Homeland Security watchdog investigates whistleblower complaint over lapses in bioterrorism program

Capitol Hill
Anthrax-laced letters sent to Capitol Hill in October 2001 helped lead to the establishment of BioWatch, a bioterrorism detection system.
(Ron Thomas / Associated Press)

The Department of Homeland Security’s inspector general is investigating whether agency officials retaliated against a whistleblower who criticized cybersecurity lapses in the nation’s bioterrorism defense program.

Harry Jackson, a former information security manager at Homeland Security, complained that data from the BioWatch program had been stored on an insecure dot-org website for over a decade, where it was vulnerable to cyberattacks, according to government documents.

The system contained the locations of BioWatch air samplers, which were designed to detect airborne biological weapons in more than 30 U.S. cities. It also included the system’s test results, a list of biological agents that could be detected, and response plans to be put in place in the case of a terrorist attack.


The Department of Homeland Security stored sensitive data from BioWatch on an insecure website where it was vulnerable to attacks by hackers, records show.

Aug. 25, 2019

Jackson filed a complaint in 2017 alleging that his security clearance was temporarily suspended after he raised concerns about the cybersecurity lapses and demanded that the BioWatch website be taken down.

The inspector general’s whistleblower unit initially notified Jackson’s lawyer this year that it would not investigate his claim. But in a letter to Jackson dated Nov. 19, Brian Volsky, the unit’s director, said an investigator would interview witnesses and review documents to discern whether Jackson was the victim of retaliation.

“If the report of investigation contains recommendations for corrective action,” Volsky wrote, the findings would be given to Congress.

Jackson said he believes the inspector general decided to look into his claims only after The Times published details about his complaint in August.

“It’s unfortunate that it took news coverage bringing this to light before DHS decided to revise their past decisions and open this case,” Jackson told The Times on Monday.

“I wasn’t protected back when I brought this to the attention of senior DHS officials back in 2017. Now it’s just a matter of seeing what DHS will do moving forward to protect people who choose to do the right thing.”


Homeland Security did not respond to requests for comment on Monday.

The agency previously notified Jackson that his security clearance was suspended because he had published his concerns about the BioWatch program’s website in an academic journal and also had been recently convicted of drunk driving.

Jackson first demanded that Homeland Security stop storing sensitive data on the website shortly after he was assigned to the program in 2016. A security audit completed in January 2017 confirmed “critical” and “high risk” vulnerabilities, such as weak encryption that made the website “extremely prone” to online attacks, according to records reviewed by The Times. There “does not seem to be any protective monitoring on the site,” a summary of the audit explained.

A subsequent report by the agency’s inspector general reiterated the system’s loopholes and recommended moving the data behind a secure firewall. It said that agency officials agreed to do so.

But government emails and documents show that a bitter clash ensued within the department, as officials argued over the practical obstacles to moving the database. Several also questioned whether the anti-terrorism information would be valuable to an enemy. (An earlier investigation by The Times revealed the system’s long-outdated technology and unreliable performance.)

Jackson filed a whistleblower reprisal complaint to the agency’s inspector general in June 2017; he left the agency later that year.

James F. McDonnell, who led the agency’s Countering Weapons of Mass Destruction Office, told The Times this year that the database had been fully migrated behind a secure firewall by May. But he acknowledged that officials do not know whether hackers ever gained access to the data. McDonnell has since resigned.