Update: Fleishman-Hillard is disputing the facts of the hack as presented by hosting provider Media Temple. Bill Pendergast, general manager of the Fleishman-Hillard DC office, told Ars Technica, "For Media Temple to claim ignorance of hosting the FTC -- or other government -- sites is completely false. In their own words, Media Temple is deep in this area, with what they claim to be the appropriate level of compliance. It's hard to see how their fiction helps anyone get to a constructive outcome." A fully updated story with the latest information from the FTC, Fleishman-Hillard and Media Temple will be posted shortly.

If you were looking for a recipe for creating government websites that attract defacement attacks, the acquisition process that led to the creation of a set of recently hacked Federal Trade Commission sites would be a good place to start. Despite a raft of federal security regulations and guidelines for using cloud services, smaller projects often fall through the cracks of security oversight—just as they often do with outsourced marketing projects for large corporations.

The FTC's initial solicitation for the $1.49 million contract that created the sites hacked on January 24 and February 17 set out very specific security requirements for the sites. But by the time the contract for a set of consumer and business education websites and social media was awarded to public relations firm Fleishman-Hillard in August of 2011, those requirements had been dropped from the statement of work.

In part, the security requirements were dropped because the FTC planned to host the sites with someone other than the winner of the contract. But Fleishman-Hillard ended up setting up the servers for the sites themselves—on Media Temple's unmanaged server-in-the-cloud service, which was never intended for .gov sites. And it appears the FTC signed off on the move.

As a result, the servers provisioned for a number of FTC sites, including a site providing recommendations for business and consumer information security, were configured with an outdated version of the Drupal content management system that offered up a tempting target to Anonymous "antisec" hackers looking to embarrass the government.

When the FTC originally posted the solicitation for bids in May of 2011, the statement of work included strong security language for the project, stating that the servers for the project would be subject to the requirements of the Federal Information Security Management Act of 2002 (FISMA). And as part of those requirements, the FTC's solicitation spelled out contractors' responsibilities regarding data breaches: "The contractor shall be required to prevent and remedy data breaches and to provide the FTC with all necessary information and cooperation, and to take all other reasonable and necessary steps and precautions, to enable the FTC to satisfy its data breach reporting duties under applicable law, regulation, or policy in the event, if any, that a breach occurs. The Information System Security Plan required elsewhere in this document shall include policies and procedures necessary to ensure the timely detection of and reporting to the FTC of data breaches, as well as safeguards to prevent and mitigate the risk of, as well as to remedy, such breaches, if any."

But by the time the contract was awarded, the FTC had struck any reference to security requirements from its amended statement of work. In a "Questions and Answers" document posted by the FTC's Office of Acquisitions on June 3, the office responded to a question on the nature of the security requirements of the project by stating "This information has been deleted from the statement of work." In the same Q&A document, the FTC said that the websites built under the contract "will be hosted by a third-party hosting provider to be contracted separately and directly by the FTC."

That clearly didn't happen. Media Temple, the hosting service that was used to provide the servers for the sites, wasn't contracted by the FTC; instead, the sites were set up by Fleishman-Hillard, and the hosting provider was unaware they were being used for .gov domains, according to Media Temple chief marketing officer Kim Brubeck.

The result of the process was that a whole set of FTC domains—including business.ftc.com, OnGuardOnline.gov, and the National Consumer Protection Week blog—were left unpatched and exposed to attack, creating low-hanging fruit for attackers like Anonymous. And there are clearly many other civilian federal agencies that have the same problem. Anonymous' Antisec collective claims to have amassed a large number of similar federal sites that it has already compromised.