New woes for Obamacare website—hackers
The Department of Homeland Security said there have been multiple unsuccessful cyberattacks against the federal Obamacare exchange website, HealthCare.gov.
The news comes as glitches continue to plague the exchange, with federal officials saying just over 106,000 people have signed up for Affordable Care Act insurance plans, and a paltry 26,000 have done so through the federal exchange.
Roberta Stempfley, DHS' acting assistant secretary of the office of cybersecurity and communications, testified before the House Homeland Security Committee on Wednesday, saying, "We have had a handful of reports from the Department of Health and Human Services. A number of about 16, if my memory recalls, but I will get a specific number for you."
A DHS spokesman, Sy Lee, confirmed Friday that there have been 16 cyber attacks since the site went live.
During her questioning, Stempfley also revealed there was one unsuccessful denial of service attack.
Distributed denial of service (DDOS) attacks attempt to overwhelm a website and prevent users from accessing it. According to security company Arbor Networks, one-third of DDOS attacks are politically motivated.
"[DDOS attacks are] a popular way of voicing civil disobedience," said Dan Holden, director of security research for Arbor Networks' security engineering and response team.
The company's research found a DDOS tool designed to carry out an attack on HealthCare.gov, which appeared to express anti-Obamacare sentiment. Included in the tool was text that read, "ObamaCare is an affront to the Constitutional rights of the people. We HAVE the right to CIVIL disobedience!"
Source: Arbor Networks
Holden said that in this case, "the message is sent via the tool itself."
A DHS spokesman confirmed to CNBC that Stempfley referred to this tool in her testimony.
Fortunately for HealthCare.gov, the tool is simplistic, with limited efficacy, Holden said.
Still, Holden said he worries that once HealthCare.gov is functional, there could be successful cyberattacks.
"If the site wasn't properly engineered to function, what would lead us to believe security is better engineered than functionality?"