b"<html>\n<title> - IS MY DATA ON HEALTHCARE.GOV SECURE?</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n                             IS MY DATA ON\n                         HEALTHCARE.GOV SECURE?\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 19, 2013\n\n                               __________\n\n                           Serial No. 113-55\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n\n\n\n                                   _____\n\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n86-893PDF                      WASHINGTON : 2013 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Printing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nDANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas\nRALPH M. HALL, Texas                 ZOE LOFGREN, California\nF. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois\n    Wisconsin                        DONNA F. 
EDWARDS, Maryland\nFRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida\nRANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon\nMICHAEL T. McCAUL, Texas             ERIC SWALWELL, California\nPAUL C. BROUN, Georgia               DAN MAFFEI, New York\nSTEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida\nMO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts\nRANDY HULTGREN, Illinois             SCOTT PETERS, California\nLARRY BUCSHON, Indiana               DEREK KILMER, Washington\nSTEVE STOCKMAN, Texas                AMI BERA, California\nBILL POSEY, Florida                  ELIZABETH ESTY, Connecticut\nCYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas\nDAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California\nTHOMAS MASSIE, Kentucky              MARK TAKANO, California\nKEVIN CRAMER, North Dakota           ROBIN KELLY, Illinois\nJIM BRIDENSTINE, Oklahoma\nRANDY WEBER, Texas\nCHRIS STEWART, Utah\nCHRIS COLLINS, New York\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                           November 19, 2013\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................     6\n    Written Statement............................................     7\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Minority Member, Committee on Science, Space, and Technology, \n  U.S. House of Representatives..................................     8\n    Written Statement............................................     9\n\n                               Witnesses:\n\nMr. 
Morgan Wright, Chief Executive Officer, Crowd Sourced \n  Investigations, LLC\n    Oral Statement...............................................    11\n    Written Statement............................................    14\n\nDr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in \n  Cyber Security, Southern Methodist University\n    Oral Statement...............................................    25\n    Written Statement............................................    27\n\nDr. Avi Rubin, Director, Health and Medical Security Laboratory \n  Technical Director, Information Security Institute, Johns \n  Hopkins University (JHU)\n    Oral Statement...............................................    35\n    Written Statement............................................    37\n\nMr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC\n    Oral Statement...............................................    41\n    Written Statement............................................    44\n\nDiscussion.......................................................    65\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMr. Morgan Wright, Chief Executive Officer, Crowd Sourced \n  Investigations, LLC............................................   104\n\nDr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in \n  Cyber Security, Southern Methodist University..................   112\n\nDr. Avi Rubin, Director, Health and Medical Security Laboratory \n  Technical Director, Information Security Institute, Johns \n  Hopkins University (JHU).......................................   120\n\nMr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC......   124\n\n            Appendix II: Additional Material for the Record\n\nLetter from the Identify Theft Resource Center submitted for the \n  record by Representative Lamar S. Smith, Chairman, Committee on \n  Science, Space, and Technology.................................   
132\n\nCenters for Medicare & Medicaid Services memorandum submitted for \n  the record by Representative Larry Bucshon, Committee on \n  Science, Space, and Technology.................................   135\n\n \n                  IS MY DATA ON HEALTHCARE.GOV SECURE?\n\n                              ----------                              \n\n\n                       TUESDAY, NOVEMBER 19, 2013\n\n                  House of Representatives,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Committee met, pursuant to call, at 10:04 a.m., in Room \n2318 of the Rayburn House Office Building, Hon. Lamar Smith \n[Chairman of the Committee] presiding.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    Chairman Smith. The Committee on Science, Space, and \nTechnology will come to order. Good morning to everyone. Our \nhearing today is on the subject of the security of data on the \nHealthCare.gov website. I am going to recognize myself for an \nopening statement and then the Ranking Member.\n    Many Americans are beginning to experience the ill effects \nof Obamacare. That is because the President's broken promises \nare piling up. He promised that if you like your health care \nplan you can keep it. But for millions of Americans, that is \nnot true. He said that the law would make health insurance more \naffordable. But across the country, Americans are seeing their \npremiums go up, not down. And when launching HealthCare.gov, \nthe Obama Administration said that the website was safe, secure \nand open for business. We now know that isn't true either.\n    The data obtained by HealthCare.gov is one of the largest \ncollections of personal information ever assembled. It links \ninformation between seven different Federal agencies and state \nagencies and government contractors. 
The website requires users \nto provide personal information like birth dates, Social \nSecurity numbers and household incomes in order to obtain \ninformation about potential health coverage. But security \nexperts have expressed concern about flaws in the site that put \nthis personal data at risk and subject users to the threat of \nidentity theft.\n    The Science Committee oversees the agencies responsible for \nsetting privacy and security policies and standards for the \nrest of the federal government, the White House Office of \nScience and Technology Policy and the National Institute for \nStandards and Technology. The Obama Administration has a \nresponsibility to ensure that the personal and financial data \ncollected by the government is secure. Unfortunately, in their \nhaste to launch the HealthCare.gov website, it appears the \nAdministration cut corners that leaves the site open to hackers \nand other online criminals. So the question for today's hearing \nis: Can Americans trust the federal government with their \npersonal information on the HealthCare.gov website?\n    Today, we are going to hear from witnesses from outside the \ngovernment who are experts in cybersecurity and hacking \nwebsites. Our witnesses will provide their professional \nassessment of the vulnerabilities that underlie HealthCare.gov. \nSeveral vulnerabilities have already been identified, and we \nknow of at least 16 attempts to hack into the system. And I \nheard this morning that there were another 50. But we can \nassume that many more security breaches have not been reported.\n    Here are some real-life examples. Mr. Thomas Dougall of \nSouth Carolina received a surprise phone call from a stranger \none Friday evening explaining that he had just downloaded a \nletter off the HealthCare.gov website containing Dougall's \npersonal information. 
And when Lisa Martinson of Missouri \ncalled HealthCare.gov's customer service after forgetting her \npassword, she was told three different people were given access \nto her account, address and Social Security number.\n    Also, it turns out that Federal employees called navigators \nwho help users apply for insurance on the HealthCare.gov \nwebsite have not received background checks yet they are able \nto access the personal information of thousands of people.\n    Many Americans have been the victims of identity theft by \ncomputer hackers. Identity theft jeopardizes credit ratings and \npersonal finances. The massive amount of personal information \ncollected by the HealthCare.gov website creates a tempting \ntarget for scam artists. These threats to Americans' well-being \nand financial security should make us question the future of \nObamacare. Perhaps it is time to take Obamacare off of life \nsupport.\n    Americans deserve a healthcare system that works and that \nthey can trust. Obamacare is no cure.\n    [The prepared statement of Mr. Smith follows:]\n             Prepared Statement of Chairman Lamar S. Smith\n\n    Many Americans are beginning to experience the ill effects of \nObamacare. That's because the President's broken promises are piling \nup. He promised that if you like your health care plan you can keep it. \nBut for millions of Americans, that's not true.\n    He said that the law would make health insurance more affordable. \nBut across the country, Americans are seeing their premiums go up, not \ndown. And when launching HealthCare.gov, the Obama administration said \nthat the website was safe, secure and open for business. We now know \nthat isn't true either.\n    The data obtained by HealthCare.gov is one of the largest \ncollections of personal information ever assembled. 
It links \ninformation between seven different federal agencies and state agencies \nand government contractors.\n    The website requires users to provide personal information like \nbirth dates, social security numbers and household incomes in order to \nobtain information about potential health coverage. But security \nexperts have expressed concern about flaws in the site that put this \npersonal data at risk and subject users to the threat of identity \ntheft.\n    The Science Committee oversees the agencies responsible for setting \nprivacy and security policies and standards for the rest of the federal \ngovernment--the White House Office of Science and Technology Policy and \nthe National Institute for Standards and Technology.\n    The Obama administration has a responsibility to ensure that the \npersonal and financial data collected by the government is secure. \nUnfortunately, in their haste to launch the HealthCare.gov website, it \nappears the administration cut corners that leaves the site open to \nhackers and other online criminals.\n    So the question for today's hearing is: Can Americans trust the \nfederal government with their personal information on the \nHealthCare.gov website?\n    Today, we're going to hear from witnesses from outside the \ngovernment who are experts in cybersecurity and hacking websites. Our \nwitnesses will provide their professional assessment of the \nvulnerabilities that underlie HealthCare.gov.\n    Several vulnerabilities have already been identified, and we know \nof at least 16 attempts to hack into the system. And I heard this \nmorning that there were another 50. But we can assume that many more \nsecurity breaches have not been reported.\n    Here are some real-life examples. Mr. 
