CBS: Top ObamaCare official wanted site shut down over security risks — and was overruled
posted at 9:41 am on December 20, 2013 by Ed Morrissey
It’s not as if HHS wasn’t aware of concerns over security for the ObamaCare exchange they launched. Dozens of Attorneys General issued public warnings over the summer about the lack of security in a system that would contain the most private identity information of any web portal ever. Their own Inspector General blasted the contractors working on the site in June for their performance on security.
Still, HHS rolled out the site even with those gaps unaddressed, putting millions of Americans at risk for identity theft — but the news gets worse. CBS News’ Sharyl Attkisson reports this morning that a top official in the ObamaCare exchange told Congress on Tuesday that HHS discovered two more big security issues that no one detected before the rollout:
A top HealthCare.gov security officer told Congress there have been two, serious high-risk findings since the website’s launch, including one on Monday of this week, CBS News has learned.
Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS), revealed the findings when she was interviewed Tuesday behind closed doors by House Oversight Committee officials. The security risks were not previously disclosed to members of Congress or the public. Obama administration officials have firmly insisted there’s no reason for any concern regarding the website’s security. …
Details are not being made public for security reasons but Fryer testified that one vulnerability in the system was discovered during testing last week related to an incident reported in November. She says that as a result, the government has shut down functionality in the vulnerable part of the system. Fryer said the other high-risk finding was discovered Monday.
Fryer then told Congress that she recommended the site be shut down to address the security gaps — and was overruled:
“My recommendation was a denial of ATO [Authority to Operate — allowing the website to go live],” Fryer told Democrats and Republicans who sat in on the day-long interview. According to Fryer, she first recommended denying the ATO to CMS chief information officer Tony Trenkle based on the many outstanding security concerns after pre-launch testing.
“I had discussions with him on this and told him that my evaluation of this was a high risk,” Fryer told the committee. Trenkle retired from his CMS job on Nov. 13. He has not responded to CBS News interview requests.
That must have been news to Congress. As Attkisson recounts, Kathleen Sebelius testified before Congress on October 30th that “no senior official reporting to me ever advised me that we should delay.” While Sebelius may be able to claim that Fryer didn’t report to her and that her statement was technically accurate, Congress may want to know why Sebelius went forward with the launch without Fryer’s signature on the letter recommending the ATO. Fryer also told Congress that she personally briefed Sebelius’ advisers on her recommendation to withhold the ATO on September 20th, six weeks before her testimony to Congress.
Once again, we have the spectacle of another high-ranking Obama administration official misrespresenting — at best — the operations of agencies to Congress in areas of legitimate oversight. The question is beginning to change from who’s being dishonest to whether anyone on Barack Obama’s team has ever been honest in testimony to Congress. I’d expect House Oversight chair Darrell Issa to start issuing subpoenas to everyone briefed by Fryer, so that the question of obstruction of Congress by Kathleen Sebelius can be answered. (Those names include the already-discredited Henry Chao, by the way.) It’s clear that the dishonesty of this administration extends far and wide.
Update (Allahpundit): Fryer’s not the only techie at CMS whose signature was mysteriously missing from the Authority to Operate. Remember Tony Trenkle? He was the project manager who left the agency in November — an unusual move given the all-hands-on-deck attitude to fixing Healthcare.gov at the time. Trenkle also didn’t sign the ATO. I speculated at the time that he refused for the same reasons that Fryer did, namely, that no tech specialist with a conscience would greenlight a site this vulnerable, but the official explanation was that CMS chief Marilyn Tavenner wanted to sign the ATO herself because this project was super-important and should be formally endorsed by the head of the agency or whatever. Sure looks like Tavenner was fully aware of how dangerous Healthcare.gov could be to users who entered their private information but insisted that the site be launched anyway, over the objections of her own team. It’s subpoena time.