ADVERTISEMENT

Shut It Down

DNI, HHS urged to shut Obamacare website until security issues resolved

healthcare.gov
AP
February 7, 2014

President Barack Obama and two senior aides are being urged to suspend all use of the Obamacare computer network until recent U.S. intelligence warnings of potential cyber attacks from Belarus are resolved.

Michele Bachmann (R., Minn.), a member of the House Permanent Select Committee on Intelligence, called for the suspension in letters to the president, Director of National Intelligence James Clapper, and Health and Human Services Secretary Kathleen Sebelius. She warned that "the American people’s personal information submitted to Healthcare.gov could be at risk from cyber attacks across the globe."

"Intelligence officials reportedly briefed the administration that Healthcare.gov software potentially written by a state-owned firm in Belarus could contain malware and allow surreptitious access to Americans’ health and financial information," she stated, adding that Belarus is a close ally of Russia.

Bachmann told Clapper that a report posted to the U.S. government’s Open Source Center website had been removed and that the report revealed that Belarusian software engineers were suspected of inserting malicious code in the Obamacare network.

The healthcare network is made up of seven computer hubs that link major federal agencies with some 300 health care providers and insurance firms and some 3 million people who have signed up for health care coverage.

Bachmann reminded Clapper that she had questioned him about the report during an intelligence committee hearing this week.

Clapper stated that he was unaware of the report or its recall.

"However, a DNI spokesman has since confirmed the existence of this report," she stated in the Feb. 6 letter.

The lawmaker then requested a copy of the report, as well as an explanation of why it was produced and withdrawn from internal circulation.

She then urged Clapper to tell HHS to shut down the Healthcare.gov network until proper security testing is carried out in order to prevent the possible loss of personal data or violations of privacy rights of Americans who used the network.

"Intelligence is on the front lines of ensuring that the American people’s personal information is safe from international cyber threats, and too much is at stake to have so many unanswered questions about Healthcare.gov’s security," she said.

The healthcare network, one of the president’s most important domestic policy items, has been plagued with problems since it debuted Oct. 1.

Obama told Fox News Channel on Sunday that the software problems, which he described as "glitches," had been fixed. He made no mention of the potential implanting of malware from Belarus during the pre-Super Bowl interview.

Bachmann, in a separate letter to Sebelius, stated she was concerned that the HHS’ Centers for Medicare and Medicaid Services (CMS), the agency in charge of overseeing Healthcare.gov, could not confirm no malicious software from Belarus is hidden in the software.

"I am writing to respectfully request information on whether or not any code for Healthcare.gov was written in Belarus—or any other country outside the United States—and an explanation of why CMS did not know where all the code was written," Bachmann said.

"Until these questions are answered and until Healthcare.gov has undergone a proper end-to-end stress test, I urge you to immediately shut down Healthcare.gov so no American’s personal data and privacy rights are jeopardized," she said.

Copies of the letters were sent to Obama.

Former intelligence officials said the withdrawal of the cyber threat report was an indication of intelligence politicization, a practice barred by regulations for all U.S. intelligence agencies. Politicization occurs when intelligence is skewed or suppressed because it presents unwelcome views or conflicts with administration policies.

A DNI spokesman earlier this week denied the report was withdrawn for political reasons, insisting that it was not properly vetted.

CIA Director John Brennan told the House hearing this week that he was unaware of the report or its withdrawal. The Open Source Center is located at CIA headquarters in Virginia.

DNI spokesman Shawn Turner said Clapper received the letter and "looks forward to providing a timely response."

The Open Source Center on Jan. 29 distributed a report titled, "United States’ Affordable Care Act Software – Cyber Attack Target." The report was not coordinated with "subject matter experts, did not meet OSC tradecraft standards, and did not follow established procedures for pre-publication review," he said.

"The document was recalled for these reasons and because evidence used in the report did not support the title or any conclusion that the software was compromised," Turner said. "The report will not be reissued."

The handling of the report was a "rare breakdown" in internal vetting, Turner added. "The cause of the breakdown has been identified and steps are being taken to prevent it from happening again."

Spokesmen for Sebelius and the White House either had no immediate comment or did not respond to email requests for comment.

The Bachmann letters followed a report in the Washington Free Beacon published Monday revealing that U.S. intelligence agencies early last month discovered information indicating that software developers under Belarus state control had been involved in developing the Obamacare software.

The intelligence was based in part on comments by Belarusian official Valery Tsepkalo who is director of the government-backed High-Technology Park (HTP) in Minsk.

Tsepkalo stated last summer in an interview broadcast on Russian radio that HHS was among his clients and that "we are helping Obama complete his insurance reform."

"Our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies—they will see the full profile of the given patient," Tsepkalo said June 25 on Voice of Russia Radio.

Efforts to reach Tsepkalo for comment were unsuccessful.

One U.S. official said: "The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks."

Concerns about malicious software in the network were compounded by an incident in February 2013 when large segments of U.S. Internet traffic were hijacked to Belarus. Security officials said it was likely the data was sifted for government and economic intelligence before being rerouted back to the United States.

Additionally, the potential for cyber attacks is increased because the Belarusian government is a Soviet-style dictatorship and U.S. adversary.

The potential of Belarus-origin malware, combined with the Internet hijacking of data to Belarus and the hostile Minsk regime, "makes the software written in Belarus a potential target of cyber attacks for identity theft and privacy violations" of Americans, the U.S. official familiar with the report said.

Officials urged HHS to launch security reviews of the network software for malicious code.

All medical facilities and insurance companies in the United States currently use the software.

White House spokeswoman Caitlin Hayden said the warning in the intelligence report prompted a review of Obamacare software but that no links to Belarus or malicious software had been found.

"So far HHS has found no indications that any software was developed in Belarus," she said. "However, as a matter of due diligence, they will continue to review the supply chain. Supply chain risk is real and it is one of our top concerns in the area of cyber-security."

Some 55 contractors at a cost of more than $400 million were involved in the development of Healthcare.gov’s software.