David Kennedy has been sounding this alarm for months. The former Marine Corps cyberwarfare expert and now a private-sector entrepreneur in cyber security testified before Congress to the huge gaps in data security in Healthcare.gov, the Obama administration’s web portal for ObamaCare. After a large amount of frantic reprogramming in November, Kennedy thought the problems would worsen. After doing his own research into the web portal, Kennedy says he has confirmed that the site is now “much worse off” (via Daniel Halper at TWS):
KENNEDY: I have to completely disagree with her. And it’s not just myself that is just saying this website is insecure, it is also seven other independent security researchers that also looked at all of the research that I’ve done and came to the exact same conclusion. And these are folks that work really well in the industry. And they’re highly respected, have an extensive experience of working for the government. And, you know, if you read the testimony and you read what she had actually said, she said that it’s done end to end security testing. They don’t say what type of testing that is. It could have been an audit that just looks at paperwork. It could have been, you know, really rudimentary testing that looks for just basic things. But what is pretty evident right now is that the site itself is not secure.
WALLACE: All right.
KENNEDY: It’s much worse off.
Chris Wallace then asked Kennedy why, if the site is so vulnerable, there haven’t been any hacks against it. That was the question asked by Gary Cohen, the HHS manager overseeing Healthcare.gov, claiming that “there have been no successful attempts of what anyone has been able to attack the system and penetrate it.” Kennedy declared this defense of Healthcare.gov to be “one of my favorites,” and says … how do they know it hasn’t been hacked? Emphases mine:
KENNEDY: And that’s great. This is one of my favorite ones out of the whole testimony. And so they (inaudible) that there has been no successful hacks that they’ve been able to detect. If you look at — there’s November testimony by Congress that basically said that a third party company was contracted to build out what we call the security operations center, which is what would actually detect these types of attacks. As of November, it hadn’t even been started yet. So, if you look at how long these security operations centers take to put into play, it takes several months, if not years to actually implement and fully build the attacks out there. So, as of November we have no modern detection. And that, from my understanding, it’s still not happening to this date. So they’re accurate in their statement. They haven’t detected any attacks on the website, because they don’t have the capability to detect them.
So how does Kennedy know that the website is vulnerable? He’s glad you asked:
KENNEDY: That’s a great question. There is a technique called — what we call passer reconnaissance, which allows us to query — look at how the website operates and performs. And these type of attacks that, you know, I’m mentioning here in the 70,000 that you’re referencing is very easy to do. It’s a rudimentary type attack that doesn’t actually attack the website itself, it extracts information from it without actually having to go into the system. Think of it this way. Think of something where you have a car and the car doors are open and the windows are open, you can see inside of it. That’s basically what they allow you to do. And there is no real sophistication level here. It is just really wide open. So, there is no hacking actually involved. And 70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I’m sure it’s hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it’s just wide open. You can literally just open up your browser, go to this and extract all this information. Not actually having to hack the website itself.
You don’t need to hack the website. The data is right out there for anyone to gather, apparently.
The full interview is below, and well worth watching:
Update: It’s David Kennedy, not Doug Kennedy (an author). My apologies to both men for the confusion.