We have met the enemy and he is Issa
Congressman Darrell Issa is determined that he’s eventually going to uncover an actual scandal. If it’s not regarding Benghazi then it will be regarding the IRS. If it’s not the IRS then, by God, it will be about the security of the healthcare.gov website. Yesterday he held yet another hearing to “prove” that the site is not secure.
At the hearing, the top cybersecurity official at the Centers for Medicare and Medicaid Services, Teresa Fryer, testified that, despite concerns she had previously expressed regarding the security of the site, extensive testing done more recently has changed her mind. “This security control assessment met all industry standards, was an end-to-end test and was conducted in a stable environment that allowed for testing to be completed in the allotted time,” she told the Committee on Oversight and Government Reform panel.
However, Rep. Issa prefers to believe a private security consultant, David Kennedy of TrustedSec LLC, who has no relationship with the Department of Health and Human Services or any access to the website that the average citizen doesn’t have. Kennedy told the panel, “HealthCare.gov is not secure today…It is insecure – 100 percent.”
Mr. Kennedy may be right about the vulnerability of healthcare.gov, but the threat is not that the site itself is insecure. Rather, it is vulnerable because the code behind the website may not be secure: it is in the possession of someone known to leak government information when it suits his political agenda, Darrell Issa.
The threat is so real that, the day before yesterday’s hearing, Democratic Rep. Elijah E. Cummings, a Ranking Member on the House Oversight Committee, sent Rep. Issa a letter imploring him to secure the sensitive information in his possession. You can read the full letter HERE. Here are some critical excerpts:
I am writing to raise concerns and propose Committee action on three requests so that Committee Members will be able to conduct this hearing in a responsible and bipartisan manner that does not jeopardize the security of the website or the personal information of American citizens.
My concerns are based on explicit and repeated warnings by the MITRE Corporation, which conducted security testing on the Healthcare.gov website. MITRE officials warned in four different letters to the Committee—on November 5, November 22, December 4, and December 13—that the documents it produced to the Committee include software code and other technical information that is highly sensitive and could give hackers a roadmap to compromise the security of the website and the personal information of consumers.
When MITRE produced these documents to the Committee in unredacted form on December 13, 2013, the company’s President and Chief Executive Officer warned:
In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov and potentially to the security of other CMS data networks that share attributes of this architecture. The resulting potential for risk to the privacy of Americans’ personal information is the reason that MITRE remains concerned about disclosure of the previously redacted information.
Despite multiple requests and MITRE’s repeated warnings, you have not responded to any of my inquiries. As a result, Committee Members participating in Thursday’s hearing have no protocol in place to help them determine which documents may be used in open session and which documents should be protected to prevent against attacks by domestic hackers, foreign entities, and others seeking to harm our national interests… I also remain concerned with the unilateral release by your office of partial transcripts and select document excerpts to promote partisan narratives that often turn out to be inaccurate, particularly when these releases are not part of any official report, correspondence, or other Committee action. […]
Another concern is the security of documents in the custody of the Committee. Currently, the Committee has no procedure governing the storage and handling of these sensitive documents. As a result, there have been two separate occasions last week when sensitive documents were left unattended in unlocked rooms accessible by the public. Although I understand that your office believes these documents are not sensitive, one was produced to the Committee in encrypted, password-protected format, and both were marked as sensitive documents that require special handling. […]
A third concern relates to providing access to sensitive information to individuals outside the Committee. In December, you stated that you intended to “consult carefully with non-conflicted experts to ensure no information is released that could further jeopardize the website’s security.” Several days later, you wrote a letter to the Department of Health and Human Services indicating that you had already begun this process, stating that you would “continue” consulting with outside security experts.
Based on your statements, it is unclear who these outside experts are, who they work for, and who they may be affiliated with, raising concerns about what they may do with the information. If they do not work for the government or any of its contractors, it is unclear what contractual or other restrictions they are under not to disclose this sensitive information further. There have been multiple reports about organizations and individuals who are deliberately targeting the Healthcare.gov website for malicious purposes. The risk that this information could get into the wrong hands increases dramatically as more individuals gain access to it, particularly when these individuals are under no obligation to safeguard it.
Yes, healthcare.gov faces a serious and imminent security threat. That threat comes in the form of a hyper-partisan politician looking to further his own political career and shore up support from his far-right conservative benefactors and supporters, even if it compromises the personal and private information of American citizens.
If anything nefarious results from information leaked or inadvertently released through shoddy handling by Congressman Issa and his staff, particularly after these warnings, he should go to prison.