DHS BioWatch: A Failure of Oversight and Accountability
1:55PM Jul 27, 2020
And we're back. You're here with HOPE 2020, having a spectacular week; what an event it's been so far. Thank you for signing in and joining, and thanks for all the comments that we've received in the live chat. I'm really excited about this next talk. Dr. Harry Jackson is with us. He has over 15 years of federal government experience in IT security. He's currently an IT consultant specializing in supporting the intelligence community as well as the Department of Defense; he's going to tell you more about that. What we're going to hear about is something called DHS BioWatch, and its subtitle is "A Failure of Oversight and Accountability." This is a story of how in excess of $1 billion was essentially mismanaged by the government. Let's watch this movie and we'll come back for some live question and answer when the movie's done.
Hello, hello, HOPE 2020.
I'm Dr. Harry Jackson. My presentation is going to be on DHS BioWatch, a failure of oversight and accountability. Now, what is DHS BioWatch? BioWatch is the only program, the only system, that was to provide early warning and detection of both a pandemic, which unfortunately most of us are not familiar with, as well as an incident indicative of an act of bioterrorism. It was run by the Department of Homeland Security Office of Health Affairs, later taken over by their DHS weapons of mass destruction
So before we go into this any further: this system was actually slated for termination. It was replaced by BioDetection 21, and the reason they're citing is that they said this technology just isn't quite that mature. What we'll be revealing to you during this presentation is that that may not be the case. And the issues were in this, in this case where I am a whistleblower, particularly regarding this program. We'll find out some of the other reasons.
Alright, a little bit of administration here. I'm just going to leave this up here; this was the correspondence I've had with the DHS Office of Public Affairs, which actually is now responsible for pre-publication review. A little bit about my background: I used to be at DHS, for those who read my bio, as an information system security manager. In addition to being an information professional, where I teach a number of IT security certifications, that's CISSP, CEH, for a number of institutions, I also teach at the college level. But also, in my background, for the last 15 years I've been working in the intelligence community as well as supporting the Department of Defense. When you're handling classified information, you have to do perfectly programs to handle classified information. You have to submit works that are for publication, as well as for speaking at conferences such as this one; they have to go to pre-publication review. I've already been retaliated against once for a work that I published that did go through pre-publication review, and now I'm actually presenting, again, the evidence that I did go through pre-publication review again. None of this material that I'm going to be talking about is classified; all of it is unclassified, though it may be embarrassing to the agency. However, in this case, it's not the agency's fault. We're actually going to identify about half a dozen individuals that were specifically responsible for the actions that
Also, since I gave you some of my bona fides, I'll talk about some of my other credentials. I am a retired naval officer of 20 years, where I've been supporting the Defense Intelligence Agency. I've also been a professor at National Intelligence University in the cyber intel course, so when I start speaking about classified information and the handling of classified information, I believe I'm a credible authority. And when I talk about acquisition and program management, my background is that I've been a PM for over 10 years at DHS. I'm a level three program manager and a level three contracting officer's representative. I've been through the Homeland Security Acquisition Institute level three course as well as the Defense Acquisition University's third-level program management, so I am familiar with the PM level, and I do teach PM courses as well. So I think I know what I'm talking about when I get to those topics. Okay, so we've talked about that I've gone through pre-publication review.
Alright, the story's been a little bit in the media for some time now. What you're going to see over here to the right, this was the one that kind of started it off. This was when I started seeing issues within the DHS Program Office, when I started trying to inform the CIO, Mr. Michael Williams, and when I started noticing that my presentations that were to go before him were getting pulled. When I did inform my immediate supervisors, which we'll talk about a little bit later, they tried to deny it. I went to DHS, not once but twice. And then I also brought this matter to the Office of Security within DHS, which did nothing about it. But then I went into that pre-publication review, which to my surprise they approved, and I was able to publish this work in the Journal of Bioterrorism Defense. And then the following year, well, a few months later, I was retaliated against. But then later on, about seven months later, the OIG, the Inspector General's office, the Privacy Office, actually did their own audit on the system and confirmed all of my findings on the issues with the system. And then there have been other issues, where we talked about the system particularly leaking sensitive data, that were picked up by Defense One, then by the LA Times, later in 2019. And then with a whistleblower case, which Homeland Security eventually did not want to investigate, then decided to open when it hit the LA Times again. And then we can also talk about, unfortunately, ignoring the heavy costs of biosurveillance, in national events magazine.
All right, so that's a little bit about me.
