White House Going With 'Security By Obscurity' As Excuse For Refusing To Release Healthcare.gov Security Details
from the hackers! dept
These days, in the computer security world, it’s pretty well known that if you’re relying on security by obscurity, you’re not being secure. Somehow that message has not reached the techies working on Healthcare.gov. I guess it shouldn’t be much of a surprise, given what a disaster the rollout of that site was, but everyone was claiming that the whole thing was under control these days, since real techies had been brought in to fix things. In fact, everyone was so happy with Mikey Dickerson’s miraculous saving of the program that the White House set up a special US Digital Service for him to lead, allowing him to save other US government projects from near certain disaster.
But when the Associated Press filed a Freedom of Information Act request to find out how Healthcare.gov was handling its security, it got rejected because, according to the White House, it might teach hackers how to break into the system:
In denying access to the documents, including what’s known as a site security plan, Medicare told the AP that disclosing them could violate health-privacy laws because it might give hackers enough information to break into the service.
“We concluded that releasing this information would potentially cause an unwarranted risk to consumers’ private information,” CMS spokesman Aaron Albright said in a statement.
Of course, that suggests that merely revealing the security steps the site has taken will reveal massive vulnerabilities — and, as most people with even the slightest bit of technological knowledge know, if that’s the case, then it’s likely the site has already been compromised. If revealing the security setup for the site will leave it open to being hacked, we should probably assume the site was hacked a long, long time ago. If they’re deploying security right, merely telling the world what they’re doing wouldn’t increase the risk. The fact that they’re afraid it will suggests that the security plan is dangerously weak.