Obamacare Proves Attractive to (Unsuccessful) Hackers

More than a dozen major cyber-attacks have been mounted against the Obamacare website so far – and all of them have failed to date

The attacks – and the thwarting of them – were confirmed to CNN by a Homeland Security Department official.

It’s no wonder that the site has become a target, considering the sheer number of people hitting the HealthCare.gov website (26,794 have signed up online via the site for insurance, but millions have visited), and the fact that it involves personal information and healthcare. The site should be like catnip to nefarious types.

The attacks are under investigation to uncover the perpetrators, the official said, and added that the government is also investigating a distributed denial-of-service (DDoS) tool called, rather unimaginatively, “Destroy Obama Care!”, which was first reported by Arbor Networks earlier in the month.

The tool’s goal is to alternate requests to both the homepage and the “Contact Us” page in hopes of overloading the site with traffic. But Arbor researcher Marc Eisenbarth said that it can hardly live up to its name: it has a limited request rate, lacks significant distribution, and has certain features in its underlying code that hamstring its effectiveness.

The official line from the administration is that cybersecurity is not a serious issue. Acting Assistant Homeland Security Secretary Roberta Stempfley of the Office of Cybersecurity and Communications, testifying at a hearing of the House Homeland Security Committee, said only that "we are aware of one open-source action attempting to perpetrate a denial of service attack against the HealthCare.gov site that has been unsuccessful." Department officials were quick to later say that Stempfley was not referring to any actual attack, but rather merely the unsuccessful software tool.

Meanwhile, in another hearing on Capitol Hill, Health and Human Services CIO, Frank Baitman, said that his department had uncovered items related to attempted security breaches that were disclosed in a report, but which were not serious and had been resolved.

In the House Homeland Security hearing, database expert Luke Chang warned that the so-far smooth sailing on the cyber-front could soon become choppy. “When you have an environment where the developer can barely get the website functional, security is way down on the list of things to take care of,” he warned. “Security has to be built in at the very beginning, not at the very end.”
