In July, a hacker gained access to a computer server used to test code for the federal government's Obamacare website HealthCare.gov, according to a Thursday report by the Wall Street Journal's Danny Yadron. Although the Department of Health and Human Services (HHS) stressed no data was taken and no harm resulted, officials remain concerned about the hacker's ease of access and the potential for great damage. But despite HHS's assurances after the breach was discovered on August 25 that measures are in place to guarantee security, including "daily security scans and drill hacking exercises," at least one test site, akatest.healthcare.gov, is still accessible publicly via a simple web browser.
After warning users of potential security issues, different browsers respond to the test site in various ways. For instance, Google's Chrome browser displays lines of computer code, but the Firefox browser actually shows users a somewhat stripped-down version of the normal Healthcare.gov homepage.
Users can click on links to navigate around the test site, although there do not appear to be any opportunities to create or log on to accounts as on the regular site. (A cached version of the above page is saved on archive.org if the government eventually blocks the test server.) This test site was updated as recently as August 28 with a blog post on that date, three days after HHS discovered the July hacking incident and instituted "measures to further strengthen security," according to an HHS official quoted by the Journal. The Journal also said that "[t]he White House and Congressional staff have been briefed on the matter... The Department of Homeland Security, Federal Bureau of Investigation and National Security Agency have aided the investigation," which is still ongoing.
THE WEEKLY STANDARD first reported the vulnerability of Healthcare.gov test sites in December 2013 when at least two such sites were exposed. The two sites, spa.healthcare.gov and test.healthcare.gov, were quickly blocked after our report. It is unclear how long akatest.healthcare.gov has been accessible, and it's also unclear if the akatest server or some other test server was hacked in the incident reported by the Journal.
When asked to comment on this latest discovery, David Kennedy of TrustedSec, an Internet security firm, surmised that probably "they plugged the initial hole, but having their test servers exposed externally is bad practice." Kennedy has testified before Congress about security concerns with the Healthcare.gov site.
With 2015 open enrollment less than two and a half months away, the government has been hiring new personnel and contractors to try to avoid a repeat of last year's debacle. As Congress continues to press for more details of the launch and what went wrong, fresh news of security breaches and potential breaches almost a year after Healthcare.gov launched is not reassuring. The Journal report said that the "server accessed had such low security settings because it was never meant to be connected to the Internet." With the cost of Healthcare.gov estimated in a recent inspector general report to eventually run as high as $1.7 billion, Congress and the public may be justified in wondering if, at least when it comes to security, they are getting their money's worth.