For those who do, or have done, government security for IT systems, the hearings yesterday by the House Government Oversight Committee were surreal (see http://www.c-span.org/search.aspx?For=CMS). It is long, but worth watching for its politics, its security content, and the professional conduct on display in the security field. I have 42 years of doing security for government systems and this was the nightmare we used to warn each other about. Having to explain the tortured process of getting a senior manager to accept risk by signing an Authority to Operate (ATO) is not normally as painful as this particular one turned out to be, but maybe it should be. The participants were:
DR. KEVIN CHAREST Health & Human Services Department (HHS) CISO
TERESA FRYER Centers for Medicare & Medicaid Services (CMS) CISO
FRANK BAITMAN Health & Human Services Department (HHS) CIO
What we discover in this hearing is that the process in security is so convoluted in large organizations that no one person is at fault. Everybody in this group took FingerPointing 101.
Baitman says each of the 11 operating divisions has its own CIO and CISO, which is enough to confuse anyone. When he says he can't remember being aware of the specifics of any of the security problems with the Obamacare website, it is not hard to figure out why. This kind of management structure is an abomination.
Fryer says she and her CIO passed along their "reservations about the ATO" and indicated they did not want to sign it. She based this on the fact that end-to-end security testing had not been done, and she did not have confidence that "PII information could be protected". She briefed her CIO that they should not release the ATO. That means it wasn't ready.
Both eventually briefed Baitman, who says this was "not a red flag" to him, though he did consider it "noteworthy". He says he had "no direct understanding of operations or security of CMS." The risk decision was not his to make. Mr. Baitman got an "A" in FingerPointing 101 and may have taken advanced courses after that.
He did, however, pass it along to some other people in HHS. He also says that on Sept 1 he recommended a Beta deployment, but his recommendation was not accepted. Everyone in IT knows what this means to an experienced CIO. It wasn't ready and he knew it wasn't.
Mr. Meehan, Chairman of the House Cybersecurity Committee, said some Chinese hackers tried to get into the system in November. If they were trying in November, before end-to-end testing was done, nobody knows if they succeeded. The Chinese are pretty good at this kind of thing, so if they failed, you can bet they tried several other times. The fact that they were not detected is not a big surprise to anyone. He was skeptical of their assurances to the contrary, hesitated, and stopped before saying any more. I got the impression there was more to say. Each of the persons testifying said there were no reported intrusions into the system, just as there were no reported intrusions into Target before there were reported intrusions. Mr. Cummings, a committee member and frequent foil to Mr. Issa, the Chairman, said anything to the contrary was the use of "scare tactics" by the Republicans.
The most interesting addition to what is known about this IT security disaster was a chart indicating there were 17 states which did not have Authority to Connect agreements with CMS. It mentions that CMS should accept the risk for these, and for the internal connections to IRS, DHS, SSA, et al., for 90 days. They acknowledged that these were not their risks to take, but they could do it anyway. That was a decision that even Baitman could not make. It would have had to be made higher up in HHS.