District leaders have released a 2018 cybersecurity report they previously had been withholding from the public.
The News4 I-Team spent months trying to get a copy of the report, which was at one point deemed a security risk, even though it was produced for the public per D.C. law.
The report assesses how the District is doing in preventing and preparing for a cyber attack and makes recommendations on how to improve the District's readiness and response if something does happen.
The principal finding is that the District "continues to lack well-established coordination and collaboration processes within the government and across the National Capital Region to safeguard the District's cyberspace." It says the District has yet to define clear roles and responsibilities for its constituent agencies and positions responsible for cybersecurity.
The report was created by the District's Homeland Security Commission, which by law is tasked with creating an annual report for the mayor and council members. The D.C. Code also specifies the commission "shall make the report available to the public." The last report was released in 2015.
The report also criticizes District leaders for failing to implement some of the recommendations made in a 2013 report from the same commission. Those include the formation of a task force to perform cybersecurity risk assessment and development of a contingency response plan for catastrophic cyber attack on the District's electrical power grid.
In January, Mayor Muriel Bowser and Homeland Security and Emergency Management Agency Director Chris Rodriguez announced they were withholding the report for security reasons, citing heightened concern regarding tensions with Iran.
Two members of the Homeland Security Commission who helped draft the report told the News4 I-Team that they saw no reason for it to be kept secret and that some members, who are experts in varying security-related fields, including cybersecurity, had been advocating for the report's release for more than a year. It was completed in December 2018.
D.C. government ultimately released the report late Tuesday, in its entirety, with no explanation for the change of heart. The I-Team emailed HSEMA and a spokesperson for the mayor to inquire further but did not receive a response.
The I-Team finally obtained the report late Tuesday evening in response to a Freedom of Information Act request filed in December after months of delay. HSEMA requested an extension on the FOIA, which expired Tuesday. On Wednesday, District leaders posted the report on the Homeland Security Commission website for the public to see.
The recommendations contained in the report focus on high-level policy, including the importance of adequate funding for cybersecurity, keeping the District's top cybersecurity positions filled with talented leaders and improving intelligence and information sharing about threats facing the region.
The report also recommends exploring ways to expand the authority of the chief technology officer and chief information security officer to be able to compel or require government entities outside the mayor's direct authority to adhere to and implement the District's information security programs and practices. Those offices, including the Board of Elections, DC Water and the D.C. Council, are currently encouraged to voluntarily comply.
"A lot of the recommendations in the report have already been implemented by the mayor and so we feel confident that we have a strong cyber posture," Rodriguez said during a news conference in January. He did not specify which changes were made.
As director of the Homeland Security and Emergency Management Agency, Rodriguez will face questions during an oversight hearing before D.C. Council Wednesday. A spokesperson for Councilman Charles Allen said the decision to withhold the report and status of the Homeland Security Commission likely would be a topic during the hearing.