Thomas Dougall of South \nCarolina received a surprise phone call from a stranger one Friday \nevening explaining that he had just downloaded a letter off the \nHealthCare.gov website containing Dougall's personal information.\n    And when Lisa Martinson of Missouri called HealthCare.gov's \ncustomer service after forgetting her password, she was told three \ndifferent people were given access to her account, address and social \nsecurity number.\n    Also, it turns out that federal employees--called navigators--who \nhelp users apply for insurance on the HealthCare.gov website have not \nreceived background checks. Yet they are able to access the personal \ninformation of thousands of people.\n    Many Americans have been the victims of identity theft by computer \nhackers. Identity theft jeopardizes credit ratings and personal \nfinances. The massive amount of personal information collected by the \nHealthCare.gov website creates a tempting target for scam artists.\n    These threats to Americans' well-being and financial security \nshould make us question the future of Obamacare. Perhaps it is time to \ntake Obamacare off of life-support.\n    Americans deserve a healthcare system that works and that they can \ntrust. Obamacare is no cure.\n\n    Chairman Smith. I now recognize the Ranking Member, the \ngentlewoman from Texas, Ms. Johnson, for her opening statement.\n    Ms. Johnson. Good morning, and thank you very much, Mr. \nChairman. Let me welcome our witnesses. I look forward to your \ntestimony today.\n    In light of the startup problems that have been reported \nwith the HealthCare.gov website, problems that need to get \nfixed as quickly as possible, some Americans may be concerned \nabout the security of their personal information on the \nwebsite. I can understand such concerns, because anytime any of \nus go to the internet, we are vulnerable to those who would \nattack public and private databases to get access to our \ninformation. 
That said, we have not heard much about security \nfailures at HealthCare.gov. There is one recorded instance \nwhere an individual was mistakenly given access to the records \nof another person. There were initially security issues with \nthe password reset function. The site has also been attacked by \nhackers in a denial-of-service attack. However, my \nunderstanding is that these issues were quickly fixed and the \ncyber attack was successfully prevented.\n    The reality is that HealthCare.gov is subject to the same \nattacks as every other website and every other internet-\naccessible database. Every Member of this Committee knows that \ncomputer vulnerabilities are exploited every day at companies \nand government offices across the world, leading to the \ncompromise of a wide range of personally sensitive information.\n    I would like to draw your attention to a graphic that tries \nto illustrate major security failures of computer systems \nresulting in personal information being compromised. It is on \nthe screens. As you can see, some of the biggest and most \nexperienced internet firms have suffered attacks, and often the \npersonal information that is accessed goes well beyond \nidentifying information to include credit card and sensitive \nfinancial information. Governmental institutions have also seen \nmaterials stolen.\n    Last year, Symantec's annual 2012 Cybercrime Report found \nthat 556 million individuals in 24 countries, including the \nUnited States, were victims of one sort of consumer cyber crime \nor another. This equates to 1.5 million victims every day.\n    One might conclude that the only way to avoid being \nvulnerable to such attacks is to not be connected to the \ninternet at all. However, in the 21st century, that is not a \nreasonable option for most government agencies, businesses or \nindividuals. 
So, I think we have to be realistic about the \nability of any internet-connected database to be completely \ninvulnerable to being compromised. I also think we have to be \nhonest about what information actually will be available to a \ncyber attacker through HealthCare.gov. In my work as a \npsychiatric nurse, I saw how patients' medical records were \nroutinely accessed by large numbers of people every day. \nSeveral years ago my own electronic medical records were \nbreached, and I received a letter from the UT Southwestern \nMedical School Hospital in Dallas telling me that.\n    So how vulnerable are medical records on HealthCare.gov? \nSome including two of the witnesses invited to testify today \nhave made public claims that the website will have all kinds of \nsensitive personal medical records in its database. That is \nsimply not true. HealthCare.gov will not have patient or health \ncare case information about anyone. HealthCare.gov will have \nthe name, date of birth, Social Security number and address of \nparticipants, but that information is also potentially \navailable through every insurance company, bank, credit card \ncompany and government agency that anyone deals with, and I \nhave already pointed out the data breaches that have occurred \nand are occurring in these sectors of our economy.\n    So while there can be legitimate concerns about the privacy \nin the health care field, HealthCare.gov should not be the case \nof any exceptional fears in that regard. By saying that, I am \nnot excusing the startup failures to implement the Affordable \nCare Act website in an effective way nor am I saying security \nfailures are acceptable; they are not. I expect HHS will take \nevery measure available to them to make the site secure and to \nmaintain a high level of security going forward. 
However, I \nwant everyone to keep the issues of security in perspective, \nand I hope that none of us will use this hearing to engage in \nfear-mongering in an effort to destroy participation in the \nAffordable Care Act. That would be irresponsible and, frankly, \ncruel. The Americans who most need the Affordable Care Act to \nwork are those that are among the most vulnerable members of \nour society. Their personal medical data is not at risk on \nHealthCare.gov. In fact, it can be argued that this Committee's \nefforts to force sensitive information out of the EPA and \nHarvard and the American Cancer Society are a bigger threat to \npatients' privacy than HealthCare.gov.\n    In closing, I hope that today's hearing will not become a \nsoapbox for growing fear and confusion. Let us stay focused on \nthe facts.\n    With that, I again want to thank our witnesses and yield \nback the balance of my time. Thank you.\n    [The prepared statement of Ms. Johnson follows:]\n\n       Prepared Statement of Ranking Member Eddie Bernice Johnson\n\n    Good morning, and welcome to our witnesses. I look forward to your \ntestimony.\n    In light of the startup problems that have been reported with the \nHealthCare.gov website--problems that need to get fixed as quickly as \npossible--some Americans may be concerned about the security of their \npersonal information on the website. I can understand such concerns, \nbecause anytime any of us go on the internet, we are vulnerable to \nthose who would attack public and private databases to get access to \nour information.\n    That said, we have not heard much about security failures at \nHealthCare.gov. There is one recorded instance where an individual was \nmistakenly given access to the records of another person. There were \ninitially security issues with the password reset function. The site \nhas also been attacked by hackers in a ``denial of service'' attack. 
\nHowever, my understanding is that these issues were quickly fixed and \nthe cyber-attack was successfully prevented.\n    The reality is that HealthCare.gov is subject to the same attacks \nas every other website and every other internet-accessible data base. \nEvery Member of this Committee knows that computer vulnerabilities are \nexploited every day at companies and government offices across the \nworld, leading to the compromise of a wide range of personally \nsensitive information.\n    I would like to draw your attention to a graphic that tries to \nillustrate major security failures of computer systems resulting in \npersonal information being compromised.\n    As you can see, some of the biggest and most experienced internet \nfirms have suffered attacks--and often the personal information that is \naccessed goes well beyond identifying information to include credit \ncard and sensitive financial information. Governmental institutions \nhave also seen materials stolen.\n    Last year, Symantec's annual 2012 Cybercrime Report, found that 556 \nmillion individuals in 24 countries, including the United States, were \nvictims of one sort of consumer cybercrime or another. This equates to \n1.5 million victims every day.\n    One might conclude that the only way to avoid being vulnerable to \nsuch attacks is to not be connected to the internet at all. However, in \nthe 21st century that is not a reasonable option for most government \nagencies, businesses or individuals. So, I think we have to be \nrealistic about the ability of any internet-connected database to be \ncompletely invulnerable to being compromised.\n    I also think we have to be honest about what information actually \nwill be available to a cyber-attacker through HealthCare.gov. In my \nwork as a psychiatric nurse I saw how patients' medical records were \nroutinely accessed by large numbers of people every day. 
Several years \nago my own electronic medical records were breached and I received a \nletter informing me about this from the hospital in Dallas.\n    So how vulnerable are our medical records on HealthCare.gov? Some, \nincluding two of the witnesses invited to testify today, have made \npublic claims that the website will have all kinds of sensitive \npersonal medical records in its database. That is simply not true.\n    HealthCare.gov will not have patient or healthcare case information \nabout anyone. HealthCare.gov will have the name, date of birth, social \nsecurity number and address of participants, but that information is \nalso potentially available through every insurance company, bank, \ncredit card company and government agency that anyone deals with, and \nI've already pointed out the data breaches that have occurred and are \noccurring in those sectors of our economy.\n    So while there can be legitimate concerns about privacy in the \nhealth care field, HealthCare.gov should not be the cause of any \nexceptional fears in that regard. By saying that, I am not excusing the \nstartup failures to implement the ACA website in an effective way, nor \nam I saying security failures are acceptable. They are not. I expect \nHHS will take every measure available to them to make the site secure \nand to maintain a high level of security going forward. However, I want \neveryone to keep the issues of security in perspective, and I hope that \nnone of us will use this hearing to engage in fear-mongering in an \neffort to destroy participation in the ACA. That would be irresponsible \nand, frankly, cruel. The Americans who most need the ACA to work are \nthose that are among the most vulnerable members of our society.\n    Their personal medical data is not at risk on HealthCare.gov. 
