Dear Sacha,
Every so often we get a clear example of how procurement can go wrong. As usual, these examples revolve around, to use the phrase loosely, the top of the food chain. In this case that means a federal agency, the Transportation Security Administration.
Procurement Gone Wrong
Is this not serious business?
The Transportation Security Administration launched a traveler redress website to make it easier for travelers to contact the TSA if they encountered problems, such as having been put on an airline's watch list by mistake. A great idea that suffered considerably due to poor implementation.
In procurement, as in any business really, there are examples such as this that raise the question, "Do they take this business seriously?" Perhaps it's the lack of an outside perspective because most of us, when we look at such things, spot the moral ambiguity and pitfalls quite easily.
The problem, to quote the Committee on Oversight and Government Reform report, is as follows: "This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft."
A grievous shortcoming that should never have happened. It did, of course, and the report detailed how this was possible. Investigators found that "the RFQ was written in such a way that a small northern Virginia web marketing firm called Desyne Web Services was 'the only vendor that could meet program requirements.'" Desyne already hosted a claims management website for the TSA. The RFQ specified that this new traveler redress site must be "consistent with" this existing website and must be hosted on the same server.
Mimicking a website's design is not very difficult. Any experienced company could have done that much. However, since Desyne owned the server on which this website needed to be hosted, nobody else could have met that requirement.
It's no surprise to learn that the project's Technical Lead and author of the RFQ "had known Desyne's owner since high school" and still kept in close contact with him. Indeed, he had even worked for Desyne in the past.
Of course these are only details to the thousands of people who may have had their personal information compromised. There the question remains, how could the TSA fail so completely in providing security? The answer is that neither the TSA's project director nor the technical lead had the expertise to know whether the website was designed to be secure.
To recap the website's main security flaws: "it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified."
When people visit a government website they count on a certain level of safety and security. Instead of being hosted on the tsa.gov domain, this website was hosted on desyne.com.
The home page was not encrypted, so any information entered there could easily be intercepted in transit by criminals. This included a control number that people who had filed a complaint could enter to access their file, which contained all their personal information.
The submission page, through which all the personal data was sent to the TSA, was not encrypted at all. Those pages which were encrypted had an SSL certificate generated and signed by Desyne rather than by a valid third-party provider (see last week's newsletter for more information about SSL).
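
As an added illustration (not part of the original newsletter or the committee report), the Python sketch below checks a page for the four flaw classes the report lists. The hostnames, markup, certificate fields and the `audit_page` helper are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html, cert, official_domain):
    """Return findings for the four flaw classes the report lists."""
    findings = []
    page = urlsplit(page_url)
    host = page.hostname or ""
    if host != official_domain and not host.endswith("." + official_domain):
        findings.append("off-domain-host")
    finder = FormFinder()
    finder.feed(html)
    # A form delivered over plain HTTP can be altered before the user sees it.
    if page.scheme != "https" and finder.actions:
        findings.append("form-served-over-http")
    for action in finder.actions:
        # An empty action posts back to the page's own URL.
        if urlsplit(urljoin(page_url, action)).scheme != "https":
            findings.append("form-submits-over-http")
            break
    # Issuer equal to subject is the usual sign of a certificate signed by
    # the site operator itself rather than by a third-party authority.
    if cert is not None and cert["issuer"] == cert["subject"]:
        findings.append("self-signed-certificate")
    return findings


# Constructed sample input: hostnames, markup and certificate fields are invented.
SAMPLE_HTML = '<form action="/lookup" method="post"><input name="control_number"></form>'
SAMPLE_CERT = {"subject": "CN=forms.vendor.example", "issuer": "CN=forms.vendor.example"}

if __name__ == "__main__":
    print(audit_page("http://forms.vendor.example/redress/", SAMPLE_HTML, None, "agency.example"))
    print(audit_page("https://forms.vendor.example/redress/", SAMPLE_HTML, SAMPLE_CERT, "agency.example"))
```
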
That leaves one last question. Could these problems have been avoided? Absolutely. This is decidedly not a case of an issue being blown out of proportion. As one commentator put it, "This is Web Development 101. Anyone who has ever worked on an ecommerce site should [be] aware of the issues."
Resources
Information Security Breach at TSA
The report covering this issue is quite short and makes for some very interesting and informative reading. I highly recommend it to anyone who would like more information than the highlights I touched on above. The report's complete name is Information Security Breach at TSA: The Traveler Redress Website.
It's chilling to think that people who are employed by the government to provide or deal with security can be so cavalier about that very subject. This isn't a frightening thought because this is a new and unforeseen threat. It's frightening because this entire issue could have been avoided so easily. All that the TSA had to do to avoid this was do the job right.
Sincerely,
Sacha Hartmann
YSER Inc.