The NSA is famous for employing small focused teams of highly talented, highly recruited experts with special skills, said Chris Wysopal, a former hacker who is chief technology officer for Veracode in Burlington, Mass. But the Health and Human Services Department's website designers? "They are sort of your average developers," he said.
Ex-hacker Marc Maiffret, who once wore his hair green in spikes and is the chief technology officer at BeyondTrust of San Diego, said Beltway contractors who work on civilian technology projects usually are over-budget and under-performing. Teams putting together large IT systems are complex and must coordinate across different government agencies, insurance companies, states and contractors.
"They may have underestimated the complexity when they started on it, which is again not surprising," said Purdue University computer science professor Gene Spafford.
Motivation is important too. Patriotic hacking on behalf of the NSA is exciting, especially among the mostly young and mostly male demographic.
"Breaking in, it feels like special ops," Wysopal said. "Building something feels probably like you're in the Corps of Engineers. You're just moving a lot of dirt around."
It's also widely understood to be easier to break something down than to build it. Siphoning the Google and Yahoo data is simpler to do than building a secure website for millions of people to get health care, Wysopal and Maiffret said.
Besides, few people would learn about it if the NSA had failed to collect all the data it wanted during a classified mission, unlike the health care website, whose problems became known almost immediately after its launch, said Matt Green, a computer science professor at Johns Hopkins University.
"If the NSA doesn't do something, you and I don't hear about it," Green said.
The government generally spends more money researching how to attack, not defend, computers, said Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue.
The apparent contradiction between health care and the NSA, Spafford said, "is what makes computers magical."
Center for Education and Research in Information Assurance and Security: http://www.cerias.purdue.edu/site/about
Follow Seth Borenstein on Twitter at http://twitter.com/borenbears