18F data breach puts spotlight on commercial apps
Fairly or not, the data security incident at 18F is likely to increase scrutiny of commercial apps across at the government.
There might be something more to watch with the dinging of General Services Administration’s 18F by the GSA inspector general for creating a potential security breach.
18F was the subject of a management alert because of its use of the collaboration tool Slack opened over 100 Google Drives to potentially anyone. The drives contained a variety of data including personally identifiable information and proprietary information from contractors.
The group was criticized for poorly configuring Slack and how it handled the discovery of the breach as well as its slowness in reporting the problem. But there is no evidence that anyone accessed the information improperly.
For a cybersecurity incident, this is a small one, but it is adding fuel to the debate over whether commercial applications such as Slack are secure enough for the government market, as opposed to apps built just for the government.
The Washington Post reported that Rep. Jason Chaffetz (R-Utah) plans to launch an investigation. He is the chairman of the House Committee on Oversight and Government Reform.
“It is alarming that the very IT geeks charged with helping to modernize federal IT are so casual about safeguarding important data. … It appears these ‘experts’ need to learn a thing or two about protecting sensitive information,” he said.
While it sounds like the hearing will target 18F, there is potential fallout that would impact the use of Slack and other commercial apps like it.
Slack has made inroads in the government market with users at the Jet Propulsion Lab, State Department and, of course, GSA.
In a statement to our sister publication FCW.com, a Slack spokesperson said that the issue reported by the IG was not a breach of Slack. Slack integrates with Google Drive but does not override permissions that users set within Drive.
“Customers should continue to feel confident about the privacy and security of the data they entrust to Slack,” the spokesperson said.
18F described the steps it took once it discovered the issue. They acknowledge in a blog posting that mistakes were made.
It’s not clear if they have stopped using Slack as the IG recommended.
The bigger issue the 18F incident illuminates is a common one among security breaches – the role of culture and human error.
It’s not a problem with the product. And there are plenty in the government market. DigitalGov.gov has a long list of commercial apps – mostly free – that have received terms of service agreements from different agencies. There is Blip.tv for video sharing, Asana for collaboration, several Google products, Screendoor for online forms, Snapchat for messaging, and TubeMogul for video analytics and distribution.
The genie is too far out of the bottle – and it should be. There is no way to try reining in the variety of products and apps in use by the government.
Whether you are 18F or any other government office, the focus has to be on security.