On November 19, 2013, Strauss Center Distinguished Scholar Dr. Fred Chang testified before the U.S. House Committee on Science, Space and Technology regarding the cybersecurity threats posed to the government’s new health care website: healthcare.gov. In his testimony, Dr. Chang stated that in cyberspace we currently face intelligent and able opponents, capable of penetrating and compromising entire systems. These adversaries are already taking advantage of the risks inherent in healthcare.gov.

One risk is its “complexity,” which makes the system prone to more flaws and seams that can be exploited by cyber adversaries. For example, to get a quote for health insurance the system needs to access servers and databases with enormous amounts of sensitive information. Says Chang, “[By] increasing the access channels into these sensitive databases […] the size of the “attack surface” has increased.” Other risks include “bogus websites.” Because there is not one single webpage on which people can sign up for coverage, users can be easily confused. Fake websites that look like the federal or state marketplaces have already sprung up, potentially collecting sensitive information from users (such as social security numbers) and spreading malware.

Dr. Chang concluded his remarks by speaking of the urgent need for a “science of cybersecurity.” While short term measures should be taken to improve the security of healthcare.gov, he argues that there are many longer term issues that should also be addressed, for the threats to cybersecurity will not go away anytime soon. His testimony in-full can be found online, here.