Former HHS CyberSec Chief Faces Prison
Convicted on Child Pornography Charges
A former acting director of cybersecurity at the Department of Health and Human Services has been sentenced to 25 years in federal prison after being convicted on several child pornography charges.
The Jan. 5 sentencing of Timothy DeFoggi follows his conviction on Aug. 26, 2014, after a four-day jury trial in the U.S. District Court of Nebraska, according to the U.S. Department of Justice.
DeFoggi, who prosecutors say was a member of a Tor-network-based child pornography website, was convicted of engaging in a child exploitation enterprise, conspiracy to advertise and distribute child pornography and accessing a computer with intent to view child pornography.
Indictment papers in the case were filed against DeFoggi and several others on March 20, 2013. DeFoggi had been employed at HHS during the time of the alleged crimes in 2012, and was apparently still employed at HHS even after he was indicted in 2013.
However, court papers indicate that DeFoggi on May 13, 2013, was "detained" without bail at a correctional facility, citing "the nature and seriousness of the danger posed by the defendant's release." The detention papers cite DeFoggi's "on-line communications with others regarding sadistic and bizarre actions to be taken with children."
An HHS spokesman tells Information Security Media Group that "DeFoggi was employed at HHS, first at the Indian Health Service as a supervisory IT specialist from September 2008 until March 2012, and then at the HHS Office of the Assistant Secretary for Administration as a lead IT specialist from March 2012 until January 2014." When asked about DeFoggi's HHS employment tenure overlapping the crimes and extending beyond his indictment, the spokesman told ISMG, "we're not at liberty to provide any further details since that relates to a personnel matter, which we do not discuss publicly."
Before working for HHS, DeFoggi was a counterintelligence official at the Department of Energy, according to a copy of his résumé supplied to ISMG by the Justice Department, which presented the document as evidence at DeFoggi's trial.
A DOJ statement about DeFoggi's conviction in August said evidence presented at his trial showed that DeFoggi was registered as a member of the Tor-network-based child pornography website on March 2, 2012, and maintained his membership and activity until Dec. 8, 2012, when the website was taken down by the FBI.
"The website's users utilized advanced technological means in order to undermine law enforcement's attempts to identify them," the DOJ statement said. "The website was accessible only through Tor, an Internet application specifically designed to facilitate anonymous communication. Acting under the cloak of anonymity, users advised others on best practices to prevent detection by law enforcement, including advice about the proper use of encryption software, techniques to hide or password-protect child pornography collections, and programs to remove data from a user's computer."
Role at HHS
An organizational chart contained in an HHS fiscal 2014 document, "Public Health and Social Services Emergency Fund - Justification of Estimates for Appropriations Committees," lists DeFoggi as reporting to HHS CISO Kevin Charest. The document lists DeFoggi as heading "OS IT security operations," with several other unnamed managers reporting to him in areas including operations and program management; security monitoring and incident response; risk management and audit remediation; vulnerability/patch management; asset management; and configuration management.
DeFoggi's résumé indicates that he became acting director of HHS cybersecurity operations in September 2008. In that role, according to the document, he was paid an annual salary of $144,385 and was "responsible for agency-wide IT security policy, incident response, evaluation and implementation of security tools, oversight and compliance, and system accreditation for all IT systems." His résumé says he was also "accountable for the protection of all personally identifiable and personal health information through implementation and enforcement of FISMA, HITECH and HIPAA regulations."
Prior to joining HHS, DeFoggi from May 2006 to September 2008 worked for the Department of Energy office of counterintelligence as director of emerging programs and as a counterintelligence officer, the résumé shows.
A DOJ spokesman tells ISMG that there was no evidence presented at DeFoggi's trial that indicated he used or accessed government computers or other federal IT to commit his crimes. Prosecutors, however, did argue that DeFoggi tapped his federal technology know-how for the criminal activity.
"Using the same technological expertise he employed as acting director of cybersecurity at HHS, DeFoggi attempted to sexually exploit children and traffic in child pornography through an anonymous computer network of child predators," Assistant Attorney General Leslie Caldwell said in a Jan. 5 statement. "But dangerous criminals cannot be allowed to operate on-line with impunity."
DeFoggi was the sixth individual to be convicted as part of an ongoing investigation targeting three Tor-network-based child pornography websites, according to the Justice Department.
The websites were run by a single administrator, Aaron McGrath, who was previously convicted of engaging in a child exploitation enterprise in connection with his administration of the websites, prosecutors say. On Jan. 31, 2014, McGrath was sentenced to 20 years in prison by a U.S. District judge. In addition, four other members of the same website as DeFoggi were convicted and sentenced in connection with their illegal activity on the site. Those sentences ranged from 12 to 20 years in prison.
DOJ says the cases were brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 to combat child sexual exploitation and abuse.