US senator claims UnitedHealth's CEO, board appointed 'unqualified' CISO

Serial tech and digital privacy critic Senator Ron Wyden (D-OR) laid into UnitedHealth Group's (UHG) CEO for appointing a CISO Wyden deemed "unqualified" – a decision he claims likely led to its recent ransomware catastrophe. Wyden lambasted UHG in a letter sent to Lina Khan and Gary Gensler, chairs of the FTC and SEC …

  1. Doctor Syntax Silver badge

    "and, as appropriate, hold these senior officials accountable."

    If that happens it might cause changes of attitude more widely.

    1. Zibob Silver badge

      Or hell might freeze over.

      I can see the coming comments of "well yeah we would but that would put the country into a recession worse than the 1920s!" Simultaneously getting their way, and pointing out how unprotected the entire nation is. And nothing changes.

    2. UnknownUnknown

      IT is the same as politics/government: you don't need to have any qualifications to work or hold office in it.

      It's not a regulated/chartered sector, unlike say accountancy or healthcare.

  2. JRStern Bronze badge

    MFA?

    Master of Fine Arts?

    1. Sudosu Bronze badge

      Re: MFA?

      Multi Factor Authentication - essentially meaning additional validations over and above just a password to access systems (i.e. a RSA type token, biometrics, something on your phone etc)

  3. Blazde Silver badge

    Previous job

    In fact his previous role was a high level information security role. It's a bit lazy of the senator not to look behind job titles. However...

    https://www.businesswire.com/news/home/20200413005255/en/Change-Healthcare-Appoints-Steven-Martin-as-Executive-Vice-President-of-Enterprise-Technology

    "In his new role, Martin will oversee all of Change Healthcare’s R&D, information security and IT operations and he will be responsible for the overall technology direction of the Company’s product and service portfolio."

    That's an alarmingly wide portfolio and probably the real problem. God knows who was doing security before him, no one? Perhaps one has to give the benefit of the doubt and assume he knew a thing or two about security and eventually managed to argue it needed someone's sole focus, and as the one most familiar with the overall technology of the company he'd have been a decent pick for that role, but that only happened a couple of months before the attack.

    1. An_Old_Dog Silver badge

      CISO == Scapegoat (Traditionally)

      It's been traditional to fire the CISO after a security breach, to placate the masses. The Board of Directors effectively says: "Look, look, we're doing something about this problem!"

      The most technically-skilled and most security-knowledge-credentialled CISO in the world will still be hamstrung if the BoD votes down his/her/etc. budget requests and proposed policy/procedure changes.

      1. Zibob Silver badge

        Re: CISO == Scapegoat (Traditionally)

        Which likely causes more harm, as the mistake to be learned from was made, and the person supposed to be learning from it is fired, replaced with a new person unaware of the problem, until it happens again and then they learn, but again are fired...

      2. springsmarty

        Re: CISO == Scapegoat (Traditionally)

        The CEO and board constantly balance perceived costs against perceived benefits and risks. Perhaps the scale of the risks were not well understood at the board level, making it easier to dismiss pleas for better tooling and procedures. Unfortunately, the risks were borne by far more than UHG, but UHG was only weighing *their* costs and risks. Hopefully this will cause other organizations to place more emphasis on the risks of attackers, allowing them to spend more appropriately on security.

      3. ITS Retired

        Re: CISO == Scapegoat (Traditionally)

        "...budget requests and proposed policy/procedure changes."

        Can't afford that. That money is earmarked for our share holders.

    2. ecofeco Silver badge

      Re: Previous job

      That's WAY too much responsibility.

      It's quite common to blame your head of IT security. And if that is their only role, appropriate as well.

      But this guy was overseeing way too many things. As I stated in a previous comment on the original article, and so did the other commenter in this thread, you can bet the BoD was NOT spending the money needed for security. I'm leaving a company that has just done the same thing to their head of IT security. Too much responsibility and frozen budget.

    3. Anonymous Coward

      Re: Previous job

      What you are calling his "previous job" is his current job - the senator was not wrong. Change Healthcare is the same as United Health since 2022.

      UnitedHealth Group completed its purchase of Change Healthcare, the company announced Monday morning, after defeating the Department of Justice in federal court over the agency's attempt to block the $13 billion deal. It does not appear the DOJ will challenge the deal in appellate court. [healthcaredive.com, Oct 3, 2022]

      Therein lies a (the?) major problem - the monopolization of the healthcare industry. Why should they fix the security problem? It costs less to pay the ransom, and the alternative for so-called customers is to go without medical care.

      1. Blazde Silver badge

        Re: Previous job

        He took on a different job title at the parent company which acquired the business his previous role was at. My point is precisely that his job didn't change all that much, so he had more experience than the senator implies. The senator's specific complaint was that Martin was promoted to CISO *in 2023* having not worked "a full-time cybersecurity role before". In fact he would have had extensive knowledge of not only cybersecurity but of cybersecurity in the relevant business unit, and that seems important to gloss over, albeit the actual job title does imply the security overseeing wasn't full-time. We don't really know for sure; job titles and responsibilities don't correlate well.

        Let's just agree the senator is likely not wrong but is spinning the facts. As is his wont as a politician *shrug*

        I do wonder about the suspicious timing of the promotion (the senator says June 2023, other sources give Nov 2023). Did UHG have some kind of warning an attack was in progress? It's entirely possible a foothold was gained in late 2023, which prompted an 'oh shit' moment, the promotion, and ultimately a failure to prevent the attack progressing as it did by Feb 2024.

        1. Cliffwilliams44 Silver badge

          Re: Previous job

          This was his previous job!

          Martin brings more than 20 years of experience through the various roles he held at GE, including chief digital officer and chief commercial officer, where he was responsible for engineering, sales, marketing, product management, and services across GE's global digital portfolio.

  4. DS999 Silver badge

    I think this is overblown

    In a business that size, you need effective managers at the top more than you need subject matter experts at the top. A good manager would trust his SMEs and take their advice when it comes to technical matters beyond his knowledge.

    Now if this guy wasn't doing that then he was a bad manager. But not every cybersecurity expert is going to make a good manager regardless of how much experience they have in the field, and might be even more unwilling to listen to those under him if his opinion differed and he assumed because of his experience and position that he knew best.

    1. wub

      Re: I think this is overblown

      United Healthcare has been cutting corners for years in various ways. I'm not surprised they weren't interested in spending more than the minimum on security.

      On an unrelated note, I'm impressed that no one mentioned this guy's 14-year stint at Microsoft as having any impact on his decision making in the C suite.

      This >is< a big deal! Pharmacy access was significantly impacted for weeks, and PII of over 100 million people was released. If the top managers of this corp are responsible for its successes, and are rewarded accordingly, why are they NOT responsible for its failures?

      1. doublelayer Silver badge

        Re: I think this is overblown

        The question is not whether they are responsible in theory, as that's what having that position means. The question is whether the level of blame attached to this person is correct. If they had named someone with more security experience, do we have reason to believe that would have improved things? If the answer is no, then focusing on this is distracting from a different and larger problem. Of course, this depends on lots of little points that we don't have information on, which is why most retrospective examinations take a long time and produce long reports.

        For example, if the lack of MFA issue is determined to be an important issue, did the CISO know about it? If he did, was he trying to do something about it or not? If he was, did he have enough time between finding out about the situation and the attack that he should have completed his actions or not? If he didn't know, why didn't he? If he should have been told but wasn't, why not? If he shouldn't have been told because it was being managed by a lower level, repeat all these questions with the manager of that group.

        It's boring work, but if you need a problem to stop, it is not enough to fire the person nominally in charge and put someone else in. That someone else will probably change something, but without asking all these questions, it could end up being the wrong thing and that person just becomes the responsible party in the next breach. In this case, there actually appear to be several technical failures involved, but exactly the same blame is ascribed to anywhere that had a negative event, no matter how much responsibility the tech areas had for causing the event. Did someone in sales get bribed to get the customer list, to which they had access because sales needs to annoy the customers to keep having more sales, and send a copy? Fire the CISO, that's what they're there for. It can easily be the right response, but it shouldn't be an automatic one.

    2. mmccul

      Re: I think this is overblown

      While the CISO is a manager, they need to understand the needs of security. The risk analysis questions that CISOs face are unique compared to other C*O managers. They cannot just rely on their deputy CISO to provide that risk analysis.

      Why does that matter? Knowing the details of infosec allows the CISO to understand which efforts to prioritize inside their division, which initiatives are likely to be a more effective use of funds.

      SMEs provide expertise in their specific area, but are not the persons to balance competing efforts from their own department.

  5. SammyB

    Unqualified?

    We need to fire 80-90% of the politicians and those that they selected/appointed for total incompetency never mind for lack of ethics and morals.

  6. Strong as Taishan Mountains

    Somewhat surprising that anyone in government a) has read anything about system security b) is interested at all in holding some feet to the fire over this.

    Bravo! May my cynicism be proven wrong again!

  7. DerekCurrie

    Ron Wyden Should Be President

    It's hard to find a more intelligent or reality aware elected official than Ron Wyden.

    UnitedHealth Group? They're pathetic parasites IMHO. Parasites are renowned for not having much in the intelligence department.

    Thank you again, Senator Wyden! And thank you Oregon for keeping him in office.

  8. Dostoevsky Bronze badge

    Please, sue them into the ground!

    Let's show corporations and organizations the importance of cybersecurity!

  9. Claptrap314 Silver badge

    He's wrong this time

    The main job of the CISO (other than to be ablative armor for the CEO in situations like this) is to get budget. I'm willing to bet that that is BY FAR the main challenge. You don't need to be an SME for that, you need to be a salesman. This is going to be more true the larger the corporation.

    Yes, you need to learn enough that the various directors lying to you get caught. But given that they should not be SMEs either...

    I'm a big fan of the Senator when it comes to tech. But this really isn't a tech issue.

  10. Eclectic Man Silver badge

    Gone with the Wind(?)

    One such critic is Tom Kellermann, SVP of cyber strategy at Contrast Security, who previously told The Register: "I'm blown away by the fact that they weren't using multi-factor authentication. I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."

    I remember failing to persuade a client to install internal firewalls on their network to segregate things like their finance department from their R&D and their main businesses (it was a large Govt. Department). 'Not needed because they have secured their perimeter.'

    Then one senior executive brought in her 'friend' Melissa* to play one morning ...

    Took them three days to clean the network.

    'Once bitten, twice shy' as the saying goes.

    * Link for the youngsters: https://en.wikipedia.org/wiki/Melissa_(computer_virus)

  11. Joe Dietz

    CISO isn't a technical role

    It's my job to talk with CISOs. I've discovered there are a few types:

    1) former 'technical' person. Probably worked on a SOC team or did some red teaming at some point in their career. They view CISO as 'defend the network'. These guys tend to fail in the boardroom but tend to do a competent job with what little budget they get.

    2) former 'cops'. Law enforcement, legal backgrounds, program managers for TLAs etc. They view being a CISO as 'risk management'. Do somewhat better with the board room, but also tend to be a bit brittle since they have impostor syndrome pretty hard with their technical team that reports to them.

    2b) Subset of 2 that has done X things that have now 'solved security'. These are the ones that get hacked hard.

    And finally, I'll take objection to the Senator's statement:

    "The cyberattack against UHG could have been prevented had UHG followed industry best practices," said Wyden, concluding his rousing letter-cum-tirade. "UHG's failure to follow those best practices, and the harm that resulted, is the responsibility of the company's senior officials including UHG's CEO and board of directors"

    MFA is a good thing, but the REAL question is how did somebody already have credentials? They were already breached, and they still haven't found root cause.

    1. Cliffwilliams44 Silver badge

      Re: CISO isn't a technical role

      MFA is there to defend against stolen credentials, alert when credentials are compromised, and initiate a process to correct those stolen credentials.

      At that point you can make the effort to discover the HOW of the stolen credentials, which almost always falls upon some user getting socially engineered in some way. Then you can reinforce user education.
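Two comments in this thread touch on what MFA actually is (Sudosu's definition: a second validation beyond the password, such as a token or something on your phone) and what it buys you (Cliffwilliams44's point that it exists to defend against stolen credentials). The following is an added example to make both points concrete; it is not code from The Register, from any commenter, or from UHG. It implements the standard TOTP second factor (RFC 4226 HOTP under RFC 6238 time steps, the algorithm phone authenticator apps use) and a small login routine in which a correct password on its own never grants access. The user record, password, salt and timestamps are constructed for the demo; the TOTP seed is the published RFC 6238 test secret so the codes can be checked against the RFC's table.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


def matching_counter(secret: bytes, code: str, at_time: int,
                     step: int = 30, window: int = 1):
    """Return the time-step counter whose TOTP equals `code`, or None.
    `window` tolerates +/- one step of clock skew between phone and server."""
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


# Constructed demo salt; a real deployment uses a random per-user salt.
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed demo user. The seed is the RFC 6238 test secret
# "12345678901234567890" in base32, as an authenticator app would store it.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "last_counter": -1,  # highest counter already accepted (replay guard)
    }
}


def login(username: str, password: str, otp, at_time: int) -> str:
    """Return 'ok', 'mfa_required' or 'denied'.

    A stolen password gets an attacker exactly as far as 'mfa_required':
    the second factor is checked independently, and an accepted code
    cannot be replayed within its validity window."""
    user = USERS.get(username)
    if user is None:
        return "denied"
    if not hmac.compare_digest(user["pw_hash"], hash_password(password)):
        return "denied"
    if otp is None:
        return "mfa_required"
    seed = base64.b32decode(user["totp_seed"])
    counter = matching_counter(seed, otp, at_time)
    if counter is None or counter <= user["last_counter"]:
        return "denied"
    user["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    # Constructed timestamp 59 is the first row of the RFC 6238 test table.
    seed = base64.b32decode(USERS["alice"]["totp_seed"])
    code = totp(seed, 59)
    print("current code:", code)
    print("password only:", login("alice", "correct horse battery staple", None, 59))
    print("password + wrong code:", login("alice", "correct horse battery staple", "000000", 59))
    print("password + code:", login("alice", "correct horse battery staple", code, 59))
    print("replayed code:", login("alice", "correct horse battery staple", code, 59))
```

The `last_counter` check is the detail that turns "something on your phone" into a defence rather than a speed bump: without it, a code phished along with the password stays valid for the whole skew window. Alerting on repeated `mfa_required` outcomes for one account is the cheap signal that the password itself has leaked, which is the trigger for the credential reset and root-cause work the comment above describes.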
