September 24, 2023

D.C. Metro email policy under scrutiny after Russia computer probe

The lead investigator into an intrusion of Metro’s network by a former contractor’s Russia-based computer said the computer contained thousands of documents, some marked confidential, that had been automatically syncing from Metro’s system for years while the worker was under contract.

James S. Smith, deputy director for cyber and data analytics at Metro’s Office of the Inspector General (OIG), said he began looking into the computer’s owner, a Russian national and former Metro contractor, while searching the man’s previous logins to the network, as well as his emails. Smith said he couldn’t trace the former contractor’s record trail beyond half a year because of Metro’s policy to delete emails after that time period, even though the contractor worked on Metro’s mobile fare app and other projects for years.

“This has been going on for years, but yet we could only collect email for the past six months,” Smith said.

The long-standing Metro email policy automatically deletes correspondence after six months unless specifically exempted for legal or business purposes. The policy has long frustrated Smith and other OIG investigators, who say years of emails that might shed light on two of Metro’s most important safety investigations in recent years — the strength of the transit agency’s cybersecurity defenses and a wheel defect plaguing Metro’s troubled 7000-series rail cars — are unavailable to them and the public.

The policy is under increased scrutiny amid fresh cybersecurity concerns this past week and an email retention complaint Smith filed earlier this month with congressional offices and committees, as well as the Department of Transportation. Metro said Friday that it is reviewing the policy, which investigators say is years shorter than most government agencies and hinders both external and internal investigators from piecing together critical timelines for criminal, civil, mechanical or administrative cases. Instead, auditors and investigators are forced to rely on interviews and the recollections of those involved.

The OIG was among the agencies, including the National Transportation Safety Board, investigating a wheel defect found in several of Metro’s 7000-series rail cars. The problem was blamed for a derailment and created a year-long train shortage with waits of more than 10 minutes as the region sought to recover from the pandemic. Smith said digital correspondence that may have answered questions about the defect’s origins was no longer available.

“There were contract disputes that happened years ago earlier, and they were trying to iron out how the wheels were going to be designed and pressed,” Smith said. “There were emails going back and forth on trying to work out the issues. And so we could only do interviews, and people talked to us about what they recollect. But if we had emails, that would document and refresh the memories and also solidify what actually happened.”

In a statement, Metro said General Manager Randy Clarke, who is in his first year leading the transit agency, has asked staff to review the email retention policy and recommend updates. The agency declined to address specific questions about its email protocols.

Retaining emails is a complex issue for agencies — a balance between keeping records available to the public, oversight and watchdog agencies, law enforcement, courts and auditors, while watching the expenses of storing and organizing emails that include a trove of inconsequential messages. Most transit agency policies are set by states, according to the American Public Transportation Association, but Metro sets its own rules with governance that consists of a board of representatives from D.C., Maryland and Virginia.

The short retention period for years has rankled Metro’s OIG, a semi-independent watchdog agency that released a report Wednesday indicating that the transit agency had forgone years of security updates, ignored cybersecurity guidance, relied on shoddy background checks and permitted high-level clearance to contractors in foreign countries not allied with the United States. The report highlighted a Jan. 4 incident in which a former I.T. contractor in Washington remotely accessed his computer in Russia and logged into a Metro network that contained sensitive information on its mobile fare payment programs.

Metro said that the intrusion was not malicious and that the former contractor was obtaining work documents.

Smith did not find any sign of malicious intent, he said, but the man’s home computer in Russia and his personal computers in Washington probably had been syncing for years, periodically transferring files from a Microsoft OneDrive licensed to Metro to the computer in Russia over internet networks that could be vulnerable to foreign intelligence gathering. An initial look into the drive showed documents shared between computers that were marked “confidential,” including the details of a Metro “Disaster Recovery Plan” from 2018, Smith said.

Some carried the warning: “CONFIDENTIAL: This document contains [Metro’s] sensitive information and is for official use only.” Some involved rider safety, Smith said.

During interviews, the former contractor, who worked for EastBanc Technologies, a Washington-based firm that has contracted with Metro for more than a decade, told OIG investigators he had remotely logged on to his home computer in Russia from Washington to retrieve documents and correct a syncing problem. Smith said the contractor probably had used the computer in Russia to work on Metro projects in previous years.

Smith said the contractor told investigators that after a prompt to reauthenticate his computer connection, he logged on to his computer in Russia using the Google Chrome Remote Desktop program and used his still-active Metro credentials to reauthenticate with Microsoft, reestablishing a connection with his computers in the United States that probably began years ago when he was working on Metro projects from Russia.

“We could go in and see that his OneDrive was syncing from Russia on a personal computer,” Smith said. “It was more than just a ping.”

Metro notified the federal Cybersecurity and Infrastructure Security Agency (CISA) about a week after the intrusion.

Metro has defended the security of its network while contesting many of the OIG’s claims about the state of its cybersecurity, including whether the unauthorized intrusion in January constituted a “breach” — partly on the basis of CISA opening and closing the case without comment. Metro also said a Microsoft detection and response team (DART) brought in to review the OneDrive and Metro’s cybersecurity preparedness didn’t raise significant concerns.

“DART found no concrete indication that on Jan. 4 content on the individual’s One Drive was synchronized to a device in Russia and no indication of persistent or ongoing malicious activity,” Metro spokeswoman Kristie Swink Benson said in a statement Saturday.

Smith said the discrepancy between the Microsoft investigative team and the OIG could stem from the fact that the OIG saw logins before they disappeared after 30 days — logins Smith said showed syncing. The Microsoft team’s investigation came later, and Smith said they may have viewed logs that covered periods when no such activity took place.

