The Obama administration on Wednesday acknowledged for the first time that cyberattacks have targeted the healthcare.gov website, but technology security experts say officials are downplaying the number of attacks and minimizing the privacy threat to Obamacare enrollees' personal information.
A top Department of Homeland Security official testified Wednesday that Health and Human Services had reported to her office approximately 16 "cyber-related" incidents on the website, which registers consumers in new health plans, and one “denial of service” that didn't result in any type of breach.
That admission from Roberta Stempfley, acting assistant secretary of DHS’s Office of Cybersecurity and Communications, was the first time the administration had acknowledged any cyberattack at all, after repeated questions from lawmakers and the press about the website’s security vulnerabilities.
But technology experts who regularly run security tests for the websites of Fortune 500 companies say the report of only 16 incidents seems extremely low and in their view reflects a sliver of the larger cyber-security problems the website is facing.
Under questioning from Rep. Mike McCaul, R-Texas, Stempfley didn’t explain the nature of the reported incidents.
She told lawmakers that DHS’s knowledge of cyber attacks “comes from a multitude of sources.”
"One is [HHS] reports specifically things that they've identified. And we've had a handful of reports from the Department of Health and Human Services," Stempfley said.
"A number of, about 16, as my memory recalls, but I'll get a specific number for you," she told the House Homeland Security panel.
A DHS official later said they had recorded “approximately 228,700 cyber incidents” over the last fiscal year, “an average of more than 620 per day, involving federal agencies, critical infrastructure, and the department’s industry partners."
But neither DHS nor HHS will define “cyber incident” or the severity that would warrant a report from Stempfley's office.
Cybersecurity specialists say the released figures don't tell the whole story and that the number of attempted attacks on the website’s security is likely far higher.
“Most organizations see many more such probes and potential attacks each and every day,” said Michael Gregg, chief operating officer of Superior Solutions, a firm that runs hacking tests for Fortune 500 companies.
“Attackers typically do not hold off. They look for opportunity where it is available. I would assume the site is being probed hundreds of times every day,” he added.
Facebook, for instance, “gets hit” more than 600,000 times per day, Gregg said. Any site that processes credit cards or holds other types of highly personal data can be targeted hundreds or thousands of times per day.
The experts say there could be several reasons why DHS is only reporting 16 cyberattacks on the Obamacare website.
The government may not be doing proper monitoring and may have missed attacks. Another possibility, experts say, is that the government may not be defining an attack in the same way most security professionals do. Gregg also suggests that the government’s monitoring may not be properly tuned to attacks, so that it is producing “false negatives,” with real attacks going unrecorded.
Samuel Bucholtz, co-founder of Casaba, a cybersecurity firm that conducts test-hacking for major companies, said healthcare.gov would likely have been targeted far more than 16 times.
“The 16 times would be the number of times that attackers successfully found an exploit or attempted to execute an exploit that was caught,” he said.
In many cases, the government may not even know the website was targeted unless a consumer trying to sign up for insurance reported that their identity information was stolen or presented some other evidence of a breach, Bucholtz said.
“Large sites are hit by scans and other drive-by attacks on a regular and routine basis,” he said. “Such attacks are rarely counted on when compiling statistics.
“Social engineering attacks like phishing may also not be counted because they are executed independently of the website and there is no way to detect such attacks unless the users report them,” he added.
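To make the counting dispute concrete, here is an added illustration, not code from the article, HHS or DHS: it classifies constructed web-server log lines and tallies them under the different definitions the experts describe (every hostile request, only those that reached the application, only those that succeeded, and distinct sources). The IP addresses, paths, signatures and thresholds are illustrative assumptions, not healthcare.gov data.

```python
"""Tally "cyber incidents" from access-log lines under several definitions.

Added example, not code from the article, HHS or DHS. The sample log,
the scanner paths and the injection signatures are constructed for
illustration; none of it is healthcare.gov traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Common Log Format lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2013:10:01:02 +0000] "GET /marketplace/plans HTTP/1.1" 200 5120
203.0.113.10 - - [13/Nov/2013:10:01:05 +0000] "POST /account/login HTTP/1.1" 302 0
198.51.100.7 - - [13/Nov/2013:10:02:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [13/Nov/2013:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.7 - - [13/Nov/2013:10:02:13 +0000] "GET /.git/config HTTP/1.1" 404 210
198.51.100.22 - - [13/Nov/2013:10:05:40 +0000] "GET /plans?id=1'%20OR%20'1'='1 HTTP/1.1" 500 0
198.51.100.22 - - [13/Nov/2013:10:05:41 +0000] "GET /plans?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 8890
192.0.2.99 - - [13/Nov/2013:10:09:00 +0000] "GET /account/reset?user=jdoe HTTP/1.1" 200 1440
192.0.2.99 - - [13/Nov/2013:10:09:30 +0000] "GET /account/reset?user=<script>alert(1)</script> HTTP/1.1" 403 0
203.0.113.44 - - [13/Nov/2013:10:12:00 +0000] "GET /static/app.js HTTP/1.1" 200 77120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Illustrative signatures: paths that only automated scanners ask for on a
# site that never ran these applications, plus crude SQLi and XSS patterns.
SCANNER_PATHS = ("/phpmyadmin", "/wp-login.php", "/.git/", "/.env", "/cgi-bin/")
SQLI_RE = re.compile(r"(?i)('\s*or\s*'|union\s+select|sleep\s*\()")
XSS_RE = re.compile(r"(?i)(<script|javascript:|onerror\s*=)")


def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Label a request. Only the URL is inspected, so a request that abuses a
    legitimate function with well-formed input (the reset?user=jdoe line)
    is labelled benign: that is the false negative a pattern-based monitor
    produces when the flaw is in the application flow itself."""
    decoded = unquote(entry["target"])
    path = decoded.split("?", 1)[0]
    if path.lower().startswith(SCANNER_PATHS):
        return "scanner-probe"
    if SQLI_RE.search(decoded):
        return "sqli-attempt"
    if XSS_RE.search(decoded):
        return "xss-attempt"
    return "benign"


def summarize(log_text):
    """Count the same traffic four ways; each number is a defensible
    'number of attacks' depending on the definition chosen."""
    entries = parse(log_text)
    labelled = [(e, classify(e)) for e in entries]
    attacks = [(e, lab) for e, lab in labelled if lab != "benign"]
    return {
        "requests": len(entries),
        "by_class": dict(Counter(lab for _, lab in labelled)),
        # every hostile request, blocked or not (what a pentester would count)
        "attack_events": len(attacks),
        # hostile requests the application actually processed (not 403/404)
        "reached_app": sum(1 for e, _ in attacks if e["status"] not in ("403", "404")),
        # hostile requests answered with 2xx, the narrowest reading of "incident"
        "succeeded": sum(1 for e, _ in attacks if e["status"].startswith("2")),
        # distinct hostile sources, the number an "attackers" tally would give
        "distinct_sources": len({e["ip"] for e, _ in attacks}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the same ten requests yield six attack events, two that reached the application, one that succeeded, and three distinct sources; a reporting office that counts only the last category, or only successes, will legitimately report a far smaller number than one that counts every probe.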
Over the last month, lawmakers, led by House Intelligence Committee Chairman Mike Rogers, R-Mich., have expressed deep concerns that security vulnerabilities are among the many problems continuing to plague the website and have accused the administration of failing to conduct proper testing before its Oct. 1 launch.
Rogers’ committee has held multiple hearings on cybersecurity threats to the U.S. government and he has accused the administration of not making security a priority as it furiously works to try to fix the website’s technical problems by a self-imposed Nov. 30 deadline.
Republicans have pointed to an internal Centers for Medicare and Medicaid Services memo from Sept. 27 that said “from a security perspective,” aspects of the system were not tested, exposing “a level of uncertainty that can be deemed as high risk.”
The memo was written by IT officials James Kerr and Henry Chao, and was signed by CMS Administrator Marilyn Tavenner.
Because healthcare.gov is such a high-profile website that collects sensitive personal data on individuals, computer security experts say the U.S. government should expect persistent and continuous targeting from foreign governments, organized crime and individual fraudsters.
“China, Iran, Russia – the Russian mafia – all are undoubtedly targeting it,” said Dave Aitel, who joined the National Security Agency at age 18 before being a cybersecurity consultant and starting his own firm, Immunity, in 2002.
Over the last month, specific incidents of the system exposing individuals’ personal information have surfaced.
In one case, an outside cybersecurity expert testing the site on his own said he was able to easily obtain personal information by working through the website’s function for resetting lost usernames and passwords.
In another case that attracted publicity, a North Carolina man who tried to sign up on healthcare.gov said he was sent another family’s eligibility letters, which included their names and home address.
Health and Human Services said both of those problems have been fixed.
HHS spokeswoman Joanne Peterson said consumers can trust the information they’re providing is “protected by stringent security standards and that technology underlying the application process has been tested and secure.”