Since last October the U.S. media, in full orgasmic throng, has been barking madly over the fate of the Healthcare.gov rollout. There has been overwhelming and obdurate polarization around positions on issues that would, in other arenas, be viewed through the objective lens of what most agree are facts.
This has had the highly unfortunate effect of villianizing good people of integrity – people like Dave Kennedy at TrustedSec and U.S. Chief Technology Officer Todd Park — skilled patriots who genuinely desire to fix the problems.
The irony is that, unlike most of the defecation that has hit the ventilation in the media over healthcare.gov, the information security issues are binarily judged: they are correct or incorrect; code within the application is either vulnerable or it is not. Which means that, with a little cooperation, a lot of fixes could be made.
To review what’s happened with the healthcare.gov rollout, but to avoid partisan devolvement, I will discuss it in the terms with which there is consensus or near-consensus among the technology, information security and civic-coding communities.
The rollout of healthcare.gov was a technical failure in that it did not accomplish the stated goals of securely and efficiently allowing millions to register and apply for coverage under the Affordable Care Act. The problems with the site’s front- and back-ends are complex, and were caused by poor project management, bad code, and poor decisions made during development. Security testing was not done to minimal industry standards. The fix will be expensive and complex.
The procurement process around large-scale government software projects is in need of overhaul. The IT fabric of non-classified U.S. government computer networks has improved, but must be further strengthened, and its data opened considerably more. Government must move rapidly towards executing on the president’s vision that “open and machine readable is the new default in government.”
The information security posture of the healthcare.gov applications is inadequate to provide the commercially reasonable security of most large retail websites. The ability of contractors to keep pace with and repair obvious flaws in the security, and vulnerabilities in the code, of the applications has proved substandard. The site fails objective and subjective passive analysis and testing. The site’s managers lack fundamental visibility into the applications’ processes, and lack a full understanding of the architecture and the connected systems.
This last bit – the controversial part – is where I get boxed into the category of a “Republican partisan” (because of appearances on Fox News and Fox Business News). I assure you that, having been privy since last December to some of the vulnerabilities that Dave Kennedy has been speaking regularly about, and having checked periodically to see if they have been addressed, I can state that these vulnerabilities are real. The politics of how to deal with these real vulnerabilities (and what to me is more interesting, what these vulnerabilities expose about other potential ones, and the culture and context of the coding that led to them) is where the arguments go off the rails, and everyone gets into corners.
[Oh, one more thing – I’m not a Republican. I’m not saying, I’m just saying.]
A little visualization exercise
As an illustration: on the first day of the Code for America Accelerator last year, we were all put into a room and asked to make controversial statements with which the others could agree or disagree. Moving towards the far wall placed us physically at the extreme of agreement with the statement, and moving towards the near wall placed us at the extreme of disagreement with the statement. That’s pretty much where I see our lawmakers, political leaders and pundits – pressed, in a clump, against the walls across the room from one another.
The interesting thing is that, at Code for America, those at those extreme ends were then asked, “Why? Why do you feel the way you do?” and, as they spoke, those who were partially or somewhat convinced by the argument would move, physically, towards the modified position. It’s a new-age exercise, very crystals and Birkenstocks and groovy and San Franciscan, but most important, it helps viscerally demonstrate an initial reaction and subsequent reconsideration and modification of a position.
We have none of the second part in the healthcare.gov debate. In congressional hearings, speeches and lobbying, we only hear two primary messages:
“Everything’s fine, they’re working out the kinks and the system will work,”
“This is a total disaster, we’ve got to tear it down and start over.”
Those polar opposites should form the beginning of the debate, but instead, they seem to have formed the crux, the culminations of the arguments.
It’s instructive to look as a contrast to the coverage of the Target breach. It is interesting to note that Target is a firm that is demonstrably good at information security – if it can fall victim to issues, so can anyone. And fall victim it did: a third of American consumers, and probably more than half of American families, have been directly affected by a breach, first reported by Brian Krebs last December, in the point-of-sale systems at Target. Few have called for shutting down and rebuilding Target’s IT infrastructure.
Few have stated that this is a trifling issue in which Target didn’t “work as well as it should.” Almost everyone has asked but two piercing questions: “Can I shop safely at Target now?” and “If my card was compromised how will Target compensate me?”
Target has made no statements of bug fixes or “punch lists,” or boasts about its uptime. Rather it has stated forcefully that it is sorry, that it understands, takes responsibility for and commits to fix the problems, and to make whole those affected while at the same time it asks for the opportunity to “win back” the trust of its customers.
Almost all the expert commentary about Target has been about root cause analysis, methods of ensuring that the issue is fixed and does not repeat, and sober discussion of some of the technical issues behind the failure. Most cogently, there is now mainstream discussion of finally defeating, as a matter of public safety and policy, the Payment Card Industry’s stubborn, silly and cynical, decade-long campaign against Chip+Pin cards.
Will the debate over Target solve the information security problem? No. And there will be other breaches, other problems.
But one thing is sure: whether you believe water will boil when heated to 100°C/212°F, the only way to discover the truth is to get you a pot, some fire and some water and find out. We can argue about the politics of it, but ultimately, the politics of physics is irrelevant.
It’s true that the politics of a breached computer system are less absolute. But we should at the very least agree that demonstrable facts, as opposed to political desires, should be the basis of discussions about compromise.