In \nfact, it can be argued that this Committee's efforts to force sensitive \ninformation out of EPA, Harvard, and the American Cancer Society are a \nbigger threat to patient privacy than is HealthCare.gov.\n    In closing, I hope that today's hearing will not become a soap box \nfor sowing fear and confusion. Let's stay focused on the facts.\n    With that, I again want to welcome our witnesses, and I yield back \nthe balance of my time.\n\n    Chairman Smith. Thank you.\n    Our first witness, Mr. Morgan Wright, is the Chief \nExecutive Officer of Crowd Sourced Investigations, LLC. Mr. \nWright is a former Kansas State Trooper, officer and detective \nwith almost 18 years of service. He has also worked for the \nDepartment of Justice, the intelligence community, the \nDepartment of Homeland Security, and State Department. Mr. \nWright has taught behavioral analysis interviewing at the \nNational Security Agency. He holds degrees in human resource \nmanagement and computer information systems from Friends \nUniversity and is a 2011 graduate of the Executive Leadership \nand Management program at the University of Notre Dame.\n    Our second witness, Dr. Fred Chang, is the Bobby B. Lyle \nEndowed Centennial Distinguished Chair in Cybersecurity and \nProfessor in the Department of Computer Science and Engineering \nat Southern Methodist University in Dallas, Texas. Dr. Chang \nbrings us today over 30 years of public and private sector \ncybersecurity knowledge, serving as the Director of Research at \nthe National Security Agency and then in an executive role at \nthe SBC Communications. Dr. Chang is also a member of the Texas \nCybersecurity Education and Economic Development Council, and \nhe has taught at both the University of Texas in San Antonio \nand the University of Texas in Austin. Dr. Chang received his \nBachelor's degree from the University of California-San Diego \nand his Master's and Ph.D. 
degrees from the University of \nOregon.\n    Our third witness, Dr. Avi Rubin, is a Professor of \nComputer Science at Johns Hopkins University and is the \nTechnical Director of their Information Security Institute. He \nis also President and Co-founder of Independent Security \nEvaluators, a computer security consulting company. Prior to \njoining the faculty at Johns Hopkins, Dr. Rubin worked in the \nSecure Systems Research Department at AT&T Labs Research. Dr. \nRubin received his bachelor's, Master's and Ph.D. degrees from \nthe University of Michigan.\n    Our final witness, Mr. David Kennedy, is the President and \nCEO of TrustedSEC, LLC. Previously Mr. Kennedy was a Chief \nSecurity Officer for a Fortune 1000 company located in over 77 \ncountries with over 18,000 employees. Mr. Kennedy is considered \na leader in the security field. He has spoken at many \nconferences worldwide including Blackhat, Defcon, INFOSEC \nWorld, and the Information Security Summit, among others. Mr. \nKennedy is the creator of several widely popular open source \ntools and has coauthored a book on internet security that was \nnumber one on Amazon.gov for over six months. Prior to moving \nto the private sector, Mr. Kennedy worked for the National \nSecurity Agency and the United States Marines in cyber warfare \nand forensics analysis. Mr. Kennedy received his Bachelor's \ndegree from Malone University.\n    We welcome you all, and Mr. Wright, if you will begin?\n\n                TESTIMONY OF MR. MORGAN WRIGHT,\n\n                    CHIEF EXECUTIVE OFFICER,\n\n               CROWD SOURCED INVESTIGATIONS, LLC\n\n    Mr. Wright. Thank you, Chairman Smith, Ranking Member \nJohnson and Members of the Committee, I am pleased to be here \ntoday. Thank you for allowing me to testify. 
Again, I am Morgan \nWright.\n    During my testimony, I just want to cover four major areas \nthat we want to provide a high-level overview to: end-to-end \nsecurity testing, user account creation and registration, cyber \nsquatting and domain name confusion, and the insider threat.\n    Just to set the stage, because we were talking about the \nsize and scope of HealthCare.gov, it has been reported to have \nover 500 million lines of code. At the same time, Facebook, who \nhas addressed similar privacy threats and issues, has less than \n20 million lines of code running, 772 million daily active \nusers, and 1.2 billion monthly users. So, when we start looking \nat this, we start looking at the complexities and \ninterdependencies of the current government sites and the \npotential for disruption, compromise of security of \nidentifiable information, frauds and scams, and I think one of \nthe larger issues is the insider threat. This vast amount of \ncode also means that it becomes very challenging from an \nindustry standpoint and best practices standpoint to give a \ncertification and assurance that the site is secure, especially \nas it relates to FISMA.\n    So, in the end-to-end security testing, I think one of the \nfirst major issues is the lack and the inability to conduct a \ncomplete end-to-end security assessment. Even when the \ncontractors were here and testifying, they said it would take \ntwo months to complete this. It is essential when you are \ndealing with information that you have a top-down view, and in \na system this complex, and having worked on major intelligence \nsystems and the number of places we have to go out and touch \ndata, you have to have that top-down view of security. It has \nto be something that is embedded in everything you do. There \nare five major types of data: voice, video, data, mobility, and \nthen you apply security around that. 
That has to be put into it \nat the beginning.\n    A recent news article, in fact, on October 30th in the \nWashington Post stated that--and Ranking Member Johnson, I \nbelieve, brought this out--the security flaw with user name and \npassword. The issue that it was not identified and rectified \nuntil three weeks after the site was launched is an indication \nof the lack of comprehensive security controls and awareness of \none of the basic functions HealthCare.gov is designed to \ncreate, which is that experience, that user account, and the \nway you secure that is with your password.\n    There is a document here I would like to have put into the \nrecord a little bit later, but it came from Troy Trenkle, who \nwas the CIO at that time of CMS. In the authorization to \noperate, one of the things he highlighted is that the Federal \nFacilitated Marketplace has an open high finding in terms of a \nsecurity issue, but in the finding description, it says the \nthreat and risk potential is limitless. These were the words \nfrom the authorization to operate, and the fix date, it is due \nMay 31, 2014, is when this is required to be fixed. And then on \nthe next page, on page 3, there is another finding, and it says \nit is a high finding but there is no finding description, it \nhas all been redacted out, with a fix date of February 26, \n2015. So just from an industry perspective, being on both the \npublic side and the private sector side, there has to be some \naccountability from a security standpoint, if you go out and \nyou say that the threat and risk potential is limitless. There \nis a lot of accountability in the private sector from \nshareholder lawsuits, civil litigation if information like that \nis found out. 
And from an industry perspective, it is in \ncontravention of what would be considered best practices from a \nsecurity standpoint.\n    So the user account creation and registration, this was the \nsecond major issue because this is how people access the \nmarketplace. I think one of the issues that caused some of the \nsecurity concerns was the decision to move the submission of \npersonally identifiable information before you could access the \nhealth care information, which meant that a user had to give, \nas was stated, name, date of birth, Social Security number, \naddress and some other information in order to be able to see \nthe plans. That creates an issue to where now--and I know David \nwill talk about this a little bit later--is that when you start \ntelling people the norm is to give your personally identifiable \ninformation, things that identify you before you are allowed to \nsee the marketplace, it would be the equivalent of saying you \ncan't go in and see a car on the car lot and kick the tires \nuntil you fill out a credit app and you are approved. This is \nnot the way consumers do business but it creates the potential \nfor fraud because now you have established a norm for \nfraudulent sites and deceptive sites to say it is a norm that \nyou give us your personally identifiable information first \nbefore we give you access to the rest of the information.\n    The third issue is about cyber squatting and domain name \nconfusion, and why would this be an issue? As a former law \nenforcement officer, I can tell you it was tough enough as we \nstarted getting into technology to defend one site or do an \ninvestigation into one site. One of the articles that came out \nfrom the Washington Examiner quoted another cybersecurity \nexpert who said that HealthCare.gov had 221 sites that were \nattempting to exploit it, and on the state exchanges, there \nwere 499 sites. 
