The Belarusian Connection
Obamacare network vulnerable to cyber attack
The Washington Free Beacon
Bill Gertz
2/3/2014
Excerpt:
U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
The intelligence agencies notified the Department of Health and Human Services, the agency in charge of the Healthcare.gov network, about their concerns last week. Specifically, officials warned that programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected of inserting malicious code that could be used for cyber attacks, according to U.S. officials familiar with the concerns.
The software links the millions of Americans who signed up for Obamacare to the federal government and more than 300 medical institutions and healthcare providers.
“The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks,” one official said.
Cyber security officials said the potential threat to the U.S. healthcare data is compounded by what they said was an Internet data “hijacking” last year involving Belarusian state-controlled networks. The month-long diversion covertly rerouted massive amounts of U.S. Internet traffic to Belarus—a repressive dictatorship located between Russia, Poland, and Ukraine.
“Belarusian President [Alexander] Lukashenko’s authoritarian regime is closely allied with Russia and is adversarial toward the United States,” the official added.
The combination of the Belarus-origin software, the Internet re-routing, and the anti-U.S. posture of the Belarusian government “makes the software written in Belarus a potential target of cyber attacks for identity theft and privacy violations” of Americans, the official said.
Security officials urged HHS to immediately conduct inspections of the network software for malicious code. The software currently is used in all medical facilities and insurance companies in the United States.
The officials also recommended that HHS use security specialists not related to software vendors for the inspections to reduce further risks.
Officials disclosed the software compromise last week after the discovery in early January of statements by Belarusian official Valery Tsepkalo, director of the government-backed High-Technology Park (HTP) in Minsk.
Tsepkalo told a Russian radio station in an interview broadcast last summer that HHS is “one of our clients,” and that “we are helping Obama complete his insurance reform.”
“Our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies—they will see the full profile of the given patient,” Tsepkalo said June 25 on Voice of Russia Radio.
White House National Security Council spokeswoman Caitlin Hayden said an intelligence report on the Belarusian software was “recalled by the intelligence community shortly after it was issued.”
The report has prompted HHS to conduct a review to determine if software related to the Affordable Care Act “was written by Belarusian software developers,” she said.
“So far HHS has found no indications that any software was developed in Belarus,” Hayden said. “However, as a matter of due diligence, they will continue to review the supply chain. Supply chain risk is real and it is one of our top concerns in the area of cyber-security.”
A senior administration official questioned whether suspect software mentioned in the report would be valuable to a nation state.
“Nation states are generally not interested in [personal identification information] for its own sake,” the official said. “Given that, we would be surprised to see a nation-state capability applied in this matter. But we are doing a thorough review anyway.”
HSS spokeswoman Dori Salcido referred questions about the matter to Richard A. Olague, spokesman for the HHS’ Centers for Medicare and Medicaid Services (CMS). Olague declined to discuss the software vulnerability.
He also would not say if CMS is conducting a search for malicious software emanating from Belarus.
CMS said in a statement to the Washington Free Beacon that assessments by independent security contractors are conducted regularly by companies such as MITRE and Blue Canopy.
The website also is continuously monitored by CMS technicians and electronic sensors, and weekly penetration tests to check the security of the system are carried out.
A CMS security team in place also seeks to “identify anomalous activity, and to deter and prevent any unauthorized access,” the statement said.
“In addition, as new website functions continue to go live, CMS follows a rigorous and regular change management process with ongoing testing and mitigation strategies implemented in real time,” the statement said. “This occurs on a regular basis, in between the [source code analysis] testing periods.”
A spokeswoman for CGI Federal, the main federal contractor for the healthcare network, also had no immediate comment.
Intel chair calls for probe
House Permanent Select Committee on Intelligence Chairman Rep. Mike Rogers (R., Mich) said he was surprised by media reports from Belarus indicating “some parts of Healthcare.gov or systems connected to it may have in fact been written overseas.” He called for an independent security review of the Obamacare website.
Rogers said he was especially concerned by the potential software vulnerability because a CGI executive, Vice President Cheryl Campbell, testified to Congress that all software work for the network had been done in the United States.
........................................
View the complete article at:
http://freebeacon.com/the-belarusian-connection/
Obamacare network vulnerable to cyber attack
The Washington Free Beacon
Bill Gertz
2/3/2014
Excerpt:
U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.
