[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
THE ROLE OF THE WHITE HOUSE
CHIEF TECHNOLOGY OFFICER IN
THE HEALTHCARE.GOV WEBSITE DEBACLE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
----------
NOVEMBER 19, 2014
----------
Serial No. 113-96
----------
Printed for the use of the Committee on Science, Space, and Technology
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
THE ROLE OF THE WHITE HOUSE
CHIEF TECHNOLOGY OFFICER IN
THE HEALTHCARE.GOV WEBSITE DEBACLE
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
NOVEMBER 19, 2014
__________
Serial No. 113-96
__________
Printed for the use of the Committee on Science, Space, and Technology
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://science.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
92-329PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR., DANIEL LIPINSKI, Illinois
Wisconsin DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas ERIC SWALWELL, California
PAUL C. BROUN, Georgia DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi ALAN GRAYSON, Florida
MO BROOKS, Alabama JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois SCOTT PETERS, California
LARRY BUCSHON, Indiana DEREK KILMER, Washington
STEVE STOCKMAN, Texas AMI BERA, California
BILL POSEY, Florida ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky ROBIN KELLY, Illinois
KEVIN CRAMER, North Dakota KATHERINE CLARK, Massachusetts
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS COLLINS, New York
BILL JOHNSON, Ohio
------
Subcommittee on Oversight
HON. PAUL C. BROUN, Georgia, Chair
F. JAMES SENSENBRENNER, JR., DAN MAFFEI, New York
Wisconsin ERIC SWALWELL, California
BILL POSEY, Florida SCOTT PETERS, California
KEVIN CRAMER, North Dakota EDDIE BERNICE JOHNSON, Texas
BILL JOHNSON, Ohio
LAMAR S. SMITH, Texas
C O N T E N T S
November 19, 2014
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Paul C. Broun, Chairman, Subcommittee
on Oversight, Committee on Science, Space, and Technology, U.S.
House of Representatives....................................... 8
Written Statement............................................ 9
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives............................................. 10
Written Statement............................................ 12
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 13
Written Statement............................................ 14
Witnesses:
Mr. Todd Park, former Chief Technology Officer of the United
States, Office of Science and Technology Policy (OSTP)
Oral Statement............................................... 15
Submitted Biography.......................................... 18
Discussion....................................................... 25
Appendix I: Answers to Post-Hearing Questions
Mr. Todd Park, former Chief Technology Officer of the United
States, Office of Science and Technology Policy (OSTP)......... 50
Appendix II: Additional Material for the Record
Prepared statement by Representative Eric Swalwell, Committee on
Science, Space, and Technology, U.S. House of Representatives.. 80
Supporting documents submitted by Representative Paul C. Broun,
Chairman, Subcommittee on Oversight, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 82
Hearing documents submitted by the Majority staff, Committee on
Science, Space, and Technology, U.S. House of Representatives.. 155
Letter submitted by Representative Scott Peters, Subcommittee on
Oversight, Committee on Science, Space, and Technology, U.S.
House of Representatives....................................... 193
Minority staff report submitted by Representative Eddie Bernice
Johnson, Ranking Member, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 195
Majority staff report submitted by Representative Paul C. Broun,
Chairman, Subcommittee on Oversight, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 413
THE ROLE OF THE WHITE HOUSE
CHIEF TECHNOLOGY OFFICER IN
THE HEALTHCARE.GOV WEBSITE DEBACLE
----------
WEDNESDAY, NOVEMBER 19, 2014
House of Representatives,
Subcommittee on Oversight,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 10:10 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Paul Broun
[Chairman of the Subcommittee] presiding.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Broun. This hearing of the Subcommittee on
Oversight will come to order. Without objection, the Chair is
authorized to declare recesses of the Committee at any time.
Good morning, and welcome to today's hearing. In front of
you are packets containing the written testimony, biography,
and truth-in-testimony disclosure for today's witness. I now
recognize myself for five minutes for an opening statement.
I want to thank my colleagues for being here today, and I
want to especially thank our witness for his presence. We have
been waiting a very long time to be able to question you, sir.
I am sorry that we had to come to the point of issuing you a
subpoena to get that to happen, but I am glad that you are here
today, sir.
In fact, the Committee has invited you several times before
on five different occasions. We wrote directly to you, Mr.
Park, as well as to the Director of the Office of Science and
Technology Policy. None of those invitations elicited the
``yes'' response that we got as a result of issuing you a
subpoena.
In the course of our correspondence, several claims were
made by OSTP as to why you were not the individual to answer
the Committee's questions, such as: that you and OSTP personnel
have not been substantially involved in developing or
implementing the Federally Facilitated Marketplace's security
measures; that you did not develop or approve the security
measures in place to protect the website; that you do not
manage those responsible for keeping the site safe; and that
you are not a cybersecurity expert, which is an interesting
description of you to say the least. You are the co-founder of
Athenahealth, which you co-developed into one of the most
innovative health IT companies in the industry and become very
wealthy, in fact, doing that. As a government employee, you
helped launch the President's Smarter IT Delivery Agenda, which
created the new U.S. Digital Service, and you created the beta
version of HealthCare.gov. How do these activities not require
cybersecurity expertise?
Further, on November 13, 2013, in testimony, sworn
testimony, before the Committee on Oversight and Government
Reform, you said that you did not, to quote you, ``actually
have a really detailed knowledge base'' of the website before
it was launched, and that you were, again quoting you, ``not
deeply familiar with the development and testing regimen that
happened prior to October 1.''
However, the Committee has in its possession documents that
appear to contradict much of what you have said in your prior
Congressional appearance, again under oath, as well as what
OSTP has explained to this Committee.
But these documents were not easy to come by, despite
requesting them in a letter last December, and despite
preparing to ask about them in a briefing OSTP arranged on your
behalf in September--a briefing that was canceled the evening
before it was scheduled to take place when your colleagues were
informed it would be transcribed.
Mr. Park, I find your and the White House's lack of
transparency intolerable and an obstruction to this Committee's
efforts to conduct oversight. It took a subpoena to get you
here, sir. It took another subpoena to compel your documents
from the White House, but even with that, we have yet to
receive all of your documents in compliance with our subpoena
issued on September 19, exactly 2 months ago.
As a gesture of good faith, Committee staff have engaged in
multiple in-camera reviews with White House lawyers, yet there
are still documents being withheld from the Committee without a
claim of a legally recognized privilege. That begs the
question: What are you hiding, Mr. Park?
I have some theories about the answer to that question.
Perhaps it is that you knew there were serious problems with
HealthCare.gov prior to the launch but you did not convey them
up the chain in your briefings with the President. Or, perhaps
you did, and they were ignored because of this Administration's
relentless pursuit to launch HealthCare.gov on October 1, 2013,
no matter the consequences.
Now here we are, a year later and fresh into the beginning
of the second open enrollment, with questions that still remain
about this $2 billion debacle you are credited with fixing--a
debacle that, I might add, got hacked this summer and that,
according to a recent Government Accountability Office report,
still has weaknesses, as they say ``both in the processes used
for managing information security and privacy, as well as the
technical implementation of IT security controls.''
We look forward to this opportunity to ask you some of our
questions, Mr. Park.
I also now ask unanimous consent to submit documents for
the record, which will be referenced in some of our questions.
Without objection, so ordered.
[The information appears in Appendix II]
Chairman Broun. Before I yield to the Ranking Member, Eddie
Bernice Johnson, my friend from Texas, and because of some
conflict with the Democrats, we will come back to Mr.
Swalwell's statement later on, I might add that this is likely
my last time chairing this Subcommittee on Oversight for a
hearing, and I would like to thank my friends on both sides of
the aisle, especially Chairman Smith, for a productive two
years of hard work on this Subcommittee. Our staff, both
Democrat and Republican, worked very hard. We worked together
in as bipartisan manner as possible. We might not have agreed
on all the issues. Some issues we did, some we didn't. But it
has been a very productive two years, I think, and I have been
very privileged to Chair this Subcommittee. I wish you all well
next year.
[The prepared statement of Mr. Broun follows:]
Prepared Statement of Subcommittee on Oversight
Chairman Paul Broun
Good morning. I want to thank my colleagues for being here today
and I want to especially thank our witness for his presence--we have
been waiting a very long time to question you, sir.
In fact, the Committee has invited you to testify before us on five
different occasions. We wrote directly to you, Mr. Park, as well as to
the Director of the Office of Science and Technology Policy. None of
those invitations elicited the ``yes'' response we got as a result of
issuing you a subpoena.
In the course of our correspondence, several claims were made by
OSTP as to why you were not the individual to answer the Committee's
questions, such as:
That you and OSTP personnel have not been substantially
involved in developing or implementing the Federally Facilitated
Marketplace's security measures;
That you did not develop or approve the security measures
in place to protect the website;
That you do not manage those responsible for keeping the
site safe; and
That you are not a cybersecurity expert--which is an
interesting description of you to say the least. You are the co-founder
of Athenahealth, which you co-developed into one of the most innovative
health IT companies in the industry. As a government employee, you
helped launch the President's Smarter IT Delivery Agenda, which created
the new U.S. Digital Service.and you created the beta version of
HealthCare.gov--how do these activities not require cybersecurity
expertise?
Further, on November 13, 2013, in testimony before the Committee on
Oversight and Government Reform, you said that you did not ``actually
have a really detailed knowledge base'' of the website before it was
launched, and that you were ``not deeply familiar with the development
and testing regimen that happened prior to October 1.'' \1\
---------------------------------------------------------------------------
\1\ ``Obamacare Implementation-The Rollout of HealthCare.gov,''
House Oversight and Government Reform Committee, November 13, 2013,
available at: http://oversight.house.gov/wp-content/uploads/2014/06/11-
13-13-TRANSCRIPT-Obamacare-Implementation-The-Rollout-of-
HealthCare.gov--.pdf.
---------------------------------------------------------------------------
However, the Committee has in its possession documents that appear
to contradict much of what you have said in your prior Congressional
appearance, as well as what OSTP has explained to this Committee.
But these documents were not easy to come by, despite requesting
them in a letter last December, and despite preparing to ask about them
in a briefing OSTP arranged on your behalf in September--a briefing
that was cancelled the evening before it was scheduled to take place
when your colleagues were informed it would be transcribed.
Mr. Park, I find your and the White House's lack of transparency
intolerable and an obstruction to this Committee's efforts to conduct
oversight. It took a subpoena to get you here. It took another subpoena
to compel your documents from the White House, but even with that, we
have yet to receive all of your documents in compliance with our
subpoena issued on September 19th, exactly two months ago. As a gesture
of good faith, Committee staff have engaged in multiple in camera
reviews with White House lawyers, yet there are still documents being
withheld from the Committee without a claim of a legally recognized
privilege. That begs the question--what are you hiding, Mr. Park?
I have some theories about the answer to that question. Perhaps it
is that you knew there were serious problems with HealthCare.gov prior
to the launch but you did not convey them up the chain in your
briefings with the President. Or, perhaps you did, and they were
ignored because of this Administration's relentless pursuit to launch
HealthCare.gov on October 1, 2013, no matter what the consequences.
Now here we are, a year later and fresh into the beginning of the
second Open Enrollment, with questions that still remain about this $2
billion dollar debacle you are credited with fixing--a debacle that, I
might add, got hacked this summer and that, according to a recent
Government Accountability Office report, still has weaknesses ``both in
the processes used for managing information security and privacy, as
well as the technical implementation of IT security controls.''
