The experts said the site needed to be completely rebuilt to run more efficiently, making it easier to protect. They said HealthCare.gov runs on 500 million lines of code, or 25 times the size of Facebook, one of the world’s busiest sites.
“When your code base is that large it’s going to be indefensible,” Morgan Wright, CEO of a firm known as Crowd Sourced Investigations, said in an interview after testifying at the hearing.
“Do you want to defend the Great Wall of China or a very small line?”
David Kennedy, head of computer security consulting firm TrustedSec LLC and a former U.S. Marine Corps cyber-intelligence analyst, gave lawmakers a 17-page report that highlights the problems with the site and warned that some of them remain live.
The site reveals when a user name is invalid during login, allowing hackers to identify user IDs, according to the report, which also warns of other security bugs.
Avi Rubin, director of the Information Security Institute at Johns Hopkins University and an expert on health and medical security, said he needed more data before calling for a shutdown of the site.
“Bringing down the site is a very drastic response,” he told Reuters after the hearing.
But he said he would not use the site because he is concerned about security bugs that have been made public.
In written testimony, Kennedy said it would take a minimum of seven to 12 months to fix the problems with the site shut down, given the site’s complexity and size.