WT Business Beat

By Nick Wakeman


18F gets slapped for security breach

GSA’s 18F is getting slapped for a security breach by the agency’s inspector general.

18F staffers apparently granted access to more than 100 GSA Google Drives to anyone inside or outside the agency because of the way some collaboration tools were configured.

A GSA spokesperson told me that no data was actually exposed.

The IG’s alert, which was released Friday, describes it as “potentially exposing sensitive content such as personally identifiable information and contractor proprietary information.”

To compound the security breach, the 18F supervisor who discovered the problem did not report the vulnerability to the GSA Senior Agency Information Security Office for another five days. GSA policy requires a report within one hour, so the deadline was missed by about 119 hours.

The issue was first discovered on March 4 by the supervisor and reported to the security office on March 9. The vulnerability apparently had existed since October.

The IG’s office became involved when it learned of the problem on May 5 during the course of an ongoing evaluation of 18F, according to the management alert.

The problem stems from 18F's use of Slack, an online collaboration application, to share files, images, PDFs, documents and so on. To enable that sharing, 18F also uses OAuth 2.0, an authorization protocol that lets one application act on a user's behalf in another. OAuth can also be used to authorize access between GSA's IT environment and other applications.
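The failure the IG describes is a Drive grant that reaches "anyone" rather than a named user or group. As an added example (not code from 18F, GSA or the IG report), the following audit walks Drive permission records and flags grants of type `anyone` or `domain`, ranking them by reach, searchability and role. The sample records are constructed to mirror the shape of the Google Drive API v3 `permissions` resource (`type`, `role`, `emailAddress`, `domain`, `allowFileDiscovery`); the trusted domain `gsa.gov` and the severity ladder are assumptions for illustration.

```python
"""Audit Google Drive permission records for over-broad sharing.

This is an added example, not code from 18F, GSA or the IG report. The
records below are constructed to mirror the shape of the Google Drive API v3
`permissions` resource (fields: type, role, emailAddress, domain,
allowFileDiscovery). In a live audit you would fetch them with
files.list(fields="files(id,name,permissions)") and pass the result to
audit_permissions() unchanged.
"""
from dataclasses import dataclass

TRUSTED_DOMAIN = "gsa.gov"  # assumption: the agency's own Workspace domain


@dataclass(frozen=True)
class Finding:
    file_id: str
    name: str
    scope: str          # "anyone" or "domain:<name>"
    role: str           # reader / commenter / writer / owner
    discoverable: bool  # allowFileDiscovery: findable by search, not only by link
    severity: str       # critical / high / medium / low


def _severity(ptype: str, domain: str, role: str, discoverable: bool) -> str:
    """Rank a broad grant: who can reach it, whether it is searchable, what they can do."""
    if ptype == "anyone":
        # "anyone with the link" is already exposure; searchable or writable is worse
        return "critical" if (discoverable or role != "reader") else "high"
    if domain == TRUSTED_DOMAIN:
        return "low" if role == "reader" else "medium"
    return "high"  # shared with an entire outside domain


def audit_permissions(files: list[dict]) -> list[Finding]:
    """Return one Finding per grant that reaches beyond named users and groups."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            ptype = p.get("type")
            if ptype not in ("anyone", "domain"):
                continue  # user/group grants name a principal; out of scope here
            domain = p.get("domain", "")
            role = p.get("role", "reader")
            discoverable = bool(p.get("allowFileDiscovery", False))
            scope = "anyone" if ptype == "anyone" else f"domain:{domain}"
            findings.append(Finding(f["id"], f["name"], scope, role, discoverable,
                                    _severity(ptype, domain, role, discoverable)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, always listing all four levels."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for fd in findings:
        counts[fd.severity] += 1
    return counts


# Constructed sample: what a files.list() response might look like after a
# collaboration tool has been granted sharing rights on behalf of users.
SAMPLE_FILES = [
    {"id": "f1", "name": "team-notes.gdoc", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "a.staffer@gsa.gov"},
        {"type": "user", "role": "writer", "emailAddress": "b.staffer@gsa.gov"},
    ]},
    {"id": "f2", "name": "vendor-pricing.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "a.staffer@gsa.gov"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False},
    ]},
    {"id": "f3", "name": "onboarding-pii.gdoc", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "c.staffer@gsa.gov"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": True},
    ]},
    {"id": "f4", "name": "all-hands-slides.gslides", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "c.staffer@gsa.gov"},
        {"type": "domain", "role": "reader", "domain": "gsa.gov"},
    ]},
    {"id": "f5", "name": "draft-rfp.gdoc", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "a.staffer@gsa.gov"},
        {"type": "domain", "role": "writer", "domain": "example.com"},
    ]},
]

if __name__ == "__main__":
    for fd in audit_permissions(SAMPLE_FILES):
        print(f"{fd.severity:8} {fd.file_id} {fd.name}: {fd.scope} as {fd.role}"
              + (" (searchable)" if fd.discoverable else ""))
    print(summarize(audit_permissions(SAMPLE_FILES)))
```

On the constructed sample, `f1` (named users only) produces nothing, `f2` is flagged high (anyone with the link, read-only), `f3` critical (anyone, writable and searchable), `f4` low (whole agency domain, read-only) and `f5` high (an entire outside domain). The same walk is what a reporting rule like GSA's one-hour deadline should be wired to: the moment a grant of type `anyone` appears on a drive holding PII or contractor data, that is the event to escalate.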

The IG alert says that the use of OAuth and Slack does not comply with GSA's IT Standards Profile, GSA Order CIO P 2160.1E. To comply, products must meet GSA's security, legal and accessibility requirements.

Neither OAuth 2.0 nor Slack is approved, according to the IG.

The IG wants 18F to stop using Slack and OAuth 2.0 until they are approved for use. GSA also should ensure that 18F complies with the GSA IT Standards Profile.

GSA has 10 days to notify the IG of the steps it has taken.

The GSA spokesperson told me that the issue was corrected immediately and that there was no data breach. "Additionally, we made our user community aware of the issue to ensure they operate in a manner consistent with our IT policies," the spokesperson said.

This is an unfortunate incident for 18F, which was created to give agencies a way to field technology solutions more quickly.

The concept behind 18F is a good one, but a complaint has been that the group seems to think many traditional rules don’t apply to them.

As one source told me, “They operate with fairly unfettered processes.”

They also work on relatively small, short-term projects, which has many questioning what kind of lasting impact they will have.

Because of the hype around the group over the last couple of years, this breach might have more of a negative impact on them than it would on another more traditional group.

Time will tell, but this incident should be an important lesson learned if other agencies are to field their own 18F-like organizations.

Posted by Nick Wakeman on May 13, 2016 at 9:27 AM

Reader Comments

Wed, May 18, 2016

They are arrogant in their approach. They love the limelight and the positive press when it comes to projects and programs that have FAR less of a government or societal impact than they seem to perceive, but when it comes to taking the heat / negative press.....all you hear are crickets. As they say on the show Silicon Valley #Posers #KeyboardGangsters

Mon, May 16, 2016

You hit it right on the head. Groups like this (and USDS, and others) tend to be given green-field circumstances (e.g., ignore agency tech standards and practices, ignore legacy constraints, etc) plus very small projects --- and when they get their little win people applaud them like a baby who took his first steps. Well, the rest of us have been forced to walk hot coals carrying generations of agency problems on our shoulders, so congrats on waddling your baby steps, kids.

Mon, May 16, 2016

Unfortunately this means that the fear-based management of many of the government organizations will immediately disavow Slack, thus putting the government farther into the dark ages. How does the federal government expect to attract or retain the best and the brightest (let alone new blood) with all of these knee-jerk reactionary responses?

Fri, May 13, 2016 Mel Ostrow

The probability that any Federal employee will be disciplined for this is: zero. You can count on GSA and OPM to live by "mistakes were made." No one is accountable; they don't even admit that any person did anything wrong.
