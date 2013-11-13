(Recasts lead, adds committee chairman, fresh homeland security
comment, context)
By Alina Selyukh
WASHINGTON Nov 13 U.S. authorities are
investigating a series of cybersecurity incidents targeting the
HealthCare.gov website at the center of President Obama's
healthcare law, a U.S. homeland security official told Congress
on Wednesday.
Roberta Stempfley, acting assistant secretary of the
Department of Homeland Security's Office of Cybersecurity and
Communications, said her department was aware of "about 16"
reports from the Department of Health and Human Services - which
is responsible for implementing the healthcare law - on
cybersecurity incidents related to the website.
Testifying before the House of Representatives Homeland
Security Committee, Stempfley also said officials were aware of
an unsuccessful attempt by hackers to organize a "denial of
service" attack to overwhelm and take down the website.
Stempfley's testimony marked the first time that the Obama
administration publicly discussed cybersecurity threats to the
website at the heart of the law known as Obamacare.
Obama has faced sharp criticism over the technical problems
that have plagued the HealthCare.gov website - set up to enable
uninsured Americans to buy affordable health insurance - since
its launch last month.
Some experts have raised concerns about the security of the
private data collected by the site, such as Social Security
numbers, email addresses, phone numbers and birth dates that
could be used by criminals for identity theft or other schemes.
"This is a goldmine for hackers. ... Frankly, I think it's
the tip of the iceberg," Homeland Security Committee Chairman
Michael McCaul, a Texas Republican, told Reuters after
Stempfley's testimony.
"That's the first public testimony we've had on this and
we'll certainly follow up," McCaul added.
Department of Homeland Security officials declined to
provide further details on cybersecurity incidents related to
HealthCare.gov. One department official, speaking on condition
of anonymity, said after the hearing that the incidents were not
considered significant.
The official also said the DHS cybersecurity office has not
received any report of a successful attack on HealthCare.gov.
During the hearing, Stempfley told lawmakers that "we are
aware of one open-source action attempting to perpetrate a
denial of service attack against the HealthCare.gov site that
has been unsuccessful."
Although some lawmakers on the panel took Stempfley's words
to indicate an acknowledgement of an attempted cyberattack on
the site, department officials later said Stempfley was not
referring to any actual attempted cyberattack but to an
unsuccessful software tool created to enable such an attack.
Stempfley did not comment after the hearing.
Security researchers last week reported that hacker
activists were distributing a software tool through social media
sites that was designed to attack the site by performing
requests to pull up several pages on HealthCare.gov.
The developers of the software - dubbed "Destroy Obama
Care!" - said in remarks annotated in the tool that its purpose
was to overload and crash the system, according to a screenshot
posted by security researchers with Arbor Networks.
The Arbor Networks researchers said that the tool was
unlikely to succeed in taking down the site because of
weaknesses in its design.
Stempfley said the HHS's Centers for Medicare and Medicaid
Services (CMS), the lead health agency managing the rollout of
the site, had not sent a specific request for help, so federal
cyber officials have not provided any technical assistance yet.
Henry Chao, deputy chief information officer for CMS, said
at another hearing on Wednesday that the information technology
system behind the website employs "stringent privacy and
security controls to safeguard consumer data."
Obama has promised Americans that the website will work for
most people by the end of the month - a critical deadline for
those who need to sign up for insurance benefits that would
start on Jan. 1.
(Additional reporting by Jim Finkle; Editing by Will Dunham)