A few weeks ago Washington Technology reported that 18F, a digital services agency whose mission is to field technology solutions quickly for Federal Government agencies, had been hacked and was being investigated by the agency’s inspector general.
The problem stemmed from 18F staffers who allowed access to over 100 GSA Google Drives to anyone inside or outside the agency because of the way some collaboration tools were configured.
Specifically, it involved 18Fs use of Slack, an online collaboration application used to share files, images, PDFs, documents, etc. To enable that sharing, 18F also used OAuth 2.0, an authentication and authorization process. OAuth also can be used to authorize access between GSA’s IT environment and other applications. As it turned out, the use of OAuth and Slack does not comply with GSA’s IT Standards Profile.
While there was no data breach, and the problem was corrected immediately, it illustrates the need for every organization to manage risk – particularly those that might be involved in “fielding technology solutions quickly” for Government agencies.
The article notes how the concept behind 18F is a good one but also how a complaint about 18F has been that the group seems to think some traditional rules don’t apply to them. And because of the recent hype around 18F, this breach might have a more negative impact on them than a more conventional government organization.
So in their zeal to choose and implement a new technology quickly they did not manage the risk. And by ignoring IT policy and compliance with IT standards, which includes security, they may have missed guidance that would have prevented it.
In fact, Waverley Labs believes 18F is in a great position to begin identifying and collecting risk profiles for the agencies they are serving. This is knowledge that should be fed back into the process to ensure risk is kept to a minimum.
If 18F had followed NIST guidelines for authentication that are currently being revised, they would have determined that Slack was not authorized and did not meet compliance standards.
Managing digital risk must take priority. While it is not easy and requires extreme diligence, we are all learning and 18F is a lesson for us all.
