Published January 16, 2014
Security expert -- and once the world's most-wanted cyber criminal -- Kevin Mitnick submitted a scathing criticism to a House panel Thursday of ObamaCare's Healthcare.gov website, calling the protections built into the site "shameful" and "minimal."
In a letter submitted as testimony to the House Science, Space and Technology Committee, Mitnick wrote: "It's shameful the team that built the Healthcare.gov site implemented minimal, if any, security best practices to mitigate the significant risk of a system compromise."
Mitnick's letter, submitted to panel Chairman Lamar Smith, R-Texas, and ranking member Eddie Bernice Johnson, D-Texas, held comments from several leading security experts.
Mitnick concluded that, "After reading the documents provided by David Kennedy that detailed numerous security vulnerabilities associated with the Healthcare.gov Website, it's clear that the management team did not consider security as a priority."
His comments were backed up by testimony by Kennedy, who is CEO and founder of TrustedSec LLC and a self-described "white hat hacker," meaning someone who hacks in order to fix security flaws and not commit cybercrime. In November, Kennedy and other experts testified before the same panel about security issues on Healthcare.gov.
Kennedy testified that most of the flaws they identified at the time still exist on the site, and said "indeed, it's getting worse," telling the panel that he and other experts have seen little improvement in the past two months.
"Nothing has really changed since our November 19 testimony," Kennedy said.
Only one-half of a vulnerability has been found and plugged since then, he told the committee. "They did a little bit of work on it and it's still vulnerable today."
Also speaking at the panel were Michael Gregg, chief executive officer of Superior Solutions, Waylon Krush, co-founder and CEO of Lunarline, and Dr. Lawrence Ponemon, chairman and founder of the Ponemon Institute.
There have been no confirmed security breaches or hacks of the site yet, despite the alarming current and past testimony from the panel. (At the November panel, Kennedy said the website "may have already been hacked.") The flaws that have been found are mere speculation, pointed out Krush, whose firm has done security work for the Department of Health and Human Services.
“Nobody here at this table can tell you there is a vulnerability,” he said during testimony. To actually test the flaws would require hacking the website itself, which would mean breaking the law, he noted.