So from a purely law enforcement standpoint, \nyou have given a lot of ground for people to use and establish \nthe norm that you have to give your personally identifiable \ninformation first before you can access it.\n    And then the very last thing is the insider threat. If you \nwere to assume that HealthCare.gov had reasonable security, it \nran reasonably well and it was within acceptable limits, the \nfact that people who access this information and access the \ninformation from the consumers do not undergo at least a \nbackground check from a position of public trust, which is \nalready established by OMB standard form 85-P--it is a limited \nbackground check to identify people with felonies or certain \nconvictions that would prohibit you from having positions \nwithin the government. At least a similar background check like \nthat would expose deficiencies and then you apply rigorous \nauditing and accounting to that to make sure that you learn \nfrom those lessons and prevent future issues. So when dealing \nwith the insider threat, you have to remember, trust is not a \ncontrol and hope is not a strategy. If anything, Edward Snowden \nhas taught us that no matter how much trust you give somebody, \nthings can still happen.\n    Thank you, Mr. Chairman.\n    [The prepared statement of Mr. Wright follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Smith. Thank you, Mr. Wright. You got a lot into \nfive minutes there.\n    Dr. Chang.\n\n                  TESTIMONY OF DR. FRED CHANG,\n\n                    BOBBY B. LYLE CENTENNIAL\n\n             DISTINGUISHED CHAIR IN CYBER SECURITY,\n\n                 SOUTHERN METHODIST UNIVERSITY\n\n    Dr. Chang. Chairman Smith, Ranking Member Johnson and \nMembers of the Committee, thank you for the opportunity to \ntestify before you today. As Chairman Smith mentioned, my name \nis Frederick R. Chang. I am the Bobby B. 
Lyle Centennial \nDistinguished Chair in Cybersecurity, Professor in the Computer \nScience and Engineering Department, and Senior Fellow in the \nTower Center for Political Studies at SMU in Dallas, Texas.\n    On the backdrop of the 25th anniversary of the internet \nworm of 1988, which caused a major disruption on the internet \nin its day, let me start by saying that when considering the \nvolume and sensitive data associated with HealthCare.gov, it \nwould be unwise to underestimate the motivation, patience and \ncreativity of today's cyber adversaries. They will find seams \nin the system. They will change the rules. They will attack you \nin ways that you won't expect, and I will return to this theme \nat the end of my oral comments.\n    In my written testimony, I pointed out three types of risk \nthat I see, and I will describe these briefly now. In the near \nterm, I think there is a large risk from bogus websites because \nthere is not one single website for people to use, there will \nbe confusion, and adversaries will take advantage of this \nconfusion. I believe there will be people who will launch a \nsearch from a search engine and they will see many choices. I \nwould invite you to try that, by the way. It is pretty \ninstructive. Additionally, people will make typos when entering \na web address, and this will lead them to the wrong site or \nthey will receive spam emails taking advantage of the launch of \nthe new Affordable Care Act. I read one report indicating that \nover 700 fake websites had been set within the first few weeks \nof the October 1st launch. If you combine that volume with the \nfact that people may be more likely than normal to enter \nsensitive information over the web because it has to do with \nhealth insurance coverage, you get especially concerned about \nthe potential for loss of sensitive information. 
It is \ndifficult to know how much traffic these bogus websites will \nsiphon off from authentic websites, but I saw one estimate that \nwas disturbingly high.\n    The second risk concerns the inherent risk in delivering \napplications over the web. There are a plethora of security \nrisks facing any organization, public or private, as they \ncontemplate delivery of an application over the web. The web \nwas originally designed for the delivery of static read-only \npages. Today, of course, we perform a wide array of interactive \nservices over the web from buying books, videos and pet food to \nchecking in for our airline flights and so much more. The \nconvenience and business benefits are clear. It is really hard \nto imagine not using the web this way. Unfortunately, the \nconvenience and benefits come at a price, and that price is \nsecurity. The security risks constantly change and the top \nrisks have been well chronicled in the field. I did not do any \nform of security analysis myself personally on HealthCare.gov \nbut I did read some posts where people had done some \nunobtrusive passive analysis, and concerns were raised, and I \nthink David is going to have some more to say about that \nshortly.\n    The final risk that I mention in my written testimony was \nthe risk from complexity. Many in the security field have noted \nthat complexity is the enemy of security. As we ask for more \nand more functionality and capability from our software \napplications, the technologists and software developers are \nonly happy to oblige. The result is more complexity including \nmore defects and seams, and the attackers will try to exploit \nthese. 
I am not an expert in health insurance exchanges but as \nI looked at the many sensitive back-end databases that are \nbeing accessed as a result of HealthCare.gov and thought about \nthe many interactions, increased traffic load, the increased \naccesses, I believe that one can rightfully be concerned about \nthe possibility of increased malevolent activity.\n    My wife asked me this weekend why haven't the hackers \nalready launched the big one on HealthCare.gov. She thought \nthat now might be the perfect time as the website was in \nstartup mode. There was a hearing by the Homeland Security \nCommittee chaired by Congressman McCaul in which it was \nreported that about 16 cyber attacks had been detected against \nHealthCare.gov. I don't have any detail on those attacks, but \nregarding my wife's question about the big one, I answered it \nthe same way I mentioned in my opening remarks. It would be \nunwise to underestimate our adversaries in cyberspace. They are \nsmart, they are creative. They will look for seams to exploit. \nThey will change the rules, and importantly, they will be \npatient.\n    Thank you for your attention, and I look forward to your \nquestions.\n    [The prepared statement of Dr. Chang follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Smith. Thank you, Dr. Chang.\n    Dr. Rubin.\n\n                  TESTIMONY OF DR. AVI RUBIN,\n\n             DIRECTOR, HEALTH AND MEDICAL SECURITY\n\n                 LABORATORY TECHNICAL DIRECTOR,\n\n                INFORMATION SECURITY INSTITUTE,\n\n                 JOHNS HOPKINS UNIVERSITY (JHU)\n\n    Dr. Rubin. Chairman Smith, Ranking Member Johnson and \nMembers of the Committee, good morning, and thank you for the \nopportunity to speak to you today. My name is Avi Rubin, and I \nam a Computer Science Professor at Johns Hopkins University. 
I \nam the Technical Director of the Johns Hopkins Information \nSecurity Institute, and I direct the Health and Medical \nSecurity Lab at Johns Hopkins.\n    I was asked to comment to you today on general security \nissues for large web installations and specifically about \nsecurity issues that could affect a site such as \nHealthCare.gov. As we all know from reading the press, \nHealthCare.gov got off to a rocky start, and as a software \nengineer, it is not surprising to me that this happened. When \nwe think about large systems and rolling out a large software \nsystem, the way this is typically done by companies such as \nGoogle and Amazon and other companies that roll out large \nsoftware services, they roll it out in a small way to some \ncontrolled number of users. They identify bugs and problems \nwith the system. They fix those. They get the system stable, \nand then they scale it up to a larger number of users. Once \nagain they discover that now there are all kinds of new \nproblems based on the bigger scale. Why would that be? Because \nof increased communication requirements, storage and what we \nmight call race conditions that happen when you have a lot more \nusers than you had before. And so then someone rolling out a \nlarge software package will roll it out to more users, get it \nstable and keep rolling it out. It is not very common to roll \nout a huge system with a ton of users on one day, and so it \nwasn't surprising to me that there were a lot of problems when \nthis was initially rolled out.\n    Another thing is that when a project gets--a software \nproject gets behind schedule, it is not very easy to recover \nfrom that. You might think well, just add more developers to \nit, but in software engineering, it is well understood that \nwhen you add additional programmers to a late software project, \nyou often make it later. 
In HealthCare.gov, there are many \ninteroperating components and links to many different systems \nincluding the IRS, the Social Security Administration, \nDepartment of Homeland Security, Experian, state exchanges and \nmany more, and we know, as was stated earlier, that the more \ncomplex a system, the more vulnerabilities there will be, the \nmore interfaces there are the greater likelihood of problems.\n    We also know, and it has been stated, that there are great \nrisks to high-profile websites. We hear breaches reported in \nthe major media all the time, and the attackers are growing in \ntheir creativity, sophistication, talent and resources. In \nfact, just last week there was a report of a denial-of-service \nattack against HealthCare.gov.\n    Maintaining a secure website is not easy, especially if it \nmanages sensitive information, if it requires ongoing \nmaintenance, keeping up with vendor patches, requiring highly \nskilled administrators, reporting mechanisms for reporting \nincidents, contingency plans, and the list goes on. I provided \na list, a longer list in my written testimony. And all of that \nsaid, the industry--the computer industry has many success \nstories. There are large, complex websites that have no major \nbreaches that I know of. Examples of these are the airline \nreservation system, which manages a very complex array of \ninterdependencies, and even other sites like Orbitz and \nTravelocity, which have to tap into those airline reservation \nsystems. Large social sites--Facebook and LinkedIn--they get \nattacked all of the time and yet there hasn't been, to my \nknowledge, a major compromise of these top sites that in a \nwholesale manner exposed all the private information of the \nusers. We have Amazon.com, a shopping site. And while no system \nis perfect, there are best practices in the industry that work \nwell for the most part. 
