Reports have surfaced that the Federal Trade Commission failed to maintain security-related language in service contracts awarded to a public relations firm responsible for the agencies websites.
The lack of proper security precautions governing the agency's websites may have been a contributing factor to the January 24 hack of the FTC's OnGuardOnline.gov site where attackers exploited vulnerabilities in the application software employed.
In addition, the PR firm subsequently failed to take action to mitigate FTC website vulnerabilities after the initial attack, allowing for the successful defacement of the agency's Consumer.ftc.gov website.
"The initial language of the FTC's solicitation for the $1.49 million contract that created the sites that were hacked on January 24 and February 17 set out very specific language about the security requirements for the site. But by the time the contract for a set of consumer and business education websites and social media was awarded to public relations firm Fleishman-Hilliard in August of 2011, those requirements were dropped from the statement of work," Arstechnica reports.
The lack of due diligence has prompted the hosting service Media Temple to ask Fleishman-Hilliard to take down any remaining websites subject to federal security guidelines.
"We have actually asked Fleishman-Hilliard to remove any [remaining] .gov sites... We aren't a FISMA-certified hosting service," said Temple Media's Kim Brubeck.
The events leading up to the security gaff provide a prime example of the risks government agencies face when outsourcing operations. In the midst of dealing with multiple contractors, security precautions seemed to have just fell to the wayside.
"In part, the security requirements were dropped because the FTC planned to host the sites with someone other than the winner of the contract. But Fleishman-Hilliard ended up setting up the servers for the sites themselves—on Media Temple's unmanaged server-in-the-cloud service that was never intended for .gov sites. And it appears the FTC signed off on the move. As a result, the servers provisioned for a number of FTC sites, including a site providing recommendations for business and consumer information security, were configured with an outdated version of the Drupal content management system that offered up a tempting target to Anonymous "antisec" hackers looking to embarrass the government."
The events appear to be a comedy of errors, where during the long process involved in setting up and awarding federal contracts, due diligence was not maintained and critical security requirements were not enforced.
As the federal government races to outsource services to the cloud in an effort to cut costs, the risk of oversights of this nature unfortunately become more probable.