In the 31-page affidavit supporting the OCTO arrest warrants, few allegations were more chilling than that employee Yusuf Acar had been monitoring e-mails going into and out of the city inspector general’s office.
In other words, the guy behind a sceme to steal hundreds of thousands from the District government was also abusing his position as chief of computer security to surreptitiously read e-mails of the city’s investigative arm.
The city happens to have another investigative arm, the D.C. Auditor’s office, and its chief, Deborah K. Nichols has a rather bulletproof reputation.
For instance, in the wake of the $50 million Office of Tax and Revenue scam, Nichols won well-deserved plaudits for being one of the only persons in town to raise warning flags. She had noted excessive levels of property-tax refunds—-warnings that would have been key to unraveling the scheme but went essentially ignored by the rest of the government.
Now that the city is embroiled in another embezzlement scandal, one less costly but equally galling, Nichols’ scarily Nostradamian ways are being exposed once again.
On March 6, Nichols appeared before the D.C. Council for her yearly performance oversight hearing. Her discussion with Chairman Vincent C. Gray turned to what’s long been a tricky issue for the auditor’s office—-where exactly it sits on the government org chart. It’s supposed to be an agent of the legislative branch, yet its budget passes through the executive budget process and other executive processes. One such sticky wicket is technology—-while the council maintains a separate tech staff (though OCTO does provide some assistance), the auditor is handled solely by OCTO.
Nichols said at the hearing that she was looking to get OCTO out of the picture, “because there is a clear and present danger that our e-mails are being reviewed by the executive. I don’t think there are enough safeguards in place that ensure that access is only for purposes that are legitimate government operation purposes. So we’re trying to decouple from all that…even down to the phone systems. Because we believe that there are forces that are not conducting government operations in a trustful kind of way.”
That’s a full week before the OCTO scandal came to light!
Now, there is some backstory here. Nichols was fully aware that there was e-mail monitoring in place, because back in December, OCTO flagged a possible security breach. What had happened was that one of Nichols’ employees who was investigating the troubled summer jobs program had sent a file containing some 20,000 names, with accompying addresses and Social Security numbers, to his personal e-mail account so he could do work at home.
The next day, none other than Yusuf Acar, in his role as chief security officer, interviewed the employee about the breach and admonished him never to do it again.
What ensued was a classic jurisdictional squabble run amok. Then-CTO Vivek Kundra alerted City Administrator Dan Tangherlini to the breach; because of the jurisdictional issues, Tangherlini enlisted Attorney General Peter Nickles to “take the appropriate action,” according to a memo obtained by LL. Shortly after the New Year, Nickles personally contacted Gray about the matter and followed up with a letter.
Then things got really tricky: Nichols sent a letter of her own on Jan. 16, clearly miffed that she wasn’t informed of the security breach by OCTO immediately—-in violation, mind you, of OCTO protocols. So Nichols demanded from Kundra a bunch of information—-copies of information security reports going back to 2006, for one—-in order to, as she wrote, “understand why OCTO did not provide the required notification and to prevent other agency directors from being hampered in carrying out their fiduciary duties.”
Nickles wrote back to Nichols, saying he was “quite taken aback” by the letter and the lack of assurances therein that the security problem had been addressed. “Instead,” he wrote, “it appears you have commenced an investigation of OCTO.” At the end of January, he wrote again to explain that the reports she wanted were numerous and were full of sensitive information that would have to be redacted. He also penned a missive to Gray a few days later, in which he said, “Relying on your assurances” that the employee meant no harm, “I am willing to consider the matter closed.”
Nichols wasn’t. Three weeks later, on Feb. 20, she wrote again to Kundra asking for the reports in full, as part of “an examination of the operations of the District’s Data Loss Prevention (DLP) system.”
On Feb. 25, Nickles wrote a final time, telling Nichols that OCTO would not be complying with her request for documents: “Given that your request was triggered not by any OCTO misconduct, but by a serious security violation by your own staff, placing such burdens on OCTO would serve no legitimate public purpose.”
Given the development of the past week, you can bet Nichols will be trying one more time. She declined to comment; Nickles says he’s heard nothing since he sent his last letter. He says Nichols’ requests for documents are an attempt to distract from her office’s shortcomings, calling it “playing defense by going on offense.” And the OCTO scandal has “nothing to do” with the requests, he says. “It was inappropriate then, and it’s inappropriate now.”