In my written testimony, I provided a \nlist of best practices and recommendations for the \nHealthCare.gov website. I don't have time in my oral testimony \nto go into them but to summarize what they are about, I suggest \na review of the security annually by outside experts, focusing on \nthe interfaces among the components and across systems, \nreviewing authentication mechanisms, checking for known \nstandard vulnerabilities such as SQL injection attacks, \nsanitization of user inputs, cross-site scripting, and we have \na long list of technical things to look for.\n    Data at rest should be encrypted, and the keys should be \nmanaged carefully just like all of those sites that I mentioned \ndo. There should be mandatory incident reporting and \ncontingency plans in place for every possible conceivable \nscenario. The list of recommendations that I have submitted is \npartial, but I believe that with the proper administration and \nthe proper expertise, a website such as HealthCare.gov can be \ndeployed in a practical manner.\n    Thank you for the opportunity to speak with you today, and \nI look forward to addressing your questions in the Q&A.\n    [The prepared statement of Dr. Rubin follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Smith. Thank you, Dr. Rubin.\n    Mr. Kennedy.\n\n                TESTIMONY OF MR. DAVID KENNEDY,\n\n                    CHIEF EXECUTIVE OFFICER,\n\n                        TRUSTEDSEC, LLC\n\n    Mr. Kennedy. Thank you, Mr. Chairman and Members of the \nCommittee. I appreciate your time today.\n    Just to give you a brief background of my history, because \nI think it will parlay into the security issues that we \nidentified with HealthCare.gov. We work with customers, large \nand small, everything from Fortune 10 to Fortune 500 or Fortune \n1000 companies all the time, and we do security assessments \nwhere we basically break into computer sites all the time as \nhackers. 
So I am a hacker on the good side, a white-hat hacker, \nin those terms. So we break into websites all the time to \nidentify risks and exposure. We do it for government sites, we \ndo it for private sector sites all the time. And if you look at \nthe security industry, it has evolved significantly over the \npast ten years. We didn't have dedicated security conferences, \nfolks that are dedicated to protecting infrastructure and \nsecurity. Technology has advanced so far and so fast that we \nare really trying to still grasp our hands around how to \nactually do it the right way, but there are things in place to \ndo it the right way and to make it right, and so there are \ncompanies that have successfully deployed websites without any \nmajor security exposures. There are websites out there that \naren't necessarily unhackable but they are very difficult to \nbreak into, and we are hackers who break into them all the time \nand it becomes very difficult for us. And the purpose of \nsecurity isn't to say hey, we are 100 percent impenetrable all \nthe time but can we detect the hackers in the very early stages \nof their lifecycle of the attack, monitor that and prevent the \nattacks from happening, and none of those are clearly being \ndone on the HealthCare.gov websites and all of its sub-websites \nthemselves.\n    What we did--and again, this is purely from a \nreconnaissance perspective. We did not hack into the site in \nany way, shape or form. We are not authorized to hack into the \nwebsite in any way, shape or form. 
But just by looking at the \nwebsite, we can see that there are just fundamental security \nprinciples that are not being followed, things that are basic \nin nature that any security tester like myself or anybody \nthat we hire to test these sites would actually test for prior \nto it being released, and these are things that could actually \ncompromise sensitive information for people that have \nregistered for the website and actually compromise the entire \nsite itself and everything around it.\n    One thing to also mention is that not only are there Social \nSecurity numbers and information in there that was mentioned \nbut also there is tight integration into state exchanges, the \nIRS, DHS and third parties like Experian. So the infrastructure \nitself has trust factors to multiple different areas that it \npulls and feeds information from, so not only is HealthCare.gov \nat risk but you also have the infrastructure that it was built \noff of that is at risk as well, which happens to be a lot of \nthose different areas.\n    And so if you read the written testimony that I placed into \nthere, I think we identified around 17 different direct \nexposures. A lot of those have been addressed. We reported \nthem, and they have been addressed. Some of them have not been, \nand they have not been included in the report. We are very keen \non what is called responsible disclosure and not putting \nanything at harm when we do these types of things, but there are \ncritical flaws, there are critical exposures right now that are \ncurrently on the website that hackers could use to extract \nsensitive information. I am actually going to demonstrate one \nthat has already been addressed and fixed and one that I cannot \ndemonstrate because it would release sensitive information for \nU.S. 
citizens.\n    So I would like to flip to the actual screen here, and you \ncan actually see the actual attack itself, and this attack and \nthis actual demonstration I am going to show was actually shown \nfrom an independent researcher named Gillis Jones, who \nidentified this exposure on finder.HealthCare.gov. I want to \nshow you different things. There are multiple sites that support \nthe infrastructure. You have chat.HealthCare.gov, \ndata.HealthCare.gov, finder.HealthCare.gov. These are all \ncomponents that make up everything that is HealthCare.gov. It \npulls from different areas, different functionality, different \nfeatures. They all make up what we consider HealthCare.gov. In \nthis case here, if you notice on the right-hand side, and it is \na little hard to see, but what we do here is, if we can send an \nemail to anybody that is registered for the website and we can \nactually extract a lot of that information. As soon as they \nclick this link, and you will see here, as soon as they click \nthis link, it will automatically redirect them back to a \nmalicious website where they actually hack the computer, and \nthis website itself is legitimate. It is finder.HealthCare.gov. \nIt is the website that folks go to. It looks legitimate. It is \nregistered by the government. It is a federal government site. \nAnd as soon as somebody goes to this website and clicks on it, \nyou notice here, we are going to go to that website and we are \ngoing to log in to it, and as soon as you log in to it, a \nbanner pops up that looks just like HealthCare.gov. We get a \nlittle warning here that says HealthCare.gov enrollment. Now, \nfor folks that have actually been on the website, you know that \nthis isn't legitimate. This doesn't necessarily happen when it \npops up like this. The individuals going to the website \nwouldn't know this. And as soon as they click ``run,'' it \nactually hacks their entire computer. It escapes antivirus \npreventative technologies. 
It doesn't get detected by anything. \nAnd from there we can actually enable their web cam, monitor \ntheir web cam, listen to their microphone, steal passwords. \nAnything that they do on their computer, we now have full \naccess to. And here I am on the hacker computer, and you can \nactually see--I can see the person's display here. You can see \neverything that is on it. You can actually monitor everything \nthat person is doing, all the communications, and you can do \nthis on a large scale because the information is readily \navailable and the direct exposures that are actually on the \nwebsite.\n    And one other thing I want to show you, and this is a \nsanitized version of this, which is, there was an exposure that \nwe identified at TrustedSEC, and I am not going to say which \nwebsite is involved in it, but basically allows us to extract \npersonal information of over 100,000 individuals including \nfirst name, last name, email addresses, their user account \ninformation as well as a lot of other additional information \nthat we can fully extract from the website itself. I just want \nto show you an example, and this information has been sanitized \nas to not actually show individual people that have been \nexposed to this, but you notice here, you can see it up here. \nWhat we are going to do is we are going to track one record for \nsomeone that has actually registered for the site. Notice here, \nthe first record that we pull back is actually an administrator \nfor the website itself, so notice here, permission or \nadministrator. Now I am going to extract the next 10 records in \nthere. Now we have three admins, and then sanitized information \nof individuals that have registered for the website. 
So we can \nsee here that we can extract over 100,000 individuals' \ninformation from the website itself.\n    And one last thing--I know I am running low on time here--\nis the talk that this attack has only happened 16 times and \nthat the website has only been attacked 16 times is not \npossible. The attacks that happen on the internet are so \nfrequently used and so frequently done that that means that \nthere is not much detection capabilities on HealthCare.gov. And \njust as an example, this was recently posted yesterday. If I \nthrow a semicolon into the search field, you can actually see \nthe top results for the websites for semicolons, and those are \nall what we call SQL injection attacks, which means that \nhackers are continuously trying to find vulnerabilities in \nthis, and the training program results on the website are \nactual attacks happening on the website itself. So the attacks \nthat are happening are much larger scale right now. They are \ntrying to infiltrate the website. They are trying to break into \nit, and there is definitely data on the website itself that is \nindicative of that.\n    I appreciate your time. Thank you very much.\n    [The prepared statement of Mr. Kennedy follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Smith. Thank you, Mr. Kennedy. I will recognize \nmyself for five minutes to ask questions, and Mr. Wright, let \nme direct my first couple of questions to you.\n    Mr. Wright. Yes, sir.\n    Chairman Smith. The first is this. Does any other \ngovernment website collect so much personal information as does \nHealthCare.gov?\n    Mr. Wright. When you look at all the interdependencies like \nDavid laid out, when we looked around and obviously we are \nlimited to what is in the open source, but there doesn't appear \nto be anything else that collects information and then uses \nthat information then to check associated records in multiple \nother databases. 
