HHS Cannot Find Belarus Malware in Obamacare Networks

Contractor asserts software developed solely in U.S.

Kathleen Sebelius
Kathleen Sebelius / AP
February 10, 2014

The Department of Health and Human Services says it has been unable to locate malicious software from Belarus inside Obamacare computer networks, according to a department spokeswoman.

Joanne Peters, the spokeswoman, told the Washington Free Beacon that HHS Secretary Kathleen Sebelius received a letter sent last week from Rep. Michele Bachmann (R., Minn.) that urged HHS to shut down the network until the security of Americans’ private data can be assured.

According to U.S. officials, an intelligence report produced earlier this month stated that software developers linked to the Belarusian anti-U.S. government were involved in developing software for Obamacare, formally known as the Affordable Care Act.

U.S. security officials warned that the involvement of Belarusian software has made data submitted by Americans who signed up for health care through the website vulnerable to cyber attacks, specifically the loss of privacy data or identity theft.

The officials said they also urged HHS to conduct a search for malicious software in the system that links an estimated 3 million Americans to the federal government and some 300 health care providers and insurance companies.

After the Free Beacon reported on the Obamacare website vulnerability, the U.S. intelligence community withdrew an intelligence report that warned of the problem from circulation, the White House and a spokesman for the director of national intelligence (DNI) said. A DNI spokesman asserted that the report was not properly vetted before publication and circulation.

"Immediately upon learning of the now-recalled report, HHS conducted a review to determine whether, in fact, any of the software associated with the Affordable Care Act was written by Belarusian software developers," Peters said in an email. "HHS has found no indications that any software was developed in Belarus."

Additionally, Peters said that the main contractor for the software, CGI Federal, "has asserted in a statement to HHS that all code was developed in the U.S."

HHS, its Centers for Medicare and Medicaid Services (CMS) that helped set up the system, and CGI Federal so far have declined to provide details on the 55 contractors involved in

HHS spokesman Aaron Albright said in an email that the department released the names of 55 contractors to Congress' Government Accountability Office (GAO) for a June 2013 report. Among the contractors listed were CGI Federal, Booz, Allen Hamilton, Deloitte Consulting, KPMG, Lockheed Martin, Northrop Grumman, SAIC, Mitre Corp., and numerous smaller contractors.

Albright said there may be additional contractors not on the GAO list.

Questions about the security of information submitted to the system are the latest problem associated with the administration’s signature domestic program.

The website, which cost more than $400 million to develop, was plagued with functionality problems that prevented people from signing up beginning Oct. 1. The administration then spent two months working out what President Obama described as "glitches."

The president said last week in a Fox News Channel interview that all problems had been fixed. He made no mention of the concerns over Belarusian malware.

A White House spokesman did not respond when asked if he was aware of the recent intelligence warning.

Security questions about the network have been raised by intelligence and security officials since late last year.

Rep. Mike Rogers (R., Mich.), chairman of the intelligence committee, has also called for the Obamacare network to be shut down until proper security testing is carried out.

"We need an independent, thorough security evaluation of this site, and we need the commitment from the administration that the findings will be acknowledged and promptly addressed," Rogers told the Free Beacon last week.

Bachmann raised the software security issue during a committee hearing last week when she questioned four leaders of U.S. intelligence agencies about the software security problems. All said they were unaware of the intelligence report or its withdrawal. They included Director of National Intelligence James Clapper and CIA Director John Brennan.

Bachmann stated in letters to Sebelius, Clapper, and President Obama sent Thursday that "the American people’s personal information submitted to could be at risk from cyber attacks across the globe."

Bachmann, in her letter, asked Clapper to provide a copy of the report and to explain why it was produced and why it was recalled.

She said intelligence agencies are "on the front lines of ensuring that the American people’s personal information is safe from international cyber threats, and too much is at stake to have so many unanswered questions about’s security."

Bachmann said in a separate letter to Sebelius that she is concerned the agency within HHS that was in charge of producing the network, the Centers for Medicare and Medicaid Services (CMS), has been unable to confirm no malicious software from Belarus is hidden inside the Obamacare system.

The congresswoman formally asked Sebelius to state authoritatively whether malicious software from Belarus or other nations is contained in the network and to provide "an explanation of why CMS did not know where all the code was written."

Until the security questions are resolved, "I urge you to immediately shut down so no American’s personal data and privacy rights are jeopardized," Bachmann told Sebelius in the letter.

The recall of the intelligence report, which was produced by the CIA-based Open Source Center, has raised questions about the politicization of intelligence—the suppression or skewing of intelligence to conform to policy prescriptions.

DNI spokesman Shawn Turner, in a statement, denied that the withdrawal of the report was based on political motives.

Turner said the Open Source Center circulated its report on Obamacare software Jan. 29 under the title "United States’ Affordable Care Act Software – Cyber Attack Target."

According to Turner, the report was not reviewed by intelligence experts and did not meet "tradecraft standards," including certain pre-publication reviews.

"The document was recalled for these reasons and because evidence used in the report did not support the title or any conclusion that the software was compromised," Turner told the Free Beacon in a statement. He added that the report would not be reissued.

U.S. officials said the intelligence warning was based in part on remarks made by Belarusian official Valery Tsepkalo, the director of the government-backed High-Technology Park (HTP) in Minsk.

Tsepkalo said HHS was a client and that "we are helping Obama" institute health care reforms.

"Our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies—they will see the full profile of the given patient," Tsepkalo said June 25 on Voice of Russia Radio.

Tsepkalo, a former Belarusian ambassador to the United States, has not responded to requests for comment. He has not been observed explaining his comments on the Obamacare software.

One U.S. official said of the Belarusian link that the connection "makes the software a potential target for cyber attacks."

The fears of cyber attack are compounded by the anti-U.S. stance of the Minsk government and an incident in February 2013 when large amounts of U.S. Internet data were hijacked and rerouted to Belarus where it was sifted for intelligence.