News in Brief
Cyber problems at HealthCare.gov, cyber sharing at the Pentagon and more
Audit finds cybersecurity lacking at HealthCare.gov
The federal government stored sensitive personal information on millions of health insurance customers in a computer system that had basic security flaws, according to an audit conducted by the Department of Health and Human Services.
The Obama administration said it acted quickly to fix all the problems identified by the audit of the Multidimensional Insurance Data Analytics System (MIDAS), the electronic backbone and central storehouse for information collected under the 2010 health care law.
MIDAS does not handle medical records, but it does include the names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial account information of millions of customers on HealthCare.gov and state insurance marketplaces.
Among the problems uncovered:
- Unencrypted user sessions, contrary to standard practices on financial websites.
- A shared read-only account for access to the database that contained individuals' personal information, a serious vulnerability if data is stolen.
- Failure to disable "generic accounts" used for maintenance or other special access during testing.
- Failure to conduct certain automated vulnerability scans that mimic known cyberattacks.
GAO to Pentagon: Share more cyber resources with small businesses
As of July, the Defense Department's Office of Small Business Programs "had not identified and disseminated cybersecurity resources" in its outreach to small businesses, according to a Government Accountability Office report.
GAO identified 15 existing federal resources for doing so, including online training from the Defense Security Service and a planning tool for small businesses provided by the Federal Communications Commission.
The DOD office is considering including cybersecurity resources in its outreach to small companies, according to GAO. Doing so would be in line with the Pentagon's Cyber Strategy, which calls for more collaboration with the private sector to build layered cyber defenses, the report states.
Cyber Command official shares more on joint exercise
A joint cyber exercise that the Pentagon held in June gave defense officials clearer insight into how cyberthreats drive business operations in the private sector, according to a U.S. Cyber Command official.
This was the fourth year of the exercise but the first time it included private-sector participants. Rear Adm. Kevin Lunday, Cyber Command's director of exercises and training, shed a bit more light on the classified exercise at a Sept. 24 conference at Georgetown University. One of the nightmarish scenarios simulated in the exercise was the disruption of a major shipping port in Britain by a cyberattack, Lunday said at the conference, which was sponsored by the National Geospatial-Intelligence Agency.
"This wasn't a prediction or a forecast of what might happen," he said. "It's simply a realization that there is a tremendous amount of uncertainty out there."
The three-week exercise was sponsored by the FBI and the Department of Homeland Security and held at a Joint Staff J-7 facility in Suffolk, Va. Representatives of the energy, financial, IT and transportation sectors were on hand for the exercise, Lunday said.
During the exercise, teams from the Pentagon, other federal agencies, the National Guard and elsewhere work to repel simulated attacks on a closed, classified computer network.
Lunday said publicizing the exercise might serve as a deterrent for adversaries considering cyberattacks on U.S. infrastructure.
State developing social media and analytics platform
The State Department is building a real-time, cross-platform content management and analytics system for its social media accounts, GCN reports.
Officials are working with the Winvale Group, a business management consultant, to develop a mobile-enabled platform that will allow them to communicate, contribute and collaborate in real time and schedule and publish content across multiple social media platforms.