So this becomes a central point of attack that \nif you can compromise one area, you can get into others.\n    Chairman Smith. Okay. Next question is this. Is the fact \nthat other websites can be hacked any justification for the \nlack of security with HealthCare.gov?\n    Mr. Wright. What we would hope is that by learning from the \nknown vulnerabilities out there and the other attacks that \nhappen is that you would have guarded against this in the \ninitial design to say we know this is going to happen, we know \nthis is going to happen. The password issues and the issues \nDavid just showed are things that are so common, they should \nhave been prevented against before the site was even launched.\n    Chairman Smith. Okay. And on HealthCare.gov, do you think \nas a practical measure it can be fixed, or should we start over \nagain?\n    Mr. Wright. You know one of my examples, my neighbor helped \nbuild the Russian Embassy. I told him shame on you, the one \nthat had all the bugs in it. It was easier and much safer to \ntear down the Embassy and start over again than it was to spend \nuntold number of years and man-hours to remediate the problem, \nand that is just one issue. I mean, that is--you know, I am not \na political person, we are not here to talk politics, but if \nyou are asking from a technology standpoint, it would be easier \nto start over again, lay a foundation of security and start \nfrom the beginning because security has to be the foundation of \nthis site, period.\n    Chairman Smith. Thank you, Mr. Wright.\n    Mr. Kennedy, let me go to your last point, and I know you \ncannot confess to having hacked HealthCare.gov yourself, that \nwould be illegal, so let me just ask you if you are confident \nthat HealthCare.gov has been hacked and can be hacked?\n    Mr. Kennedy. Mr. 
Chairman, I am very confident on the \nsecurity ramifications that we can see, basic attacks that you \ncould do at the website, that it is very susceptible to attack \nand that hackers could break into it. And just as an example, I \ngot an email, a random email from somebody that I have never \nmet before that had about 14 to 30 different exposures on the \nHealthCare.gov website that they were posting to me personally \non my email saying that they had contacted individuals and that \nthey hadn't had any responses back for these security \nexposures, and some of them are very critical in nature. So \nthese are definitely happening. Hackers are definitely after \nit. If I had to guess based on what I can see, and again, this \nis purely from a reconnaissance perspective, I don't have any \nunderstanding of the back-end infrastructure, but I would say \nthat the website is either hacked already or will be soon.\n    Chairman Smith. Okay. Thank you, Mr. Kennedy.\n    Let me address my last question to Mr. Kennedy, Dr. Chang \nand Mr. Wright, and it is this: what dangers do Americans face \nif there is a security breach with HealthCare.gov? In other \nwords, if HealthCare.gov is hacked, what are the real-life \nthreats, dangers to the American people who have provided that \npersonal information? Mr. Kennedy?\n    Mr. Kennedy. Well, if you look at the type of information \nthat is stored, it is not only, you know, Social Security \nnumbers and data, it is everything that integrates into the \nstate exchanges, the IRS, DHS, multiple other areas. There are \nsome large exposures for personal information being done, \nfraudulent-type activities being performed, but I think, you \nknow, if you look at what this actually is, it is one of the \nlargest collections of U.S.-based data, Social Security numbers \nand everything else, that we have ever seen in history. 
So for \nattackers, I would go after that personally if I was a bad guy \nto try to get that information for fraudulent activity, or if \nyou have ever heard the term state-sponsored or other \ngovernment agencies going after information based on U.S.-based \ncitizens, and while there are no medical records specifically in \nthe website itself, the integration into all the other sites \nthat they have access to, you know, we use that as a trusted \nconnection in terms of hacking so getting access to that trusted \ninfrastructure, that the sites trust themselves, allows us to \naccess into that type of information.\n    Chairman Smith. Okay. Thank you, Mr. Kennedy.\n    Dr. Chang?\n    Dr. Chang. It is the general risk from identity theft. I \ndon't know if you have talked to people who have had identity \ntheft, it ends up being a major pain in the rear end to kind of \nget yourself out of that. So, extreme inconvenience and \ndifficulty.\n    I would also mention that from the perspective of the U.S. \ngovernment, once identity theft happens, a bunch of other bad \nthings can happen. So if you look--I mention in my testimony \nabout the loss from fraudulent tax returns so as people end up \nstealing identities, they start--they end up, you know, kind of \ndoing fraudulent tax returns. In 2012, I think the number was \nsomething like in excess of $3 billion loss in fraudulent tax \nreturns, so it is just sort of an implication of identity \ntheft.\n    Chairman Smith. Okay. Thank you, Dr. Chang.\n    And Mr. Wright.\n    Mr. Wright. This becomes the largest collection of \npersonally identifiable information, and as a taxpayer and a \nconsumer, I don't want my government becoming the unwitting \naccomplice in the largest disclosure of personally identifiable \ninformation. David's point is right, and Ranking Member \nJohnson, you expressed concerns about some of the medical \nrecords. 
It is not so much the medical records, it is the fact \nthat once I can obtain your identity and I can now--medical \ninsurance fraud is actually a very large growing area. I can \nactually go in and receive services. My issue as a consumer is \nthat if my medical records get conflated with somebody else's \nand that I am now given a diagnosis or information that says I \nhave something I don't have or I don't have something I do \nhave, that is one of my biggest concerns, and I think the \nthreat--it is the threat of the unknown.\n    Chairman Smith. Thank you, Mr. Wright, and thank you all, \nand the gentlewoman from Texas is recognized for her questions.\n    Ms. Johnson. Thank you very much, Mr. Chairman, and thank \nall of you for being here.\n    Mr. Kennedy, you mentioned that you were able to get \n100,000 user names from a website but you did not mention which \nsite that was. Was this the HealthCare.gov?\n    Mr. Kennedy. It is part of the same infrastructure. Without \ndisclosing----\n    Ms. Johnson. Excuse me. Was it a part of the \nHealthCare.gov?\n    Mr. Kennedy. Yes.\n    Ms. Johnson. So you were able to get that information from \nHealthCare.gov?\n    Mr. Kennedy. It is from the infrastructure from \nHealthCare.gov. It is from--if you look at what makes up \nHealthCare.gov, if you go to www.HealthCare.gov, that is one \nsite and server. But what makes up HealthCare.gov is \nchat.HealthCare.gov, finder.HealthCare.gov, \ndata.HealthCare.gov. There are multiple things that feed \ninformation into the main website. So you have all of these \ndifferent working parts that feed into what makes up \nHealthCare.gov and that entire infrastructure, and that is what \nwe found the exposure on.\n    Ms. Johnson. HealthCare.gov?\n    Mr. Kennedy. On the infrastructure, on one of the sub-sites \nfor HealthCare.gov.\n    Ms. Johnson. But not the site of HealthCare.gov?\n    Mr. Kennedy. That is correct.\n    Ms. Johnson. Thank you.\n    Dr. 
Rubin, before--I mentioned earlier before I came to \nCongress I was a nurse, and in fact, I graduated from St. \nMary's at the University of Notre Dame over 50 years ago, and \nmy master's from SMU over 30 years ago. I went there because \nthere was no school of first class in Texas that I could attend \nin nursing at that time. So that tells you how old I am, which \nI am very proud of.\n    But Dr. Rubin, what is your impression of the security in \nthe health care industry? I have worked in the health care \nindustry, and I have not found anybody seeking health care \ninformation to make a profit. Most of the time it is some \nscheme for people seeking information that they want to do \nthat. In the Affordable Care Act, preexisting conditions are \nno longer a factor, and so while I am not trying to make a \njudgment on the information, I am trying to understand why is \nthere such an outcry at this point when medical records have \nbeen so available in any institution that I have worked in. \nAnyone who has any kind of hospital identification, whether it \nis a janitor or the nutritionist, a physician, a nurse can \naccess a patient's chart that has everything on there that is \ngoing to happen or is happening to that patient while they are \nin the hospital, and that is something I know from personal \nexperience. So I am trying to understand, is the health care \nindustry lagging in these security measures or why--what is it \nabout this non-security in the past is going to impact where we \nare now?\n    Dr. Rubin. 