Let's go and delve right into BioWatch. I'll talk to you about the purpose of BioWatch, how this system evolved, the technology of the system, the funding issues and anomalies that occurred within the system, and the assessment of the fielded system, some of the issues we saw with the system's security plan and contingency plan, as well as steps that could be taken later on to remediate or mitigate most of this.
All right, let's talk about what is BioWatch, and not
In October 2001, after 9/11, the nation experienced anthrax attacks; there was an individual sending packets of anthrax throughout the Postal Service, and DHS was actually the response to this. This actually received presidential attention: under the second Bush administration, they issued Homeland Security Presidential Directive 10, Biodefense for the 21st Century, and HSPD-21, Public Health and Medical Preparedness. This program serves both a national security and public sector, I mean, a national security and public health interest. It is the nation's nationwide early detection system to detect pandemics as well as acts of bioterrorism.
The technology at the time: I talk about this because some of the criticism this program has had is that they said the technology wasn't mature. Biodetection-capable technologies have been around since the Cold War era, the 1980s, and on upward. Within the government we typically buy things at milestone B; we've done so since the 1990s. What I mean by milestone B is that we have things called Technology Readiness Levels, and there have been technologies that have demonstrated promise within a laboratory environment, as well as prototypes within a simulated operational environment, that say that yes, this is possible, that you can create a nationwide early detection capability.
If it was managed, if it was managed appropriately. In this case, BioWatch, it was not.
At the time when I was there at DHS, BioWatch is managed by the Office of Health Affairs, Health Threats Resilience Division. The mission of it was to provide a nationwide aerosol detection system for early warning cans, across all levels of government, to support the public health and emergency management community to prepare for and respond to biological events. This would have been helpful back in December of last year.
This is right from the OHA website. They're no longer managing the program; it's moved over to another office. But this is an operational view diagram just showing how there was the early recognition, even back then, from 2016, of how early detection of a pandemic or an act of terrorism can lead to saving lives. And for this one, early detection, in this case, could reduce the loss of life by up to 30%.
When I talk about the issues within this program: when I first took over in August of 2016, I looked at the system, and there wasn't a lot of information about it. What stuck out to me about it was that it was hosted on a .org website, which is very unusual. We have to adhere to Office of Management and Budget mandates, and this one in particular, A-130, says thou shalt have sites hosted on .gov. And if you do host it on .org, it has to be approved by the agency head; in this case it would have been approved by the Secretary of Homeland Security, in this case Jeh Johnson. But what I noticed is that Mr. Johnson did not approve the site's operation on that site. I noticed that it lacked a trusted internet connection, and it didn't require multi-factor authentication. But it was also categorized as a low, low, low, and I'll go into that a little bit more, about why it doesn't really have a priority. When I looked at the system security plan I didn't see much regarding it, and I saw its continuous monitoring scans, and it seemed like it was okay. But this is kind of why the statement that they misled the DHS CIO as to this system is a correct statement, and I'll go into it and share my experience as to how I came about finding out this information, and it really came about as a fluke.
When I was going through the programs, doing my baseline, I got to the BioWatch program last because it was one of the lower-priority systems, and I saw that it lacked both a trusted internet connection as well as two-factor authentication, yet I saw it identified as a privacy information system.
Now, I'll talk about system categorizations a little bit later. I noticed that, because it handled privacy, I knew that it had to have greater confidentiality controls deployed, and I knew it had to have a trusted internet connection and two-factor. So when I talked to my information system security officer for the program, I said you have to get these things, or the system could get shut down. I immediately got a call from the DHS CIO, Deputy Wendell bumbling, telling me that there's a big major issue, that I can't threaten to take a system offline. I mentioned what the issues were. Mr. Obama was also the previous ISSM of the system, back when it was first deployed, so I was kind of curious, and I scheduled a meeting with his office to meet with him about the system. Not only was it on a .org website, it was hosted in an unmanned data center, an area that we couldn't control and had no visibility into. When I talked to them, they said, oh, we have plans to actually migrate the system to another data center, and I said, oh great, is it going to move to one of the government ones, DC1 or DC2? Those are the two data centers DHS manages. Or a FedRAMP-approved center, which has a certain middle of Ohio standards and security? And the answer was no.
But then, going on in this discussion, they said that they had a bunch of subsystems deployed on the system. I was curious, like, how are there subsystems? None of these are mentioned in your security plan. I asked for information regarding which ones they were, and I found out information about one that was called Program Management Office.
I said, oh, so what is this? They said, well, this is what tracks the cloud if there's an actual event of bioterrorism. I said, oh really, so what could happen if this information is disclosed to a person not authorized to receive it? And they said, well, then you would have somebody that would know the capabilities of the BioWatch system and know how to evade detection if they wanted to deploy a biological agent.
