the recommendations in the report have already been implemented by the mayor and so we feel confident that we have a strong cyber posture," Rodriguez said during a news conference in January. He did not specify which changes were made.