Nick's Blog

Personal opinions. Aggressively stated.

When I say, ‘Catastrophic Failure,’ I mean…

As news outlets around the country have hammered on the problems with the rollout of, we have seen, ironically, the same politicization of technology that in fact led to the problems at While media outlets that lean left have referred to reparable problems and “glitches”, those on the right have referred to the End of Times and proof that Obama hates you, yes you, personally.

Because I have spoken about the issues publicly and criticized the website – and on Fox Business yet! – people have questioned my motives.

To be clear about those, what I see now with the debacle is this generation’s greatest opportunity to show that government – on its own and in partnership with the private sector – can indeed make great technology if it focuses on the principles of letting users and the use-case drive the application, making the data open, and looking at fixing how government procures bespoke technology.

My greatest fear is that the same politics that led to this abject technology failure will lead to failure to seize this opportunity. That would be even worse.

Analysis of technology was behind even the snarkiest of my comments when I spoke on Fox, but even friends of mine thought that I was playing ‘Dog Pile on the Obamacare’ (attacking the administration and making political commentary), even though what I was saying was clearly about the technology[1].

I judge all software through a security prism, because that’s my training and experience. When I hear people saying that the login and the email confirmation mechanism wasn’t working, but that, now, 90% of people can register; when I hear people say that the 834 form is being sent to insurers containing errors; when I hear that the authentication against the DHS and SS DBs (actually it seems the site is proofing against IRS DBs); when I hear all this I think of fundamental information security, and the CIA Triad: Confidentiality, Integrity and Availability.

Confidentiality: We are having – still – regular but intermittent and unpredictable errors in authentication. This may be due to network latency (I think not), and/or application latency (certainly) and/or coding errors (likely) and/or process latency (certainly), and/or architecture and routing errors (certainly) etc. The JavaScript files I have viewed are positively riddled with exploitable vulnerabilities, comments and just plain, bad code (if I can recognize garbage code in your code, then your code is bad); Dave Kennedy’s sober, rational and deductive post on other code available on found similar substantial issues and walks you through how security people look at the site. There is a fundamental lack of confidentiality in the system.

Integrity: We cannot prove who people are; the system cannot attest to a straight-line, auditable trail of everything it is doing and everyone it is tracking; the data is corrupted, so that the insurance companies cannot be certain that the information they get is dependable. There is a fundamental lack of integrity in the system.

Availability: The application outages, unpredictable processes and unpredictable availability mean that one cannot count on the system to do what it is designed to do. There is a fundamental lack of availability to the system.

When I look at, I don’t see a healthcare system or signature political program. I see a poorly executed and managed technology project that can’t deliver on the basic principle, definitionally, of a secure and usable website. Much worse than that, I still can’t find out how much my mother-in-law will have to pay for the healthcare plan she needs.

So, when I hear people saying it will be “fixed” by the end of November, based on what I know about software development, I can only state that it seems clear that people are saying that fixing the availability will fix the site.

It will not.



[1] In that Fox Business interview, and in others, I also stated that there were many things about – like the front end and UI, and the delivery services being provided by contractors – that were tip top and worked well. I have also stated repeatedly that government can in fact make great websites, and I pointed to and as specific examples. I have also said, repeatedly, that policy – not user outcome and user experience – drove the development of the technology; that attempts were made to hide, or secure through obscurity, the underlying pricing data as opposed to opening it and making it available to all; both of which situations aggravated the underlying procurement issues.
