Two members of the D.C. Homeland Security Commission are questioning the District’s decision to not release a cybersecurity report the members say they prepared for the public.
On Friday, a second member told the News4 I-Team the report was completed in 2018, but the commission was immediately met with delays and resistance from District leaders over its release.
The news comes a day after District leaders cited security concerns stemming from the recent conflict with Iran as a reason to withhold the report, despite a city law that specifies annual reports prepared by the Homeland Security Commission be made “available to the public.”
"The events of the last week, particularly with the heightened cyberthreat from overseas, only reinforces the fact that that report right now will not be made public," Chris Rodriguez, the director of D.C.’s Homeland Security and Emergency Management Agency, said during a Thursday press conference with Mayor Muriel Bowser.
But two commission members interviewed by the I-Team said the report did not contain sensitive information that would make the District vulnerable to cyberattacks and instead focused on policy and strategy recommendations.
In a statement Friday, Rodriguez doubled down on his decision to withhold the report, saying, “It discusses the District’s cybersecurity posture and other details that we do not want to disclose to our adversaries, especially Iran, which has a history of conducting cyberattacks against U.S. interests.”
Just last week, the News4 I-Team reported the delay in the report's release after spending several months trying to get answers from District officials. The District has not yet responded to an open records request for the report.
The commission, composed of seven members nominated by the mayor and confirmed by the Council, is tasked with making annual security and preparedness recommendations to District leaders. Its last report was released in 2015.
Two commission members, who are experts in varying security-related fields including cybersecurity, told the I-Team they have been advocating for the latest report's release for about a year.
They aren’t alone. The I-Team obtained emails showing the D.C. auditor inquired about the report in November 2018 and February 2019 and was told "it was in final review stages" and should be "finalized within the next month or so." Council member Charles Allen, who oversees the District's Homeland Security and Emergency Management Agency, also inquired about the status of the report last year.
The minutes from a Homeland Security Commission meeting in April 2019 show a commissioner asked publicly about the report's release but the discussion was held in closed session. The minutes stated only that the report was "awaiting final approval."
In a statement to the I-Team, city leaders said, "D.C. government remains laser-focused on detecting and defending against cybersecurity threats" and that District leaders had received "confidential briefings" on the report.
"A lot of the recommendations in the report have already been implemented by the mayor and so we feel confident that we have a strong cyber posture," Rodriguez said.
The District has not said what changes were made or what any of the prior vulnerabilities included.
During Thursday’s press conference, Rodriguez stated council members had also been briefed on the report and were aware of the findings.
On Friday, a District spokesperson told the I-Team Council members Allen and Brandon Todd were briefed earlier this week.
Allen has previously expressed concern over the functioning of the Homeland Security Commission.
The commission is supposed to meet quarterly but has not convened since May.
On Thursday, Rodriguez publicly blamed that on the former Homeland Security Commission chairman, David Heyman.
"The reason why they have not met was because for one reason or another we were not able to contact the chair of the commission to set up a report; I'm sorry to set up a meeting," Rodriguez said.
A District spokesperson told the I-Team Heyman’s term expired in August 2019, but Heyman said — and documents show — his term expired in February 2019.
Because of a provision that allows commissioners to continue serving up to 180 days beyond the lapse of their term, Heyman said he continued holding meetings through May. He said he was not reappointed to the commission.
Records show the mayor reappointed other commission members during that same time frame.
In 2018, Heyman told the I-Team he welcomed the opportunity to revive the Homeland Security Commission, which had been nearly defunct. It had only produced two reports in 12 years since its inception. Records show Heyman regularly held meetings during his tenure, exceeding the number required.
Heyman, a cybersecurity expert and former assistant secretary of policy for the U.S. Department of Homeland Security, told the I-Team his commission members worked hard on the report for roughly a year and are extremely proud of its contents. He’s among the two commissioners who told the I-Team the report should be made public.
Councilman Allen said he plans to address this situation at the agency's upcoming oversight hearing next month. That's also when the homeland security commission plans to hold its next meeting and select a new chairperson.
Complete statement from D.C. Homeland Security and Emergency Management Ageny Director Chris Rodriguez:
We thank the Homeland Security Commission for all its hard work on its 2018 annual report, which focused on the District’s cybersecurity posture. Each year, the Commission produces a report on a topic of import for the District. Commission members, who serve in an advisory capacity and are unpaid volunteers, do not have an operational role in managing security incidents or emergencies here in the District.
Cybersecurity is a top priority for the District. Over the past few years, the DC Government has taken a number of steps to improve how it manages and mitigates the cyber threat to the DC network. Many of those changes were implemented prior the completion of the Commission’s report. Others, based on the Commission’s recommendations, are being implemented now.
The Commission’s report has been briefed and delivered to city leadership and the DC Council. We have made the decision, however, not to release the report publicly because it discusses the District’s cybersecurity posture and other details that we do not want to disclose to our adversaries, especially Iran, which has a history of conducting cyber attacks against US interests.