Auditor Thrashes 18F for IT Security Vulnerabilities, 18F Staffers Shoot Back

An Obama initiative to create a tech startup inside government routinely violated security procedures, skirted requirements, played fast and loose with personal information and communicated using personal emails, according to a savage watchdog report released Tuesday.

Program officials, however, say the inspector general is confusing “box checking” with security.

The General Services Administration’s 18F program did not seek official approval for 100 out of the 116 software tools it was using and lacked proper authorization for at least 18 information technology systems, according to the review by GSA’s inspector general.

The unapproved software included the data sharing tool Hackpad, the website monitoring tool Pingdom and the Twitter dashboard Hootsuite. The startup office also entered into $24.8 million worth of contracts without the go-ahead from GSA’s chief information officer, the IG said.

In each case, 18F had its own authorization procedures in place, which the inspector general says do not pass muster.

The report highlights a conflict throughout the Obama administration between the Silicon Valley startup culture that Obama officials tried to infuse into government technology offices and the often arcane and rule-bound strictures of legacy government technology.

18F staffers are mostly nongovernment technologists recruited into federal service who are accustomed to working in faster-paced environments and with the innovation pressure of the private sector.

An 18F staffer who requested anonymity to discuss the report freely told Nextgov the inspector general had not uncovered any genuine security vulnerabilities in 18F systems or processes, only failures to strictly adhere to government procedures.

“It’s important to make the distinction between compliance and security,” the staffer said. “This report has nothing to do with security and a tremendous amount to do with compliance.”

In particular, the inspector general’s office did not assess the quality of an internal 18F procedure to vet low-risk software and technology tools for security vulnerabilities, the staffer noted. It simply attacked the agency for “circumventing” the standard authorization procedures from GSA’s chief information security officer.

“This is literally 18F’s job,” the staffer said. “To be the first through the door, take all the arrows and move the horizon of risk tolerance out a little bit more in a data-driven and responsible way.”

The staffer criticized government IG offices for having a box-checking mentality and lacking technological or security expertise.

“18F’s actual security has been exemplary, even if its ‘checkbox-ing’ has not,” the organization’s Co-founder and former Executive Director Aaron Snow told Nextgov by email.

“In my opinion, the additional policy steps have slowed 18F down and cost taxpayers more money without significantly improving the actual security of any systems,” said Snow, now a senior adviser at GSA’s Technology Transformation Service, adding that, in government, “checking compliance boxes is often conflated with actual security [and] the more any agency is forced to focus on the former as opposed to the latter, the slower [its] progress will be across the board.”

The IG report quotes GSA’s IT director of security engineering, a position outside of 18F, stating that “18F has highly skilled developers who are confident that they write code and develop products without any security vulnerabilities.” However,” the report notes, “developers can still write bad code and that is why processes like the GSA IT [authority to operate] process are important.”

President Donald Trump’s team appears inclined to continue the 18F program, which Obama launched in the wake of the disastrous HealthCare.gov rollout, but has not formally endorsed it.

Unlike the Presidential Innovation Fellows program, which brings technologists into government for short-term rotations and which was an early forerunner of both 18F and its cousin the U.S. Digital Service, 18F has not been codified by legislation.

The broad inspector general’s review was prompted by an earlier report that 18F staff could have exposed sensitive information using the workplace communication tool Slack.

Leaders at 18F published a blog post in the wake of that report attributing the vulnerability to a configuration error and stating that, to the best of their knowledge, no personally identifiable information was actually shared inappropriately.

A fuller review by GSA’s IT team found that personal information was, in fact, exposed to unauthorized users, but 18F has not updated the blog post, Tuesday’s report notes.

The IG also describes 27 personal email accounts that 18F staff used to send work-related emails without copying government accounts as required by federal records laws.

“The work-related emails sent from these 27 accounts included information such as ongoing project details, a draft letter to congressional legislators, 18F involvement with upcoming speaking events and conferences, account login information, documents related to official travel, issues with payments to an 18F vendor, and employee separations,” the report states.

18F just learned of the email issue last week and is investigating it, the staffer who requested anonymity said.

“We take this finding extremely seriously and we’re investigating it as quickly as possible,” the staffer said.

The report offers six recommendations, all of which GSA management agreed to pursue.

A request for comment sent to 18F’s inquiry email was forwarded to the GSA press office, which did not immediately respond.