The Politico story is at http://images.politico.com/global/2013/12/12/hhstoissa.html
House Oversight and Government Reform Committee Chairman, Darrell Issa, issued a subpoena to MITRE for the security review of the website. As most of us know, a committee only issues a subpoena after it has asked for the document and not received it from HHS. One could reasonably conclude that is what has happened here. It isn't unusual for someone to ignore a request for documents, especially when there have been so many requests over the matter of the website's construction and management. The system is an IT nightmare, and however much we are assured it works for most people, it isn't secure enough to be used by most of those people, and HHS knows it. They have accepted the risk and are diligently working on remedial correction of the deficiencies. That, at least, is what they want us to think.
However, once the subpoena is issued, they have less wiggle room. Politico speculates that HHS withheld the documents because it was afraid the Committee would release the information to the public. Actually, Congress has released sensitive information to the public in every administration and under both political parties, so that should not come as a surprise to anyone. In this case, they wouldn't release it unless they thought it was the only way to keep consumers of the service from putting their data at risk. There are always two sides to this story, and this is the side of HHS:
“As you are aware, MITRE shares our assessment regarding the risks from public disclosure of these documents and has warned, most recently in its letter of December 4, 2013, that the information they contain ‘could be used to hack the system … and may pose a risk to the confidentiality of consumer information accessible through healthcare.gov if disclosed,’” Esquea wrote, further offering to let a third party determine whether their publication could imperil the website.
While we all might share this concern, I wonder why they accepted the risk of operating the website to begin with. Testimony so far indicates there were almost no serious security deficiencies, to the point that the system was allowed to operate with some known "minor" risk elements and an incomplete report from MITRE. All the good Committee is trying to do is find out how serious those minor things really are. The Committee will find it hard to justify releasing risk information while the system still operates, and it shouldn't do that.
On the other hand, if MITRE and the HHS staff believe hackers might be able to exploit existing vulnerabilities in the system, why did they not consider those vulnerabilities serious enough to stop it from going operational? The risk isn't to HHS. It is a risk to my data and to the data of the millions of others who are potential users of the system. Who decided that was acceptable?
You can read HHS' full response below and wonder how serious this really is. Hackers are far brighter than most political appointees, especially in their chosen fields. If there were vulnerabilities so serious that MITRE did not think they should be made public, we can say almost for certain that hackers already know about them. It is certainly not something they needed to wait for a published report to discover.
But what will come back to haunt them one day is putting in writing that they don't trust the Members of Congress to protect information they are given. You might say that in a back room or an office, even at a party caucus. Saying it in writing is never smart.
Congress gets Top Secret information almost every day, and when I worked in both the Senate and House, it was being protected pretty well. They surely can handle this kind of risk assessment and appreciate the sensitivity of it. The sentiment that they might not will not be well received by any member of either party.