Hearing: Security Flaws in Obamacare Website Endanger Americans

Experts say they would not use due to risks

November 19, 2013

A panel of IT experts had one answer for Congress when asked if Americans should use the Obamacare exchanges on in light of its security concerns: "No."

A quartet of experts testifying before the House Committee on Science, Space, and Technology cited numerous security flaws within They attributed the risks to the complexity of its 500 million lines of code and a rushed rollout that failed to properly test the website.

David Kennedy, the founder of TrustedSec, an online security firm, said that the risks were easy to ascertain.

"Just by looking at the website we can see that there is just fundamental security principles not being followed, things that are basic in nature that any security tester, like myself or anyone that we hire to test these sites, would actually test for prior to being released," Kennedy, formerly of the National Security Agency and a one-time cyber-intelligence analyst for the U.S. Marine Corps, said.

The experts said the personal information of millions of Americans is at risk, including Social Security numbers, birthdays, incomes, home mortgages, and addresses. Rep. Mo Brooks (R., Ala.) called it the "mother lode for identity theft."

"Americans should be scared to death," said Rep. Chris Stewart (R., Utah).

Kennedy demonstrated an attack in the hearing room, showing how on a hacker could breach into a computer, monitor its webcam, and steal passwords.

Hackers from Russia or China could "absolutely" breach the online marketplace, he said.

The problems could only get worse since the president’s team is trying to fix the website while it is still up and running.

Morgan Wright, a cyber terrorism expert and CEO of Crowd Sourced Investigations, LLC., said attempting to fix one line of code could open up a "Pandora’s box."

"You create an unintended series of cascading events you have no control over because you don’t have a grasp of what the code is actually doing," he said. "You think you’ve changed one thing, by doing that you’ve opened up a Pandora’s box of vulnerabilities on the other side."

Kennedy said he has never seen anything like it.

"To be honest with you, I have not seen—and I’ve worked for Fortune 10, Fortune 50, Fortune 1,000 companies, as well as on the government side—I have not seen an application that pales in comparison to 500 million lines of code, including some of the largest applications you would ever see in the history of man."

Because of the sheer amount of code, it is impossible to conduct a complete end-to-end security assessment on the website, the panelists said. Just reviewing it for security risks could take six months.

Fixing the flawed code will also be extremely expensive. The market value of high-end website code is about $50 per line, Kennedy said.

"That’s where I’ve been trying to get my head around, just—half a billion lines of code, particularly when you’re reaching out and pulling it out of other databases and then standardizing," said Rep. David Schweikert (R., Ariz.). "Does something seem almost absurd?"

"Well, there’s also another paradigm, too, that it costs you $1 to fix it before you launch, it will cost you up to $100 to fix it after you launch," Wright said.

Another concern is that the website is integrated with other federal agencies, including the Internal Revenue Service (IRS).

"It hooks into the IRS, it hooks into DHS, it hooks into Experian, which is a third party," Kennedy said. "You have all of these trusted connections, all these things that make up the site itself, but the pieces that actually make up are multiple areas."

"Given’s security issues, and assuming for the moment that you would be personally responsible for all damages incurred from your advice, would any of you advise an American citizen to use this website as the security issues now exist?" asked Rep. Brooks.

Every witness said no.

Kennedy offered three recommendations to Congress. The best option, he said, is to create " 2.0," a completely redesigned second website that will work in conjunction with the original. He estimated it would take about six months to complete.

The other options are to take the website offline to fix it, which could take four to six months, or introduce new code while it’s still running, which could take years.

"I’m not a political person, I’m not here to talk politics, but if you’re asking me from a technology standpoint, it would be easier to start over again, lay the foundation of security, and start from the beginning," Wright said. "The security has to be the foundation of this site. Period."

"Unfortunately the personal information that has already been entered into is vulnerable to online criminals and identity thieves," Committee Chairman Lamar Smith (R., Texas) said. "President Obama has a responsibility to ensure that the personal and financial data collected as part of Obamacare is secure. It is clear this is not the case."

"There is only one useable course of action: Mr. President, take down this website."