Ignorance is Bliss: More on the GSA IG and 18F

A few days ago, I wrote about Federal IT systems management. In particular, I noted this GSA-OIG report, and its criticism (in my view wrong headed) of 18F—an innovative Federal IT digital consultancy. I wanted to dig down a bit into the IG's report and explain, further, how ... well ... silly it is.

Today's case in point is the critique from the GSA IG (echoed by GSA IT) that 18F used software products that were not approved for use. That sounds pretty serious—but when you look at it closely, it becomes a bit more nonsensical. Here's the finding from page 3 of the IG's report:

Examples of software that were in use by 18F, but not approved by GSA IT, included Hackpad,used for taking collaborative notes and sharing data and files; CloudApp, a visual communication platform; Pingdom, a website monitoring tool; and Hootsuite, a social media marketing and management dashboard. During our review, GSA IT determined that these software products should not be used in the GSA information technology environment and issued a notice to GSA staff in June 2016 that access to these and other software products would be blocked.

So ... what we have here is that 18F used four commercially available products, in wide-spread use by the private sector, but they were "unapproved" by GSA and hence prohibited. Note that "unapproved" does not, it seems, bring with it a finding of "vulnerable" or "non-functional." Just "not approved."

To see what this means, let's take just one of these four—chosen at random, by me—Pingdom. According to its website, Pingdom is used to monitor the performance of your website—how often it is "up" and running; how often it is "down"—and helps improve your performance by doing things like root cause analysis of instances when you have failures. Those seem like useful utilities—especially if, like 18F, your first mission is to fix a broken website like HealthCare.gov.

Unless they are lying through their teeth, it appears that Pingdom currently has more than 700,000 customers in 22 countries, including small fry like Facebook and Spotify. And the tech has gotten some pretty good reviews. Here's one from TechNet (a Microsoft site) (you have to scroll down) and here's another from PC magazine. Do I, personally, have enough tech-savvy to validate these views—no, I don't. But folks who do have the chops (including those at 18F) think it works well.

More to the point, you will search in vain throughout all of the plausible sources to find any report of any actual security vulnerability in Pingdom's tech. Much less a report of any successful attack using Pingdom as a vector. Perhaps they are out there and I didn't find them (readers are invited to provide citations for such, please), but as far as I can tell, there is no such record. Does that mean that Pingdom's code is 100% secure? Of course not. No code ever is, at least that I'm aware. But what it does mean is that the vulnerabilities that may exist are not known and there is no reason to think they are any worse than anyone elses.

I have not done the same examination of the other technologies mentioned: Hackpad, CloudApp, and Hootsuite. But I am going to go out on a limb and speculate that the same is true of them—commercial products with wide-use and no known vulnerabilities.

So ... there you have it. 18F's "tragic" error was to use commercial off-the-shelf technology (did I mention it was relatively inexpensive) that is used on a global basis and that has no known publicized security flaws. It did this without "approval" from higher-ups, and for that, it gets an IG report that slams it for its "failures."

Color me skeptical—the more I look at this the more it seems to me as if this is a case of "federal bureaucracy revenge."