I said, oh boy, that sounds like your baseline's not low; it could be high, this could be a national security system, and I need to see this information immediately. And sure enough, and we'll go into this later, I said this has classified information on it, and I declared a classified spill. The other things I investigated with this issue deal not only with mishandling classified information; they also deal with mishandling and abuse of government funding as well, and gross mismanagement.
But what I noticed, in the issues we'll continue to talk about, is that when I had the system scanned externally, I found several critical and high vulnerabilities that were never reported. This program reported its own scans and sent them in, but when I scanned it I found that there were several criticals and highs that were never reported. So I knew that their continuous monitoring scans were falsified. The system had never undergone a pen test, and normally wouldn't have because its baseline was considered the bare minimal security. And since its portal was launched in 2007, it underwent unrestrained and undocumented growth, as I shared with you earlier about the system security plan. I talked about the numerous subsystems, and one actually processed and stored information at the secret level. Another subsystem that was deployed within this was actually handling programmatic information, which itself is a huge issue because it presents a fraud, waste and abuse issue. It was a privacy system as well and did not have adequate privacy controls; that was later found in an audit as well. And leadership made inaccurate decisions on how to handle classified information.
Now the issue that we have with .orgs is that one.
In this case, most large enterprises, and a system that's a nationwide system like this, are typically subject to a change control board, which is important because you want to know that changes are reviewed and approved to go onto this particular system; you want to make sure things work and things don't break.
Well, in this case, there was no change control board for the BioWatch program, so they had no record of all the changes that were made, they just knew what the current configuration was, or record of who approved it.
Now, the other issue, we talked about third parties. What's required for a .org is an RMF, meaning that you're going to get to avoid oversight: nobody's going to be monitoring the site or web application for security, you're not being subject to a big audit, or being subject to congressional scrutiny. And because of that, the color of money requirements. What I mean by color of money is that within the government you can only spend certain funds on certain things. For example, if you have funds for research and development, you can only use those funds for research and development. If you use money that is given to you for operations and maintenance, you can only use it for operations and maintenance of the system; you can't use that to go purchase something else or to use it for travel.
Now, we talked about the level of funds within this. I will show you what the system was funded, what funds were actually spent, where the delta was, and where did that money go. But yet you have these individuals, I'll bring to your attention, you have these individuals that run this program going to major events such as the Super Bowl, the NBA playoffs, and the Rio Olympics.
This goes into another one, the response time, and this is a little bit more relevant considering the current environment we're in: the response time if you have an aerosolized release of a pathogen, and how early detection and early treatment lead to recovery and lives saved.
And another one from the BioWatch website, on what would happen without BioWatch, and this is again from 2016, showing the ongoing response and, on the left, the percent casualties. And if you look at day 10 here, it's a hundred percent, depending on what was released into the air and the area.
I think we can look at this in hindsight, even when you look at COVID, where we notice it takes two weeks for detection. We're seeing symptoms occur from initial exposure, but they can see that with detection they can hopefully respond within four days.
And another one from the OHA website regarding time to release and triggering into anti
Well, what BioWatch's purpose is for is to activate national resources in response to a pandemic or act of bioterrorism.
As I said before, the technology at the time when this was called for was at Technology Readiness Level seven or eight; it did require some program management to make the system work. When you hear reports of false alarms and false alerts, well, the false alerts could have easily been caused by a false flag, because we did see indications, when I had it scanned externally, that there had been a pen test attempt. I did discover that not only did it lack a trusted internet connection and two-factor authentication, and was connected to the internet, but it also lacked an intrusion detection system. And during the initial scan we did externally, we scanned for 30 days from a single IP address and didn't raise a single alert, so they had no way of telling what was happening to the system. So it's quite easy to see that most of the indications could have been due to a false flag.
Okay, we talked about the funding estimates. With generation two, this is the one we're currently in right now, the time to detect is at best 10 to 20 to 36 hours. We have about 30 done, a few hundred units, about 30. And it's projected and funded at about $800 million a year. What they wanted to propose in generation three, which was denied because they didn't have adequate requirements developed back in 2015, which are now present again, and BioDetection 21, should be costing anywhere, by estimates, about $200 billion a year to operate.
That's if things are done right.
Now, things were not done right.
As we saw, this is from 2012, from a little conservative group, Judicial Watch, where they discovered that DHS hit records about $1 billion in this from the system from Congress, BioWatch being that system.
And what they didn't realize is that, yeah, DHS couldn't find it, because the program manager, Michael Walzer, who got approval from Michael Brown and Paul Beckman, was able to get the system deployed on a .org and manage it from a .org. Of course, the records on the .org are not within the .gov. They're not subject to FOIA; there's no accountability, no transparency, and it's blatant, ongoing. And not only that, the system was never even registered with OMB as a major OMB IT, major investment.
