The Incontiguous Brick

January 12, 2008

INFORMATION SECURITY BREACH AT TSA

Filed under: politics,Warnings,Wordpress Political Blogs — iknowkeith @ 12:34 am

There is an absolutely astonishing report from the U.S. House of Representatives, Committee on Oversight and Government Reform. The new report on the TSA is a horrifying example of a government bureaucracy that is out of control and operating without proper restraint.

Here is the Executive Summary:

In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain.
At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers’ sensitive personal information. As this report describes, these security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight.
The report finds:
• TSA awarded the website contract without competition. TSA gave a small, Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress website. According to an internal TSA investigation, the “Statement of Work” for the contract was “written such that Desyne Web was the only vendor that could meet program requirements.”
• The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the “Technical Lead” on the website project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne’s owner.
• TSA did not detect the website’s security weaknesses for months. The redress website was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured “the privacy of users and the security of the system” before its launch. Thousands of individuals used the insecure website, including at least 247 travelers who submitted large amounts of personal information through an insecure webpage.
• TSA did not provide sufficient oversight of the website and the contractor. The internal TSA investigation found that there were problems with the “planning, development, and operation” of the website and that the program managers were “overly reliant on contractors for information technology expertise” and had failed to properly oversee the contractor, which as a result, “made TSA vulnerable to non-performance and poor quality work by the contractor.”

Neither Desyne nor the Technical Lead on the traveler redress website has been sanctioned by TSA for their roles in the deployment of an insecure website. TSA continues to pay Desyne to host and maintain two major web-based information systems: TSA’s claims management system and a government-wide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.
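The four deficiencies the summary lists are all checkable from the outside, before a single traveler types in a Social Security number. The Python below is an added example, not code from the original post or from the committee report: it audits a page for a hostname that is not under .gov, a homepage or form submission served over plain HTTP, and a certificate whose names do not cover the hostname it is presented on. The URLs, hostnames, HTML and certificate data are constructed for illustration and are not the real site's. The report does not say exactly how the real pages were "not properly certified," so the name-mismatch check models one common way that happens (a certificate issued for the contractor's own domain served on a different hostname).

```python
"""Static checks for the weaknesses the report names in a traveler-redress
style web form: non-government hostname, homepage served without TLS, a form
that submits over plain HTTP, and a certificate whose names do not cover the
host. Constructed example; the URLs, hostnames and HTML below are made up and
do not describe the actual TSA site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> with its action and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html, gov_suffix=".gov"):
    """Return a list of human-readable findings; an empty list means the page
    passes the hosting and transport checks."""
    findings = []
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower()
    if not host.endswith(gov_suffix):
        findings.append(f"host {host!r} is not under {gov_suffix}")
    if parts.scheme != "https":
        findings.append(f"page {page_url} is served without TLS")
    collector = _FormCollector()
    collector.feed(html)
    for form in collector.forms:
        # Relative actions inherit the page's scheme; absolute ones may not,
        # which is how an HTTPS page can still post its data in the clear.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(
                f"form with fields {form['fields']} submits over plain HTTP to {target}"
            )
    return findings


def cert_matches_host(cert, hostname):
    """Hostname check over the dict shape ssl.SSLSocket.getpeercert() returns.
    Uses subjectAltName DNS entries, falling back to the subject commonName,
    and lets a wildcard match exactly one label, as RFC 6125 requires."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


# Constructed samples (hypothetical hostnames, not the real site).
INSECURE_URL = "http://www.redress-contractor.example.com/"
INSECURE_HTML = """<html><body>
<form method="post" action="/submit">
  <input type="text" name="full_name"><input type="text" name="ssn">
</form></body></html>"""

MIXED_URL = "https://redress.example.gov/apply"
MIXED_HTML = '<form method="post" action="http://redress.example.gov/submit"><input name="dob"></form>'

CLEAN_URL = "https://redress.example.gov/apply"
CLEAN_HTML = '<form method="post" action="/submit"><input name="dob"></form>'

# A certificate issued for the contractor's own hosting domain, presented on a
# .gov hostname: none of the names it carries cover the host.
MISMATCHED_CERT = {
    "subject": ((("commonName", "www.redress-contractor.example.com"),),),
    "subjectAltName": (("DNS", "*.redress-contractor.example.com"),),
}


if __name__ == "__main__":
    for url, html in ((INSECURE_URL, INSECURE_HTML), (MIXED_URL, MIXED_HTML), (CLEAN_URL, CLEAN_HTML)):
        print(url, audit_page(url, html) or "no findings")
    print("cert covers redress.example.gov:", cert_matches_host(MISMATCHED_CERT, "redress.example.gov"))
```

The first sample trips all three page checks at once, which is roughly the state the summary describes; the second shows the subtler case of an HTTPS page whose form posts to a plain-HTTP endpoint, which a browser of that era would submit without complaint. In a live audit the certificate dict would come from `ssl.SSLSocket.getpeercert()` after a TLS handshake, and the page HTML from a fetch of the homepage and each submission page.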

I am bothered by the poor handling of the personal data and the breach of public trust. But on a larger level, I consider the extreme corruption of this case more than disturbing considering that this is the agency that is supposedly “protecting” us from another terrorist attack from the sky.

Let me illustrate this by looking to the military. To gain a security clearance in the military, an extensive background investigation is conducted for each individual. The point of the investigation can be boiled down to two questions that determine one’s suitability to be trusted with sensitive information. One, does the individual have a past history that demonstrates untrustworthiness? Two, does the individual have areas in their life that could give a foreign spy the ability to coerce the individual into giving up classified information by threatening to embarrass or expose them? Both of these questions could be asked of the TSA, and it would fail.

This is not an agency that can be trusted to keep us safe!

Full report can be found HERE