We look forward to this opportunity to ask you some of our
questions.
Before I yield to Mr. Swalwell for his opening statement, let me
just add that this is likely my last time chairing an Oversight
Subcommittee hearing, and I would like to thank my friends on both
sides of the aisle--especially Chairman Smith--for a productive two
years of hard work on this Subcommittee. I wish you all well next year,
and I now recognize Mr. Swallwell.
Chairman Broun. I now recognize our Ranking Member, Ms.
Eddie Bernice Johnson, for her statement. You are recognized
for five minutes.
Ms. Johnson. Thank you, Mr. Chairman, and let me express my
appreciation for your service, since this might very well be
your last chairing of this Committee, and wish you well in the
future. We have maintained a great relationship, although I
must say that probably 99.9 percent of the time we disagree.
But I want to welcome Mr. Park, the former Chief Technology
Officer of the United States, to this Committee hearing, and I
appreciate, Mr. Park, your willingness to appear before us. I
want to apologize to you for all the political theater that is
unfolding around your appearance. Please keep in mind that this
hearing is largely an excuse for the majority to again express
their dislike for the Affordable Care Act and the online
Marketplace that has led millions of Americans to find medical
coverage. I know that they do not like Obamacare. The Majority
has voted at least some 53 times during this Congress to repeal
or dismantle the ACA.
Nevertheless, I want to ask all Members here today to
please remember that Mr. Park is not personally responsible for
the ACA, nor is he responsible for the problems on October 1,
2013.
Mr. Park, it is clear that you were not responsible for how
the website performed last October 1st. In doling out
responsibility for its performance on day one, I think it was
fair to assign you zero percentage of the responsibility, which
reflects the degree of your actual involvement in developing
the website.
Of course, your job at the White House put you in a
position to have more insight than most into how the Centers
for Medicare and Medicaid Services were doing in developing the
program, but the management of the program was up to CMS. And
the people doing the actual development work were contractors
who legally answered to CMS. As I am sure you would agree,
insight into what is going on does not equate to being
intimately involved or directly responsible for the website.
And of course your real job as CTO during that period had you
leading multiple interagency initiatives designed to push
technology into the American economy and across society. For
example, you were working to make U.S. government data more
easily accessible by the public, which can spur innovation,
profits and jobs, as has been amply demonstrated by the way
that publicly available National Weather Service data has
spawned a multibillion-dollar weather forecasting industry.
Mr. Park, I think it is fair to say that fundamentally you
were working to make services of the government more readily
available to citizens during your tenure as CTO. You were
working to help reduce information costs in various areas of
the economy, notably your green button initiative to let
consumers get a better idea about energy consumption and
sourcing. You were facilitating dialogues across communities to
bring experts on particular social issues face-to-face with
experts from the IT world. Laudably, you were a part of an
initiative aimed at stopping human trafficking and another
initiative designed to find ways to harness IT more effectively
in disaster response.
I know that as I cite these examples, I am just scratching
the surface of the scope of your day job as CTO of the United
States. Regrettably, the Committee has made no effort to
understand this broad portfolio of your accomplishments there,
and has shown little appreciation for your patriotic desire to
serve, even though it meant leaving the lucrative world of
Silicon Valley IT startups and venture capital. From the bottom
of my heart, I want to thank you for all you did and tried to
do, including joining the team tasked with fixing the
HealthCare.gov site after October 1st.
I hope your experience with this Committee won't diminish
your sense of pride in your accomplishments or dampen your
enthusiasm for public service. We need people like you to be
willing to come serve this country.
Thank you, and I yield back.
[The prepared statement of Ms. Johnson follows:]
Prepared Statement of Full Committee
Ranking Member Eddie Bernice Johnson
Mr. Chairman, I want to welcome Mr. Park, the former Chief
Technology Officer of the United States, to this Committee hearing. I
appreciate your willingness to appear before us, Mr. Park, and I want
to apologize to you for all the political theater that is unfolding
around your appearance.
Please keep in mind that this hearing is largely an excuse for the
Majority to again express their dislike for the Affordable Care Act and
the online-Marketplace that has let millions of Americans find medical
coverage. I know that they do not like Obamacare--the Majority have
voted in the House some 53 times during this Congress to repeal or
dismantle the ACA. Nevertheless, I want to ask all Members here today
to please remember that Mr. Park is not personally responsible for the
ACA, nor is he responsible for the problems on October 1, 2013.
Mr. Park, it is clear that you were not responsible for how the
website performed last October 1. In doling out responsibility for its
performance on day one I think it's fair to assign you 0 % of the
responsibility, which reflects the degree of your actual involvement in
developing the website.
Of course, your job at the White House put you in a position to
have more insight than most into how the Centers for Medicare and
Medicaid Services were doing in developing the program, but the
management of the program was up to CMS. And the people doing the
actual development work were contractors who legally answered to CMS.
As I'm sure you would agree, insight into what is going on does not
equate to being intimately involved or directly responsible for the
website.
And of course your real job as CTO during that period had you
leading multiple interagency initiatives designed to push technology
out into the American economy and across society. For example, you were
working to make U.S. government data more easily accessible by the
public, which can spur innovation, profits, and jobs, as has been amply
demonstrated by the way that publicly available National Weather
Service data has spawned a multi-billion dollar weather forecasting
industry.
Mr. Park, I think it is fair to say that fundamentally you were
working to make services of the government more readily available to
citizens during your tenure as CTO. You were working to help reduce
information costs in various areas of the economy, notably your ``green
button'' initiative to let consumers get a better idea about energy
consumption and sourcing. You were facilitating dialogues across
communities to bring experts on particular social issues face-to-face
with experts from the IT world. Laudably, you were a part of an
initiative aimed at stopping human trafficking and another initiative
designed to find ways to harness IT more effectively in disaster
response.
I know that as I cite these examples, I am just scratching the
surface of the scope of your day job as CTO of the United States.
Regrettably, the Committee has made no effort to understand this broad
portfolio or your accomplishments there, and has shown little
appreciation for your patriotic desire to serve, even though it meant
leaving the lucrative world of Silicon Valley IT start-ups and venture
capital.
From the bottom of my heart, I want to thank you for all you did
and tried to do, including joining the team tasked with fixing the
healthcare.gov site after October 1. I hope your experience with this
Committee won't diminish your sense of pride in your accomplishments or
dampen your enthusiasm for public service. We need people like you to
be willing to come serve the country.
Chairman Broun. Thank you, Ms. Johnson. I disagree with you
about a couple of issues. One is that we have recognized Mr.
Park's accomplishments and responsibilities outside of being
involved in HealthCare.gov. In fact, he himself has said he has
not been deeply involved, though there are emails that we have
and that you have that show otherwise. So it is not zero
involvement, and it seems to be the mantra of this
Administration that people are zero involved and have no
responsibility for issues, but thank you, Ms. Johnson.
I now recognize the full Committee Chairman, Mr. Lamar
Smith, for five minutes.
Chairman Smith. Thank you, Mr. Chairman.
Americans have seen firsthand the misrepresentations that
surround Obamacare. First, there was the President's broken
promise that ``If you like your health care plan, you can keep
it.'' Then, in a video that surfaced last week, MIT professor
Jonathan Gruber, a principal architect of Obamacare, admitted
how the Administration sold this to the American people, saying
``Lack of transparency is a huge political advantage.
Basically, call it the stupidity of the American voter or
whatever, but basically that was really, really critical to
getting the thing [Obamacare] to pass.''
Finally, after a year of requests by this Committee, the
Administration has agreed to have someone who worked in the
White House testify about the lack of security of the
HealthCare.gov website. Mr. Todd Park was the White House Chief
Technology Officer for the Office of Science and Technology
Policy from March 2012 to August 2014.
Joining the Obama Administration in the Department of
Health and Human Services, Mr. Park was one of the principal
architects for the HealthCare.gov website. Former Health and
Human Services Secretary Kathleen Sebelius later called this
website ``a debacle'' with a recent estimated cost of $2
billion.
Today we will review the White House's repeated
misinformation about the HealthCare.gov website. Mr. Park's own
emails show an in-depth, detailed knowledge about cybersecurity
issues with the website. He was the primary spokesperson for
the White House about the website and the website's security.
Mr. Park directed several contractors to review the security of
the website.
On October 10th, soon after the website went operational,
Mr. Park read an online article by David Kennedy, a white hat
hacker who has testified twice before this Committee. Mr.
Kennedy's article was titled ``Is the Affordable Care Website
Secure? Probably Not.'' Mr. Park commented in an email how he
was advised that ``these guys are on the level.'' We are asking
Mr. Park to explain his role in developing the $2 billion
website and what the Administration knew about the security
risks of the website.
As of today, the White House still has failed to provide
this Committee with all the documents that are subject to the
subpoena. The ones we do have paint a far different picture
than that of the Office of Science and Technology Policy.
As I mentioned, the Committee has not received all of the
emails and other documents that were subject to the subpoena so
another hearing may well be necessary.
Finally, I want to take a moment to thank the Chairman of
the Oversight Subcommittee, Dr. Paul Broun, for his tireless
efforts on this subject as well as so many other subjects that
have come before this Subcommittee. We appreciate his public
service and his dedication over the years to his constituents,
to Congress, and to our country. So Chairman Broun, thank you
again for all you have done. We appreciate all your great work,
and I look forward to today's hearing.
[The prepared statement of Mr. Smith follows:]
Prepared Statement of Full Committee Chairman Lamar S. Smith
Americans have seen first-hand the misrepresentations that surround
Obamacare. First, there was the President's broken promise that ``If
you like your health care plan, you can keep it.''
Then, in a video that surfaced last week, MIT professor Jonathan
Gruber, a principal architect of Obamacare, admitted how the
Administration sold this to the American people, saying:
``Lack of transparency is a huge political advantage.
Basically, call it the stupidity of the American voter or
whatever, but basically that was really, really critical to
getting the thing [Obamacare] to pass.''
Finally, after a year of requests by this Committee, the
Administration has agreed to have someone who worked in the White House
testify about the lack of security of the HealthCare.gov website. Mr.
Todd Park was the White House Chief Technology Officer for the Office
of Science and Technology Policy (OSTP) from March 2012 to August 2014.
Joining the Obama Administration in the Department of Health and
Human Services, Mr. Park was one of the principal architects for the
HealthCare.gov website. Former Health and Human Services (HHS)
Secretary Kathleen Sebelius later called this website ``a debacle''
with a recent estimated cost of $2 billion.
Today we will review the White House's repeated misinformation
about the HealthCare.gov website.
Mr. Park's own emails show an in-depth, detailed knowledge about
cybersecurity issues with the website. He was the primary spokesperson
for the White House about the website and the website's security.
Mr. Park directed several contractors to review the security of the
website. On October 10th--soon after the website went operational--Mr.
Park read an online article by David Kennedy, a white hat hacker who
has testified twice before this Committee.
Mr. Kennedy's article was entitled ``Is the Affordable Care Website
Secure? Probably Not.'' Mr. Park commented in an email how he was
advised that ``these guys are on the level.''
We're asking Mr. Park to explain his role in developing the $2
billion website and what the Administration knew about the security
risks of the website.
As of today, the White House still has failed to provide this
Committee with all the documents that are subject to the subpoena. The
ones we do have paint a far different picture than that of the Office
of Science and Technology Policy.
