One of former President Barack Obama’s pet projects -- to drag federal bureaucracy into the digital age -- morphed into a rogue operation that disregarded information security policies, used unauthorized software and information systems on government networks, and exposed sensitive information to potential hackers, according to a watchdog report.
Many of the most egregious security violations took place long after the Obama administration’s 2014 admission of one of the worst cyber-security losses in history: the theft by China-based intruders of 4.2 million personnel files from its Office of Personnel Management -- a revelation that set off a wide-ranging review of all federal cybersecurity.
The report, issued Feb. 21 by the Inspector General’s office of the General Services Administration (GSA), puts the spotlight on a runaway digital services operation known as 18F.
The unit was established in 2014 as part of Obama’s Digital Government Strategy of 2012 -- and apparently made up its own information security rules as it went along, resulting, according to the report, in “widespread violations of fundamental GSA information technology security requirements.” Officials supervising the unit say those problems are now being fixed.
Subsequently, 18F became part of a broader high-tech initiative established the following year and known as the Technology Transformation Service within GSA, which is the services and facilities management pump at the center of the government’s vast and sprawling bureaucracy.
Both 18F and the Technology Transformation Service were supposed to bring the outside-the-box thinking and whiz-kid talent of Silicon Valley to stodgy Washington; both grew out of yet another Obama initiative, the Presidential Innovation Fellows program established in 2012.
Originally focused on website and software development for government agencies, 18F fast grew into an in-house information services contractor for the federal bureaucracy, using GSA funds which were supposed to be repaid through fees to the new unit.
In April 2016, the Technology Transformation Service, with 18F included, was given a broader mandate to “transform the way government builds, buys and shares technology.”
By July, according to an earlier Inspector General’s report, 18F was doing $31 million worth of business with 31 federal agencies, including the Department of Homeland Security.
However much money it made, though, 18F was losing more -- one of the original reasons the Inspector General’s watchdogs got involved.
In an initial report last October, the IG’s staffers warned that the hot-shot start-up had lost more than $31 million from its launch in 2014 through the third quarter of 2016 -- and had always been operating in the red, with revenue projections for its services running tens of millions of dollars ahead of actual revenues.
One major reason was ballooning staff rolls: 18F had grown from a 33-person start-up in April 2014 to more than 200 people by March 2016 -- a more than 500 percent increase.
That October IG report also quoted one 18F official as saying, “to be frank, there are some of us that don’t give a rip about the losses” involved in its growth spurt. GSA’s then-regional administrator for the West Coast, Andrew McMahon, is quoted in the October report as agreeing, “Sure, in the end, I could care less.” (According to his LinkedIn website, McMahon, who describes himself as a “co-founder of 18F,” left GSA in January 2017.)
How 18F was running its fast-growing, money-losing business is a big part of the problem. According to the most recent IG report, one method was to ignore virtually all GSA information security safeguards for the wares it was encouraging agencies to buy. Those safeguards involve planning and testing unauthorized systems, then submitting a system security plan for review, and getting a signed authorization to operate that must be periodically reviewed.
According to the Inspector General’s office, 18F just ignored all that, and “disregarded GSA IT [information technology] security policies for operating and obtaining information technology, and for using non-official email.”
The unit “also created and used its own set of guidelines for assessing and authorizing information systems that circumvented GSA IT” -- and short-circuited the information security of the GSA network.
In all, the watchdogs found, 100 of 116 software items on 18F’s inventory of software were unauthorized, ranging from collaborative note-taking and data-sharing tools, to website monitoring tools and social media marketing dashboards. All were banned from GSA use by June 2016.
By that time, the watchdogs had already found out from 18F itself that unauthorized use of, among other things, another online messaging and collaboration app, Slack, had “potentially exposed sensitive information” over a five-month period ending in May. The breach involved “over 100 GSA Google Drives…reportedly accessible by users both inside and outside of GSA,” the watchdogs noted in an alert to GSA management.
The breach potentially exposed such things as “personally identifiable information and contractor proprietary information,” the inspectors said. They issued a May 12 brief -- 2016 Management Alert Report -- as a warning flare about the data breach, with “recommendations” that GSA stop that practice.
Even so, the alert noted, the 18F users waited five days to report the situation, which itself was another breach of info-security policy -- which says that one hour is the top limit for delay.
Compounding the issue, the report says that 18F’s executive director and its director of infrastructure co-authored a blog post saying that they had done a “full investigation” of the breach issue, and declared that “to the best of our knowledge no sensitive information was shared inappropriately.”
By August, the Inspector General’s investigators had found otherwise.
But, as the inspectors noted, “as of February 2, 2017, [presumably, the date when their report was finalized internally], the 18F blog post had not been updated” to reflect any of that.
A GSA spokesperson did not answer an email question from Fox News about whether the blog post had been removed or recanted. Instead, the spokesman declared that “GSA considers IT security a top priority and takes the GSA Inspector General’s report seriously.”
The spokesman added that the agency “notes that there were gaps in compliance with our CIO [Chief Information Officer] security requirements” but wanted to emphasize “that the issues raised” in the most recent report “were promptly addressed.”