The intelligence agencies notified the Department of Health and Human Services, the agency in charge of the Healthcare.gov network, about their concerns last week. Specifically, officials warned that programmers in Belarus, a former Soviet republic closely allied with Russia, were suspected of inserting malicious code that could be used for cyber attacks, according to U.S. officials familiar with the concerns.
The software links the millions of Americans who signed up for Obamacare to the federal government and more than 300 medical institutions and healthcare providers.
“The U.S. Affordable Care Act software was written in part in Belarus by software developers under state control, and that makes the software a potential target for cyber attacks,” one official said.
Cyber security officials said the potential threat to the U.S. healthcare data is compounded by what they said was an Internet data “hijacking” last year involving Belarusian state-controlled networks. The month-long diversion covertly rerouted massive amounts of U.S. Internet traffic to Belarus—a repressive dictatorship located between Russia, Poland, and Ukraine.
“Belarusian President [Alexander] Lukashenko’s authoritarian regime is closely allied with Russia and is adversarial toward the United States,” the official added.
The combination of the Belarus-origin software, the Internet re-routing, and the anti-U.S. posture of the Belarusian government “makes the software written in Belarus a potential target of cyber attacks for identity theft and privacy violations” of Americans, the official said.
Security officials urged HHS to immediately conduct inspections of the network software for malicious code. The software currently is used in all medical facilities and insurance companies in the United States.
The officials also recommended that HHS use security specialists not related to software vendors for the inspections to reduce further risks.
Officials disclosed the software compromise last week after the discovery in early January of statements by Belarusian official Valery Tsepkalo, director of the government-backed High-Technology Park (HTP) in Minsk.
Tsepkalo told a Russian radio station in an interview broadcast last summer that HHS is “one of our clients,” and that “we are helping Obama complete his insurance reform.”
“Our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies—they will see the full profile of the given patient,” Tsepkalo said June 25 on Voice of Russia Radio.
White House National Security Council spokeswoman Caitlin Hayden said an intelligence report on the Belarusian software was “recalled by the intelligence community shortly after it was issued.”
The report has prompted HHS to conduct a review to determine if software related to the Affordable Care Act “was written by Belarusian software developers,” she said.
“So far HHS has found no indications that any software was developed in Belarus,” Hayden said. “However, as a matter of due diligence, they will continue to review the supply chain. Supply chain risk is real and it is one of our top concerns in the area of cyber-security.”
A senior administration official questioned whether suspect software mentioned in the report would be valuable to a nation state.
“Nation states are generally not interested in [personal identification information] for its own sake,” the official said. “Given that, we would be surprised to see a nation-state capability applied in this matter. But we are doing a thorough review anyway.”
HSS spokeswoman Dori Salcido referred questions about the matter to Richard A. Olague, spokesman for the HHS’ Centers for Medicare and Medicaid Services (CMS). Olague declined to discuss the software vulnerability.
He also would not say if CMS is conducting a search for malicious software emanating from Belarus.
CMS said in a statement to the Washington Free Beacon that assessments by independent security contractors are conducted regularly by companies such as MITRE and Blue Canopy.
The website also is continuously monitored by CMS technicians and electronic sensors, and weekly penetration tests to check the security of the system are carried out.
A CMS security team in place also seeks to “identify anomalous activity, and to deter and prevent any unauthorized access,” the statement said.
“In addition, as new website functions continue to go live, CMS follows a rigorous and regular change management process with ongoing testing and mitigation strategies implemented in real time,” the statement said. “This occurs on a regular basis, in between the [source code analysis] testing periods.”
A spokeswoman for CGI Federal, the main federal contractor for the healthcare network, also had no immediate comment.
Intel chair calls for probe
House Permanent Select Committee on Intelligence Chairman Rep. Mike Rogers (R., Mich) said he was surprised by media reports from Belarus indicating “some parts of Healthcare.gov or systems connected to it may have in fact been written overseas.” He called for an independent security review of the Obamacare website.
Rogers said he was especially concerned by the potential software vulnerability because a CGI executive, Vice President Cheryl Campbell, testified to Congress that all software work for the network had been done in the United States.
........................................
View the complete article at:
http://freebeacon.com/the-belarusian-connection/