As I mentioned, the Committee has not received all of the emails
and other documents that were subject to the subpoena. So another
hearing may well be necessary.
Finally, I want to take a moment to thank the chairman of the
Oversight Subcommittee, Dr. Paul Broun, for his tireless efforts on
this subject and many others before the Oversight Subcommittee. We
appreciate his public service and dedication over his many years on the
Science Committee.
I look forward to today's hearing.
Chairman Broun. Thank you, Mr. Smith. As I announced
earlier, Mr. Swalwell will be joining us in a bit, and he will
give his opening statement at that time and then ask his
questions in due order. If there are Members who wish to submit
additional opening statements, your statements will be added to
the record at this point.
At this time, I would like to introduce today's witness,
Mr. Todd Park, the former Chief Technology Officer of the
United States and Assistant to the President. Prior to this
role, Mr. Park served as Chief Technology Officer for the U.S.
Department of Health and Human Services, and before entering
Federal service, Mr. Park co-founded Athenahealth and co-led
its development into one of the most impressive health IT
companies in the industry.
As our witness should know, spoken testimony is limited to
five minutes after which the members of the Committee will have
five minutes each to ask questions. And Mr. Park, it is the
practice of this Subcommittee on Oversight to receive testimony
under oath. If you now would please stand and raise your right
hand? Do you solemnly swear and affirm to tell the whole truth
and nothing but the truth, so help you God?
Mr. Park. I do.
Chairman Broun. Thank you. You may be seated. Let the
record reflect that the witness answered in the affirmative and
has taken the oath.
I now recognize Mr. Park for five minutes to present your
testimony, sir.
TESTIMONY OF TODD PARK,
FORMER CHIEF TECHNOLOGY OFFICER
OF THE UNITED STATES,
OFFICE OF SCIENCE AND TECHNOLOGY POLICY
Mr. Park. Thank you, sir.
Chairman Broun, thank you for your service. Chairman Smith,
Ranking Member Swalwell, Ranking Member Johnson and Members of
the Committee, good morning. I am looking forward to the
opportunity to offer testimony to you today.
To begin, I would like to provide some context for my time
as U.S. Chief Technology Officer that will be helpful in
addressing questions you have asked me to answer.
I am a private-sector health IT entrepreneur by background
and have been blessed with significant success in that arena.
Only in America can the son of two brave immigrants from Korea
have the kind of business-building experiences that I have been
blessed to have. I love this country very much, and it has been
the greatest honor of my life to serve it.
In March 2012, after 2-1/2 years working at the U.S.
Department of Health and Human Services, I joined the White
House Office of Science and Technology Policy as U.S. CTO. In
this role, my primary job was to serve as a Technology Policy
and Innovation Advisor across a broad portfolio of issues,
working on open data policy and initiatives, wireless spectrum
policy, how to advance a free and open Internet, how to harness
the power of technological innovation to fight human
trafficking and improve disaster response and recovery, and
more. My role as U.S. CTO was not to oversee the internal
Federal IT budget and operations. However, given my background
at HHS and as a health IT entrepreneur, I was asked to provide
assistance to CMS, which was the agency in charge of managing
the development of the new HealthCare.gov including the
Federally Facilitated Marketplace for Health Insurance. I
provided assistance to CMS in a few different capacities.
For example, I served as one of three co-chairs of an
interagency steering committee organized by the Office of
Management and Budget and which focused on providing a neutral
venue in which agencies like CMS, IRS, SSA and others could
work through interagency items, primarily in support of the
Data Services Hub, which ended up going live quite
successfully. I assisted with a Red Team exercise in early 2013
that helped identify actions to improve project execution as
well as some associated follow-on work that summer. From time
to time I helped connect people to each other, served as a
spokesperson of sorts, and provided help on particular
questions.
However, to properly calibrate your expectations of my
knowledge of CMS's initial development of the new
HealthCare.gov and the Federally Facilitated Marketplace, I was
not a project manager who was managing and executing the day-in
and day-out operational work of building the new HealthCare.gov
and the Federally Facilitated Marketplace. This was the
responsibility of CMS. I didn't have the kind of comprehensive,
deep, detailed knowledge of the effort that a hands-on project
manager would have, and which I have had about other projects
in my private-sector work.
I assisted CMS with its work as an advisor while executing
my overall duties as White House Technology Policy Innovation
Advisor working on a broad range of policy issues as I
described earlier.
As the new HealthCare.gov and the Federally Facilitated
Marketplace rolled out in the fall of 2013, as the extent of
operational issues with the site became clear, it became an
all-hands-on-deck moment, and I along with others dropped
everything else I was doing and increased my involvement in
HealthCare.gov dramatically, shifting full time into the
HealthCare.gov turnaround effort and working as part of a tech
surge, which radically improved the performance of the site. I
worked as part of a terrific team working around the clock,
even sleeping on office floors. My particular focus was on
helping to reduce the amount of time the site was down, improve
the site's speed, improve its ability to handle high user
volume, and improve user-facing functionality. Our team effort
drove massive improvement in the site, ultimately enabling
millions of Americans to sign up for health insurance through
the site, many of whom had previously been uninsured.
At the end of the day on April 15, 2014, the last day of
extended special enrollment, I went back to my U.S. CTO day job
of being Technology Policy and Innovation Advisor, and my
involvement in HealthCare.gov accordingly scaled back
dramatically.
As another contextual note, I understand that the
Committee's primary interest has been the security of
HealthCare.gov. I do not have the expertise in cybersecurity
that the professors of cybersecurity and other experts who
previously testified before this Committee have. Responsibility
for the cybersecurity of HealthCare.gov rests with CMS. My
involvement with the security of HealthCare.gov has been rather
tangential. The interagency steering committee I co-chaired had
a privacy and security subgroup but the subgroup was staffed
and led by Agency personnel who occasionally asked the overall
committee co-chairs to help facilitate interagency dialog and
cooperation but who generally drove to the ultimate answers
themselves. There were a small number of other occasions when I
was asked to serve as a spokesperson of sorts--summarizing
general cybersecurity content supplied by CMS and HHS--to
function as a liaison or facilitator connecting people to each
other, or to provide my general thoughts for whatever they were
worth. But, again, I am not a cybersecurity expert.
As a final contextual note, at the end of August of this
year, in order to stay married, I stepped down as U.S. CTO and
returned home to Silicon Valley, fulfilling my wife's
longstanding desire to do so. I continue to serve our country
as a consultant to the White House based in Silicon Valley,
focused primarily on attracting more and more of the best tech
talent in the Nation to serve the American people, which is
important to our vital work as a government to radically
improve how the government delivers digital services and
unleashes the power of technology in general.
Thank you for the opportunity to provide some context for
my testimony today, and I look forward to answering your
questions as best I can.
[The prepared statement of Mr. Park follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Broun. Thank you, Mr. Park, for your testimony.
Reminding members that Committee rules limit questioning to
five minutes, the Chair at this point will open the round of
questions. The Chairman recognizes himself for five minutes.
Mr. Park, let us clarify something. You claim in your
opening statement today that you did not have, to quote you,
``comprehensive, deep, detailed knowledge'' of development,
testing and cybersecurity of HealthCare.gov website and that
you ``assisted CMS with its work as an advisor.'' Yet if you
refer to tab 8 in your binder there, you can read along from
the highlighted sections of one of your subpoenaed emails dated
June 26, 2013, sent to Marilyn Tavener, Michele Snyder and
Henry Chao about ``a deep-dive session with Henry Chao.''
Specifically, you wrote, ``Marilyn, I'm also going to visit
with Henry and team for one of our evening deep-dive sessions
to get up to speed on the latest status of IT and testing.
There's no substitute for an evening deep dive. So I'll bring
healthy food and snacks to Baltimore and camp out with Henry
and team for a few hours.''
Mr. Park, please explain to me how you define ``deep,
detailed knowledge'' and then contrast that with a deep-dive
experience with Mr. Chao and that lasts for several hours.
Mr. Park. Sir, I would be delighted to. So in my private-
sector experience, when you have really deep, detailed,
comprehensive knowledge of a project, that comes from being the
project manager. That comes from being the person who is in
charge of running things, you know what is going on, you know
each axis of what is going on on an ongoing basis, and that is
the role I served in my private-sector life on a variety of
projects but that was not the role I was serving on the
Federally Facilitated Marketplace. That was CMS's
responsibility.
What is happening here is that on a few occasions, I spent
time with the folks who were actually running the project and
asked a series of questions and got information but that level
of knowledge pales in comparison to the really deep, detailed,
comprehensive knowledge that you would have as the project
manager running the thing on an ongoing basis.
Chairman Broun. So you had some supervisory function there.
Mr. Park, do you agree with Health Secretary Kathleen
Sebelius' assessment that the rollout of the website was ``a
debacle''?
Mr. Park. The rollout was unacceptable, sir.
Chairman Broun. Mr. Park, you acknowledge in your opening
statement that you were one of three White House co-chairmen of
the Affordable Care Act Information Technology Exchanges
Steering Committee, and that at least initially met on a
monthly basis. What was your role in these meetings? Would you
say that you were the leader of this White House trio?
Mr. Park. I would say that I was one of the three co-
chairs. It was actually principally led and organized by the
Office of Management and Budget, and the role of the committee
was to focus on providing a neutral venue where agencies could
come together and work on really interagency issues, primarily
in support of the Data Services Hub.
Chairman Broun. Well, on April 11, 2013, in an email sent
at 2:31 p.m.--that is in tab 1----
Mr. Park. Thank you, sir.
Chairman Broun. --of your binder, with the subject
``Coordination on ACA,'' one of the co-chairs, Mr. Steven
VanRoekel, then U.S. Chief Information Officer, expressed his
concerns about your closeness to the Centers for Medicare and
Medicaid Services by writing this: ``CMS has not been inclusive
and is not leading a coordinated effort that will lead to
success. I am also worried that you are getting a too-CMS-
centric picture. I would love nothing more than this not to be
the case, to be assured ACA implementation is on a path we want
to be on, and that existing efforts will deliver what we
want.''
Your response to him sent the same day at 4:58 p.m. states,
``Hey, brother. Thanks so much for the note and the chat! Many
apologies for not staying in tighter sync with you on this.
Will make sure we stay in close sync going forward.''
To be clear, this is the same CMS that the Office of
Science and Technology Policy has told the Committee in various
letters is in a ``far better position to discuss the standards
that are in place for the website.''
You did not deny this closeness to Mr. VanRoekel, and
indeed, your closeness to individuals such as Henry Chao, Chief
Information Officer at CMS, and Michele Snyder, then Chief
Operating Officer at CMS and the number two official, is
evident in the many emails we have seen of your conversations
with them.
If you were not the leader, then why was Mr. VanRoekel
looking toward you for guidance? And if you were so close to
CMS that it concerned your co-chair, then surely you are in
just fine a position to answer our questions about the website
and should have done so a year ago?
Mr. Park. So thank you for the opportunity to discuss this
particular email. As I recall, I think this was precipitated by
the fact that I had assisted, as I said in my opening
testimony, the Red Team exercise CMS had engaged in to
basically assess risks and identify mitigative actions to
mitigate those risks in early 2013. Steve was actually not
involved with that, and he was expressing concern about the
fact that he wasn't synced up and was worried about a variety
of different things.