It appears 18F was long used to working without much reference to GSA’s Chief Information Security Officer (CISO), who was, among other things, supposed to sign off on all information systems’ adherence to federal security policies.
According to the most recent report, no fewer than 18 information systems operated by 18F for more than a year ending in July 2016 lacked proper CISO authorizations for their use, and eleven of them had never been authorized. One system 18F was operating without required sign-off was “a recruitment and applicant tracking information system containing applicants’ resumes and contact information.”
Rather than get security clearances from the CISO, 18F apparently had a better idea: make up its own information security assessment and authorization system.
In February 2015, the latest report says, 18F’s then-Deputy Executive Director Aaron Snow -- who became executive director in May of that year -- proposed a new set of procedures titled, “Guidelines for Granting Authority to Operate 18F-Hosted Open Data Systems.” If approved, they would have allowed the unit to authorize the use of essentially public information systems without full security vetting.
The guidelines were not approved by GSA’s information security brass. But in February 2015 18F began using them anyway, the report says.
How that came to be is apparently still something of a mystery.
According to the report, 18F’s director of infrastructure told the watchdogs that “he received approval of the guidelines from Phaedra Chrousos, who at the time had oversight of 18F in her position as head of GSA’s Office of Citizen Services and Innovative Technologies (OCSIT).”
(OCSIT and 18F were both subsequently rolled into the new Technology Transformation Service, which Chrousos also headed, until she stepped down in July 2016.)
According to the report, “Chrousos told us that she remembered the director’s request for her signed approval of the guidelines shortly after she became head of OCSIT in early 2015. She said she did not recall signing them, but probably would have done so.”
When the Inspector General’s staffers asked the Technology Transformation Service to search “for any record of the guidelines,” the officials “told us that they could not verify the existence of the signed document.”
Using its own rules apparently still did not make things happen fast enough for 18F, so, according to the watchdog report, it also implemented a “pre-authorization” policy that allowed information systems it decided were “low-risk” to operate without any security assessment or subsequent OK.
To make things happen even quicker than that, 18F’s director of infrastructure appointed himself as the 18F Information Systems Security Officer -- the person responsible for implementing the GSA rules that 18F was apparently already ignoring. The appointment was never revealed to the overall agency’s CISO, who is responsible for appointing such officials.
Review of its business contracts was something else that 18F apparently felt was dispensable. According to the latest watchdog report, the renegade unit “entered into contracts and other agreements” for information technology purchases worth $24.8 million, and never got approval from GSA’s Chief Information Officer, as required under a formal Memorandum of Agreement with the unit.
How did it all happen? Many of 18F’s top brass and external supervisors claimed not to know.
According to the report, GSA regional administrator McMahon, who was also a GSA “Senior Technology Adviser,” told the watchdogs that “18F was not permitted any flexibility regarding compliance with GSA information technology policies.”
When the Inspector General’s investigators asked 18F Executive Director Snow why there was a “breakdown” in 18F’s info-tech security policy compliance, his reply was, “I honestly don’t know.”
Former OCSIT head Chrousos told the Inspector General’s staffers that “18F was not sufficiently integrated into the GSA IT environment,” but when asked how, as 18F’s overseer, she had allowed the unit to operate without higher information security clearance, she “said that she is not an IT engineer and therefore left technical matters to the director of infrastructure.”
The Inspector General’s staffers put much of the blame for the 18F debacle down to “management failures,” and they pointed the finger at Chrousos and Snow in particular for failing “to provide adequate oversight and guidance to subordinates.”
“Ultimately,” their report says, “Chrousos’ and Snow’s indifference to GSA IT policies contributed to the compliance breakdown.”
Both Chrousos and Snow declined to respond to emailed Fox News questions about the report; in Snow’s case, he said, due to urgent family matters. He had already told the Washington Post, however, that “this report is not about security. It’s about compliance. And that’s why government falls so far behind the rest of the world when it comes to technology.”
The Inspector General’s report also blamed GSA’s current Chief Information Officer, David Shive -- who told them he was “not in a position” to see what 18F was doing before the May 2016 Management Alert Report -- for “failing to fulfill” his responsibilities for the agency’s information technology security program.
Shive had not answered emailed questions from Fox News about the report by the time this story was published.
Both Chrousos and Snow have left their roles. Chrousos announced her departure as head of the Technology Transformation Service in June 2016, after just two months on the job, while Snow left 18F four months later.
The new head of the Technology Transformation Service, Rob Cook, told Fox News that he had already made substantial changes in the way his organization was operating.
In the past, he said, “there was less care taken about complying with the rules than in getting the work done. If we are going to transform government, we have to play by the rules while changing the rules.”
The organization that was supposed to bring dramatic change to the federal world of high-tech is now treating its role as “more of a partnership” -- especially with the bureaucracy’s own legal and technology staff.
Among other things, Cook said, that means painstakingly seeking security OKs for all the high-tech tools it uses -- and not using them until the approvals are granted.
George Russell is Editor-at-Large of Fox News. He is reachable on Twitter at @GeorgeRussell and on Facebook at Facebook.com/George.Russell