WaPo Headline Frets About Possible Issa File Releases, Not Insecure HealthCare.gov

December 26th, 2013 10:16 AM

Major establishment press outlets ignored Friday's news that "Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS) ... explicitly recommended denial of the website’s Authority to Operate (ATO), but was overruled by her superiors." Fryer also "refused to put her name on a letter recommending a temporary ATO be granted for six months" In other words, HealthCare.gov should not have launched.

Brian Fung at the Washington Post's "The Switch" blog didn't consider the idea that HC.gov shouldn't even have gone live the most important story element. While failing to disclose Fryer's no-go recommendation and refusal to go along, he and his post's headline instead obsessed over whether Republican Congressman and House Oversight Committee chair Darrell Issa might "release files" that "could aid hackers." It wouldn't be a surprise to learn that hackers already have them, or at least have figured out how to work with or around them. Excerpts follow the jump (bolds are mine):


These HealthCare.gov files could aid hackers. And Darrell Issa may release them.

HCgovNotSecure

Significant security vulnerabilities are still being uncovered in the Obama administration's health-insurance Web site, nearly three months after the launch of HealthCare.gov.

Officials discovered two such vulnerabilities, known as "high findings," within the last month, including one this week, Teresa Fryer, the chief information security officer for the Center for Medicare and Medicaid Services, told the House Oversight Committee this week in an interview. Fryer said that both issues were being addressed.

The debate over the security of HealthCare.gov has raised questions about whether similar vulnerabilities exist in systems across the federal government. Because the Internal Revenue Service, the Social Security Administration and other agencies communicate with HealthCare.gov, security gaps in those agencies could, if discovered, allow hackers to penetrate their systems and indirectly compromise the functioning of the new health-care law, according to outside security experts.

... While software vulnerabilities in Healthcare.gov have been documented, the potential risk stemming from the site’s interconnection with other federal systems has not. Officials from the White House, the Health and Human Services Department and others did not answer questions posed by The Washington Post about whether serious vulnerabilities exist in other federal IT systems linked to HealthCare.gov.

... Separately, Mitre, an independent contractor hired to test the security of HealthCare.gov, identified 28 security vulnerabilities in one of several tests it conducted in mid-October, according to the company.

... Last month, Mitre agreed to send redacted copies of its test results to Issa in response to a subpoena. On Dec. 9, Issa requested the same documents in an unredacted format.

In a series of four letters to Issa, executives from Mitre, the contractor behind the studies, warned that the unredacted documents could pose a risk to national security.

"In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov," wrote Mitre chief executive Alfred Grasso in a letter that accompanied the unredacted documents, "and potentially to the security of other CMS data networks that share attributes of this architecture."

The Obama administration chimed in, with the White House counsel's office urging Issa not to leak the documents for fear of endangering "other, similarly constructed federal IT system controls."

The obviously unexplored "potential risk stemming from the site’s interconnection with other federal systems" represents yet another reason why Fryer's no-go recommendation should have been heeded.

It would appear likely that Mitre had to write the letters it did as a matter of due diligence, so the fact that the firm did so is not automatically extraordinary, as Fung would want us to believe.

As to Issa, contrary to the Obama administration's assumptions, he wasn't quoted about releasing or "leaking" them, only about getting them in unredacted form. Is the Obama administration so distrusting of Congress, to which it gives national security briefings all the time, or is it more concerned that there's damning information in what has been redacted to this point? If Team Obama is worried about "leaks," maybe it should be look at the Democrats on Issa's committee, who would appear to have a lot to gain from anonymously "leaking" the documents to embarrass the chairman.

The larger point is that Fung blew off Fryer's courageous refusal to go along and get along in favor of fretting about something (i.e., releasing security-sensitive documents) no one has ever said they intend to do.

Maybe the paper should change its name to "The Water-Carrying Post."

Cross-posted at BizzyBlog.com.