The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website

Yesterday, Rep. Lamar Smith, the Republican Chairman of the House Committee on Space, Science and Technology, had four cyber security experts testify about the poor security of the healthcare.gov website. Of the four experts, at least two were ardent critics of the Obama Administration in general and the Affordable Care Act specifically: David Kennedy, the CEO of TrustedSec, and Morgan Wright, the CEO of Crowd Sourced Investigations. And of those two, only one - David Kennedy - could accurately be called a cyber security "expert".

While it's not surprising that a Republican Committee would load its witness list with individuals who would support its anti-Administration agenda, what was surprising was that David Kennedy used his reputation as a pen-tester to do an unauthorized security audit of the site and then go public with his findings. TrustedSec LLC, Kennedy's company, was not engaged by the U.S. Department of Health and Human Services (HHS) to perform penetration testing on Healthcare.gov. If it had been, he'd be under an NDA not to discuss his findings. Instead, he took it upon himself to run a passive test against the site.

Passive testing occurs when a user monitors his own interaction with a website by routing it through a proxy server and using a "sniffer" to inspect the traffic between the website and the proxy server. Kennedy hasn't disclosed exactly how he conducted his passive vulnerability assessment, but it wouldn't have revealed enough data to warrant an opinion that the site "had already been hacked", as Mr. Kennedy told the committee:
“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”
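To make concrete what a passive test of this kind can and cannot show, here is an added example (not code from the original post, and not TrustedSec's or anyone else's published tooling). It parses raw HTTP responses of the sort a proxy or sniffer records while the tester browses a site normally, and reports the only class of thing such a capture yields: missing hardening headers, a disclosed server version, and cookies set without the Secure or HttpOnly flags. The two captured responses are constructed for the example, and the header names checked are an assumed, illustrative set. Nothing in such output is evidence that a site has been compromised; it is configuration observation, which is the distinction the post is drawing.

```python
"""Passive inspection of captured HTTP responses.

Added illustration, not code from the original post or from TrustedSec.
It parses responses as a proxy or sniffer would record them and reports
only what a passive capture can actually show: missing hardening headers,
server version disclosure and weak cookie flags.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample captures for the example (not real HealthCare.gov traffic).
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.15\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: session=abc123; Path=/\r\n"
    b"\r\n<html>...</html>",
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Set-Cookie: session=xyz; Path=/; Secure; HttpOnly\r\n"
    b"\r\n",
]

# Assumed, illustrative set of hardening headers a passive review would look for.
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "content-security-policy",
)


@dataclass
class Capture:
    """One captured HTTP response: status line plus lower-cased header map."""
    status: str
    headers: Dict[str, List[str]]


def parse_response(raw: bytes) -> Capture:
    """Split a raw HTTP response into its status line and headers.

    Header names are lower-cased; repeated headers (e.g. several Set-Cookie
    lines) are kept as a list. The body is ignored: passive review of
    headers does not need it.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Capture(status=lines[0], headers=headers)


def passive_findings(cap: Capture) -> List[str]:
    """Return the configuration observations a passive capture supports.

    Each finding is a hardening gap, not an indicator of compromise.
    """
    findings: List[str] = []
    for name in EXPECTED_HEADERS:
        if name not in cap.headers:
            findings.append(f"missing header: {name}")
    # A version string in the Server header is disclosure, nothing more.
    for server in cap.headers.get("server", []):
        if any(ch.isdigit() for ch in server):
            findings.append(f"server version disclosed: {server}")
    for cookie in cap.headers.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie without Secure flag: {cookie_name}")
        if "httponly" not in attrs:
            findings.append(f"cookie without HttpOnly flag: {cookie_name}")
    return findings


def review_captures(raws: List[bytes]) -> List[List[str]]:
    """Run the passive review over every captured response."""
    return [passive_findings(parse_response(raw)) for raw in raws]


if __name__ == "__main__":
    for idx, findings in enumerate(review_captures(SAMPLE_RESPONSES)):
        print(f"response {idx}: {len(findings)} finding(s)")
        for item in findings:
            print("  -", item)
```

Run against the two constructed captures, the first response produces six configuration findings and the second none; in neither case does the capture say anything about whether the server behind it has been breached, which is why observations of this kind cannot support a claim that a site is "hacked already".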
In my opinion, this raises serious ethical issues on the part of Mr. Kennedy and his company TrustedSec LLC. Vulnerability assessments, including penetration testing, are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company. In fact, it would be professional suicide for any pen tester to "out" the vulnerabilities found on a client's website. Obviously, neither Kennedy nor TrustedSec had that relationship with HHS. Instead, Kennedy ran an unauthorized and undefined "passive" vulnerability assessment, which by its nature could not provide any kind of thoroughness in its findings, and then announced those findings publicly to support a Right-wing political agenda. If he had done that against a private company, he'd be sued.

In contrast to the approach that Kennedy took, Dr. Avi Rubin, Director of the Health and Medical Security Laboratory and Technical Director of the Information Security Institute at Johns Hopkins University (one of the remaining two experts who testified before the committee), advised that a full security review of the site was in order, and:
“I would need to know whether there are inherent flaws vs. superficial problems that can be fixed,” Rubin says. “If they can be fixed, that’s better than shutting it down.”
What a concept: do a proper investigation and then provide an informed opinion based upon facts.
