Can the US Government procure IT security successfully?
In a speech today, the president admitted that "one of the things [the US government] does not do well is information technology procurement." Having worked around government IT for years, I think that's a gross understatement. But okay, so at least he knows we suck at IT procurement. Surely we do a better job at information security, right? I mean, security is probably separate from "IT procurement" in the president's mind. So I'm sure they've got the security of healthcare.gov worked out.
Or maybe not…
Earlier in the week HHS sources noted that public and private sector workers were operating 24/7 to get the site fully functional. Certainly they're following best coding practices while working 24/7. I'm sure there's a project plan, complete with regression tests so nothing bites us from a security perspective. After all, when was the last time re-coding something introduced a bug? But the interesting part is that for all the talk of fixing the site to ensure that it is available, I rarely hear people talk about security (or how security can be ensured in such a rapidly changing code base).
But that’s not the worst of it!
The person at HHS responsible for deploying healthcare.gov didn’t know that end to end security testing hadn’t been completed when the site when live on October 1st. He testified to congress that details of existing security problems had been hidden from him (literally claiming that he didn’t get the memo). This points to a clear failure in the security of the site when the person making go/nogo decisions isn’t “in the know” on critical security issues. When asked if he thought that healthcare.gov was as secure as his bank website, he refused to answer and said instead that it “complies with all federally mandated security standards.” Whoa! WTF??? Hold the phone… you want me to put my personal data on the site when you have no confidence in it? Yeah, that’s pretty much insane. Based on this alone, healthcare.gov should be taken offline. That is until such a time as government officials can answer under oath that it is as secure as my online banking site (which I think, by the way, is a pretty low bar).
But are there really critical security issues?
I’m guessing that there are. The site is vast, complex, and there have already been hushed reports of information disclosure vulnerabilities. The fact that vulnerabilities were discussed in closed sessions in congress tells me that there is something to hide. I’m guessing that “something” is huge. I’ve performed security testing on similar sites of lower complexity and found serious vulnerabilities. If you’re thinking that the government contractor who developed healthcare.gov is better than those I’ve had the privilege to test, just remember that the same contractor can’t keep the site online under even moderate load. How sure are you that their security engineering is better than their availability engineering? Remember, this question isn’t rhetorical: you’re literally betting the confidentiality of your private information on the answer.
Call to arms
Hopefully this has given you some food for thought. I’d like to point out that I haven’t performed any security testing on healthcare.gov (I don’t have a CFAA letter and I’m too pretty for jail). However, if this has gotten you thinking, then spread the word to those who will be using the site. Better yet, call your congressman and demand independent end to end security testing of the site. The fact that the site went live without it is a huge failure, and it’s one we can’t afford to continue.