What I can say, as actually the email says, is that we did
sync up. We were going to, and then I can report that we did
sync up on the Red Team results and recommendations and the
path forward on the steering committee and other items and his
concerns basically were dealt with in a way that was
satisfactory to him.
Chairman Broun. My time is expired. I now recognize Ms.
Johnson for five minutes.
Ms. Johnson. Thank you very much, Mr. Chairman.
Mr. Park, Mr. Broun summarized your explanation regarding
deep dives by saying you had some supervisory responsibilities.
Did you indeed have supervisory responsibilities?
Mr. Park. I would not define it that way. I was an advisor
assisting CMS, but CMS was responsible for delivering the
Federally Facilitated Marketplace and the new HealthCare.gov.
Ms. Johnson. How would you describe your work on
HealthCare.gov during your tenure there as CTO?
Mr. Park. Yes. So we are talking about the new
HealthCare.gov, the Federally Facilitated Marketplace. I will
again describe it as I referred to in my opening testimony. I
assisted CMS in a few different capacities, serving as a co-
chair of this interagency steering committee, focused on
providing a venue for agencies to work together on interagency
issues in support of the hub, assisting with the Red Team
exercise and follow-up to the Red Team exercise that summer,
serving from time to time as a spokesperson, as a liaison, as
someone who could help with particular questions. I began as an
assistant, as an advisor to CMS and certainly not as the person
who was the hands-on project manager running the thing. I was
doing this assistance work as I was fulfilling my much broader
portfolio of duties as Technology Policy and Innovation Advisor
at the White House.
Ms. Johnson. Could you give me a little idea as to what
that broader responsibility for being the Chief Technology
Officer over and above or around or in conjunction with, in
whatever you want to put it, for the dot.gov program for the
health care?
Mr. Park. Yes, ma'am. So as U.S. CTO, my job was to be a
technology policy and innovation advisor at the White House
focused on how can technological innovation help build a
brighter future, create a brighter future for the country and
for the American people. So there was a wide range of
initiatives that I worked on and championed, so you mentioned
one in your opening statement, you mentioned a few, but the
open data policy, open data initiatives work of the
Administration, which really focused on opening up the
information and knowledge in the vaults of the federal
government such as weather data, health data, energy data,
public safety data, et cetera, as machine-readable fuel that
taxpayers had paid for and returning it back to the American
people and American entrepreneurs and American innovators and
researchers to turn into all kinds of incredible new products,
services and companies that help people and that create jobs.
I also was one of the creators and leaders of the
Presidential Innovation Fellows program, which was an effort to
bring in the most amazing technologists and tech entrepreneurs
from outside government and team them up with the best people
inside government to work on projects like Blue Button, which
has enabled well over 100 million Americans to be able to
download copies of their own health information. I did a whole
bunch of work in figuring out how we could tap into the
ingenuity of the private sector to help use the power of
technology to fight the evil of human trafficking, to help
improve disaster recovery and response, and other key
priorities. I worked on policy issues like how do you advance a
free and open Internet, how do you actually massively improve
the supply of and utilization of wireless spectrum, and more.
It is the most amazing experience I have ever had.
Ms. Johnson. It appears to me that though you were a person
that could be asked a question or included in a loop that your
responsibilities were really very broad and really had no key
responsibility toward the HealthCare.gov.
Mr. Park. So there was a chunk of my time that I reserved
for basically being helpful, being an advisor on issues that
came up beyond the initiatives that I was championing or co-
championing. That is the bucket in which I put being helpful to
CMS on HealthCare.gov, which I did try to do in the capacities
that I described.
Ms. Johnson. Thank you very much. I yield back, Mr.
Chairman.
Chairman Broun. Thank you, Ms. Johnson. Now I recognize the
full Committee chairman, Mr. Smith, for five minutes.
Chairman Smith. Thank you, Mr. Chairman.
Mr. Park, thank you for being here today.
Mr. Park. Thank you, sir.
Chairman Smith. As I understand it, you were briefed and
given notice on several occasions that there were problems with
the Obamacare website. So my question is, did you believe that
the website was secure when it was first made operational?
Mr. Park. So I think over the course of any large-scale
digital project, there are issues and challenges that come up,
so----
Chairman Smith. Did you think the website was secure before
it was operational?
Mr. Park. I did, sir, to the best of my understanding.
Chairman Smith. Despite the warnings you got, despite the
briefings you had pointing out the problems, you still thought
it was secure?
Mr. Park. My understanding was that it was.
Chairman Smith. What did you think yourself?
Mr. Park. Again, I am not an expert.
Chairman Smith. Did you discount the briefings and the
notice that you had gotten?
Mr. Park. So which briefings and notices are you referring
to, sir?
Chairman Smith. Well, there was a Red Team, there were
emails, and then other indications that you knew that there
were problems.
Mr. Park. So the Red Team exercise didn't really focus on
security. The Red Team focused on how the project was being
run.
Chairman Smith. The Mackenzie report is what I am talking
about that pointed out the problems.
Mr. Park. Yes, I am referring to the same report, sir. So
it didn't really focused on security, it focus on how the
project was operating and running generally.
Chairman Smith. But they still pointed out problems, and
you still decided that they were not significant enough, I
guess, to put you on notice that it shouldn't be operational?
Mr. Park. So the Mackenzie report again addressed the
general management of the project and talked about----
Chairman Smith. Again, they pointed out the problems but
you discounted the problems?
Mr. Park. Each of the issues, the risks, was tied to an
action to mitigate that risk and deal with that risk.
Chairman Smith. So you think all the risks were addressed
before the website was made operational?
Mr. Park. I think that the risks identified by the Red Team
report, my understanding is that they were addressed.
Chairman Smith. Well, that is amazing because both then and
more recently, all the various studies that were conducted, not
a one found that the website was secure, not a one found that
the website was without risk.
More recently, the U.S. Government Accountability Office
found ``HealthCare.gov had weaknesses when it was first
deployed including incomplete security plans and privacy
documentation, incomplete security tests, and the lack of an
alternative processing site to avoid major service
disruptions.'' This report also finds ``weaknesses remain both
in the processes used for managing information security and
privacy and so forth.''
So you have these outside studies saying that it was not
secure at the beginning and it remains insecure. Do you think
the website is secure today despite all these warnings by
independent, objective entities?
Mr. Park. So CMS is the best source of information about
the detailed security----
Chairman Smith. Do you discount the Government
Accountability Office's review? The language I just read to you
are direct quotes from the GAO.
Mr. Park. So sir, I am not an expert in this arena. I don't
want to comment on something----
Chairman Smith. You said repeatedly that you were an
advisor. As an advisor, do you advise people that the website
is secure today?
Mr. Park. That is not the area where I really concentrated
my advisory work.
Chairman Smith. Well, knowing what you know now, do you
consider the website to be secure today?
Mr. Park. So based on my understanding, I would use it. I
would have family----
Chairman Smith. No, no, I didn't ask you whether you would
use it. That is easy for you to say yes. Do you think the
website is secure today?
Mr. Park. My understanding is----
Chairman Smith. Would you advise the American people that
the website is secure today?
Mr. Park. My understanding is that it is, but again, I
would say that the best----
Chairman Smith. Despite the GAO, despite all these studies,
despite all these reports saying it is not, you still think it
is?
Mr. Park. The best source of information about that is CMS,
and they have a dedicated team----
Chairman Smith. Well, they are obviously biased. They have
got an in-house conflict of interest to say anything else. Do
you discount all these third-party entities, these credible
organizations saying that it is insecure? Do you disagree with
them?
Mr. Park. Sir, again, I would just refer you to CMS for----
Chairman Smith. Like I said, you are asking the people that
developed the plan whether it is secure. What else are they
going to say? I was asking you as an advisor whether you
thought these independent entities' reports were accurate or
not.
Mr. Park. I can't say that I have actually gone through----
Chairman Smith. Okay. My last question is this. Did you
advise the White House at any point or meet with the White
House or brief the White House about Obamacare's roll-out?
Mr. Park. Sir, can you repeat the question?
Chairman Smith. Did you at any point brief the president or
the White House about the Obamacare website before it went
operational?
Mr. Park. So as I can recall----
Chairman Smith. And definitely how many times if you did.
Mr. Park. As I can recall, I gave a briefing to senior
White House officials about the results of the Red Team review
and----
Chairman Smith. How many times did you brief White House
personnel?
Mr. Park. So if you were talking about senior White House
advisors----
Chairman Smith. How many times roughly?
Mr. Park. I can recall two.
Chairman Smith. And during either of those times, if two or
more times, did you ever say anything to them about the
problems that were inherent in the system or about any of the
warnings that you had received?
Mr. Park. So in both the Red Team briefing from early 2013
and then the follow-on in July----
Chairman Smith. Well, again, my question was fairly
specific. Did you alert the White House staff to any problems
with the website?
Mr. Park. So we were very clear, yes, about the risks
identified by the----
Chairman Smith. You did make it clear to the White House
that there were risks?
Mr. Park. That there were risks and here are the actions to
mitigate those risks.
Chairman Smith. But the actions had not been taken yet or
that they had been taken yet?
Mr. Park. Well, the actions at the time we identified the
Red Team risks, we presented both the risks and the actions,
and then in July we said that the actions had been taken.
Chairman Smith. Okay. So you notified the White House of
the risk and then you came back later and said that you had
limited those risks even despite outside entities saying that
there were still problems?
Mr. Park. So this was specifically on how the project was
being run, so--and again, just to be super clear, I briefed on
the Mackenzie work to senior White House officials that there
were risks that needed to be dealt with, and then there were
actions that were needing to be taken to mitigate those risks.
Chairman Smith. Okay. Thank you.
Mr. Park. --and then----
Chairman Smith. That answered my question. Thank you, Mr.
Park.
Thank you, Mr. Chairman.
Chairman Broun. Thank you, Chairman Smith. I now recognize
Mr. Peters for five minutes.
Mr. Peters. Thank you, Mr. Chairman, and thank you for your
service on the Committee. It has been a pleasure to serve with
you and I wish you the best going forward. Thank you.
There has been some suggestion and some discussion on the
security of HealthCare.gov in reference to a hack over the
summer, and it is not necessarily true that that means that the
site is insecure. HHS worked with the Department of Homeland
Security to analyze the effects of the package found on the
site, and according to the Director for U.S. Computer Emergency
Readiness at DHS, this type of malware is not designed to
extract information. There is no indication that any data was
compromised as a result of the intrusion.
I would like, Mr. Chairman, unanimous consent to enter into
the record a letter from Ms. Tavener to Congressman Issa of
November 14, 2014, in which Ms. Tavener states that no one has
maliciously accessed personally identifiable information from
HealthCare.gov.
Chairman Broun. Hearing no objection, so ordered.
[The information appears in Appendix II]
Mr. Peters. Thank you.
Thank you, Mr. Park, for being here. In your testimony, you
mentioned that you were not the project manager of
HealthCare.gov but you functioned as the project manager for
other projects when you were in the private sector. Is that
correct?
Mr. Park. Yes, sir.
Mr. Peters. Since my colleagues have suggested that you
were the project manager of HealthCare.gov or functioned as
such, I thought it would be helpful to discuss the kinds of
activities that a project manager does. And you founded
Athenahealth with Jonathan Bush, incidentally, the cousin of
former President George Bush, is that correct?
Mr. Park. Yes, sir, my best friend.
