
Top House Dems Urge Leadership to Hold Immediate Classified Briefing on Sensitive IT Documents Subpoenaed by Issa

Dec 16, 2013
Press Release

Washington, D.C.—Today, the top ranking Democrats on seven House Committees—Oversight and Government Reform, Energy and Commerce, Armed Services, Homeland Security, Intelligence, Education and the Workforce, and Ways and Means—sent a letter to Speaker John Boehner and Democratic Leader Nancy Pelosi urging them to hold an immediate classified briefing with top Administration cyber security officials about the risks posed by the disclosure of documents relating to the Healthcare.gov website that were subpoenaed last week by Oversight Committee Chairman Darrell Issa.  The documents, known as Security Control Assessments (SCAs), already had been provided to the Committee in redacted form, and Committee staff reviewed the full unredacted documents in camera, but Chairman Issa issued a unilateral subpoena for the full unredacted copies, which he received on Friday.

The Members wrote:  “We do not believe these sensitive documents should have been provided to the Committee without adequate protocols to safeguard their contents.  But now that they have, we have an obligation to understand the harm that would be caused if these documents were disclosed.  It is reckless in the extreme for Chairman Issa or any member to possess these documents without a full understanding of the extremely sensitive information they contain and the widespread damage that could be caused if they got into the wrong hands.”   

On Sunday, White House Counsel Kathryn Ruemmler sent a letter to Speaker Boehner warning that disclosing these documents could increase the risks to federal IT systems across the entire federal government:  “Since many Federal IT systems are built using similar components and techniques, the release of the SCAs for the FFM would increase the ability of sophisticated actors to infiltrate not only the FFM, but potentially other, similarly constructed Federal IT system controls.”

This followed a letter sent by the MITRE Corporation on Friday warning:  “In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov and potentially to the security of other CMS data networks that share attributes of this architecture.”  It also followed a letter sent on Friday by the Department of Health and Human Services warning that releasing the documents “could provide a roadmap for malicious cyber actors to direct more efficient and effective cyber-attacks against some of the most sensitive sites the Federal government operates.”

The letter from the Ranking Members can be found here.

The letter from White House Counsel to Speaker Boehner can be found here.

The letter from security contractor MITRE to Issa can be found here.

The letter from HHS to Issa can be found here.

The text of the Ranking Members’ letter is pasted below.

 

December 16, 2013

 

The Honorable John Boehner
Speaker
The Honorable Nancy Pelosi
Democratic Leader
U.S. House of Representatives
Washington, D.C. 20515

Dear Mr. Speaker and Madam Leader:

            We are writing to request that you call an immediate classified meeting with the Administration’s top cyber security officials to brief you and the Chairs and Ranking Members of our Committees about the extremely significant risks of disclosing sensitive contractor documents relating to the Healthcare.gov website that were unilaterally subpoenaed by Oversight Committee Chairman Darrell Issa. 

            Yesterday, the White House Counsel, Kathryn Ruemmler, sent you a letter about the damage to our national interest that would be caused by public disclosure of the documents.  Although the documents in question relate to the Healthcare.gov website, their release could jeopardize the security of sensitive sites across the government.  According to the letter from Ms. Ruemmler:

It is the view of cybersecurity experts from across the Administration that these documents, if further disclosed, would provide information to potential hackers that increases the risk they could penetrate healthcare.gov, the Federal Data Services Hub, and other Federal IT systems.[1]

            The documents at issue are Security Control Assessments (SCAs) and other materials relating to the MITRE Corporation’s work under a contract with the Department of Health and Human Services (HHS) for security testing on Healthcare.gov.  MITRE produced these documents to the Oversight Committee on Friday pursuant to a subpoena issued by Chairman Issa without consultation with other Committee Members. 

