When the news broke last night that he was leaving, I figured he’d been pushed out as a sacrificial lamb in lieu of firing someone more important like Sebelius or Marilyn Tavenner. After reading this, I wonder if I’ve got it all wrong. Was he pushed out or did he resign in protest because they insisted on launching a site that he knew wasn’t secure?
When asked whether he jumped or was pushed, HHS said simply that “Tony [Trenkle] made a decision that he was going to move to the private sector.” Memo to Darrell Issa: Subpoena this man.
CBS News has learned that [Tony] Trenkle, the Chief Information Officer for the Centers for Medicare and Medicaid Services (CMS), was originally supposed to sign off on security for the glitch-ridden website before its Oct. 1 launch, but didn’t. Instead, the authorization on September 27 was given by Trenkle’s boss, CMS administrator Marilyn Tavenner…
Trenkle and two other CMS officials, including Chief Operating Officer Michelle Snyder, signed an unusual “risk acknowledgement” saying that the agency’s mitigation plan for rigorous monitoring and ongoing tests did “not reduce the (security) risk to the … system itself going into operation on October 1, 2013.”…
Wednesday, an HHS spokesman said that the reason Tavenner, not Trenkle, signed the security authorization is because HealthCare.gov is “a high-profile project and CMS felt it warranted having the administrator sign the authority to operate memo.” HHS also says there is an aggressive risk mitigation plan in effect, “the privacy and security of consumers personal information is a top priority for us” and personal information is “protected by stringent security standards.”
So Trenkle wanted to sign the authority memo for a site he knew hadn’t been tested for security end-to-end and was guaranteed to malfunction once it came under a heavy traffic load? He hoped and dreamed to put his John Hancock on this trainwreck — but Tavenner decided to selflessly take responsibility for the looming disaster by signing it herself? That seems … unlikely. Tell me if this sounds more plausible: Tavenner asks Trenkle to sign and he politely refuses. The site’s not secure, after all, and not only is it not secure but trying to repair it on the fly is bound to create even more security holes. Because he’s a good soldier and wants the site to work, though, he sticks around for another month and does his best to help fix things. A month later, for reasons as yet unknown, he finally abandons ship.
Could be, I guess, that Trenkle was so incompetent that he didn’t realize the extent of the security problems, but that doesn’t jibe with his assessment in the “risk acknowledgment” mentioned in the excerpt above. It also doesn’t jibe with the nearly universal opinion among tech experts who’ve been quoted in the media that launching a site without end-to-end testing for security is unorthodox, especially one as prominent as this:
“The best scenario is to have done end-to-end testing,” said Lisa Gallagher, vice president of technology solutions for the Healthcare Information and Management Systems Society, a medical technology nonprofit. That it wasn’t done “would cause me some mild concern,” she continued, adding she would advise a relative or close friend to wait until the website is stabilized before plunging in.
Asked former White House chief information officer Theresa Payton, “If you haven’t done end-to-end testing, how can we say with certainty how hard or easy it is for cybercriminals to attack at different points in the process?”
“It makes me shudder a little,” said Payton, a former bank security executive who now has her own company.
At least one tech consultant thinks “It would be very surprising if there isn’t some type of breach, either at the federal or state level, by this time next year.” Exit question: Per the AP, Tavenner testified a few days ago that she didn’t voice the concerns about security at CMS to either Sebelius or the White House. In that case, why hasn’t she been fired?