Page 36 - FCW, June 15, 2016

WTInsider
18F breach puts spotlight on commercial apps
Recent security lapses have raised questions about the proper use of popular online collaboration tools
BY NICK WAKEMAN
When the General Services Administration’s inspector general dinged 18F for creating a potential security breach via a collaboration app, it raised issues that go beyond this particular situation.
18F was the subject of a management alert in late May because its employees’ use of the collaboration tool Slack opened more than 100 Google Drives to potentially anyone. The drives contained a variety of data, including personally identifiable information and proprietary information from contractors.
The group was criticized for poorly configuring Slack, for how it handled the breach’s discovery and for its slowness in reporting the problem. But there is no evidence that anyone accessed the information improperly.
For a cybersecurity incident, this is a small one, but it is adding fuel to the debate over whether commercial applications are secure enough for the government market, as opposed to apps built specifically for federal agencies.
The Washington Post reported that Rep. Jason Chaffetz (R-Utah) plans to launch an investigation. And as chairman of the House Oversight and Government Reform Committee, Chaffetz and his concerns demand a certain degree of attention.
“It is alarming that the very IT geeks charged with helping to modernize federal IT are so casual about safeguarding important data,” he said. “It appears these ‘experts’ need to learn a thing or two about protecting sensitive information.”
Although it sounds like the committee will target 18F, there is potential fallout that could affect the use of Slack and other commercial apps like it.
Slack has made inroads with government users at NASA’s Jet Propulsion Laboratory, State Department and, of course, GSA.
In a statement to FCW, a Slack spokesperson said the issue reported by the IG was not a breach of Slack, which integrates with Google Drive but does not override permissions that users set within Drive.
“Customers should continue to feel confident about the privacy and security of the data they entrust to Slack,” the spokesperson said.
18F, meanwhile, described the steps it took once it discovered the issue and acknowledged in a blog posting that mistakes were made. It’s not clear if 18F team members have stopped using Slack as the IG recommended.
The bigger issue the incident illuminates, however, is a common one when it comes to security breaches: the role of culture and human error.
In other words, the fault doesn’t lie with the product. And plenty of other commercial products have made their way into the government market. DigitalGov.gov has a long list of commercial apps — mostly free — that have signed terms-of-service agreements with various agencies. The list includes Blip.tv for video sharing, Asana for collaboration, several Google products, Screendoor for online forms, Snapchat for messaging and TubeMogul for video analytics and distribution.
The genie is too far out of the bottle to ban agency use of commercial apps, and that’s as it should be. Yet whether you are at 18F or any other government office, the focus must be on security.
WashingtonTechnology, a sister publication to FCW, covers all the ins and outs of the IT contracting community. Learn more at WashingtonTechnology.com.