            MITRE had previously produced redacted copies of these documents to the Oversight Committee, and both Republican and Democratic Committee staff had already reviewed the full unredacted content of these documents in camera.  Despite the fact that Committee Members had full access to this information, Chairman Issa demanded that MITRE produce physical copies of all of the unredacted documents, which the company did on Friday.  The rationale for this action is not clear since there have been no successful cyber attacks on Healthcare.gov.[2]

            Prior to producing the documents, MITRE had sent three letters to Chairman Issa—on November 5, November 22, and December 4—warning that the documents include software code and other technical information that is highly sensitive and could give hackers a roadmap to compromise the security of the website and the personal information of American citizens.  When MITRE produced the unredacted documents to the Committee on Friday, the company’s President and CEO issued this grave warning:

The … SCAs … contain information about cybersecurity methods and the fundamental cyber-architecture of HealthCare.gov that transcends the specific security control vulnerabilities which have been the focus of news reports and the Committee’s public inquiry.  In the wrong hands, this information could cause irreparable harm to the basic security architecture of HealthCare.gov and potentially to the security of other CMS data networks that share attributes of this architecture.[3]

            On Friday, HHS sent a letter warning Chairman Issa that disclosing these documents publicly would pose grave risks to our national interest.  According to the letter: 

Our concern is not the current security status of the website, but the threat to the security of the site created by releasing documents that could provide a roadmap for malicious cyber actors to direct more efficient and effective cyber-attacks against some of the most sensitive sites the Federal government operates.[4]

            The letter from Ms. Ruemmler to the Speaker provides more detail about what is at stake.  Ms. Ruemmler explained:

Even though many of the originally discovered vulnerabilities have been successfully mitigated, details in the unredacted SCAs could be misused to develop a targeted intrusion strategy.  In addition, the security assessments provide insight into the FFM system’s architecture, including its network and security controls, as well as the hardware and software applications it employs.  Since many Federal IT systems are built using similar components and techniques, the release of the SCAs for the FFM would increase the ability of sophisticated actors to infiltrate not only the FFM, but potentially other, similarly constructed Federal IT system controls.[5]

            As soon as these documents were produced to the Oversight Committee on Friday, HHS officials immediately contacted Chairman Issa’s office and asked to have the opportunity for Secretary Sebelius and senior cybersecurity officials to provide a personal briefing for him and the Committee’s Ranking Member, Rep. Elijah Cummings, on the security risks of disclosing these documents.  Unfortunately, Chairman Issa’s office declined.  As a result, he and his staff are unaware of the extent of damage to our national interest that could be caused by release of the documents. 

            We do not believe these sensitive documents should have been provided to the Committee without adequate protocols to safeguard their contents.  But now that they have, we have an obligation to understand the harm that would be caused if these documents were disclosed.  It is reckless in the extreme for Chairman Issa or any member to possess these documents without a full understanding of the extremely sensitive information they contain and the widespread damage that could be caused if they got into the wrong hands.   

That is why we are writing to urge you to schedule an immediate briefing with the appropriate Administration officials.  If travel schedules make an in-person briefing infeasible, we request that this briefing occur over a secure phone line.     

Thank you for your consideration of this request.

Sincerely,

Rep. Elijah E. Cummings
Ranking Member, House Committee on Oversight and Government Reform

Rep. Henry A. Waxman
Ranking Member, House Committee on Energy and Commerce

Rep. Adam Smith
Ranking Member, House Committee on Armed Services

Rep. Bennie G. Thompson
Ranking Member, House Committee on Homeland Security

Rep. C.A. Dutch Ruppersberger
Ranking Member, House Permanent Select Committee on Intelligence

Rep. George Miller
Ranking Member, House Committee on Education and the Workforce

Rep. Sander M. Levin
Ranking Member, House Committee on Ways and Means

 

[1]Letter from Kathryn H. Ruemmler, Counsel to the President, to the Honorable John Boehner, Speaker, U.S. House of Representatives (Dec. 15, 2013).

[2]Memorandum from Reps. Henry A. Waxman and Diana DeGette, House Committee on Energy and Commerce, to Subcommittee on Oversight and Investigations Democratic Members and Staff (Dec. 13, 2013).

[3]Letter from Alfred Grasso, President and Chief Executive Officer, MITRE Corporation, to Chairman Darrell E. Issa, House Committee on Oversight and Government Reform (Dec. 13, 2013).

[4]Letter from Jim R. Esquea, Assistant Secretary for Legislation, Department of Health and Human Services, to Chairman Darrell E. Issa, House Committee on Oversight and Government Reform (Dec. 13, 2013).

[5]Letter from Kathryn H. Ruemmler, Counsel to the President, to the Honorable John Boehner, Speaker, U.S. House of Representatives (Dec. 15, 2013).
