Is secure? In Congress, cyber-experts vouch for Obamacare site.

Despite the cyber-experts' assurances on Obamacare's site, their assessments were done before it was up and running, leaving a level of uncertainty that brought vigorous questioning.

Brian Snyder/Reuters
Liz Carlson (l.), a self-employed student, gets help from Eireann Aspell at a health care enrollment fair in Portsmouth, New Hampshire, Nov. 9.

Americans using the Obamacare website can be assured that the site has undergone numerous cybersecurity evaluations – and passed – but should know also that no website is 100-percent secure, cybersecurity experts testified today.

The Obama administration’s much-criticized new website for enrolling Americans in Obamacare meets federal cyber standards, they said. It also passed 18 “security control assessments,” six of those in the weeks just prior to its launch. Virtually all the “high risk” areas that were identified were fixed before the site went live, the experts responsible for security told a congressional subcommittee.

Even so, those assessments evaluated the website while its software system was still in development – not when its various pieces were fully assembled and the entire site was up and running, those experts noted. Additionally, about 30 percent of the site – the payment portion – will be completed only by next month and so its security has not yet been assessed as part of the overall system.

That uncertainty about the overall security of the live website was more than enough to cause Republicans on the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee to express deep consternation during the hearing examining security.

“How can the public trust a hastily thrown together system in which meeting a deadline was more important for the administration than conducting complete end-to-end testing of the site’s security,” asked Rep. Fred Upton (R) of Michigan. “We’d like to know how the delays and rushed implementation have affected or complicated the ability to perform the security work for the website.”

Democrats on the committee, while expressing concern about the website performance overall, suggested that the hearing was mainly a partisan attempt to raise public fears about the website’s security – despite a lack of significant problems with it – in order to deflate public interest in the Affordable Care Act.

“I find it intolerable that this committee is running around fishing for trouble where none exists,” said Rep. John Dingell (D) of Michigan. “I have seen no evidence of any complaints or any evidence of misbehavior with regard to information that is controlled by the government.”

Henry Chao, deputy chief information officer at the Centers for Medicare and Medicaid Services (CMS), who was largely in charge of the website project management, testified under oath that the site had indeed been built as required to exacting federal cybersecurity standards.

While admitting the website’s overall performance had seen major delays, the website’s security was built to the same standards as CMS’s Medicaid and Medicare websites, he said.

“CMS also protects the federal marketplace through intensive and stringent security testing,” he said. “While the federal marketplace has had some performance issues ... I want to be clear that we have conducted extensive security testing for the systems that went live on Oct. 1st. We continue to test for security on a daily and a weekly basis and any new functions or code prior to its launch.

“Consumers should feel confident in trusting [the site] with their personal information,” he said.

Several Republicans, however, questioned whether due diligence had been done, asking representatives of three cybersecurity providers that had contracts to secure the website how they could be sure the site is secure.

“If you design a part for a car, and you know your part’s working, would you like to know if the cars work?” asked Rep. Tim Murphy (R) of Pennsylvania. Each of the three said they would – but did not know the big picture, only their part of the pie, which they said was secure.

Rep. Diana DeGette (D) of Colorado noted that the contracts of each security provider present stipulated that they check for specific areas of the whole – and did not request an “end-to-end” check because it would not have been possible until the site was complete anyway.

“So your job was to assess risk with different components of, to work with CMS, address those concerns and report on the findings and the results. Is that correct?” she asked.

“Yes,” replied Jason Providakes, an official representing Mitre Corporation, which conducted the 18 security evaluations. “Almost all” of the high risks identified by Mitre were eliminated by CMS before the website went live, he said.

“What’s your personal view of the overall safety and security of the site?” Ms. DeGette asked.

“It’s my personal perspective,” Mr. Providakes said, “They [CMS] do a very solid job in terms of securing their systems, historically.”

Congressman Murphy, who conducted the hearing, as well as other Republican members of the committee, repeatedly sought to link an internal “red team” management study conducted of website development earlier this spring. The study had found a number of problems in the site’s development at that time – but apparently little specifically concerning security problems.

“Have there been any attempts ... to hack into the system that you can tell?” Murphy asked David Amsler, president and chief information officer of Foreground Security, Inc., whose company monitors the site for cyberattacks.

“Congressman, the simple answer is ‘yes,’ ” Mr. Amsler replied. “The longer answer is: I don’t have an environment [in any of the systems his company monitors] where it’s not being attacked today.”

“Is this system now, are you saying that it’s fully secure from external hackers trying to get in?” Murphy responded.

“We live in a world of not if, but more when – that’s the nature of the world we live in today,” Amsler responded. “So I can never give you a guarantee that someone’s not going to get in. It’s probably going to happen at some point. But we have designed it to limit the damage and identify it as quick as possible.”

“So we cannot sign off at this point and say this system is fully secure,” Murphy asked, “It’s an ongoing process you’re saying?”

“It’s always an ongoing process,” Amsler said. “Today I feel comfortable about the capabilities we have put in place. But I’m always striving for more.”

Maggie Bauer, senior vice president for Creative Computing Solutions, which along with Amsler’s company provides much of the site security, agreed.

“From our perspective, right now today, the system is secure,” she said. “We are confident.”

“What I’m hearing from you is nobody can give a 100 percent guarantee that this website is secure with regard to the data it has, the personally identifiable information,” Murphy said in his follow-up. “As people put those things in, nobody can guarantee that some hacker isn’t going to try and get into it and that they will continue to try and probe until they get through. Is that what you’re saying?”

“I also would say the same about Facebook or any banking website as well,” Amsler responded. “It’s just an unfortunate part of the world we live in today.”
