Tuesday could have been a great day for Republicans.
Oct. 1 marked the launch of the Affordable Care Act's insurance exchanges, and sure enough -- as they predicted, and the administration acknowledged -- there were glitches. Plenty of glitches.
Since glitches could undermine public confidence in Obamacare and Republicans hate the idea of providing coverage to the uninsured and fear nothing more than the eventual success of the law, this was "good news" on the right.
Too bad for them the government shutdown they're responsible for deprived almost all other national news of oxygen. While most government agencies are shuttered for the time being, the Affordable Care Act is humming along on autopilot, its implementation scarcely impacted by the shutdown. Under cover of the media's obsession with GOP infighting and attendant dysfunction, the administration will have a second chance to make a first impression.
But that means no taking anything for granted. ACA supporters everywhere, including the president, attributed first day snafus to an unexpected traffic tsunami. It was all good news, they claimed. The demand for Obamacare is greater than expected.
They need to be careful not to let their counter-spin become sanguinity.
Eventually -- actually, very soon -- these websites will need to work reliably for every eligible person who wants to access benefits. That means fixing real internal problems as well as being on guard for inevitable mischief on the part of Obamacare's myriad political foes.
Matthew Prince is CEO and cofounder of CloudFlare, a company that helps clients improve their services and protects them from bad actors online.
He told me via phone on Tuesday that the early stories about problems with healthcare.gov and other exchange sites around the country don't suggest sabotage… yet. For now it looks like a mix of technical hiccups and unexpected traffic driven by organic interest in the launch of the program.
But he believes the attacks will come.
"There are three reasons people launch these attacks: extortion … competition … and the third, which is almost certainly going to be the case with these healthcare exchanges and other apparatuses around the bill, is political. And because this is a politically sensitive project, it's probably inevitable that there will be attacks intended to harm the program and embarrass the administration," Prince said.
There are two main kinds of DDoS, or distributed denial-of-service, attacks, Prince said, one of which is almost certainly not happening now and one of which would be difficult to spot from the user experience accounts and screen grabs featured in Obamacare Day One stories.
"For the denial of service attacks, there's one that does not appear to be going on, which is a volume-based attack where you send a huge amount of data to the site," Prince said. "If that were to happen, you'd just get an error page like 'this site isn't available' instead of error messages from the application."
The second type of attack, called an "application layer attack," is better disguised. Unlike the former, which directs a deluge of garbage data at the site, an application layer attack looks like a bunch of legitimate requests, which ultimately overwhelm the site's backend resources.
"That may be going on today," Prince said. "If I had to guess, this is first day glitches. The challenge of distinguishing between an attack and more traffic than a site can handle is that a denial of service attack is sending more traffic than a site can handle."
It might sound like a stretch to assume that Obamacare opponents will resort to breaking these portals, denying uninsured people the ability to shop for insurance. But anyone who's covered the official and grass-roots Obamacare sabotage efforts knows how likely it is.
"In terms of the level of skill required to launch denial of service attacks, this is the equivalent of a caveman with a club. It's not rocket science," Prince said. "There are services that you can pay by the hour to launch the attacks. Anyone with a political ax to grind, if there's an online component, that online component is going to be subject to attack."
Fortunately there are steps administrators can take to protect the sites from these kinds of attacks. But it's not clear that they've taken them yet. The head of New York's exchange is looking into whether an immense flood of traffic to the site yesterday was an act of mischief.
Prince says the consequences of the attacks will be survivable, but believes potential attackers saw Tuesday's problems and identified weaknesses.
"That's taught the attackers and political opponents that it's possible to knock these sites offline," he said. "I would be surprised if it doesn't morph into a political attack going forward. It'll be costly and embarrassing and shake trust, but ultimately it'll get resolved."