Congressional report blasts TSA for security lapses on Web site

Committee blames lack of oversight; agency says newer site is working properly

A congressional report released today claims that a vulnerability-ridden Web site set up in 2006 by the Transportation Security Administration (TSA) was the result of poor acquisition practices, rampant conflicts of interest and inadequate oversight at the agency.

The Web site was designed to help airline travelers whose names were erroneously listed on terrorist watch-lists to ask to have the listings removed. But an investigation initiated last year at the request of U.S. Rep. Henry Waxman (D-Calif.) found that the TSA had awarded the Web site development contract without competition to a small Virginia-based contractor that was ill-equipped to do the job.

The TSA then completely failed to oversee the work of the contractor, according to the report, which was written by staffers at the House Committee on Oversight and Government Reform, which Waxman chairs. In addition, the report said that the TSA official in charge of the project was a former employee of the contractor and regularly socialized with the company's owner.

The Web site was activated in October 2006. Travelers seeking redress from the government on the watch-list entries were required to provide a wide range of information via the Web site, including their passport details, Social Security number, birth date and place of birth, as well as their height, weight and other personal data.

According to the report released by Waxman, the site posed a serious identity-theft risk to people who submitted information. The site wasn't hosted on a government Internet domain, nor did its home page and one of its data submission pages use encryption, said the report. It adds that none of the pages with encrypted fields provided users with actual digital certificates.
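The defects the report lists (a host outside the government's domain, pages that collect personal data without encryption) are the kind of thing a reviewer can catch mechanically before a site goes live. The following is an added example, not code from the article, the TSA or the contractor: a small offline audit that takes a page URL and its HTML, finds every form, resolves where each form submits, and flags any submission of sensitive fields that is not protected by HTTPS. The expected `.gov` host suffix, the list of sensitive field names and the sample HTML are all constructed for illustration. It goes slightly beyond the article in that it checks every form on the page, not only the ones the report singled out.

```python
"""Offline audit of a data-collection page for the defects described in the report:
host outside the expected domain, page or form action not served over HTTPS,
and sensitive personal fields submitted over plaintext."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names treated as sensitive; a constructed list for this example.
SENSITIVE_FIELDS = {"ssn", "passport", "dob", "birthdate", "birth_date"}


class FormCollector(HTMLParser):
    """Collect each <form>'s action attribute and the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html, expected_host_suffix=".gov"):
    """Return a list of human-readable findings; an empty list means no defect found."""
    findings = []
    page = urlparse(page_url)
    host = page.hostname or ""
    if not host.endswith(expected_host_suffix):
        findings.append(f"page host {host!r} is not under {expected_host_suffix!r}")
    if page.scheme != "https":
        findings.append("page is not served over HTTPS")

    parser = FormCollector()
    parser.feed(html)
    for i, form in enumerate(parser.forms):
        # An empty or relative action resolves against the page URL, as browsers do.
        target = urlparse(urljoin(page_url, form["action"]))
        sensitive = sorted(set(form["fields"]) & SENSITIVE_FIELDS)
        if target.scheme != "https":
            findings.append(f"form {i} submits to {target.geturl()} without HTTPS")
            if sensitive:
                findings.append(f"form {i} collects sensitive fields {sensitive} over plaintext")
    return findings


# Constructed sample pages: one with the report's defects, one hardened.
BAD_URL = "http://redress.example-contractor.com/form.html"
BAD_HTML = """<html><body>
<form action="submit.php" method="post">
  <input name="passport"><input name="SSN"><input name="height">
</form></body></html>"""

GOOD_URL = "https://redress.dhs.gov/form.html"
GOOD_HTML = """<html><body>
<form action="https://redress.dhs.gov/submit" method="post">
  <input name="passport"><input name="ssn">
</form></body></html>"""

if __name__ == "__main__":
    for label, url, html in (("bad", BAD_URL, BAD_HTML), ("good", GOOD_URL, GOOD_HTML)):
        print(label, audit_page(url, html) or ["no findings"])
```

The check runs entirely on the HTML, so it cannot tell whether an HTTPS endpoint actually presents a valid certificate chain; that is the report's third point and needs a live TLS handshake against the server, which is deliberately left out of this offline example.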

The report describes the security defects on the Web site as glaringly obvious. But they didn't come to light until they were publicized by Chris Soghoian, a Ph.D. student at the University of Indiana's School of Informatics who wrote about them on his personal blog last February.

Lara Uselding, a spokeswoman for the TSA, said today that the agency addressed all of the issues raised in Waxman's report months ago. Soon after the security flaws were identified, Uselding said, the original Web site was taken down and a new one was set up within the Web domain of the Department of Homeland Security, of which the TSA is a part.

The replacement site has been used without incident by more than 16,000 individuals, according to Uselding. She added that all of the more than 230 people who had input personal data on the original Web site have been notified of the security risks. Meanwhile, the contractor that built the first site -- a company called Desyne Web Services Inc. -- continues to do work for the TSA but is no longer involved with the redress management system, Uselding said.

According to Waxman's report, the TSA's initial request for quotes (RFQ) from outside contractors was worded in such a way as to ensure that only Boston, Va.-based Desyne would qualify for the $48,000 Web-site design job.

Desyne has done work for the TSA since 2004 and already had been awarded several contracts without competition, according to the report. One of the earlier contracts involved hosting a claims management site that enabled travelers to file online claims for damaged property. The RFQ for the redress management system required that the Web site be hosted on the same server, said the report.

The situation was compounded by the fact that the TSA's lead technical staffer on the redress management system project had a prior relationship with Desyne and the company's owner, who was a friend from high school.

The report said that relationship "seemed to blur the lines between the contractor's performance of the contract and TSA's contract oversight." It goes on to claim that the TSA staffer didn't have the information security knowledge needed to ensure that the system and Web site were built securely.

The TSA hasn't taken any action against Desyne in connection with the problems on the redress management system project, according to the report. Desyne officials didn't return a phone call seeking comment on the report's findings.

Copyright © 2008 IDG Communications, Inc.