Mr. Peters. Athenahealth provides healthcare practices with
services including cloud-based medical billing and electronic
medical record services, which aims to make healthcare more
efficient and effective, correct?
Mr. Park. Yes, sir.
Mr. Peters. Since you built the company, can you describe
what was involved in creating the company from the ground up?
What tasks were involved with developing a new IT company?
Mr. Park. Thank you, sir.
So as I think others who have had similar experiences would
share, you know, it is a big, complex undertaking. You put
together the best team that you can. You raise initial money.
You put together the best plan you can but understand that that
plan is likely to survive about 17 seconds of contact with
reality. You put together an initial prototype as fast as you
can of your product to try to figure out, you know, based on
actual customers using it, what the real issues are and real
opportunities are and then you iterate the plan, you iterate
the product, you iterate execution constantly, right----
Mr. Peters. Right.
Mr. Park. --and it is an all-consuming thing and you have
in your head each key axis of effort, how conditions are
changing, how plan, product execution are changing constantly--
--
Mr. Peters. Is it fair then----
Mr. Park. --and balance all of that together.
Mr. Peters. Is it fair then to say when you are on the
project management, you are very hands-on? At athena you had a
comprehensive, deep understanding of the efforts, very detailed
knowledge of the projects and products based on your day-to-day
engagement?
Mr. Park. Absolutely.
Mr. Peters. Okay. So what is the difference between that
role at Athenahealth and the role you played with respect to
the healthcare marketplace as CTO and the government?
Mr. Park. It is night and day, sir, as I think anyone who
has built a company or led a large initiative would tell you. I
again did advise and assist CMS in a few different capacities,
as I described in my testimony and earlier--in testimony and
earlier.
The--but again, it is just--it is very different from being
the project leader, the project manager, actually running the
day-to-day and having the kind of comprehensive, detailed,
multi-axis knowledge that you have in that context.
Mr. Peters. In one of the emails that the Committee has
provided, you describe yourself as a consigliore. Is that kind
of what you mean, as an advisor?
Mr. Park. As an advisor, yeah.
Mr. Peters. Okay. I want to--I do think that--it strikes me
that the role of project manager is fairly well-defined as
being different from what you were doing. I think that is
pretty clear.
I just offer, too, that one of the mistakes we make here in
Congress is pulling people out of the bureaucracy and beating
them up when we are all really trying to get the same place. We
would like to get our government to be functioning--a
healthcare website that is functioning. And I am--I would just
observe that I have seen this in the Armed Services Committee,
too. We are trying to get the best technology people we can to
come work for the government, and in the federal--in the
defense side we have a great need for cyber warriors and we
have to be very sensitive about how we treat people like you
and like those folks who can be in the private sector making
much more money but who are willing to give up their time, to
delay their careers, to step out of them and to help the
government.
And I want to thank you for your service. I want you to
know that I appreciate it and I hope you are able to help
continue to recruit the very, very best to come help us in this
effort and other efforts throughout the government.
Thank you, Mr. Chairman, and I yield back.
Mr. Park. Thank you, sir.
Chairman Broun. Thank you, Mr. Peters.
Now, I recognize Mr. Sensenbrenner for five minutes.
Mr. Sensenbrenner. Thank you very much, Mr. Chairman.
Mr. Park, when you testified before the Committee on
Oversight and Government Reform, you repeatedly claimed
ignorance about any issues with HealthCare.gov prior to the
website's launch. You testified that you had ``no detailed
knowledge base of what actually happened pre-October 1.'' You
further testified that you were not deeply familiar with the
development and testing regimen that happened prior to October
1.''
But the email record tells a very different story. On June
11, you emailed staff at CMS asking to ``check in on how things
are going with respect to Marketplace IT development and
testing.'' On June 26, you said you would visit Henry Chao of
CMS and his team for ``one of our evening deep-dive sessions,''
and on July 12, Henry Chao referenced a briefing that you were
doing for the President. If you were preparing to brief the
President and doing deep-dives with CMS staff in June and July
2013, how can you claim to have no knowledge of issues prior to
October 1 of that year?
Mr. Park. So thank you for the opportunity to answer your
question.
So what I said at the hearing last November was I didn't
have really detailed knowledge--a really detailed knowledge
base, if I recall correctly, of what actually happened in the
run-up to October 1. And as I have described previously, when I
say ``really detailed knowledge base of what actually
happened,'' that is the kind of knowledge that comes from being
the hands-on project manager running the thing and not the kind
of knowledge that one would have as an assistant advisor who,
on a series of occasions, meets with the people who are running
the thing and asks questions. So that is what I would say.
Mr. Sensenbrenner. Well, obviously on the June 11 email,
where you said you were going to check in on how things were
going with respect to marketplace IT development and testing,
you just didn't ask that question out of the blue. Obviously,
you decided to try to check up on this. And then I don't know
what goes on at deep-dive briefings. I imagine that there is
quite a bit of detail that goes on. But I guess it kind of
boggles my mind that if you didn't know the detail of that, why
were you asked to go and brief the President? Wasn't he
interested in really the detail of what was going on, not just
whether it was going well or not?
Mr. Park. Could you just refer me again to the email you
are talking about?
Mr. Sensenbrenner. Okay. I referred to two emails. You
emailed the staff at CMS to check in on how things were going
with respect to marketplace IT development and testing, and
then on June 26, two weeks and a day later, you said you would
visit Henry Chao and his team for an evening deep-dive session.
Mr. Park. Could you just refer me--I am so sorry--for the
tabs in the binder?
Mr. Sensenbrenner. I don't know if you have the same binder
I have.
Mr. Park. I see.
Mr. Sensenbrenner. This is the tab on the deep-dive
session, number 8.
Mr. Park. Okay. So, again, just speaking to this session,
the difference between the really detailed knowledge base that
you have as a hands-on project manager and the knowledge that
you have from asking people on the project a set of questions
over the course of a few hours is, again, just night and day.
And also I think to address something you asked earlier,
the--as I recall, the trigger event for the check-in that you
described was to follow up on the Red Team recommendations with
respect to how the project should be managed and make sure
those recommendation had been implemented by CMS. And so that
was the trigger event for the inquiry.
Mr. Sensenbrenner. Well, you denied involvement in your
testimony before the OGR Committee, but obviously you were
involved because you asked how things were going, then you
asked for a deep-dive briefing and you came in to brief the
President on this. It seems a complete disconnect between you
claiming ignorance and the information you did get filled you
in and you certainly weren't ignorant. How can you say that
when you came in to brief the President, you briefed him from a
base of ignorance?
Mr. Park. So, again, just to respectfully disagree with
something you said earlier, I don't believe I have said----
Mr. Sensenbrenner. Um-hum.
Mr. Park. --to the Committee last November that I had no
involvement whatsoever. What I said was I didn't have a really
detailed knowledge base of what actually happened in response
to a question about something or other. So--but, again, the
point I wanted to make was that I didn't have that level of
really detailed knowledge. I did have the kind of involvement
that I described in my testimony earlier.
Mr. Sensenbrenner. Well, my last question is what did you
tell the President about HealthCare.gov when you briefed him?
Mr. Park. So at the Red Team briefing in early 2013 and
then in the follow-up, as I recall, the gist was here are the
Red Team recommendations in terms of the risks identified and
what to do about them, and then in the follow-up in the summer,
as I can recall, the briefing again to senior White House
officials was that CMS implemented the key Red Team
recommendations.
Mr. Sensenbrenner. Did you brief the President or senior
White House officials or was somebody other than the President
there?
Mr. Park. At those two meetings, as I recall, the President
was there.
Mr. Sensenbrenner. Thank you.
Chairman Broun. Thank you, Mr. Sensenbrenner.
I now recognize Mr. Cramer for five minutes.
Mr. Cramer. Thank you, Mr. Chairman, and thank you, Mr.
Park.
Mr. Park, I want you to look at tab 5 in the binder if you
would, please.
Mr. Park. Thank you, sir.
Mr. Cramer. Um-hum. So this is an email that has become a
little bit famous today. It is an email from Michelle Snyder to
you dated September 29, 2013, posted at 6:22 p.m. In this
email, which, by the way, ends by her asking you to delete it,
she writes, ``just so you know, she decided in January we are
going no matter what, hence the really cruel and uncaring march
that has occurred since January when she threatened me with a
demotion or forced retirement if I didn't take this on. Do you
really think she has enough understanding of the risks to fight
for a delay? No, and hell no. For just one moment let's be
honest with each other.''
Now, Mr. Park, it is a reasonable inference that the
``she'' in the email is Marilyn Tavenner because Ms. Snyder is
responding to an email from you to her that same day at 5:54
p.m. that says ``MT said that she appreciates the additional
info we will generate tonight, but that she and she alone will
make the decision to go or not.''
Mr. Park, what were these risks that Ms. Snyder referenced
in her email that she asked you to delete?
Mr. Park. So at the time what I recall I was doing was
helping CMS basically get hardware--additional hardware in
place to provide additional server capacity for the federally
facilitated marketplace, and that was the issue that we were
talking about.
Mr. Cramer. So the risk was there wasn't enough hardware?
In other words, you testified that you thought everything was
ready to go, that you were confident. This is September 29. I
mean the risk was hardware?
Mr. Park. So the risks I think that are being referred to
in this email is that based on what we had been talking about
where I had been asked to be helpful, and the hardware did
actually get to where it needed to go in an operation that
worked pretty well.
Mr. Cramer. In this same email chain, about three hours
earlier, she asked you this question--which is, by the way,
located in tab 6.
Mr. Park. Oh, thank you, sir.
Mr. Cramer. Sure. She asked a series of questions, but one
of them is ``should we go live on October 1?'' Now, again, I
remind you this is September 29 so she is asking pretty close
should we be going live on October 1?
Mr. Park. I am sorry, who--what--could you just say that
one more time? So who is asking who?
Mr. Cramer. So in--it is the same email chain you asked
Ms.--I am sorry, you asked Ms. Snyder a series of questions,
one of which is should we go live on October 1. So when you
asked her that question, obviously you had some concern it
would seem to me earlier that day about whether they should
even go live.
Mr. Park. So, again, as I recall as I am looking at the
email, I was suggesting a set of questions for her to think
about as an advisor, and again, this was really again focused
on the task of getting the hardware in place----
Mr. Cramer. Did you ask the same question of anyone else?
Whether it was Henry Chao or maybe somebody in the White House,
Marilyn Tavenner, or was this just between you and Ms. Snyder?
Did you raise this question with other people that might be in
a position to do something more about it?
Mr. Park. So I think Michelle was actually, as I recall,
pretty central to us, and so I was injecting this set of
questions as questions I thought that would be good for CMS to
think through in the run-up.
Mr. Cramer. Some of these risks that Ms. Snyder was
raising, did you ever share them? Because clearly there is this
confidence, it appears, between you and her. She references in
other parts of the rant probably or possibly losing her job if
she raises these risks with the wrong people. In fact, she did,
of course, announce her resignation not too long after all of
this.
What I am trying to get at is that as an advisor, was your
advice only given to this one person or to others higher up the
chain? I mean considering that earlier you testified that you
did of course brief the President himself. Was there other
concern raised by other people to these risks that seem to be
so central between you and Ms. Snyder?
Mr. Park. So with respect to what we are talking about
here, which, as I recall, are risks associated with not having
enough server capacity the CMS senior management team, Office
of Health Reform at the White House were following what was
happening very closely.
