This Obamacare contractor doesn’t take security seriously. That needs to change.

October 25, 2013

CGI Federal Senior Vice President Cheryl Campbell talks to Optum/QSSI group Executive Vice President Andrew Slavitt prior to a hearing on implementation of the Affordable Care Act before the House Energy and Commerce Committee on Oct. 24, 2013 on Capitol Hill. (Alex Wong/Getty Images)

Yesterday's congressional hearing on Obamacare's faulty Web site gave CGI and the other federal contractors a chance to explain themselves. Instead, we saw a lot of finger-pointing and blame-shifting. One particularly egregious moment had QSSI Executive Vice President Andy Slavitt downplaying his company's responsibility for securing the information in his system.

"Our systems don't hold data," he quibbled. "They just transport data through it."

"You don't have to hold it to protect it," Rep. Mike Rogers (R-Mich.) fired back.

In Slavitt's defense, data security may not have been an explicit feature of QSSI's federal contract. But the fact that he thought this dodge would fly says a lot about executives who work with some of the nation's most sensitive digital infrastructure. They just aren't equipped to understand the weaknesses that make their systems vulnerable to cyberattacks.

Safeguarding machinery, even if it's digital machinery, can seem like busy work. But in fact, as a new set of cybersecurity guidelines crafted by industry leaders and released by the government points out, effective IT security calls for a great deal of buy-in from top-level officials. They don't just set an example for the rest of the organization when it comes to digital hygiene; they're sometimes the only ones with enough power and authority to change a company's security culture. Northrop Grumman's chief information security officer, Michael Papay, routinely tries to hack his own employees' e-mail accounts — which, he says, has made them more aware of the dangers of e-mail phishing scams.

"This is not an area where [companies in the same industry] are necessarily competing against each other," Papay said at the first workshop in March to design the guidelines. "We may fight like cats and dogs over procurement contracts, but … If my information security network is infiltrated, it's likely theirs will be as well, because we carry some of their key information."

But there's only so much a CISO can do without being supported by the other C-suite execs around him. That's why the draft cybersecurity guidelines, which were released earlier this week, ask readers at the outset to make sure cybersecurity risk is "appropriately integrated" into overall business risk and that the document successfully provides "the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail."

In plain English, the private sector is really concerned about its own executives who foolishly accept gaps in online security because they don't think it's their responsibility. Slavitt falls right into that category.

Brian Fung covers technology for The Washington Post.