often duplication of effort and rework. That dysfunction endured throughout the project. As late as mid-September 2013 -- just two weeks before the start of the federally mandated open-enrollment period -- Maximus issued a report in which it observed that the overall "business transformation/integration between OHA and CO is not being tracked like a formal project. Typically a project of this size would have specific governance reporting, charter, scope, tasks, milestones, deliverables, and deadlines for the interagency work that is to be accomplished both operationally and technically." The risk Maximus identified that flowed from this was that Cover Oregon could not be sure that the project would be implemented in the expected timeframe.
State officials also seemed incapable of defining requirements for the project and sticking to them, or even understanding that it had taken on that responsibility, according to Oracle. In May 2013, Cover Oregon's then-executive director, Rodney King, acknowledged the need for better definition of requirements -- and asked Oracle to nail them down, according to the filing. "This request was an extraordinary one: Cover Oregon was the owner of the project and therefore responsible for making decisions about what the exchange would and would not do. The parties' contracts made it abundantly clear that Oracle had no role in establishing the functional requirements for the exchange, and Cover Oregon should have finalized them long before May 2013."
Yet Oracle says that, in mid-July, a little more than two months before the planned launch of the Oregon exchange, it made a presentation to the state saying that the continued lack of complete requirements was preventing it from performing end-to-end testing on the system. Further change requirements were still creeping into the project as little as two weeks before the planned launch, Oracle says.
In addition to changing requirements, Oracle says the project was subverted by a lack of project discipline in changes to the actual code. "Oracle software developers found themselves asked to perform on-the-spot code changes to meet ad hoc requests from Cover Oregon employees (a phenomenon Cover Oregon's chief technology officer himself acknowledged was 'short-circuiting our processes'), and at least one Cover Oregon employee attempted to implement his own changes to otherwise final code," according to the filing. Actually, Oracle points a finger at Cover Oregon CTO Reynolds Garrett himself, quoting from an email exchange between him and Oracle's chief corporate architect, Edward Screven.
"Oracle employees on site in Durham report that in a meeting today you stated that you now have Siebel Administrator privilege, and you have used that privilege to directly make environment and application changes to the production environment," Screven wrote. "Is this correct?" He went on to emphasize the need to follow an agreed-upon change management procedure, emphasizing the degree of expertise required to reconfigure the system and the danger that even experts can make mistakes.
Garrett testily replied: "I thought Cover Oregon paid for and owned the system...."
Oracle said that exchange was typical of the working relationship with state officials.
Yet Oracle seemed to take the side of state officials in another section of the filing, saying that they had also been unfairly scapegoated by the governor in his search for someone to blame. "The failure to deliver a working citizen self-service portal on October 1, 2013 was a political embarrassment for Governor Kitzhaber, who immediately looked for places to lay the blame. Among those who have lost their jobs at OHA or Cover Oregon over this project are Carolyn Lawson, OHA's chief information officer; Rocky King, Cover Oregon's executive director; Bruce Goldberg, Cover Oregon's iInterim executive director; Aaron Karjala, Cover Oregon's chief technology officer; and Triz delaRosa, Cover Oregon's chief operating officer. Carolyn Lawson was the first to go, and after destroying her professional reputation, the Governor quickly turned his sights on Oracle, and he set out systematically to vilify the company in the media."
Noting that Lawson "refused to accept her scapegoating quietly," Oracle quotes from a section of her own legal filing against the state in which she claims she was pressured into resigning by state officials who warned, "Somebody has to be held to blame for this -- it's going to be Rocky [King], or it's going to be Oracle, or it's going to be you. We want it to be Oracle, but it can be you if you want" (emphasis added by Oracle's lawyers).
In a statement to The Oregonian, Kitzhaber spokeswoman Melissa Navas said Oracle's action came as no surprise. "The State fully expected to end up in litigation over Oracle's failure to deliver. The Attorney General's Office will review the complaint filed by Oracle and continue to pursue legal remedies on behalf of the State," she said. Lawsons's lawyer didn't immediately respond to an InformationWeek request for comment.
Cyber criminals wielding APTs have plenty of innovative techniques to evade network and endpoint defenses. It's scary stuff, and ignorance is definitely not bliss. How to fight back? Think security that's distributed, stratified, and adaptive. Get the Advanced Attacks Demand New Defenses report today (free registration required).