Mr. Cramer. And that gave you all the confidence in the
world, that extra server space? That was all that was
necessary----
Mr. Park. Well, the specific question that I got asked to
be helpful on was getting hardware to the data center for
additional server capacity, and that operation did end up being
successful as I recall.
Mr. Cramer. All right. My time is expired, Mr. Chairman.
Thank you.
Chairman Broun. Thank you, Mr. Cramer.
Now, I recognize Mr. Posey for five minutes.
Mr. Posey. Thank you, Mr. Chairman.
Mr. Park, in an email chain with the subject heading ``How
serious are you about using Homestead Air Force Base to get the
equipment to Culpepper,'' this is dated September 28, 2013. It
is located in your tab 12.
Mr. Park. Thank you, sir.
Mr. Posey. You and Mr. Henry Chao worked with Mrs. Laura
Fasching from Verizon Terremark to discuss several last-minute
options to transport some hardware or computer equipment by
either private ground, private jet, cargo, or even Air Force
jets.
For someone claiming to not have a detailed knowledge base
of what actually happened pre-October 1, you seem to be all-in
on a lot of aspects of operations related to the HealthCare.gov
website. So, I am wondering whose idea it was to procure the
equipment, and what the need was for spending $40,000 of
taxpayers' money to transport computer equipment by plane?
Mr. Park. So, first of all, thank you for the question.
Just to clarify, when I say really detailed knowledge base of
what actually happened prior to October 1, I am not talking
about like one narrow aspect of what happened; I am talking
about the full breadth of what happened over the course of the
project. And as I have said, I did assist and advise CMS in a
few different capacities. This was one where what happened is
CMS contacted me, as I can recall, and said we think we have,
long story short, a need for additional hardware to get to the
data center, and they were the ones who teed up the notion of
potentially a military option. And I volunteered to help look
into that for them.
Mr. Posey. Okay. Is it routine for a White House official,
or actually, an assistant to the President, as you were at the
time, to be engaged in last-minute discussions with a
contractor about the delivery of computer equipment? Why and
how did you get involved in that?
Mr. Park. So my style is to try to help in every way I
possibly can, and so I got asked to help with this and I threw
myself into trying to help. And although the military option
ended up not being used; it didn't have to be used; there was
private transport, the operation to get hardware there worked
out.
Mr. Posey. It sounds like a pretty detailed knowledge base.
Mr. Park. Not of the whole project and how it was working.
This is one very specific, very narrow aspect and one episode
in time.
Mr. Posey. You also appear to be the point of contact for
most interactions with technology companies and people such as
Palantir, Red Hat, Alex Karp, MITRE, and even Gartner, a
company used to help with the Administration's messaging on
HealthCare.gov around the time of a Committee on Homeland
Security hearing on September 11, 2013. In fact, a Gartner
analyst provided a quote that the statements made in a CMS
letter to the Ranking Member of Homeland Security Committee
``represent current best practices for the protection of
sensitive and regulated data and systems.'' That is in tab 14.
Mr. Park. Oh, thank you, sir.
Mr. Posey. I am wondering how often did you reach out to
such companies or people to talk about aspects of the
HealthCare.gov website for either PR purposes or technical
purposes?
Mr. Park. Not that often, as I can recall. But on the
several occasions, yes.
Mr. Posey. And what others do you recall?
Mr. Park. Well, so you mentioned this one. I can speak to
Red Hat. So what happened there was that CMS asked me to be on
the phone with them as they asked for additional Red Hat
resources to be applied and just to communicate that this was a
top priority of the government, which I volunteered to do.
I can talk to the Palantir example. So they are--you know,
as part of my role as a facilitator, I connected Palantir to
CMS to have a discussion at a high level about cybersecurity.
Mr. Posey. That is a little bit beyond the scope of
advisory, though, wouldn't you think?
Mr. Park. Not in my experience, no.
Mr. Posey. Okay. Arranging contractors to get together
and----
Mr. Park. No, we actually--it is assisting, as I have said,
in a few different capacities.
Mr. Posey. What did they have to say about the website? Did
they ever provide feedback to you on the security aspects of
the website?
Mr. Park. So as I can recall, the Palantir conversation, I
think the experts said here is what you should be thinking
about, and CMS said that basically accords with what we are
thinking about. So that was what I recall of the call.
Mr. Posey. And that is the only time you are aware of any
security issue at all?
Mr. Park. Again, and that call basically it was a very
high-level call and Palantir said just kind of not with any
particular knowledge of HealthCare.gov but here are the kind of
things that represent cybersecurity best practices and CMS
said, yes, that makes sense; that is what we are thinking, too.
Mr. Posey. Yeah. You had mentioned that you would use the
website. Just out of curiosity, are you enrolled in ObamaCare?
Mr. Park. I am not but I continue to get my insurance
through the Federal Government. But my tour of duty in
government, which has been the greatest experience of my life,
will at some point end and then I am very excited about
enrolling in Covered California, which is the marketplace in
California, when I do roll off.
Mr. Posey. Yeah. The people who wrote the bill aren't in it
either so don't feel bad about that.
My time is expired, Mr. Chairman. Thank you.
Chairman Broun. Thank you, Mr. Posey.
Now, Mr. Johnson from Ohio, you are recognized for five
minutes.
Mr. Johnson. Thank you, Mr. Chairman.
Good morning, Mr. Park.
Mr. Park. Good morning, sir.
Mr. Johnson. You and I share something in common. My
background is thirty years in information technology. I have
never been a Chief Technical Officer, but I have certainly been
a Program Manager, Project Manager, Chief Information Officer,
and even had Chief Technical Officers work for me.
Mr. Park. God bless you.
Mr. Johnson. Yeah. So I certainly understand from where you
come. And I must confess to you, Mr. Park, that I find it a
little bit disingenuous that you would qualify or classify your
role in all of this as simply an advisor.
In 2008, when the President issued a position paper on the
use of technology in innovation, he talked about standing up
the Nation's first Chief Technology Officer. And to quote from
what came directly from at that time the campaign website it
said that ``the CTO will ensure the safety of our networks and
will lead an interagency effort working with the Chief
Technology and Information Officers of each of the Federal
agencies to ensure that they use best-in-class technologies and
share best practices.''
In November of 2008, the President reiterated his
intentions, and again quoting from the President-elect's
website that he would ``appoint the Nation's first Chief
Technology Officer to ensure the safety of our networks.''
Before that, it said ``ensuring the security of our networks.''
So whether you envisioned your role being an advisor, the
President said you were responsible. That is what ``ensuring''
means. As a CIO, and as a Project Manager, I know what
``ensuring'' means. It was your job to ensure the safety and
security of those networks, at least according to what the
President was telling the American people.
So I want to go to your role as the co-Chair of the ACA IT
Exchange Steering Committee. If I look at the charter that set
that up, one of the responsibilities in there is to direct the
formulation of workgroups to identify the barriers and
recommend fixes and those kind of things, and two of those
working groups were directly related to data-sharing and
privacy and security harmonization. What was your role then as
the co-Chair? You either misrepresented your knowledge of
cybersecurity to the President or you didn't do your job. Which
was it?
Mr. Park. So thank you for the opportunity to address I
think a couple different questions embedded in there. And I
respect your service as technologist, sir, to the country.
So the position of U.S. CTO has evolved quite a lot I think
over the years. And what I can represent is what I did in the
role, and cybersecurity ops for the Federal Government has very
much not been part of my role.
Mr. Johnson. I don't want to use the whole time just
pontificating, Mr. Park. When you were with Athenahealth, was
cybersecurity a part of what you considered important in
standing up that cloud-based system?
Mr. Park. Sure.
Mr. Johnson. It was?
Mr. Park. Um-hum.
Mr. Johnson. Okay. On September the 2nd of 2013, you sent
an email to Christopher Jennings. It said, ``Hi, Chris. Here
are the cybersecurity background points for you. The first
three are the points CMS put together previously, which I am
sure you have already seen. They are followed by a couple of
points about next steps currently underway.'' So are you trying
to tell this Committee that you knew nothing about the security
failures and the security risks associated with HealthCare.gov?
Mr. Park. Would you mind just pointing me to the email that
you are referencing? I think it is----
Mr. Johnson. I am not sure where it is in your tab, but I
have got it here. I don't know where it is in your tab.
Mr. Park. Well, okay. Let me just speak to the episode that
I think you are talking about, but long story short because I
know we have very little time left, so the content that was put
together for Office of Health Reform on cybersecurity was
content supplied by CMS and HHS.
Mr. Johnson. But, Mr. Park, there you are being
disingenuous again. You are the Nation's CTO appointed by the
President to ensure the safety and security of our networks.
You can't just say this was CMS's responsibility. And let me
remind you that you can delegate responsibility to people that
do the actual coding, to Project Managers and Program Managers,
but you can't delegate accountability.
Mr. Park. So again, sir----
Mr. Johnson. And you were responsible. You are accountable
to the President and to the American people. Now, you have
testified this morning that you briefed the President several
times. Did you ever once tell the President that you had
concerns about the security of the system in your role as Chief
Technical Officer and co-Chair?
Mr. Park. So, again, to go back to I think a fundamental
misunderstanding, in my role as U.S. CTO I haven't been--the
cybersecurity operations hasn't been a focus----
Mr. Johnson. But it was as co-Chair of the Steering
Committee. It was clearly in the charter, the co-Chair of the
Steering Committee. You did have that responsibility.
Mr. Park. I was co-Chair on a--one of three co-Chairs on a
committee organized by OMB and there was a privacy security
subgroup, as you have mentioned.
Mr. Johnson. But----
Mr. Park. That was staffed and led by agency personnel and
was really self-propelled and driven by them. The point of us
as co-Chairs was to provide a neutral venue where they could
get together to do that work.
Mr. Johnson. Well, that is not my reading of the charter,
but my time has expired, Mr. Chairman, and I will yield back.
Chairman Broun. Thank you, Mr. Johnson.
Now, I recognize my friend Eric Swalwell for five minutes.
Mr. Swalwell. Thank you, Mr. Chairman.
I also would like to take a moment to thank you for your
service and you served two years as Ranking Member and four
years as Chairman of this Committee and you have always
conducted yourself and your chairmanship with dignity and
courtesy. And I know Mr. Maffei has also shared that with me
privately. And so I wanted to thank you for that.
Today may be a day of disagreement but I sincerely believe
that if we conduct this hearing fairly, as we have in the past,
that we will emerge as a more--we will emerge with a better
understanding of what Mr. Park did and, most importantly, did
not do with respect to HealthCare.gov.
Fairness is particularly important because this hearing has
the feeling quite frankly, as a former prosecutor, of a trial,
and the only witness before us is Mr. Park. The title of the
hearing implies that we are going to examine his involvement in
the development of the HealthCare.gov website, but most
significantly, a staff report released by you, Mr. Chair, and
Chairman Smith on October 28 functions as a prosecutor's
memorandum that makes very damning allegations regarding Mr.
Park's honesty before the Committee on Oversight and Government
Reform and Dr. Holdren's candor in his replies to this
Committee regarding Mr. Park's involvement in cybersecurity. As
a former prosecutor, I believe that allegations made against
Mr. Park can place him in legal jeopardy. He deserves a chance
to tell his own story and put these allegations to rest and I
believe he can do that.