So this is the funding that BioWatch received during this time when I was there, from two, I was there from 2010 to 2017, but this is the funding from 2007 to 2017, so it was funded about a billion dollars.
When I was free I was able to obtain.
Now, I mentioned I'm a COR, so I actually got a hand when I started seeing a lot of these problems with the system, particularly when I bring to your attention, when I go into more depth about the categorization baseline. I found discrepancies there, and thought, if this system is funded this much, why is the security so inadequate? So I actually looked up the contract for the vendor that's actually provisioning and deploying the system. So, the base funding for this one was your funded 10 $80 million a year, but the base period funding for one year is just a little bit, 10 and a half million, with a total funding of 64 million. So I think, hmm, there's a huge area in this area with this, and that's what I'm going to share with you on this next slide.
The funding anomalies, showing the projected cost of 80 million, and the actual funded amount in millions from 2013 to 2017 that was actually in the remedies system.
And I see how much funds they actually committed annually, contractually; I mentioned that a little bit earlier. Over here, this is the unaccounted-for funds: where did this money go to? Now, as I showed you before, the individuals that ran the program, not the technical people but the ones that were managing it, did use BioWatch funds to go to special events. They went to the Super Bowl, the NBA playoffs, the Rose Bowl and the Rio Olympics; I think they even went to some NASCAR events too.
the lives of people he's a division one on some vacations.
And then we can talk about how this is followed up later. Judicial Watch, another watchdog group, came in there. This was published in 2020; they found at least $1 billion wasted. They didn't know where it was, but they haven't seen this presentation, and I'll point to exactly who actually did this.
Alright, now let's talk about security.
I'm going to talk about seeds, a little bit boring for those of you that work within the federal government. I'll talk about Federal Information Processing Standards; for those of you familiar with it, I'm going to talk about FIPS 199 and NIST 800-60. So when you have a system, we follow the risk management framework, RMF, and you might have seen that in the slides. The first thing you do is you have to categorize your system: is it going to be low impact, moderate impact, or high impact? If it's a low impact system, it means it's going to cause just minimal loss of confidentiality, integrity, and availability. But you're still going to be able to provide your primary functions, and there's no loss of life. If it's a moderate impact, it can cause significant or serious damage, but it doesn't involve the loss of life or life-threatening injuries.
If it's a high impact system, now remember, this system provides early detection and warning of a pandemic and of an act of bioterrorism. It's a high impact system if it has an adverse effect on the organization's operations, assets, or individuals and can result in the loss of life, should the loss of confidentiality, integrity, or availability ever occur. So this is from our in my in
When we categorize these systems, you have to do it across the three pillars of confidentiality, integrity, and availability. We don't address authentication and non-repudiation, but there are three areas in which you have to address it.
You can assess low, moderate, or high across each of confidentiality, integrity, or availability. Now, for a system like that, you could have a system that, say, is low confidentiality, moderate integrity, moderate availability: low, mod, mod. Or, if you think it's high all across the board, no, I need to have high, it is a severe or catastrophic impact if individuals get access to the information that they're not authorized to receive. It could be severe or catastrophic if the information is modified by someone not authorized to modify it, or severe or catastrophic if it is not available. Now, for this system, and I'll talk a little bit later about the secret information, it didn't have a security classification guide, which is your standing guidance on how to secure information, and at the best they said that this system has information classified secret. Secret being defined as anything that, if it's disclosed to individuals that aren't authorized to receive it, could cause serious damage to national security. So likely, in all cases, one would expect the system to have perhaps a moderate, high, high baseline categorization. You would think. No, that's not actually what occurred for this system.
This system's baseline was low, low, low.
So, didn't even obviously this. I'm sure that those of you that are following along might find that to be somewhat shocking, and I certainly did, especially when I found out that they had CES these The, the operational system actually deployed onto this website.
Worse, I mentioned a few of the other controls that were lacking: two-factor authentication, a trusted internet connection, and it didn't have an intrusion detection system. And it was an unmanned, uncontrolled space, the main data center. To make matters worse, I looked at what controls they had implemented, and even for this baseline of low, low, low, they had only implemented 42% of those controls.