So to answer your question about where the \nhealth care industry stands with respect to security, I have \ndone consulting in many different vertical industries--\nfinancial, all commercial--and in the last few years I have \nbeen working in the health care industry doing tours of \nhospitals and doctors' offices to assess their security, and I \nhave found it is actually perhaps the most far behind in terms \nof the security at hospitals, even things in the emergency room \nthat surprised me and the operating room. And so to your \nquestion, I think that the health care IT industry needs to \nlearn a lot from some of the other industries in order to bring \nits security up to par.\n    Ms. Johnson. Thank you. Thank you, Mr. Chairman.\n    Chairman Smith. Thank you, Ms. Johnson.\n    I would like to ask unanimous consent to put into the \nrecord a letter from the Identity Theft Resource Center, and \nthey make the point, medical identity theft is one of the worst \nforms of identity theft for many reasons. For one, it is \nextremely attractive for identity thieves and hackers because \nthe sale of medical identities is so lucrative. Second, medical \nidentity theft is extremely difficult to mitigate, and lastly, \nmedical identity theft is extremely dangerous. Without \nobjection.\n    [The information appears in Appendix II]\n    Chairman Smith. And then the gentleman from California, Mr. \nRohrabacher, is recognized for his----\n    Ms. Johnson. Mr. Chairman, before you go to the gentleman--\n--\n    Chairman Smith. Before the gentleman from California is \nrecognized, the gentleman from Texas, Ms. Johnson.\n    Ms. Johnson. Woman. I just wanted some clarification. Do \nthey talk about the profitability sources in that letter?\n    Chairman Smith. If you are asking about the letter that we \njust put in the record, I will give you a copy right there.\n    Ms. Johnson. 
Okay, because I am trying to figure out the \nvalue to anyone to access medical records, and I think this--\ndid you say it spoke to it?\n    Chairman Smith. Yes. The gentleman from California.\n    Mr. Rohrabacher. Thank you very much, Mr. Chairman.\n    This has been a little bit overwhelming. Are you gentlemen \nsaying that basically the American people are being put at risk \nby this incredible effort that our government is making in \norder to set up a health care system that will serve the \npeople, that instead we are ending up putting them at risk?\n    Mr. Wright. Let me take the first pass at that, sir. Back \nin February 7th of 2000, I was leading the computer emergency \nresponse team for SCIC, and we had financial services client, \ngovernment clients. That date is significant because that was \nthe first distributed denial-of-service attack ever launched \nnationwide. It took down Amazon, Yahoo, CNN. And one of the \nthings we saw is, things don't happen on the first day. You \nhave to build up the critical mass. The issue with \nHealthCare.gov is, you will not see the attacks in the first \nday as a detective. Nobody ever robbed a bank while it was \nbeing built. They wait until it was built, it had the money in \nthere. What I am saying here is that yes, I mean, you are \nlooking at the first 30, 45 days. That is not the issue. I am \nmore concerned six months out at this information comes----\n    Mr. Rohrabacher. We are predicting that the American \npeople, unless there is a dramatic change in the way things are \nbeing put together, that families throughout this country will \nface huge problems, their bank accounts will be hacked into or \nmaybe there will be false information put into their health \ncare so if they go to the hospital, they won't get the right \nkind of medicine. Is this what we are talking about?\n    Mr. Kennedy. I can kind of speak to that. 
From a security \nperspective, there are things that we can see that are patterns \nof inconsistencies around security, and if you could see those \npatterns and you look at those patterns, you can see that there \nis not a lot of security built into this site, at least from \nwhat we can see from a 10,000-foot view, again, without \nactually attacking the site itself. And there are things that \nwe can do to prevent those, and if you look at how a website is \nsupposed to be developed, it is supposed to be developed from \nthe ground up with security integrated and being an integral \npart of that portion so you can protect sensitive data, U.S. \ncitizen-based data, and it does not appear to be done, from \nwhat we can see and what we are finding as far as independent \nresearchers and the information that is readily available out \nthere.\n    Mr. Rohrabacher. So when we are talking about hackers and \nyou say you are a hacker, and we are talking about the American \npeople being vulnerable, are we making the American people \nvulnerable to people, hackers from Russia or China or overseas?\n    Mr. Kennedy. Absolutely. There is, you know, really \ndifferent types of criteria of hackers. You have your hacker \nthat you picture, you know, probably me 20 years ago in my \nbasement, right, you know, hacking away or whatever. Then you \nhave the criteria of more of organized crime, which is more on \nthe monetary fraud perspective of just purely financial-type \ngain. And then you have obviously the state-sponsored element, \nwhich is more of like the folks that you see from governments \nof other areas, and they are looking for things like high-\nimpact vulnerabilities so they can actually exploit a system, \nget access to the data behind it and use that information \nagainst us.\n    Mr. Rohrabacher. 
But we are facilitating some of the worst \nscum in the world, not even in our own country, which we have \nenough problems of criminals in our own country, but the worst \ntype of elements throughout the world to actually now get at \nour citizens?\n    Mr. Kennedy. Objectively, we should have had a lot of \ndefensive capabilities put into this site well ahead of it \nbeing released. There is technologies, there is detection \ncapabilities, there is coding that we can do to make the site \nsecure.\n    Mr. Rohrabacher. And it should have happened before we----\n    Mr. Wright. It should have happened well before it was ever \nreleased, and that is what you see in commercial areas.\n    Mr. Rohrabacher. Let me--I only have one minute left. \nSomeone said, one of you testified, it would be better right \nnow, considering there is so much vulnerability that we now are \nputting our people in that it would be better to start all over \nagain and just restructure the system from zero rather than \ntrying to correct the problems that are in the system now \nbecause it was done wrong. Do you all agree with that? Is that \nsomething that we have come to agreement here? Is there someone \nwho disagrees with that?\n    Dr. Rubin. Well, I can personally say that I haven't looked \nat the system carefully enough to make that judgment. I do \nthink that we know as a computer industry how to build websites \nlike this that can be more secure and meet the best practices, \nand I think that what would be necessary would be a security \nreview of the system to establish whether there is a deep \ninfrastructural problem with it or whether it is just----\n    Mr. Rohrabacher. Okay. So you are not sure about that. The \nother witnesses would suggest that it would be better for us to \nstart over with security in mind rather than trying to correct \nthe problems in the current system. Is that correct?\n    Mr. Kennedy. 
If you build a house, a foundation off of \nsomething that is flawed from the beginning, the foundation \ndoesn't work, you know, the foundation sinks, it is crumbling, \nyou can put a metal door on, you can bolt different things to \nmake the house better but the foundation is still bad.\n    Mr. Rohrabacher. So if we don't, Mr. Chairman, we are \nputting average American citizens, we are making them \nvulnerable to the worst godawful people in the whole world who \nare malevolent human beings who now don't have that access to \nour people. This is mind-boggling. Thank you very much, Mr. \nChairman, for holding this hearing.\n    Chairman Smith. Thank you, Mr. Rohrabacher.\n    The gentlewoman from Oregon, Ms. Bonamici.\n    Ms. Bonamici. Thank you very much, Mr. Chairman and Ranking \nMember, for holding this hearing, and thank you so much to our \nwitnesses for participating in the hearing.\n    Certainly since HealthCare.gov came on line, many of us \nhave spoken with constituents who have had trouble navigating \nthe site and some have expressed concerns of course about \nprivacy on the site and further, I don't think there is a \nsingle Member who isn't somewhat frustrated about the problems \nthat have plagued the rollout of the website and also the \nwebsites in some of our states. But frankly, the Affordable \nCare Act isn't about a website. I know I am not the only one \nwho has spoken with just as many constituents whose biggest \nconcern isn't the functioning of the website, it is the fact \nthat they haven't been able to get health insurance or access \nhealth insurance or access health care, and in fact, right now \nthey can go to get health insurance by calling or applying in \nperson or by mail. 