Mr. Park is a successful entrepreneur in the IT world who
took a break from developing successful companies to come to
Washington, D.C., to help the government and the country think
of creative ways to use information technology to improve our
economy and address important social problems. He is a patriot
and he is a son of immigrants who have played their own role in
keeping the American economy vibrant and expanding. Mr. Park's
parents, I understand, are here today, as is his wife, as is
his pastor and friends from the IT business world.
I mention this to remind all Members to not confuse their
feelings towards the Affordable Care Act with Mr. Park as a
person. He served the public and did his best and should be
thanked for his contributions. In fact, Mr. Park has returned
to the Bay area, and I know people personally who have been
contacted by Mr. Park who he is trying to recruit to bring
bright, young, innovative stars to the IT world and to take a
break from the multimillion dollar contracts that they have in
Silicon Valley, come out to Washington, D.C., and try and solve
problems. I cannot imagine that this helps him make that case.
In fact, this probably makes it much harder for him to make
that case, to go through a process like this.
I have reviewed a minority staff report, which I ask to be
made part of the record, built on a complete review of the
documents produced by the White House. The staff makes a very
strong argument supported by White House documents that Mr.
Park did not have a deep, direct, or intimate involvement in
any of the work of developing the online marketplace launched
on October 1, 2013, or the cybersecurity standards and
techniques used for the site. If he was playing such a role,
there should be monthly progress reports from contractors that
show progress against deliverables and requirements, costs of
work, a critical path analysis that identifies where problems
threatened the successful launch, and a discussion of the
integration process for the site across an army of contractors
on the project.
None of these documents have been produced because Mr. Park
was not the day-to-day manager on the project. Nor are there
any kind of documents that any of the contractors produce doing
the actual work could possess, which would result or include a
discussion of code, performance, and testing results. Those
documents can be found at CMS, which managed this complex
acquisition among the contractors.
I believe that Mr. Park's job was about trying to push
technology, and the record and evidence supports that,
technology throughout all levels of the country to improve our
competitiveness and quality of life. As just one example, Mr.
Park drove an initiative to find innovative methods to use IT
and big data to combat human trafficking. I don't think there
is any Member who favors human trafficking. That is about as
nonpartisan as an initiative as you can get. Mr. Park was
working full-time in a much wider swath of issues and areas
than HealthCare.gov. Members, I hope, will not lose sight of
that and get tunnel vision about Mr. Park simply because we
have such a narrow set of records.
I believe that if Mr. Park is given a fair chance, a fair
opportunity to answer questions here today, that Members on
both sides of the aisle will conclude that Mr. Park was not a
principal actor in the development of HealthCare.gov prior to
October 1, 2013, and had no role in developing cybersecurity
standards or techniques for the website.
Mr. Park, I am going to apologize to you now for the way
you have been treated and I am hopeful that you will get
apologies from the Chairman and other Members by the end of
this hearing.
Thank you, Mr. Chair.
Mr. Swalwell. And, Mr. Chair, I understand that the Chair
will yield to me five minutes of questions, which I also
appreciate.
Chairman Broun. And you are recognized for five minutes for
questions.
Mr. Swalwell. Mr. Park, you are not a cybersecurity expert,
are you?
Mr. Park. I am not.
Mr. Swalwell. Mr. Park, the White House provided several
emails from you to CMS relating to cybersecurity. Was there
ever a time where you were writing to CMS to give them
direction on cybersecurity standards, design, testing, or
tools?
Mr. Park. Not that I can recall, no.
Mr. Swalwell. When you wrote to CMS, Mr. Park, about
cybersecurity, you were doing it because someone at the White
House had asked you to gather information, whether for a
briefing or meetings or to use as a press event for the White
House, is that correct?
Mr. Park. Correct.
Mr. Swalwell. When Dr. Holdren wrote to this Committee that
``Mr. Park and OSTP personnel have not been substantially
involved in developing or implementing the federally
facilitated marketplaces security measures;'' and ``Mr. Park is
not a cybersecurity expert. He did not develop or approve the
security measures in place to protect the website and he does
not manage those responsible for keeping the site safe.'' Is
every element of the statement made by Dr. Holdren that I just
read correct?
Mr. Park. Yes, sir.
Mr. Swalwell. Henry Chao ran the website development for
CMS and Mr. Chao told the White House--told the House Oversight
and Government Reform Committee that he did not run the
cybersecurity side of development. With 100 percent confidence
do you know before October 2013 who was in charge of
cybersecurity on this process?
Mr. Park. I believe it was Tom Shankweiler, but I am not
100 percent sure he was the leader.
Mr. Swalwell. Henry Chao, who was doing the day-to-day
management of the development of HealthCare.gov, was
interviewed by the staff of the House Oversight and Government
Reform Committee. He was asked if you Todd Park played a
management role and replied that--this is Mr. Chao's words--you
``didn't own anything meaning he didn't have the budget, the
staff, the contractors, so the day-to-day management really
still falls to the operating agencies.'' Is this an accurate
statement, Mr. Park?
Mr. Park. Yes, sir.
Mr. Swalwell. Were you a manager on the HealthCare.gov
website?
Mr. Park. I was not a hands-on project manager, sir, as I
have described. I did assist in particular ways that I have
testified to earlier.
Mr. Swalwell. Did you have any control, authority over
budgets, staff, or contractors?
Mr. Park. No, sir.
Mr. Swalwell. And you asked Mr. Chao about attending the
July 19 Readiness Review, which was to be an end-to-end review
with all of the contractors about the state of the program.
Initially, Mr. Chao said yes. Then you mentioned in an email to
Michelle Snyder, Mr. Chao's supervisor, that you were going to
be a ``fly on the wall at the event.'' And then Ms. Snyder
responds that ``flies on the wall are seldom invisible and are
often distracting.'' Then Mr. Chao writes a letter that the
review is not the place for an observer. Did you go to this
meeting?
Mr. Park. I do not.
Mr. Swalwell. You spoke with Mr. Chao and Ms. Snyder about
getting a walk-through of the live website system as it was
developing in mid-July. People are alleging that you were
deeply involved in the implementation and development of the
site so I assume that you got that walk-through very quickly?
Mr. Park. As I recall, I believe the walk-through ended up
happening with me and other officials in early September.
Mr. Swalwell. Now, was that a walk-through that was
exclusive to you or were there other officials present?
Mr. Park. Other officials were present.
Mr. Swalwell. Those managing or directing multibillion-
dollar developmental projects always get a core set of document
to track progress. Usually, it is in the form of a monthly
report from contractors that show their performance on
requirements, the dollars spent, the value achieved, and the
critical path issues. Without these detailed reports, Mr. Park,
is it possible to have a detailed knowledge of how a project is
going at an on-the-ground level? And if so, did you have any
reports that would inform you on this?
Mr. Park. You need those kinds of reports, and frankly, you
need more. You need to be on the ground.
Mr. Swalwell. And were you on the ground?
Mr. Park. No, sir.
Mr. Swalwell. Did you have those reports?
Mr. Park. No, sir.
Mr. Swalwell. Mr. Chairman, being a spokesperson or
collecting talking points for a briefing does not translate
into intimate involvement in the development and testing of the
website. Mr. Park was not managing the acquisition, he was not
directing the development or designing the cybersecurity
system, and he sure as heck was not a contractor down in the
trenches writing code, which I think is pretty apparent from
his testimony. He was the Chief Technology Officer of the
United States with the broad portfolio ranging from human
trafficking to other important technology advising, and he did
a lot more work with that portfolio than any two normal people
could pull off. But at some point the actual evidence has to
guide our opinion of Mr. Park, which is that he was not
intimately involved in the development of HealthCare.gov.
And I yield back.
Chairman Broun. Thank you, Mr. Swalwell.
And you remind me that, without objection, we will enter in
the record our own majority staff report.
[The information appears in Appendix II]
Chairman Broun. Without objection, the Chair recognizes Ms.
Bonamici for five minutes to ask questions.
Ms. Bonamici. Thank you very much, Mr. Chairman, and thank
you for allowing me to participate in this Subcommittee
hearing. Even though I do not serve on this Subcommittee and do
serve on the full Committee, it is an area of interest to me
and I am glad to be here today. And I want to thank Mr. Park
for being here and withstanding this line of questioning that
frankly concerns me. I want to align myself with the remarks
made by my colleagues Mr. Peters and Mr. Swalwell.
When we have someone who has come and given so much to this
country from the private sector and done so much, we want to
make sure that we send a message to the American public that we
appreciate your sacrifice and all of your hard work, Mr. Park.
And I would imagine that when you said yes when you were asked
to come and serve your country, you never imagined that you
would be sitting in a Subcommittee hearing with what appears to
be a game of gotcha about a whole series of emails.
So I want to start by, again, saying thank you so much for
your service. As someone who represents a district in Oregon
with a lot of high-tech industry and innovation, I appreciate
all you have been doing and understand that the drive for IT
innovation to improve service delivery is something that we can
all benefit from, so thank you for your expertise.
Mr. Park. Thank you, ma'am.
Ms. Bonamici. You are welcome. And apologies for perhaps
being a bit repetitive on some of these issues, but I just want
to make sure a couple of things are clear and that is what
happens when you go last is that sometimes you sound like you
are being repetitive.
But I know that the title on the majority's report says
something about ``knowingly put Americans' sensitive
information at risk.'' And that is the title of the report. So,
Mr. Park, did your interactions with the Administration
personnel working on HealthCare.gov give you any cause to worry
that they would knowingly put Americans' sensitive information
at risk?
Mr. Park. Not that I can recall, no.
Ms. Bonamici. Thank you and I understand from the documents
that were provided to us by the majority, what we have been
looking at here is numerous emails that were exchanged with
members of the Administration and officials on the subject of
HealthCare.gov, but what we have not seen is what must be many
emails that you have exchanged with them on other efforts that
occupied your time. I know, for example, that you worked on the
ConnectED initiative, and given my role on the Education
Committee, I am grateful for your efforts with that as well.
So we heard about a couple of other areas that you worked
on but I understand that you oversaw at least 15 initiatives,
including HealthCare.gov. So would you care to tell us a little
bit about a few of those others just so we can understand the
breadth of what you were doing?
Mr. Park. Sure. And just to be specific, I think the 15 you
are referring to, these are initiatives that I was either
championing or co-championing. That didn't include
HealthCare.gov. Advice and assistance to HealthCare.gov was
something I classified into a chunk of my time that was set
aside for reacting and helping on issues as they arose.
But in terms of the 15 or so initiatives that I was
directly helping to drive, as I described earlier, they
included open data initiatives to help unlock the power of the
data inside the Federal Government by making it available in
machine-readable form for the public so that entrepreneurs and
technologists could grab it and turn it into all kinds of
incredible services and products and improvement in life and
jobs, much as the National Weather Service's release of weather
data has really powered all kinds of innovation in weather and
jobs as a result.
I championed a set of initiatives, as has been described,
to do things like harness the power of private sector
technologists and innovators to help fight the evil of human
trafficking, rallying innovators to build tools that could help
with that. I similarly did the same thing to help improve
American disaster recovery and response. I worked on policy
initiatives like how to advance a free and open internet, how
to actually share wireless spectrum more efficiently and
effectively across the country as demand for spectrum continues
to increase significantly.
I was a cofounder of the Presidential Innovation Fellows
Program that brings in amazing technologists from the private
sector to work with the best technologists in government on all
kinds of exciting initiatives like Blue Button and Green Button
to help Americans get access to their own health data, their
own electricity usage data, and more.