Smith said the OIG is attempting to interview Microsoft to discuss its findings, but “our indications are that it did” sync. Microsoft did not return a message Saturday.

EastBanc has said the company ended any relationship with Russia after sanctions were imposed last year following that country’s invasion of Ukraine, adding that the company complied with Metro’s security requirements. Attempts to contact the former contractor, who isn’t accused of wrongdoing, have not been successful.

During the investigation, Smith said, he began tracing the former contractor’s network logins, but Metro only keeps records for 30 days. He then began tracing the man’s emails and found correspondence between him and a former Metro supervisor. Smith wanted to look into other communications, he said, but he couldn’t go back more than six months because of Metro’s email retention policy.

Federal agencies retain most emails for a minimum of seven years while emails from high-level officials are retained longer, according to the National Archives and Records Administration.

Among transit agencies, the Metropolitan Transportation Authority of New York — the nation’s largest — has a multiyear retention policy “with the exact length of time subject to classification of data,” MTA spokesman Michael Cortez said.

The Massachusetts Bay Transportation Authority does not have a policy. The email system the Boston-area transit authority has used since 2010 has not required the MBTA to delete emails, agency spokeswoman Lisa Battiston said.

The Washington Metrorail Safety Commission, an agency Congress created six years ago to monitor safety within the rail system, keeps its emails for two years, spokesman Max Smith said.

While Metro’s six-month retention period is generally on the shorter end, one similar-sized transit agency deletes emails even more quickly. Bay Area Rapid Transit in the San Francisco area keeps emails for 90 days, agency spokesman James K. Allison said.

Until 2007, Metro had an email retention period of 60 days, according to a ruling that was part of a lawsuit the Disabilities Rights Council of Greater Washington filed against Metro over MetroAccess paratransit service. In June that year, U.S. Magistrate Judge John M. Facciola ruled in favor of a motion to compel documents in the case after he said Metro “did nothing to stop its email system from obliterating all emails,” including those pertinent to the case, after 60 days — an action the judge said was “indefensible.”

Metro changed its policy that year, expanding the period to six months. The policy applies to employees, contractors and vendors who use Metro’s email system.

With a workforce of nearly 11,000 employees, the transit agency’s policy says “excessive retention” of emails would harm its system’s performance and increase costs. Metro said its parameters were designed to “permit reasonable email retention while ensuring a system that performs consistently, reliably, and cost-effectively.”

But the six-month policy has vexed OIG investigators for years. Smith and others who have worked in the OIG say the transit agency’s policy is purposefully short to reduce potential legal liability.

In 2021, he began researching whether Metro could easily switch to a longer retention period, discovering that “the email retention policy can be easily changed to 3 years or 7 years, and there would be no additional cost,” according to an email he sent to a supervisor that year.

At the time, the office was being asked by Rep. Gerald E. Connolly (D-Va.) to investigate why top-level Metro leaders and the safety commission had not been alerted to the wheel defect Metro inspections had uncovered in the 7000-series rail cars over a four-year period. A federal investigation into the October 2021 derailment uncovered inspection records and other evidence.

“In light of the current derailment investigation, OIG feels that this policy (which is hindering our investigation) may come to light and since other investigative agencies outside of [Metro] are also conducting investigations, we feel you should be made aware in advance of any issues,” then-Inspector General Geoffrey A. Cherrington wrote in an email to Metro Board Chairman Paul C. Smedberg in November 2021.

In a letter to the full Metro board, Cherrington wrote that the email policy also inhibited work of the National Transportation Safety Board, Department of Transportation and the safety commission — all of which were looking into the 7000-series cars. He said the OIG had brought up the issue as early as 2019 in a memo to then-General Manager Paul J. Wiedefeld.

“If the investigations uncover emails to or from [Metro] personnel in the files of non-[Metro] entities that are material to the investigations but were not provided by [Metro] to investigators because [Metro] had deleted them, new questions will arise, fairly or unfairly, about [Metro’s] transparency with its oversight bodies,” he said in the letter. “The current email deletion policy needlessly increases [Metro’s] reputational risk.”

Dave Gallagher, who worked as Metro’s deputy inspector general for audits between late 2021 and this month, said the push to change the policy should continue.

“It’s a public agency,” he said. “There’s a responsibility to the taxpayers, to the riders.”

Smith filed a formal whistleblower complaint this month against Inspector General Rene Febles with the Senate Homeland Security and Governmental Affairs Committee, the Department of Transportation, Connolly’s office, the Virginia State Office of the Inspector General, the Washington Metrorail Safety Commission and the Maryland Department of Transportation. The complaint said Febles has done too little to seek changes to the six-month retention policy and is not safeguarding the office’s independence from Metro interference.

Febles said he has not heard Smith bring up email retention problems this year. Febles said he shares Smith’s opinion that the policy needs to be changed, noting that he researched and wrote the memo that Cherrington sent to Metro leaders in 2021 calling for emails to be saved longer than six months. Any change would have to be enacted by Metro’s board.

“Nobody from my staff or anybody else came to me to complain about [Metro’s] email policy,” he said. “I cannot force [Metro] to change its own policy, but I did everything I could to change it.”

Febles, in turn, has filed a complaint against Metro to the Department of Transportation, saying the agency is preventing his office from being fully independent so it can better serve as a watchdog. Federal transportation officials have not spoken to Smith or Febles, but Metro has hired a law firm to investigate the claims.

Razzan Nakhlawi contributed to this report.