The Washington Post

This Obamacare contractor doesn’t take security seriously. That needs to change.

CGI Federal Senior Vice President Cheryl Campbell talks to Optum/QSSI Group Executive Vice President Andrew Slavitt prior to a hearing on implementation of the Affordable Care Act before the House Energy and Commerce Committee on Oct. 24, 2013, on Capitol Hill. (Alex Wong/Getty Images)

Yesterday's congressional hearing on Obamacare's faulty Web site gave CGI and the other federal contractors a chance to explain themselves. Instead, we saw a lot of finger-pointing and blame-shifting. One particularly egregious moment had QSSI Executive Vice President Andy Slavitt downplaying his company's responsibility for securing the information that passes through its systems.

"Our systems don't hold data," he quibbled. "They just transport data through it."

"You don't have to hold it to protect it," Rep. Mike Rogers (R-Mich.) fired back.

In Slavitt's defense, data security may not have been an explicit feature of QSSI's federal contract. But the fact that he thought this dodge would fly says a lot about executives who work with some of the nation's most sensitive digital infrastructure. They just aren't equipped to understand the weaknesses that make their systems vulnerable to cyberattacks.

Safeguarding machinery, even if it's digital machinery, can seem like busy work. But in fact, as a new set of cybersecurity guidelines crafted by industry leaders and released by the government points out, effective IT security calls for a great deal of buy-in from top-level officials. They don't just set an example for the rest of the organization when it comes to digital hygiene; they're sometimes the only ones with enough power and authority to change a company's security culture. Northrop Grumman's chief information security officer, Michael Papay, routinely tries to hack his own employees' e-mail accounts — which, he says, has made them more aware of the dangers of e-mail phishing scams.

"This is not an area where [companies in the same industry] are necessarily competing against each other," Papay said at the first workshop in March to design the guidelines. "We may fight like cats and dogs over procurement contracts, but … if my information security network is infiltrated, it's likely theirs will be as well, because we carry some of their key information."

But there's only so much a CISO can do without being supported by the other C-suite execs around him. That's why the draft cybersecurity guidelines, which were released earlier this week, ask readers at the outset to make sure cybersecurity risk is "appropriately integrated" into overall business risk and that the document successfully provides "the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail."

In plain English, the private sector is really concerned about its own executives who foolishly accept gaps in online security because they don't think it's their responsibility. Slavitt falls right into that category.

Brian Fung covers technology for The Washington Post, focusing on telecommunications and the Internet. Before joining the Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic.