I mentioned before OMB A-130. It was in violation of OMB Circular A-130, which dictates that you have to store information on a .gov domain; that's for purposes of transparency and accountability. And I mentioned before the other issues, two-factor, intrusion detection, and that it is a privacy information system not handling privacy information; in this case it wasn't protecting the privacy information of first responders that would be called or deployed in response to a pandemic or an act of bioterrorism. And the system was in operation for some time. I went even when I had Italian brought this issue so he didn't spoken to members of Congress about this before. I noticed that even in March of 2018, when the Defense One article broke, it was still operational, and it wasn't taken down until just before 25 August 2018, when the LA Times published an article on the front page of the Sunday paper regarding this portal.
This is basically the architectural diagram of the BioWatch data center architecture. Highlighted on the next slide is where you can see the lack of a trusted internet connection. It's just basically wide open to the web, to anyone.
Also, just to make matters worse, just to be quite thorough, I said, okay, how resilient is the system? I looked at their COOP, the continuity of operations plan. It didn't comply with any standard regulation. It didn't comply with Federal Continuity Directives 1 or 2. I'm sure these are not the most ghastly of everything I brought before, since I've already showed just finding about four and a million unaccounted for, lack of security, and mishandling classified, which I'll go into a little bit more. But in this case it wasn't even designed for resiliency should a disaster ever occur at this site. In fact, they actually were dependent on the plan of the cloud provider that they were using, which had no idea what was being hosted on the site. Where it was hosted was an unmanned data center in McLean, Virginia. This vendor actually had alternate sites in Dallas, Texas, but they no longer existed at the time, so this kind of shows complete neglect, complete neglect on the part of the BioWatch program management team. And the COOP plan actually was inconsistent for providing continuity should a pandemic or epidemic or an act of bioterrorism occur. They had no resiliency if they had another natural disaster occur at the same time, when they had to move to another location.
provider current vendor lrmi. I talked about the portal system owner; that was Dr. Michael Walters, who was actually in charge of this program since 2007 and one of the individuals that helped coordinate getting the system deployed on a .org by purposeful design.
And to actually go back to that, when I say by purposeful design, it was actually in their contingency plan when I did look at it. They said that they were going to host it on a .org, and this was the reason: that state and local governments that they worked with did not want the government accessing information without their knowledge or consent. That was a justification that they ran with to get it approved. Now, did it get approved by the DHS CIO? No, it did not get approved by one of his immediate subordinates. It was also responsible for preventing me from informing the CIO of this activity.
It didn't have any reconstitution procedures for even returning to the primary site, but I believe that's probably one of the least of the problems with this program. It didn't even have training requirements. These are things of administration that you're supposed to do when you do have plans: train personnel on how to recover, and identify your mission essential functions, which weren't done in this case.
So I talked about some of the funding anomalies. I talked about the lack of transparency and oversight, and I talked about some of the IT security deficiencies. Now let's talk a little bit about how they mishandled classified information. As I said before, whenever you work with a program that handles classified information, you have to adhere to the security classification guide. This tells you exactly which data elements, either by themselves or in aggregation or compilation, put together, rise to the level of secret. For this case I want to point your attention to these, which are directly from the BioWatch security classification guide as it existed in 2016: technology advances that build or change the ability to detect a specific threat were classified secret; the assay limit of detection for a bio agent is also defined as secret; operational equipment operational status is defined as secret; revealing that equipment cannot detect a biological agent is secret as well; and information regarding the specific base sequence of primers used to detect a DNA sequence is also designated as secret.
Also, test results that provide the specific assay performance against inclusivity panels, exclusivity panels, and environmental panels are also classified as secret, and information on a deficiency, including information identified during testing, is classified as secret.
All right. I've just said a lot of terms in there. What do all those mean? Well, I'll get to that in just one second. But when I got that information from the information security officer as to what is being collected by this Program Management Office database element, you can see here it's got the status of it, the sample capacity, the start date, as well as total personnel. Then as we move in here, here are some other issues, with the associated agents that it's collecting; as I'm pulling forward, those are classified secret. When I look at the BioWatch actual result data form elements, this talks about the quality, QA, quality assurance performed, its notes, what the timestamp was, was a BAR declared, was it conducted, what are the result attributes. All of this is talking about the assay limits and the limits of what the sampler can collect and cannot collect. We also talked about this: this was the PII that it collected on the first responders that wasn't appropriately protected. And this also goes into the collector status, where we talked about what it can and cannot collect, what its operational status is, also designated secret per the security classification guide. And we talked about BAR data. What does BAR data collect? It talks about the sensitivity, which is the probability that the laboratory will correctly identify the presence of a targeted pathogen, and the specificity that I talked about a little bit earlier from the classification guide, which is the probability that the test will correctly identify the absence of a targeted pathogen. So the sensitivity says what it can detect as well as what it cannot detect, and the false positive and false negative rates. You can see that, okay, you're collecting BAR data.
