l****z (posts: 29846) | 1
BY: Elizabeth Harrington
November 19, 2013 6:12 pm
A panel of IT experts had one answer for Congress when asked if Americans
should use the Obamacare exchanges on Healthcare.gov in light of its
security concerns: “No.”
A quartet of experts testifying before the House Committee on Science, Space,
and Technology cited numerous security flaws within Healthcare.gov. They
attributed the risks to the complexity of its 500 million lines of code and
a rushed rollout that failed to properly test the website.
David Kennedy, the founder of TrustedSec, an online security firm, said that
the risks were easy to ascertain.
“Just by looking at the website we can see that there is just fundamental
security principles not being followed, things that are basic in nature that
any security tester, like myself or anyone that we hire to test these sites,
would actually test for prior to being released,” Kennedy, formerly of
the National Security Agency and a one-time cyber-intelligence analyst for
the U.S. Marine Corps, said.
The experts said the personal information of millions of Americans is at
risk, including Social Security numbers, birthdays, incomes, home mortgages,
and addresses. Rep. Mo Brooks (R., Ala.) called it the “mother lode for
identity theft.”
“Americans should be scared to death,” said Rep. Chris Stewart (R., Utah).
Kennedy demonstrated an attack in the hearing room, showing how on
Finder.Healthcare.gov a hacker could breach into a computer, monitor its webcam,
and steal passwords.
Hackers from Russia or China could “absolutely” breach the online
marketplace, he said.
The problems could only get worse since the president’s team is trying to
fix the website while it is still up and running.
Morgan Wright, a cyber terrorism expert and CEO of Crowd Sourced
Investigations, LLC, said attempting to fix one line of code could open up
a “Pandora’s box.”
“You create an unintended series of cascading events you have no control
over because you don’t have a grasp of what the code is actually doing,”
he said. “You think you’ve changed one thing, by doing that you’ve opened
up a Pandora’s box of vulnerabilities on the other side.”
Kennedy said he has never seen anything like it.
“To be honest with you, I have not seen—and I’ve worked for Fortune 10,
Fortune 50, Fortune 1,000 companies, as well as on the government side—I
have not seen an application that pales in comparison to 500 million lines
of code, including some of the largest applications you would ever see in
the history of man.”
Because of the sheer amount of code, it is impossible to conduct a complete
end-to-end security assessment on the website, the panelists said. Just
reviewing it for security risks could take six months.
Fixing the flawed code will also be extremely expensive. The market value of
high-end website code is about $50 per line, Kennedy said.
“That’s where I’ve been trying to get my head around, just—half a
billion lines of code, particularly when you’re reaching out and pulling it
out of other databases and then standardizing,” said Rep. David Schweikert
(R., Ariz.). “Does something seem almost absurd?”
“Well, there’s also another paradigm, too, that it costs you $1 to fix it
before you launch, it will cost you up to $100 to fix it after you launch,”
Wright said.
Another concern is that the website is integrated with other federal
agencies, including the Internal Revenue Service (IRS).
“It hooks into the IRS, it hooks into DHS, it hooks into Experian, which is
a third party,” Kennedy said. “You have all of these trusted connections,
all these things that make up the site itself, but the pieces that actually
make up Healthcare.gov are multiple areas.”
“Given Healthcare.gov’s security issues, and assuming for the moment that
you would be personally responsible for all damages incurred from your
advice, would any of you advise an American citizen to use this website as
the security issues now exist?” asked Rep. Brooks.
Every witness said no.
Kennedy offered three recommendations to Congress. The best option, he said,
is to create “Healthcare.gov 2.0,” a completely redesigned second website
that will work in conjunction with the original. He estimated it would take
about six months to complete.
The other options are to take the website offline to fix it, which could
take four to six months, or introduce new code while it’s still running,
which could take years.
“I’m not a political person, I’m not here to talk politics, but if you’re
asking me from a technology standpoint, it would be easier to start over
again, lay the foundation of security, and start from the beginning,”
Wright said. “The security has to be the foundation of this site. Period.”
“Unfortunately the personal information that has already been entered into
Healthcare.gov is vulnerable to online criminals and identity thieves,”
Committee Chairman Lamar Smith (R., Texas) said. “President Obama has a
responsibility to ensure that the personal and financial data collected as
part of Obamacare is secure. It is clear this is not the case.”
“There is only one useable course of action: Mr. President, take down this
website.”