Good News: parts of healthcare.gov designed by Putin allies
**Posted by Phineas
Security holes? What are those? And did you hear about Chris Christie closing a bridge in New Jersey??
U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
The intelligence agencies notified the Department of Health and Human Services, the agency in charge of the Healthcare.gov network, about their concerns last week. Specifically, officials warned that programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected of inserting malicious code that could be used for cyber attacks, according to U.S. officials familiar with the concerns.
The software links the millions of Americans who signed up for Obamacare to the federal government and more than 300 medical institutions and healthcare providers.
“The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks,” one official said.
Belarus has been described as Europe’s last Stalinist country, and apparently they work very hard to prove themselves worthy allies of Moscow. According to Gertz’s article, in addition portions of healthcare.gov’s software being designed by an entity controlled by the Belarussian government, last year that same government successfully hijacked massive amounts of US Internet traffic for nearly a month:
According to the New Hampshire-based security firm Renesys, which discovered the data diversion, throughout February 2013, Internet traffic from the United States was sent to Belarus. The purpose likely was to allow hackers or government agencies to sift for data for financial, economic, or government intelligence.
The data also may have been modified for other purposes before being returned to the original U.S. and other foreign destinations.
The bulk diversion technique is called border gateway protocol hijacking. It involves using a series of network addresses to mask the data diversion through numerous Internet hubs around the world.
Renesys traced the data diversion from Washington to New York and Moscow and finally to Minsk, the Belarusian capital. It was returned to the United States via connections in Moscow, Frankfurt, and New York.
Combine the two and you have a very, very big potential problem. Administration officials of course claimed the site was secure and pooh-pooed the idea that nation-states would want to steal personal information, but that’s disingenuous at best.
First, foreign intelligence agencies would very much like to get their hands on conveniently collected personal information, since it would make the creation of solid cover identities for agents much easier. Second, as the article mentions, both the use of a foreign contractor and the internet hijacking make it very easy to implant altered data and even malicious code to do… lots of stuff. Remember Stuxnet?
The elephant in the room that the administration isn’t talking about is the real danger in this: the PPACA created a wealth of interconnected networks with the Federal Data Services Hub at the center of the spider’s web. This hub is connected to agencies such as the IRS and Homeland Security. Even if Lukashenko isn’t interested in chatting with Putin about Joe Six-Pack’s cholesterol, you can darn well bet they’re both very interested in any security holes that allow their spies access to these other networks and to others connected to them.
And with the ability to divert traffic and implant clandestine code… Critics are right: the whole site needs to be shut down and vetted from top to bottom. Even if Obamacare is eventually repealed and the system dismantled, it’s a huge risk while it’s still operational.
As Instapundit likes to say, we’re in the best of hands.
PS: By the way, the now-fired healthcare.gov site builder, CGI Federal, assured the US government that only US contractors were used. Where was the HHS oversight of this?
PPS: Read the whole thing.
RELATED: Between this and Edward Snowden’s invaluable service to Russian intelligence, do we have any secrets from our enemies at all? Also, on a lighter note, Belarus’ Lukashenko is totally not a paranoid nut. Earlier articles about healthcare.gov security vulnerabilities.
(Crossposted at Public Secrets)