A still-ongoing program devised by President Barack Obama to bring Silicon Valley tech types into the federal government to foster innovation instead descended into repeated rule violations, massive financial losses, and retaliation against a whistleblower who called attention to potential violations of the law, government records show.
The Daily Wire reported last week that the General Services Administration (GSA) Inspector General found that GSA’s disruptive tech unit, the Technology Transformation Service (TTS), tricked federal agencies into violating security standards by omitting facial recognition from software designed to lock up highly sensitive information — reasoning internally that such software was racist. It falsely told the agencies that its solution met the security standards, obtaining $197 million in part on the basis of the false representation. GSA said it is pursuing disciplinary measures.
But a series of other government probes show that the team of highly-paid computer programmers at TTS — also known as 18F — has repeatedly put cybersecurity at risk for years. Despite the staff overwhelmingly being far-Left partisans who supported big government, they also seemed to believe that the rules that define big government did not apply to them, all while operating in the risky terrain of government cyberspace.
In May 2016, the IG issued an emergency alert of a “data breach,” writing that “Due to authorizations enabled by GSA 18F staff, over 100 GSA Google Drives were reportedly accessible by users both inside and outside of GSA during a five month period, potentially exposing sensitive content such as personally identifiable information and contractor proprietary information.” The breach involved a misconfiguration in the use of Slack and OAuth, neither of which were supposed to be used.
The IG later said that 18F waited five days to inform management of the long-running breach, then falsely told the public and its customers that sensitive information was not exposed.
“In response to our alert report, the 18F Executive Director [Aaron Snow] and Director of Infrastructure [Noah Kunin] co-authored a public blog post on May 13, 2016, stating, ‘We did a full investigation and to our knowledge no sensitive information was shared inappropriately.’ 18F also subsequently issued emails to external partner agencies stating that ‘this was not a hack or data breach in any way, and this misconfiguration did not cause any sensitive information to be shared inappropriately,’” the IG wrote.
But a February 2017 IG report on “18F’s Information Technology Security Compliance” said the claim by 18F wasn’t true. “GSA IT found that the vulnerability exposed content containing PII to unauthorized users. As of February 2, 2017, the 18F blog post had not been updated to reflect the results of GSA IT’s review,” it said.
The report found that “18F routinely disregarded and circumvented fundamental security requirements related to both the acquisition of information technology and the operation of information systems.” When 18F wanted to do things that were not permitted, it took it upon itself to do them anyway and call it “pre-authorization,” it said. And its employees used personal email accounts for sensitive government business.
When Kunin got tired of oversight from Information Systems Security Officers (ISSO) from the GSA, whose job it was to ensure that federal data was secure, he named himself ISSO for 18F, something he had no power to do, the IG said.
Kunin — who later quit the government because of his hatred of Donald Trump — admitted to the IG that the unit was “definitely not compliant.” He told investigators he “had no training on GSA IT policies,” but the IG “found that he completed the mandatory training, received a copy of the IT Security Policy from GSA IT, and had frequent discussions with the Chief Information Security Officer.”
“We sought to determine the cause of 18F’s widespread violations of fundamental GSA information technology security requirements. We concluded that management failures in GSA IT and 18F caused the breakdown in compliance,” it wrote. “When we asked 18F Executive Director Snow why there was a breakdown in 18F’s information technology security policy compliance, he answered, ‘I honestly don’t know,’” it said.
The failures also extended to finances. 18F had little concern about taxpayer dollars: 18F’s Director of Operations said privately: “To be frank, there are some of us that don’t give rip about the losses,” the IG uncovered.
In June 2017, the IG found that “18F had a $31.66 million cumulative net loss from its launch in March 2014 through the third quarter of FY 2016” and hired 200 people anyway. This occurred in part due to wildly inaccurate projections by its leaders. “For example, although 18F projected over $84 million in revenue for FY 2016, by the third quarter the actual revenue was less than $28 million,” it said.
Meanwhile, the staff spent much of its time on self-promotional activities, vanity projects, and social justice initiatives. “The OIG found that less than half of the 18F staff’s time was spent on projects that would recover FAS’s ASF investment in 18F,” it said, referring to the Federal Acquisition Service.
18F performed work without a contract in place despite dozens of warnings to stop the practice. It billed clients incorrectly in most cases reviewed by the IG, such as undercharging one by $5.5 million. It did not maintain billing records and spent nearly $25 million without approval, the IG found.
Thomas Sharpe, the GSA’s Commissioner of FAS, believed that the entire way the tech group was financed was illegal. He alerted the Inspector General. The IG found that others, including GSA’s own lawyers, believed that GSA was circumventing Congress’ intent with the tech shop. One lawyer in the GSA’s Office of General Counsel wrote that GSA appeared to attempt “an administrative repeal of prior legislation and a stealth re-creation of a service Congress specifically abolished via the GSA Modernization Act.”
The IG found in June 2017 that Obama’s GSA Administrator, Denise Turner Roth, retaliated against Sharpe for blowing the whistle. In April 2017, the GSA responded to the Office of Special Counsel, which policies whistleblower retaliation, conceding: “Many violations identified in the IG’s October 24, 2016 report are the result of gross mismanagement.”
“The legal foundation of TTS is legally permissible. However, [our own] report does identify problems with the implementation of the legal foundation that was provided by the Office of General Counsel, which resulted in a violation of 31 USC §1535 and of GSA policy as well as gross mismanagement,” the GSA continued.
Still, little seemed to change. The far-Left technologists continued on through the Trump administration and into the Biden administration. The IG caught them the latest time this month in what could be its most dangerous misstep yet, the fiasco which caught the unit telling federal agencies that their data was secure with its login product, when in fact it violated required standards by removing biometric requirements in the name of “equity.” The deception imperiled nearly one million online accounts.
This is the second installment in a series.
Part 1: Feds Jeopardized Security Of 1M Americans’ Online Accounts, Citing ‘Equity’
Part 3: Federal Agency Focused On Leftist Politics And Pronouns As ‘Gross Mismanagement’ Put Cybersecurity At Risk
Part 4: Chat Records Reveal Epic Meltdown In Federal Agency After Trump Win