COMM that we collect up here: was it performed, was a BAR declared, timestamp conducted.
It clearly shows that this is actually collecting classified information that we considered classified. And when I brought this to the attention of oj senior officials, and this is a recording, we actually have that conversation and I can have it on the other posting and actually have the transcripts available if I can arrange that through 2600 for everyone to take a look, if you want to take a look at it, but this is what they said this meeting on the first, and this is important, they basically said that as a. This is from the proceed double set Deputy Secretary Larry Flutie; he is just new on board so he didn't know all the history back then, to be fair, that Michael Walter did and was able to get under his nose. But he decided to go to bat for him and he said, and this is what they told him, they said from a policy standpoint, we're not going to treat this information as classified, which, for those of you that were classified information, that's not the case, that's not how it works. You have to go through a process for that, it has to get approved, you have to update your security classification guide. You just can't say it's too inconvenient, I'm not going to handle the security information appropriately, and realizing that you know that this is a big deal at the point just on the secure handling securing information, because people can go to jail for this if you're mishandling to such a gross extent in that case, but as I said missing and classified was just one aspect of this program. We talked about the lack of oversight, the lack of program management, we talked about those security issues and then handling it this is Privacy Information as well as security information like this being inappropriate.
The timeline of events, I told you is 2016. This is why I started looking into some of the things with the system, I found the system is categorized because of privacy system. If it's a privacy system confidentiality has to be a minimum of moderate, and then I start seeing the other issues when 17th I had a PM disclose additional subsystems, and then I reviewed it to correct the clarity spill, met with several individuals that we'll talk about a little bit later. And in this 16th meeting where we basically said you'll hear the recording that they'll look into it, which they never did, all they didn't said is issue a member they got a Mr. Steve Lynch and OCSO to write a memorandum for record and close the case to no other action on it and kept the system operational, all the way through 2019. Alright, so, a guy put fake names and faces because there's about half a dozen people that are responsible for this catastrophe, for the wasting of a billion dollars for a system that's designed to have an early detection of a pandemic to save lives, those bioterrorism, that failed, that was mismanaged, and yes there are six specific individuals that responsible for it. This is the one gentleman that helped with a cover up, Mr. Steve Lynch; he was the special Security Program Director division director at the time. At the time when I was retaliated shortly later he was quickly promoted to the chief security officer within DHS; he's now the chief security officer at DHS handling clearance issues for personnel.
This is the memorandum for record that he wrote, stating that oh they met on the first and they said that they keep everything operational which certainly wasn't
other individuals out the laws that they violated by doing this, obviously Title 18 gathering losing Defense Information. They're in violation of Intelligence Community Directive 703 protection of classified material, as well as other instructions, executive orders and Public Law 107.
DHS's response, you'll, if we do get a chance to play that at some point in time maybe during a breakout session, you will actually hear them overruling me as the ISM and allowing the system to operate without any further action, closing the case, and they said, we'll try to move it up, then we're going to upgrade the, they said that they'll make try to host a site on one of the centers in a mod mod mod baseline.
We talked about who's specifically responsible for this. The person who helps coordinate getting the system on an org, he did have help, was Dr Michael Walters who's a program manager, and if you recognize this back in 2017, when he's often one of his vacations. He left a sense of document on Super unclaimed behind the Super Bowl. As I was before, CNN personnel they thought it was super insensitive. They thought it were they believed to be classified, they didn't have a copy of security classification guide. I believe if they did, it would probably agree they will probably realize that it was classified information. But, yeah, that's what he left so this person really didn't have had a very lax approach to security and handling things but he was able to get away with getting this hosting on a .org, handling funds in any way he saw fit. An individual that helped to do that without the Secretary's knowledge or without the CIO's knowledge within DHS, are these two individuals here, Mr. Mike Brown, and Mr. Paul Backman, both of which have moved on to private industry. Mike Brown was the director of the information technology security. Security security that information technology and services organization within DHS, back when he worked for him as the, as one of his, his Risk Management Division. And he actually probably was the information system security manager for by Washington was first deployed and Mike Brown has actually served as an authorizing official, authorized a system to operate in this capacity on .org, and never came to any other further a further scrutiny until I came along. These are two. Now, Mike Brown he moved on to before he left for working in Gartner now also became the CIO over at ICE, which I believe is a popular organization with this graph. Paul Beckman he actually got promoted to be the deputy CIO as what then became the chief information security officer for DHS before departing. In February of this year,
