Was MNsure's help line hacked in 2016? That's still unsolved, for now

Just before Election Day in 2016, Minnesota's health insurance exchange launched open enrollment. It was a debacle.

Within hours, the MNsure call center was deluged. As insurance shoppers complained of long wait times, Gov. Mark Dayton announced that the state's IT division found that automated systems were flooding the phone lines.

"Somebody's trying to jam the call center, and making robocalls to try to snafu the thing — which is deplorable," Dayton said publicly at the time.

It was a striking claim: that a bad actor invested in seeing MNsure fail conspired to sabotage a system set up to help Minnesotans shop for health insurance.

Since that time, more than a year ago, Minnesotans have heard nothing more about it.

Minnesota IT Services (MNIT), the division that manages state computer networks, referred to its year-old statement on the incident, which said the investigation had been forwarded to the FBI.

The FBI declined to comment.

MNIT, responding to a similar request, released to the Star Tribune a brief e-mail chain from Nov. 23, 2016.

In an e-mail to an FBI agent, a MNIT investigator said there was no evidence the problem was internal.

"We have not been able to determine any legitimate, system-based explanation" for the incident, the state investigator wrote.

Dayton's DFL Party tallied major losses in the election a week after the health insurance snafu and alleged hacking of the phone help line, the latest bad headlines about a continuing source of trouble for his administration.

Republicans and many consumers blamed changes to the health insurance market for premium increases of 50 percent or more in 2016.

If Dayton was right, however, he was calling attention to a new and dark chapter in the nation's increasing political polarization, this time manifested at the state level: sabotaging a duly elected government for partisan advantage.

"It's a state analog to the Russia cybersabotage" of the 2016 presidential election, said Steven Schier, a Carleton College political scientist who has studied and written about partisan polarization.

The question of whether the call-center failure could have been the result of a saboteur, perhaps intending to embarrass Dayton's DFL government a week before the election, is not as outlandish as it might sound.

While not commenting on this specific case, Michael Krause, FBI supervisory special agent, said attacks on government bodies from disgruntled employees and citizens are an emerging threat.

"They don't like some political decision or public policy decision" and try to create mischief, he said.

"As a technical matter, it's both highly plausible and reasonably simple — the sort of thing a [misguided] computer science undergrad could pull off with a couple of hours' work," he said.

In this scenario, the attacker would flood the system with data packets while masking the origin of the calls by making it seem like they were all coming from one number, a technique known as spoofing.

Michael Johnson, chair in Security Technologies at the University of Minnesota, emphasized he was merely speculating based on limited information.

But he said the incident was "more likely than not caused by a malicious party."

Mark Lanterman, chief technology officer at Computer Forensics Services in Minnetonka, was more circumspect: "It wouldn't be my first case in which a large project fails, heads are rolling and you need an explanation," he said.

"The nature of a denial-of-service attack is that it's a blunt instrument: crude and easy to put together, but also easy to overcome," Edelman said. "That's why it's surprising that [state government] did not have a plan in place to defend its networks."

Cambray Crozier, a spokeswoman for MNIT, said the state took steps this year to protect the MNsure open enrollment rollout, which was smoother than in years past. MNIT said the 2016 incident is evidence of the need for more state spending in cybersecurity.

"Nearly every government function that Minnesotans depend on is reliant on technology, but many of the systems we use today run on outdated, unsupported technology that makes them a prime target for attack," said Aaron Call, the state's chief information security officer. "Recognizing the growing threat, we have been advocating the critical need to modernize state systems and strengthen cyberdefenses to better protect Minnesotans."

Now, Minnesota faces the prospect of political sabotage, which is commonplace in other parts of the world.

"It's something we should be worried about," Edelman said. "More than just politicians or parties, we've seen attempts to disrupt entire elections this way in Bulgaria and Ukraine. In other words, increasingly, a denial-of-service attack is on page one in the tyrant's [or desperate politician's] playbook."

Sabotage, Schier said, is a telling metaphor.

"It's a military metaphor," he said. "And military conflict usually involves spying and sabotage on both sides."

If the MNsure phone line was sabotaged, can the crime be solved?

"There's no perfect crime," said the FBI's Krause.

Kyle Loven, a former chief division counsel at the FBI in Minneapolis now at Computer Forensics Services, said attackers' ability to conceal their digital fingerprints often make these crimes difficult to solve.