Ms. Bonamici. Well, thank you. And I think we get a sense
from that of many of the areas where you do have expertise and
where you did serve our country. And I want to suggest that the
time on the Science Committee would have been much better spent
on talking about some of those issues like open access, like
innovation in healthcare technology rather than trying to get
you to say that you are an expert on cybersecurity, which
obviously from everything that I have read and seen and heard,
you are not on this issue.
So thank you again for spending your time here. Thank you
for your service. And I hope that we can have you come back
sometime and talk about those areas that the public would
really be interested in hearing about. That to me, Mr.
Chairman, would be a great use of Science Committee time.
Thank you again, Mr. Park, for your service.
Mr. Park. Thank you, ma'am.
Chairman Broun. Thank you, Ms. Bonamici. Your time is
expired.
Before we adjourn, I would like to give myself some leeway
as Chairman of this Subcommittee for the last time with one
last question for you, Mr. Park.
Mr. Park. Yes, sir.
Chairman Broun. One of your emails provided to the
Committee late last Friday was one on October the 10th where
you forwarded an article that you had read by David Kennedy, a
``white hat'' hacker, who has testified twice before this
Committee about his concern. And the headline from that article
was ``Is the Affordable Healthcare Website Secure? Probably
Not.'' Mr. Park, if you want to refer to it, it is in tab 15 in
your binder.
Mr. Park. Thank you, sir.
Chairman Broun. You even commented about David Kennedy's
article that ``This got sent to me by someone who says these
guys are on the level.'' Other documents provided to the
Committee show that several other cybersecurity experts
expressed concerns with the security of the website around that
same time. Mr. Park, do you think that David Kennedy's concerns
with the security of the website are on the level?
Mr. Park. So thank you for the question. As I recall, this
did get sent to me by someone who thought that TrustedSec was
someone that was worth paying attention to. I can't comment on
that----
Chairman Broun. Do you think he is on the level, yes or no?
Mr. Park. I don't have the judgment--the knowledge of
cybersecurity to say and so that is why I forwarded it
immediately to CMS, which then evaluated it, and had the
response that you see.
Chairman Broun. Are you being level with us today?
Mr. Park. Yes, sir. Absolutely.
Chairman Broun. Okay. According to a news report, it says
that you reportedly briefed President Obama, Vice President
Biden, Health Secretary Kathleen Sebelius, and others about the
problems with the website only a few days after reading David
Kennedy's report. Did you ever express the warnings that were
in David Kennedy's report about the lack of security with the
website to the President or others in the White House in that
October meeting or any other previous meetings?
Mr. Park. So, again, as I think this email demonstrates, I
forwarded this to CMS right away and CMS responded saying CMS
acknowledges this feedback by the security committee,
analysis----
Chairman Broun. So just forwarding the email was the only
warning that you gave to anyone, is that correct?
Mr. Park. Well, it says, ``Analysis of the code and review
of the operational environment has confirmed the site is secure
and operating with low risk to consumers,'' which then got
forwarded back to me.
Chairman Broun. So it is--but that was the only warning you
gave anybody, is that correct?
Mr. Park. Well, sir, again, cybersecurity is handled by
CMS, and I think they----
Chairman Broun. I am just asking. That is a yes-or-no
question.
Mr. Park. So I just--I can report what happened, which is I
sent this----
Chairman Broun. Okay.
Mr. Park. --asked them to evaluate it----
Chairman Broun. I take that that----
Mr. Park. --and got a response.
Chairman Broun. I take that that the answer is no.
Mr. Park, I want to thank you for finally appearing before
this Committee and I am sorry that we had to----
Mr. Swalwell. Mr. Chairman, may I have a follow-up
question, please?
Chairman Broun. No, sir.
Mr. Swalwell. Okay.
Chairman Broun. We have got to adjourn.
Mr. Swalwell. May I have a follow-up briefly, Mr. Chair?
Chairman Broun. Mr. Park, I am sorry we came to the point
where we had to subpoena you to come before this Committee, but
thank you for coming, even possibly under duress.
But obviously people can disagree about whether you were
deeply involved or not with the HealthCare.gov website. While I
thank you for your government service, the fact remains that
the rollout of the HealthCare.gov website last year was a
debacle, and that is not my assessment but that of Health
Secretary Kathleen Sebelius.
My assessment of this situation remains that you and others
in the White House have been neither forthright nor forthcoming
about your role and responsibilities at the White House.
Integrity in government is integral to the public's faith in
our democracy, thus, our Nation's leaders must be open and
honest with our fellow Americans and respect the roles of the
executive branch and Congress, as articulated in our
Constitution.
The fact remains that the White House still has not
provided all the documents pursuant to the Committee's
subpoena. We have asked for them, we subpoenaed them, we still
haven't gotten them. And perhaps that is why people still
disagree about your role in the debacle.
Eternal vigilance is the price we pay for our liberty. To
that end, the Committee maintains that all documents pursuant
to the subpoena be provided and we ask for the Administration
to please provide those expeditiously. After a more thorough
assessment of these documents, you may be called to appear
before us again, Mr. Park, in order to one day reach a better
understanding. While I may no longer be in Congress on that
day, the Committee's vigilance on this matter will carry on.
Honest people can fundamentally disagree and we have seen
that today. For example, you believe that ObamaCare will be a
great thing for Americans, but I think too much of it was
predicated on a lie. As a medical doctor, I believe that
ObamaCare is the wrong prescription for what ails our nation's
healthcare system, but that is a debate for another time.
And with that, I want to thank you, Mr. Park, for appearing
before us today, and the Members for their questions. The
Members of the Committee may have additional questions for you,
Mr. Park, and we will ask that you respond to those in writing,
please, and do so expeditiously.
I want to thank my friend Dan Maffei and Eric Swalwell for
you all working with me through this process. It has been a
great experience for me, and I consider you a friend and
consider Dan a friend and I consider all of your staff to be
excellent. It has been great working with you all. I had the
opportunity to work with Ms. Bonamici also, and I enjoyed
working with her, as I told her earlier today. She just left,
but it has been a great experience, and I have been
tremendously honored by chairing this Subcommittee.
The record will remain open for two weeks for additional
comments and written questions from Members. The witness is
excused. The hearing is adjourned.
Mr. Park. Thank you, sir.
[Whereupon, at 11:47 a.m., the Subcommittee was adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
Written statement submitted by Rep. Eric Swalwell
Mr. Chairman, first, I would like to take a moment to thank you for
your service. You served two years as Ranking Member and four years as
Chairman. During your tenure, you have always conducted your
chairmanship with generosity and great courtesy. While we have not
always seen eye-to-eye on the matters before the Subcommittee, no
Member on this side of the aisle has ever had reason to complain about
the way you have conducted yourself, and that has gone a long way
towards keeping relations civil and even cordial in the midst of
disagreement. Thank you.
Today may be a day of disagreement, but I sincerely believe that if
you conduct this hearing as fairly as you have your past hearings, that
we will all emerge with a clear understanding of what Mr. Park did and
did not do related to HealthCare.gov.
Fairness is particularly important because this hearing has the
feel of a trial. The only witness before us is Mr. Park. The title of
the hearing implies that we are going to examine his involvement in the
development of the Healthcare.gov website. Most significantly, a staff
report released by you and Chairman Smith on October 28 functions as a
prosecutor's memorandum that makes very damning allegations regarding
Mr. Park's honesty before the Committee on Oversight and Government
Reform and Dr. Holdren's candor in his replies to this Committee
regarding Mr. Park's involvement in cybersecurity. As a former
prosecutor, I believe that the allegations you have made against Mr.
Park could place him in legal jeopardy. He deserves a chance to tell
his story and put these allegations to rest, and I believe he can do
that.
Mr. Park is a successful entrepreneur in the IT world who took a
break from developing successful companies to come to Washington, D.C.
to help the government and the country think of creative ways to use
information technology to improve our economy and address important
social problems.
He is a patriot and the son of immigrants who have played their own
role in keeping the American economy vibrant and expanding. Mr. Park's
parents are here today. Mr. Park's wife is here today. Mr. Park's
pastor is here today as well as friends from the IT business world. I
mention this to remind all the Members to not confuse their feelings
towards the Affordable Care Act with Mr. Park as a person. He served
the public and did his best and should be thanked for his
contributions. In fact, Mr. Park has returned to the Bay Area and is
attempting to recruit other bright, innovative stars from the IT world
to come to Washington and take a few years to try to make a difference
for the good of the country. Good luck with that message after today,
Mr. Park.
I have reviewed a Minority staff report, which I ask be made part
of the record, built on a complete review of the documents produced by
the White House. The staff make a very strong argument, supported by
White House documents, that Park did not have deep, direct, or intimate
involvement in any of the work of developing the on-line marketplace
launched on October 1, 2013 or the cybersecurity standards and
techniques used for the site.
If he was playing such a role, there should be monthly progress
reports from contractors that show progress against deliverables and
requirements, costs of work, a critical path analysis that identifies
where problems threaten a successful launch and discussion of the
integration process for the site across an army of contractors on the
project. None of those documents have been produced because he was not
the day-to-day manager on the project. Nor are there the kind of
documents that the contractors doing the actual work would possess--
which would include discussion of code, performance and testing
results. Those documents can be found at CMS, which managed this
complex acquisition, and among the contractors, who did the work, but
not in Todd Park's records.
The records that did come to us make it very clear what he was
doing: He acted to gather information when the White House had
questions about the project and he acted to help CMS find resources
when they asked for help from the White House. 90% of the records fall
into one category or the other. Gathering information for the boss or
to use as a spokesman or providing assistance to the actual managers
sounds more like the kind of work our Legislative Assistants and
Committee staff do than that of people deeply involved in a project.
The record shows Park was not in charge of anything, and what he did do
on healthcare.gov was about information aggregation or assistance at
the request of others.
There is another missing element in the records the Committee has
received from the White House: the thousands of pages of records
related to Mr. Park's full time job as Chief Technology Officer of the
United States. Because we only requested records related to
HealthCare.gov, it is easy to lose sight of the fact that his very
limited work on Healthcare.gov was coming while he did a wide-ranging
job as CTO.
Park's job was about trying to push technology throughout all
levels of the country to improve our competitiveness and quality of
life. As just one example, he drove an initiative to find innovative
methods to use IT and big data to combat human trafficking. I don't
think there is any Member who favors human trafficking--that is about
as non-partisan an initiative as you can get. Park was working, full
time, in a much wider swath of issues and areas than healthcare.gov.
Members should never lose sight of that and get tunnel vision about
Park simply because we have such a narrow set of records.
I believe that if Mr. Park is given a fair chance to answer
questions here today, that Members on both sides of the aisle will
conclude that Park was not a principal actor in the development of
HealthCare.gov prior to October 1, 2013 and had no role in developing
cybersecurity standards or techniques for the web site. Mr. Park, I am
going to apologize to you now for the way you have been treated, and I
am hopeful that you will get apologies from the Chairman by the end of
this hearing.
Supporting documents submitted by Subcommittee Chairman Paul Bourn
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Hearing documents submitted by Majority staff
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Letter submitted by Representative Scott Peters
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Minority staff report submitted by Ranking Member Eddie Bernice Johnson
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Majority staff report submitted by Subcommittee Chairman Paul Bourn
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]