HealthCare.gov’s risk status is a very big deal, indeed.
Kim manages to locate one credible expert who will speak about the security problems on camera: Affordable Care Act supporter and Georgetown law professor Lawrence Gostin. Gostin is an especially valuable figure in this context because he helped craft the Affordable Care Act so that it would stand up to constitutional challenge. His criticisms can’t be dismissed as partisan. When we tell him about the September 27 memo and waiver, he’s disturbed that the Obama administration signed off and moved forward.
“Nothing can undermine public confidence more than the fear of a security and privacy breach,” Gostin tells me in an interview. “You could have somebody hack into the system, get your Social Security number, get your financial information.”
Adding to the security questions is a strange addendum to the September 27 memo. It’s signed by three of Chao’s colleagues: fellow managers at CMS. It states that while the government’s mitigation plan would reduce the security risk to the overall operation, it “does not reduce the risk to the [Federally Facilitated Marketplace] system itself going into operation on October 1, 2013.” For all the effort the administration has put into trying to convince the public otherwise, evidence of the persistent threat is codified in black and white, signed by the government’s own experts.
I wonder: Is the addendum a “cover your ass” document? Did these security officials who signed it suspect that disaster might strike? Were they making sure that if people later asked, Who the hell approved the website to go forward with such risks? the record would reflect they had raised flags?
I also know from my research that CMS chief information officer Tony Trenkle—not Tavenner—was originally the authorized official who should have signed the website’s Authority to Operate. Instead, he signed the odd addendum noting the risk. This seems like a clue. I consult my inside sources, who tell me this whole arrangement is unusual, if not unprecedented. I wonder if it’s proper or legal. I ask HHS to explain. But like most of my inquiries, these fall into the bottomless pit where unwanted questions to federal agencies go, never to be answered or addressed again.
CHAO’S AWKWARD POSITION
Some Democrats as well as Republicans are now questioning the security status of the website and on November 13, 2013, Chao is called to testify before Congress. His demeanor couldn’t be more different than what I expected based on the descriptions from some of his acquaintances. They said that he was a good guy to work with. A competent, straightforward man who always had a kind or encouraging word when he saw you in the hallway. But when Chao appears before Congress in a suit that’s too big and a collar that’s too tight, he appears uncomfortable, shifty, and sarcastic. He puts a great deal of effort into backpedaling from his September 27 memo. Now he tells Congress he never really had any serious security concerns and was confident the website would perform well on its debut. That the only reason he sounded so worried in internal emails is that he’s an overly cautious kind of guy.
It’s an awkward scenario for Chao, to say the least. HealthCare.gov is an unmitigated mess. For him to now claim that he didn’t have a clue may advance the interests of the Obama administration, which wants America to believe there were no real warning signs, but the tradeoff is that Chao comes off as ignorant. Yet as long as Chao wears the mask of the ignorant but stays in synch with the White House, his job is safe. It’s moving off that script that could jeopardize his government career.
In short, Chao must convince the public that the true Chao isn’t the worried Chao revealed in the documents; the true Chao is the one who didn’t foresee impending disaster and is, therefore, the incompetent Chao, but the Chao who’s in harmony with the administration.
Democrats coalesce behind the incompetent version of Chao; Republicans prefer the concerned Chao who foresaw the train wreck. As for me? Do I believe Chao 1.0 from documents prior to the PR crisis, or the updated version, Chao 1.1, prepped by his HHS minders in advance of a potentially damaging congressional hearing? After the hearing ends, one government insider tells me he’s shocked at how evasive, if not downright dishonest, his colleague Chao seemed at the hearing.
“I wouldn’t have guessed he’d be like that,” says the source. “He must be under a lot of pressure.”
ALTERNATE UNIVERSES?
To hear the opposing views of HealthCare.gov’s security status, you might think you were in alternate universes: one where the system is invincible; another where it’s frighteningly vulnerable. Never is the contrast more absolute than on Tuesday, November 19, 2013, during dueling hearings on Capitol Hill. It’s Chao’s second appearance before Congress since the website’s launch; this time it’s Energy and Commerce. Democrat John Dingell of Michigan asks a series of rapid-fire questions intended to dispel the security concerns.
DINGELL Is HealthCare.gov safe and secure for my constituents to use today with regard to protection of their personal information and their privacy? Yes or no?
CHAO Yes.
DINGELL Is there any evidence at all to the contrary?
CHAO No.
At the precise moment that Chao is giving those reassurances, four security experts are barely a stone’s throw away giving the opposite assessment before the Science, Space and Technology Committee.
Republican Chris Collins of New York asks, “Would any of you have launched HealthCare.gov, recommended the launch, given the factual known status of the website on October first?”
“No,” answer the four security experts.
“Do any of you think today that the site is secure?” Collins asks.
“No,” they reply.
“In your opinion, do any of you think the site will be secure on November thirty?”
“No,” say all four.
Back at Chao’s hearing, Chao testifies that no identified vulnerabilities have been exploited by an attack and “the American people can be confident in the privacy and security of the marketplace.”
At the security expert hearing, Morgan Wright, CEO of Crowd Sourced Investigations, testifies that “only in the government could such a gaping hole be allowed to exist without fear of consequence. . . . [There is] a massive opportunity for fraud, scams, deceptive trade practices, identity theft and more.”
Democrats ask choreographed questions to try to make the Chao hearing go their way. But Republicans have their own preplanned strategy and get Chao to confess that up to 40 percent of the website systems remain unfinished more than seven weeks after it went live. On top of that setback, Chao once again pleads ignorance. He says as project leader he never saw a damaging independent consulting report that foreshadowed many of HealthCare.gov’s problems. Even after the report was leaked to the Washington Post and published the morning of the hearing, Chao testifies he still hasn’t bothered to review it.
These two hearings should be of great interest. A poll released the same day shows that more Americans are following the HealthCare.gov rollout than the monster typhoon in the Philippines that killed more than six thousand people. Yet the hearings receive scant attention in the mainstream media. CBS is alone among the big three to mention them at all on the evening newscasts. It seems as though the temporary surge in aggressive coverage on the topic is now waning.
NBC leads with a positive story for the Justice Department announcing JPMorgan Chase will pay $13 billion in the mortgage crisis. ABC leads with the stabbing of a Virginia state senator by his son. There are also stories on pilot obesity, insomnia, the JFK assassination anniversary (still three days away), Caroline Kennedy becoming U.S. ambassador to Japan, and a feature on penguins. But no time for the news topic that interests more Americans than most anything else.
Among the news wire services, Reuters does cover the security expert hearing. Interestingly, the article calls it a “Republican sponsored Congressional hearing.” It’s the first time I remember noticing an official congressional hearing described as being “sponsored” by a political party. It’s as if readers are being cued to skeptically view the expert witnesses who criticize the Obama administration. If the article considers the hearing to be Republican-sponsored because Republicans hold the majority in the House, then—Substitution Game—shouldn’t we describe all hearings in the Democratic majority Senate as “Democrat sponsored congressional hearings”?
It’s an example of the disparate treatment the media may give to different political interests.
As a young journalist, I once had a supervisor who required us to label conservative analysts in our news stories as “conservatives,” while the liberals were simply referred to as “analysts.” And if a conservative analyst’s opinion really rubbed the supervisor the wrong way, she might rewrite the script to label him a “right-wing” analyst. The implication is that when a conservative says something, the opinion needs to be qualified and perhaps discounted. But the liberal? He’s just an independent, fair guy giving an everyman’s opinion.
Often, this type of bias isn’t thought out: it just comes naturally. One day, to make a point, I called a conservative in my story a “right-wing” analyst and labeled the liberal a “left-wing” analyst. When the supervisor read “left-wing,” she sputtered out a spontaneous objection. I argued that we could label both analysts similarly, or label neither, but that it wasn’t logical to label one without the other. She leaned back in her chair as if the thought had never dawned on her, and I’m pretty sure it hadn’t until that day. After a moment, she looked at me and said, “You’re right.” From then on, we applied equivalent labels to conservative and liberal analysts.
Many others have faced their own challenges. A network news writer recently told me that he was forbidden to refer to President Obama as “Obama” or “Mister” on second references, which had been common style for other U.S. presidents. “When I questioned this,” says the writer, “I was told it was because ‘the office of the President demands respect.’ I asked, ‘Did you always say “President” Bush?’ I was told ‘No, he didn’t deserve respect.’”
The writer says that when he reported on the Defense of Marriage Act, “the part about President Clinton signing it into law was taken out every time (thirty-five times, I counted).” When he reported on same sex marriage, “any reference to President Obama having opposed same sex marriage while serving in the Senate was taken out of my scripts.” When reporting on HealthCare.gov, any reference to the government releasing sign-up figures but not actual enrollment “was taken out.”
I think of all of this when I read the article about the “Republican sponsored Congressional hearing.” Was there an editor somewhere up the line who, like my old supervisor, felt compelled to put a Republican label to qualify opinions he didn’t like? To be clear, there’s nothing wrong with applying a label if it’s accurate, if there’s a journalistic reason to do so, and if it’s equally applied under similar circumstances. In other words, the same news outlet should refer to all Senate hearings as “Democrat sponsored.”
THE PUSHBACK
The news organizations that have been covering HealthCare.gov’s troubles now face intense, daily pressure from the White House and its supporters, who are desperate to turn things around. The fervor with which they pursue their attacks on the stories and the journalists reporting them is directly proportional to the importance of the subject matter. Judging by the response, we’ve done some pretty impactful stories. At the same time, many in the media are wrestling with their own souls: they know that Obamacare is in serious trouble but they’re conflicted about reporting that. Some worry that the news coverage will hurt a cause that they personally believe in. They’re all too eager to dismiss damaging documentary evidence while embracing, sometimes unquestioningly, the Obama administration’s ever-evolving and unproven explanations.
On Monday, November 11, we break news of another damning internal security document: a memo dated September 3, a month before HealthCare.gov went live. It’s bad. It delineates specific “high risk” security problems—the most serious kind. Vulnerabilities that “could be expected to have a severe or catastrophic adverse effect.”
It’s pretty difficult to spin or sugarcoat “severe or catastrophic.” Pretty much everyone knows that’s serious.
The memo says the risks are posed to the “Federally Facilitated Marketplace,” or FFM for short. Exactly what is the FFM? It’s the entire support structure for HealthCare.gov and, says the memo, is what handles the flow of “financial, demographic, and (potentially) health information.” (Remember this part, because Democrats will later falsely claim to an unsuspecting public that the described catastrophic risks didn’t apply to the FFM and could not have jeopardized any personal information.)
The single most worrisome finding uncovered by independent security testers in the memo states that “macros enabled on uploaded files allow code to execute automatically. . . . The threat and risk potential is limitless.”
Limitless.
Why? Because a malicious macro can do almost anything: transmit viruses, execute a program, gain access to other parts of the system, set up connections to outside computers, and search for passwords, personal data, and financial data. One cybersecurity expert I consult says it’s impossible to overstate how potentially damaging this is.
“Anyone who downloads those documents with macros enabled can open a pathway for their computer to be hacked,” he says. “Even a government computer.”
He adds that criminals have been able to embed macros into documents and use them to hack an entire company.
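The “macros enabled on uploaded files” finding is the kind of gap a defender closes at the upload boundary. What follows is an added example, not code from the book or from the HealthCare.gov project: a server-side check that refuses Office documents carrying VBA before they are stored or handed to anyone else. The file names, content-type markers and the constructed sample documents are my own assumptions, not details from the memo.

```python
"""Refuse uploaded Office documents that carry VBA macros (added example)."""
import io
import zipfile

# OOXML files (.docx/.xlsx/.pptx) are ZIP containers. Macros live in a part
# named vbaProject.bin and macro-enabled types appear in [Content_Types].xml.
# Legacy OLE2 binaries (.doc/.xls) start with this magic; their macro storage
# is harder to inspect safely, so this policy rejects them outright.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CONTENT_TYPES = (b"application/vnd.ms-office.vbaProject", b"macroEnabled")


def macro_risk(data: bytes) -> str:
    """Classify an upload as 'clean', 'macro', 'ole2' or 'not-ooxml'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Any vbaProject.bin part, wherever it sits, means VBA is present.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Also catch macro-enabled content types declared in the manifest.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml")
                if any(marker in manifest for marker in MACRO_CONTENT_TYPES):
                    return "macro"
            return "clean"
    except zipfile.BadZipFile:
        return "not-ooxml"  # not an OOXML container; other types handled elsewhere (assumed)


def accept_upload(data: bytes) -> bool:
    """Policy (assumed): only macro-free OOXML documents are accepted."""
    return macro_risk(data) == "clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for testing (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        if with_macro:
            ct += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        ct += b"</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "macro"):
        sample = build_sample(label == "macro")
        print(label, macro_risk(sample), accept_upload(sample))
```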
Furthermore, according to the security memo, the independent testers uncovered another extremely serious issue: software that may produce functional errors was being deployed. That’s “a very big red flag for security folks,” says one expert, “and can introduce unknown, new security flaws into the system.” It’s a risky practice known in the industry as “cowboy coding.”
There are other risks revealed in the memo: it appears there’s “an inappropriate E-Authentication level” in the system that “contains financial and privacy data.” One expert explains to me that means people could access sensitive information without proper authentication, for example, without logging in. Or one customer might be able to see the log-in and documents from another’s health plan.
As I consider the memo’s enormous implications, I assume the government is addressing these risks, but the fact that they arose so close to the website’s deployment is troublesome. Experts agree that forcing the October 1 deadline jeopardized security.
Even more important, I learn that once again, the project’s lead manager was in the dark about all of this information. Chao-the-Ignorant says he knew nothing of the security risks. He’d made that confession in a secret closed-door interview with House Oversight staff on November 1, a month after HealthCare.gov launched.
“I just want to say that I haven’t seen this before,” Chao tells Oversight staff when they show him the security memo outlining the “limitless” and possibly “catastrophic” security risks.
“Do you find it surprising that you haven’t seen this before?” asks a Republican staffer.
“Yeah . . . I mean, wouldn’t you be surprised if you were me?” He later added, “It is disturbing. I mean, I don’t deny that this is . . . a fairly nonstandard way” to proceed.
Even more disturbing, Chao tells the committee that his own team had led him to believe the opposite was true.
“What I recall is what the team told me, is that there were no high [risk security] findings,” Chao testifies.
Not only were the high-risk findings unearthed by security testers, but another government document indicates they persisted, unresolved, weeks after the September 3 memo. Why would Chao’s team have kept him in the dark about all of this? Shouldn’t he have had a better grasp on the big-picture items of concern and the supposed remedies?
As I prepare to write up the story for that night’s Evening News, I contact Oversight Democrats and HHS asking for comments and context. The information on the security problems is particularly incriminating because it’s not from political opponents; it comes from the government’s own files. If the administration now contradicts it, it’s undercutting its own documents and Chao’s testimony.
Specifically, I ask HHS how and when it addressed the security holes outlined in the September 3 memo. I also ask to see the paper trail providing proof of any fixes. (I asked for all the website’s security documents weeks ago by filing a Freedom of Information Act request, but it apparently got lost in the bottomless pit.) The most important question I ask now: How could Chao have been so far out of the loop on security? What else doesn’t he know? What else haven’t we been told?
The way I figure it, the government should already have its response to these questions prepared. After all, HHS has had the damaging security assessment memo for two months—it’s their document. And Oversight Democrats were present for Chao’s closed-door testimony ten days ago when he said he’d never seen the security memo and was completely blind to its findings.
However, both HHS and Oversight Democrats react to my queries as though I’m probing mysterious, new territory. In fact, both ask me for copies of the relevant materials. I point out that the documents originated with them, and that they’ve had the facts much longer than I have.
They’re employing the Mine and Pump Strategy. Stall, claim ignorance of the facts, and mine the reporter for what info he has.
Hours tick by as Oversight Democrats tell me they have no information or comment. At 3:56 p.m., the spokeswoman for the Democrats, Jennifer Hoffman, emails me, “still waiting to see if our team has any insights on your questions.” Then at 5:58 p.m.: “Nothing yet . . .”
Shortly before air, I get a brief email statement from HHS that fails to answer any of my questions but says that privacy is of the utmost concern and there’s no reason for HealthCare.gov customers to worry.
Stonewalled: My Fight for Truth Against the Forces of Obstruction, Intimidation, and Harassment in Obama's Washington Page 25