What could possibly have motivated the Centers for Medicare and Medicaid Services to refuse to release even a single document about the healthcare.gov site’s security in response to a Freedom of Information Act request submitted by the Associated Press? The AP announced that its request had been refused last week and, by way of explanation, cited a statement from CMS spokesman Aaron Albright that “releasing this information would potentially cause an unwarranted risk to consumers’ private information.” It’s hard to imagine that any documents the agency could have released would have generated more doubts about the site’s security than those remarks. The best way to protect the site—and its users—would be to stop defending it against legitimate questions and release some of the requested information.
There’s an episode of The West Wing in which staffer Josh Lyman sarcastically tells the White House press corps that the president has a secret plan to fight inflation. Suddenly, that’s the only thing any of the reporters want to talk about. Just replace “secret plan to fight inflation” with “secret plan to fight online intruders,” and it’s the same thing. Is there any surer way to generate a lot of interest in the security of healthcare.gov than to shroud it in secrecy?
Concerns were raised about the health care site’s security back when it was launched last fall and a memo revealed that the developers had not had adequate time to complete final security tests prior to the launch. But in January, CMS chief information security officer Teresa Fryer told the House Oversight Committee that the site had passed all of its security tests and that its security protections had successfully prevented any attacks since the problematic October launch. Of course, the website has been roundly criticized for a whole host of other reasons, so perhaps it’s not surprising that CMS is wary of giving the press anything that might lead to another round of negative publicity.
But if healthcare.gov really has excellent—or even just industry-standard—protective measures in place, then why isn’t the government willing to describe them, even partially? Because they are in some way inadequate and embarrassing? Because there is no site security plan to release? Because CMS actually has developed a secret plan to fight online intruders using revolutionary new top-secret technology? I’m inclined toward the first explanation, even though my only real reason to doubt the security of the site is precisely the refusal to reveal any information about its protections.
The AP rightly lambastes CMS for practicing “security through obscurity” and relying on secrecy rather than effective security controls to protect the site. After all, responding to the FOIA request would not have had to mean releasing a road map for attackers detailing how best to steal data from the site. Instead, the agency could have released some documents describing the general sorts of mechanisms in place to protect the data entered into the site and perhaps updating the January statistic from Fryer about how many—if any—successful attacks it has experienced. That response would probably have generated a lot less interest than this refusal, even though it likely wouldn’t have told us very much about the actual state of the site’s security—maybe even less than we’re inferring now, as we wonder what CMS has to hide.
Of course, it’s also possible that the agency doesn’t have anything to hide—that its staffers truly believe the best way to secure a website is to be as secretive as possible about its protections. That mindset is an interesting contrast to the decision that the Netflix security team made on Monday to publicly release the code for two of its own security tools. The two applications, called Scumblr and Sketchy, are intended to help defenders search the Web specifically to collect information about potential threats and malicious websites. “Scumblr and Sketchy are helping the Netflix security team keep an eye on potential threats to our environment every day,” Netflix cloud security team members Andy Hoernecke and Scott Behrens write at the end of the blog post. “We hope that the open source community can find new and interesting uses for [them].”
Releasing some open-source security tools that your site uses is not the same as detailing your entire security plan, but it’s telling that Netflix is willing to volunteer information about some of its security practices while CMS is not. Netflix, which is not subject to FOIA, is talking about it—and the implication is that it is confident in its security and proud of the tools it’s developed. Healthcare.gov, on the other hand, is not coming off as confident—let alone proud.