and two other individuals, both of whom and also have benefited from this program on the IT side, both of whom has also served as the information system security manager this program and did nothing about it, and then served as my supervisors and were also involved with retaliation include winbond Belinda Lamont Yarborough. Both of them were still at DHS, to my knowledge, they're both there and that to this date. My whistleblower case has not been resolved and those that are responsible for one retaliation, and wells for the responsibility, responsible for the deployment mismanagement system, these specific individuals suffered no real repercussions for their actions. So I got a few minutes here. What I would recommend that they do for this next system is that they move it to what we call HSDN, Homeland Security network, is actually designed to secure information up to the upper level secret, get individuals have appropriate security clearances that have access to it. Take a proper personal history of action, make sure that you're having to plan, make sure it's resilient
and those kind of summing up but as they move forward I talked about my experiences as a whistleblower. Something that I currently still experience that the time of the pandemic while still working the IC community I've had all my without notice. I did have all my clearances suspended which is very odd because typically in a statement of reasons. The government still has not responded to exactly why that is the case. And so yeah there is, there is a definite repercussion, it's difficult to operate as a whistleblower anonymously because everyone knows who actually got who had access to the information. And in this case, we're talking about, you know, a handful of individuals that were able to, to take an action to mismanage the program and that were able that were responsible for it. And we're able to actually hold accountability for this program, but it's important to actually go ahead and you still need a detection capability because it's not a question of, when's the next pandemic is going to happen it's going to be, when the next pandemic is going to happen, particularly with the earth population doubling every, every couple generations or so it's only going to be a matter of time, and that there's needs to be accountability, transparency and accountability. When they register the system. And so, to that end, when I said measuring like an obesity major investment, have they ever registered the system that actually would have went under congressional additional congressional scrutiny, they probably would have replaced the program manager at some point in time to actually get this on track and who knows where we'd be today, but certainly not the predicament that we currently have. And that's all the time I have and thank you.
And we're back.
That was fascinating. Thank you so much.
So, we have some good questions in the chat. The first one I think would be worthwhile is in the chat you saw that some people might have been a little confused about your disclosure, maybe you could just restate about that you didn't include secret data, but that the data fields of collected would be set point, I think,
Yes, I'll be very clear about that: everything in this presentation was unclassified. The data fields I was talking about were the fields of a subsystem that was deployed. That was, it was, this fields was the data that's actually being collected by that system, and per the security classification guide, it would be classified as secret.
I think that's that's clear. Thank you for restating it. One of the questions that came up is we wonder how pervasive you think this type of essentially fraud and abuses, especially in DHS but maybe you're aware of elsewhere in the government. I mean, it's a billion dollar case right it's $1 case, really.
This was the worst of the worst right so yeah I've seen others where like the sunflower sunflower asset management system. That one was about 3 million. When I was CIO, is it pervasive within the within the federal space. Unfortunately, the answer is yes, it's been noted before that, when DHS was created that one of the concerns was that individuals could conduct behavior and hot conducts inappropriate behavior and practices and hide behind layers of bureaucracy, which is a challenge. When you're navigating a DHS, trying to resolve these issues.
Do you have a feel so so you definitely have a feel of there's a lot more of a going on. Do you have a feel whether government employees versus individual contractors or small company versus some of the big companies I mean you know are any worse or better than the others or is it really across the board or is it more where you have to have those levels cooperating which is I think a part of your, your story
Right, part of my story. In this case, these are all federal employees, and from my experience at DHS it was mostly federal employees that were conducting this type of activity, for if a contractor were to ever do that and it were to be known, they could be blackballed, which is known as like a CPARS bad evaluation where they would no longer be able to do business with the federal government,
even the biggest contractors because he mentioned at least one of the, one of the very biggest contractors in your presentation.
Well, yes you're talking about one that was certainly complicit, you're talking about lmia, but they were dealing as they were directed to you. It was, I mean they were running, I mean, yes they were by falsifying, you know, continuous monitoring scans but they handed it to the government oversight in this case, you know Mike Walter who knew that they were falsified forwarded on to headquarters, and we're thinking that this is the health and the security of the system is adequate when it actually wasn't.
