The House Science, Space, and Technology Committee held a hearing yesterday on the cyber security of the healthcare.gov website. The prepared testimony is available on the Committee’s website.

The testimony of so-called “white hat hacker” David Kennedy reflected the findings in a report from TrustedSEC, LLC (full report embedded at bottom of post) which concluded:

What this analysis shows us is that as an attacker, there are known exposures in the healthcare.gov
website today that could lead to significant compromise of the website and information. Additionally, the website is integrated into multiple agencies including some of the largest collections of United States citizen data – this includes the Internal Revenue Service (IRS) and other federal agencies.

Based on our evaluation of the website, we have serious concerns over the security of the website and the ability to protect information.

The testimony was featured on Greta:

ABC News further reports:

Cyber security experts told Congress today that the Obama administration should take Healthcare.gov offline until privacy vulnerabilities are addressed and detection capabilities are improved.

David Kennedy, a so-called “white hat hacker” who tests security flaws by hacking online systems to help identify weaknesses, warned that there are critical flaws and exposures “currently on the website that hackers could use to extract sensitive information.”

“The purpose of security isn’t to say, ‘Hey, we’re 100 percent impenetrable all the time,’ but can we detect the hackers in the very early stages of the life cycle of the attack, monitor that, and prevent the attacks from happening. And none of those are clearly being done on the Healthcare.gov website,” Kennedy said before the Science, Space and Technology Committee.

“Just by looking at the website, we can see that there is just fundamental security principles that are not being followed,” he said.

Kennedy demonstrated how hackers are attempting to exploit the website’s vulnerabilities to access personal information and testified that he believes the website has either already been subject to cyber attacks or will be hacked soon.

“We can actually enable their web cam, monitor their web cam, listen to their microphone, steal passwords,” he explained. “Anything that they do on their computer we now have full access to.”

Three of the four witnesses agreed that the Obama administration should take the site offline in order to address the security flaws.

“If you’re asking from a technology standpoint, it would be easier to start over again, lay a foundation of security and start from the beginning because security has to be the foundation of this site,” said Morgan Wright, CEO of Crowd Sourced Investigations, LLC.

The one dissenting witness, Dr. Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University, called for a security review of the system “to establish whether there’s a deep infrastructural problem” with the website.

TrustedSec Analysis of Healthcare.gov Security 11-15-2013