What could possibly have motivated the Centers for Medicare and Medicaid Services to refuse to release even a single document about the healthcare.gov site’s security in response to a Freedom of Information Act request submitted by the Associated Press? The AP announced that its request had been refused last week and, by way of explanation, cited a statement from CMS spokesman Aaron Albright that “releasing this information would potentially cause an unwarranted risk to consumers’ private information.” It’s hard to imagine that any documents the agency could have released would have generated more doubts about the site’s security than those remarks. The best way to protect the site—and its users—would be to stop defending it against legitimate questions and release some of the requested information.
There’s an episode of The West Wing in which staffer Josh Lyman sarcastically tells the White House press corps that the president has a secret plan to fight inflation. Suddenly, that’s the only thing any of the reporters want to talk about. Just replace “secret plan to fight inflation” with “secret plan to fight online intruders,” and it’s the same thing. Is there any surer way to generate a lot of interest in the security of healthcare.gov than to shroud it in secrecy?
Concerns were raised about the health care site’s security back when it was launched last fall and a memo revealed that the developers had not had adequate time to complete final security tests prior to the launch. But in January, CMS chief information security officer Teresa Fryer told the House Oversight Committee that the site had passed all of its security tests and that its security protections had successfully prevented any attacks since the problematic October launch. Of course, the website has been roundly criticized for a whole host of other reasons, so perhaps it’s not surprising that CMS is wary of giving the press anything that might lead to another round of negative publicity.
But if healthcare.gov really has excellent—or even just industry-standard—protective measures in place, then why isn’t the government willing to describe them, even partially? Because they are in some way inadequate and embarrassing? Because there is no site security plan to release? Because CMS actually has developed a secret plan to fight online intruders using revolutionary new top-secret technology? I’m inclined toward the first explanation, even though my only real reason to doubt the security of the site is precisely the refusal to reveal any information about its protections.
The AP rightly lambastes CMS for practicing “security through obscurity” and relying on secrecy rather than effective security controls to protect the site. After all, responding to the FOIA request would not have had to mean releasing a road map for attackers detailing how best to steal data from the site. Instead, the agency could have released some documents describing the general sorts of mechanisms in place to protect the data entered into the site and perhaps updating the January statistic from Fryer about how many—if any—successful attacks it has experienced. That response would probably have generated a lot less interest than this refusal, even though it likely wouldn’t have told us very much about the actual state of the site’s security—maybe even less than we’re inferring now, as we wonder what CMS has to hide.
Of course, it’s also possible that the agency doesn’t have anything to hide—that its staffers truly believe the best way to secure a website is to be as secretive as possible about its protections. That mindset is an interesting contrast to the decision that the Netflix security team made on Monday to publicly release the code for two of its own security tools. The two applications, called Scumblr and Sketchy, are intended to help defenders search the Web specifically to collect information about potential threats and malicious websites. “Scumblr and Sketchy are helping the Netflix security team keep an eye on potential threats to our environment every day,” Netflix cloud security team members Andy Hoernecke and Scott Behrens write at the end of the blog post. “We hope that the open source community can find new and interesting uses for [them].”
Releasing some open-source security tools that your site uses is not the same as detailing your entire security plan, but it’s telling that Netflix is willing to volunteer information about some of its security practices while CMS is not. Netflix, which is not subject to FOIA, is talking about it—and the implication is that it is confident in its security and proud of the tools it’s developed. Healthcare.gov, on the other hand, is not coming off as confident—let alone proud.
Netflix and healthcare.gov serve very different functions, but both sites collect personally identifiable information from users. The health care data may be more sensitive—or more strongly protected by health care privacy laws—but it’s not clear that healthcare.gov actually collects medical data. Writing in Forbes last year, Rick Ungar noted that on the site “there are no medically specific questions that require disclosure of any medical information beyond learning whether or not you smoke.” That doesn’t mean there are no differences between the data Netflix and healthcare.gov protect—or the threats they have to defend against—but it may undermine the idea that healthcare.gov is in a completely different situation because disclosing security information would “violate health-privacy laws.”
So the contrasting decisions by Netflix and CMS end up suggesting different levels of confidence. But they also suggest two totally different attitudes about information security. The Netflix announcement is indicative of an outlook in which defenders view the outside world as largely composed of allies, or people who face similar security problems and who can learn from their tools and security decisions, or even provide useful critiques and suggestions. The CMS approach, however, suggests a defender that views the rest of the world as a large population of potential attackers, liable to seize any provided information and immediately use it for evil.
Certainly, there are bad guys out there, and Netflix knows that every bit as well as the government. But those bent on serious criminal activity will probably be able to figure out many of the security measures healthcare.gov is using just by testing different ways of trying to access it. So if those measures are any good, they won’t depend too heavily on being kept secret in order to be effective, just like Scumblr and Sketchy will continue to gather useful threat intelligence information for the Netflix security team even after being posted on GitHub. And if CMS really has developed a secret plan, if it’s actually got cool new security tools protecting healthcare.gov that no one else knows about, maybe it should consider following Netflix’s example and releasing more information, not less, so that other organizations trying to protect sensitive information and health care data can learn from them.
There’s a certain irony in a private company taking steps toward providing a public service by voluntarily releasing some security information about how it protects its site and its customers while a public government agency refuses to release so much as a single high-level document even when explicitly requested to do so under FOIA. The CMS decision suggests a considerable lack of confidence in its own security measures, but it also represents a refusal to be part of a larger endeavor, an unwillingness to work with others who handle health care information online, providing guidance, developing common tools, or finding those “new and interesting uses” that might help keep everyone safer.
This article is part of Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.