Yeah, yeah, this guy saying and yeah I think you're telling us that really it does happen all the time but the government employees have to be happy to be part of it the actual Feds Yeah. We had a question to you as you can imagine people are very interested in your experiences of whistleblower and you've shared that to a great extent and. And could you maybe summarize what you learned about the whistleblowing process and also maybe you have advice for other security professionals that might you know come across information as you did
Well, we talked about the whistleblowing process. I knew about the whistleblowing process, followed the whistleblowing process and it did not protect me at all, bringing it up to senior leadership that I had within DHS. Is just for those of you who are thinking about ever whistleblowing. This was documented. I did bring it up to the supervisor at the time when I mentioned my presentation that took no action. I then tried to escalate to the CIO and breeze in presentations; again, those were being pulled by my immediate supervisor so I could not present that material. I then went to the Office of Inspector, I did the big office report this as well for the process, and was the end, and was told that they should refer me back to my supervisors, at which point in time I then reached out to a colleague who was also IT with the DoD. We rephrase, we rephrase my complaint, my concerns, brought it to their attention again, at which point they again at this point, at this point in time. Again sent denied is it just go back to the referring agency. At that point, as a whistleblower I then went to, for you to talk to the media, I decided to go to Congress and I spent before the House Intelligence senate oversight committee as well as governor of Homeland Security and government affairs, I briefed them. And actually I was in the meeting with this with it with congressional investigators and as I was going through like third or fourth round of interviews going over information. That was when I was actually retaliated, that's when I received the notice of retaliation via email that I was to come in and to have my security clearance suspended for at this point time, the justification that they use is that I published an article which at that time had already went through pre publication review. So if you're a whistleblower, just be aware that the process may not protect you, that there's some reform that's needed in this area for protecting whistleblowers as well as holding, and I mentioned before, accountability for those that are going to retaliate against whistleblowers.
Yeah, thanks for that. It's such a familiar story from the Hackers on Planet Earth conference and I want to ask you about that. As you might know we've had really a series of whistleblowers on the stage for the last set of conferences. These include people like Thomas Drake and William Binney, who I think a pretty similar experience to you of trying to work within the system, trying really hard and you know retaliation and so forth. We also have people that took a different approach including Chelsea Manning and Edward Snowden on the stage, but I guess I'm wondering, really two things, you know one is, where do you see yourself in that if you do, you know, and that sort of mixture and maybe there's more. More people that we haven't heard of as much then these really big names. And I'm also curious about your, if you would characterize a little more your motivation, even to go public because that's something we've heard a lot about from some of these other folks, you know Ed Snowden wrote a whole, whole book about it
Well, within the spectrum, I'm definitely not Snowden or Manning, I went by, I went by, work within the institutional framework. What forced me to talk about this publicly is what's known as a forcing function. For example, this site was not taken down, was not even, they made no attempt for me to make it more secure, more resilient, until it was publicly released by talking about that front page that newspaper article within the LA Times. My case within DHS as a whistleblower was not going to be investigated; initially I had received a notice from Brian Boesky over at DHS Whistleblower Protection Unit that they do not investigate matters in which clearances are suspended for less than a year. Only then when my story came to light did they decide to reopen investigation. From my understanding right now that there's a big turnover of personnel and they still have yet to look into this matter. So yes, at some point in time, as a very last resort, that yes, you do have to sometimes go to the media to have openness and transparency and to bring to light what is actually going on, what has been done, what are the continuing ongoing violations. In this case, this is a national safety issue; the system had to benefit two functions, it was a national security mission and it also had a public safety benefit and early detection of pandemics.
Yeah, thank you for that. We had a great question in the chat because you know I think we were all technical people and we tend to compartmentalize and, you know, treat things sort of factually, but this this as must have had a tremendous emotional toll on you and we, we had a question that that basically says, were you getting Did you get emotional support outside of the agency especially to help you to cope with this, you know this whole situation.
Uh, well, friends and family that are aware of it, and that's about it. I mean there are other whistleblower resources that are out there but this case is a lot of different moving parts and just getting somebody to wrap their heads around like what all the different aspects of it's kind of hard to explain takes a lot of different sessions, but I've had I've had, you know, personal friends and family help support me through this.
Yeah, yeah. What a story, I think we're getting towards the end of our time here and I think you did say this already but I'd like to give the opportunity to say it again is what advice or lessons learned. Would you share with other contractors or other government employees that are in situations similar to you
With the current framework of whistleblower protection or lack thereof, have an exit plan, plan a different career. I mean, obviously know when you actually have to make that decision that you have to blow the whistle. In this case, I thought it was just so pervasive. It was one of those things like, alright, maybe I do fall on my sword on this one because I mean they are this handling over almost a billion dollars, they are putting life in jeopardy. I mean, and they're, and they're actively fighting me when I'm trying to bring up the issue and get it resolved and, and yeah, I was just say having an exit plan, plan a second career at that point.
Yeah, that's pretty stark advice actually. So well, we're at the end of our time and fantastic presentation, great discussion. Thank you so much. This has been Dr. Harry Jackson, and this talk has been DHS BioWatch: A Failure of Oversight and Accountability. Thank you again and we'll be back shortly with our next talk.