The Affordable Care Act is designed to help \nthese people who haven't had access to health care, and we \nshould make that process as simple as possible, especially with \nregard to the website and make sure their personal information \nis protected.\n    I want to point out that right now in the United States, \nabout 83-1/2 percent of Americans e-file their taxes. Do you \nall e-file your taxes? Yes, do you e-file your taxes? So you \nall e-file your taxes? You are among the 83-1/2 percent?\n    Mr. Wright. I am sorry. That is--no offense, but what we do \nand how we do it only gives information to let people--we can \nneither confirm nor deny, and there is a reason the \nintelligence community says that because they don't want to \ntell people----\n    Ms. Bonamici. Understood.\n    Mr. Wright. --the threat vector that you can attack me on.\n    Ms. Bonamici. Well, I understand, but I just want to \nclarify that a lot of people e-file their taxes.\n    So I want to also talk about the sort of conflation of \nelectronic health records, which has been discussed here this \nmorning, and certain detractors are suggesting that \nHealthCare.gov is sort of a clearinghouse that includes access \nto electronic medical records. So I want to get this from--let \nus start with Dr. Rubin. Does HealthCare.gov collect or store \nelectronic medical records?\n    Dr. Rubin. It is my understanding that it does not.\n    Ms. Bonamici. Okay. And so let us talk a little bit about \nthe Data Hub, because we have been talking about how through \nHealthCare.gov there is certain enrollment information that \ngets verified through Data Hub, so it is my understanding, and \nI would like, Dr. Rubin, confirmation of this, the Data Hub is \nnot a database, it does not store information. Is that your \nunderstanding?\n    Dr. Rubin. 
My understanding of what the Data Hub is, is \nthat it is a queue of requests that are supposed to go out to \ndifferent entities for information and so once a request gets \nprocessed, it is taken off of the queue and it is not stored.\n    Ms. Bonamici. So the data is not stored. I just want to \nclarify that. It is used to verify information but not stored, \nit is not a database. It is also my understanding that it is \nnot necessary to actually--consumers can still shop on the \nwebsite without creating an account. It is my understanding \nthat that was originally the case but now consumers can shop \nand look for plans and compare plans without creating an \naccount first. Can somebody clarify that for me? Is that--has \nthat been changed so that you do not have to--consumers do not \nhave to set up an account?\n    Mr. Wright. In my written testimony, one of the security \nissues was, is that they required you to give you personally \nidentifiable information upfront and go through the \nregistration process before you were given access to that \ninformation. However, a website called healthsherpa.com created \nby three gentlemen in two weeks did exactly what you were \ntalking about, which should have been done is just puts in your \nage, your zip code and your sex and then you would be able to \nshop for plans based upon a range of options. But when I went \nthrough and started going through the process, it required you \nto, and to this day it requires you to give your information \nupfront.\n    Ms. Bonamici. Okay. Well, we will clarify that.\n    I wanted to ask Dr. Chang a question and also because I \nwant to give you an opportunity to say ``Go ducks'' like your \ncolleague said. In the lead-up to this hearing, we have heard \nthe reports about the attacks on the website, the distributed \ndenial-of-service attacks. So how would you describe those \nattacks, and how might they compromise the functionality of \nHealthCare.gov?\n    Dr. Chang. 
Go Ducks.\n    Ms. Bonamici. Thank you.\n    Dr. Chang. In the case of denial-of-service attacks, what \nthat would amount to is that it would essentially be an attack \non availability; people couldn't access the site, they couldn't \ngain access to it and do the business they want to perform. I \nguess I would mention sort of more generally as we talk about \nthe fact that the web is sort of this extremely powerful place, \nit is also sort of a dangerous place. I got some statistics out \nof 2012, and it basically talks about how 86 percent of \nwebsites have at least one serious vulnerability. The average \nwebsite had 56 serious flaws. The organization only fixed 61 \npercent of these, and it took an average of 193 days. I mean, \nso basically we have this powerful capability in which we can \nlaunch all these sort of wonderful things but the downside is \nthat this power results in some danger.\n    Ms. Bonamici. And my time is expired, but I want to thank \nyou for your expertise, all of you for being here today. It \nseems like there is a lot of places where people put in their \nSocial Security number and it doesn't--yes, we need to fix \nthings but that happens in a lot of places now. I yield back. \nThank you, Mr. Chairman.\n    Chairman Smith. Thank you, and the former Chairman of the \nCommittee, the gentleman from Texas, Mr. Hall, is recognized.\n    Mr. Hall. I thank you, Mr. Chairman. I thank you for having \nsuch a capable Committee here, a group here, and I am really \namazed as I read your backgrounds here, and I might ask Mr. \nWright, when you were doing security work in Kansas, were you \nworking under Governor Sebelius at that time?\n    Mr. Wright. No, I was working under Governor John Carlin \nand then Governor Mike Hayden, who became, I think, a secretary \nof one of the agencies out here.\n    Mr. Hall. And Dr. Chang, I am going to have some questions \nto ask you in just a minute because I am a little closer to \nyou. 
I am in Rockwall there, not too far from--come and get \nmore information from you if you don't tell me what I want to \nhear from you. I graduated from there in law school years ago. \nBoth my sons graduated from law school there, and I am amazed \nat SMU now, and I can't believe that Dave Kennedy being the CEO \nof all those places is a hacker light, I would call him \nsomething pretty capable. And might as well touch on Dr. Rubin \ntoo. When you say Johns Hopkins University, you are going to \nexpect some class testimony. So Mr. Chairman, you and Eddie \nBernice got together a good group for us here, and I think \nthere is a lot of information there that we can look to. You \nhave already talked pretty much about the house with no \nfoundation, and I think you doubt that it can be patched up, \nand I thank you all for your testimony.\n    As we examine the security of the website, HealthCare.gov, \nor as we are finding out, the lack of security of this website \nis in its current form, would you agree that if a system is not \nonly functioning--and that is my understanding from you. I \nthink that was your testimony, was it not, that you have a bad \nbasic for it. You have to go out and come in again, and that it \nis not functioning, and that is another thing wrong with the \nthrust of the health care that has been offered to the people.\n    So Dr. Chang, would you agree that if a system is not only \nnot functioning properly, that it is also not secure from \npossible breaches and other cyber attacks, does that give you \nsome anxiety?\n    Dr. Chang. Yeah, it would. You know, in medical ethics, \nthey use this term ``do no harm.''\n    Mr. Hall. Right.\n    Dr. Chang. The exploit that David talked about is quite \nliterally the website attacking the user. I mean, that is sort \nof the way to think about it. And you know, as others have \nmentioned, it is really critical that security get built in \nfrom the very beginning. 
If you are trying to add lines of code \nto a software program on a sort of fundamentally unsound base, \nthat is not good. So I think you are hearing some agreement \namong the folks around the table that security needs to be \nbuilt in from the very beginning, and to the extent it is not, \nthen that is----\n    Mr. Hall. Okay. How long do you think it would take to fix \nthese problems and assure public confidence in the website?\n    Dr. Chang. Pretty difficult to speculate. Maybe some of the \nother panelists--I would say it is maybe sort of a matter of \nmonths. I would be happy to----\n    Mr. Wright. I think Donald Rumsfeld said it best when he \ntalked about the levels of knowns. This is an unknown unknown. \nI mean, we don't know because there is no transparency. We have \nno information on the extent of the flaws. The information that \nis documented on the FISMA requirements in the authorization to \noperate have redacted information, so as practitioners, we \nactually are hamstrung to be able to give you our best advice \nbecause we don't have enough information to tell you we can \ngive you a best guess but a best guess can't translate into a \nproject plan in exact dollars.\n    Mr. Hall. And when you can't believe the information a \nPresident of the United States gives you, you don't want to say \nwhich time was he lying. I would rather say which time was he \nnot telling the truth, and I think that is where we are going \nto come up with all these things that are breaking down now, \nand I regret that we are trying to give them opportunities to \ncorrect a bad bill, a bad health bill, with additional \ninformation. Ought to kill it and start all over again and fix \nthe foundation.\n    Administrative officials have indicated that testing was \nperformed on pieces of the website, just on pieces of it, but \nthe entire website was not tested, and then how important, Dr. \nChang, is testing prior to launching a website of this \nmagnitude?\n    Dr. 
Chang. Extremely important. As you heard from the \nothers, this is what, you know, a professional website would \ndo. They would do testing before, during and after. In fact, I \nam aware of one company in the private sector that conducts \nquarterly unscheduled penetration tests after the site has gone \noperational.\n    Mr. Hall. Do you think three years provides sufficient \ntime? Just yes or no.\n    Dr. Chang. What, for testing?\n    Mr. Hall. Yes.\n    Dr. Chang. It seems reasonable.\n    Mr. Kennedy. Sir, on the actual testing piece, you know, it \nis not a matter of testing it, you know, stopping the code, \ntesting it, stopping the code, testing it. It should be built \ninto the process. So the process itself continuously tests the \nsecurity throughout the entire what we call the software \ndevelopment lifecycle, and then through there you have the \nsecurity issues that are remediated prior to it. It doesn't \nhinder or stop any type of production, and a three year time \nperiod definitely should have been adequate enough to do the \nsecurity testing to make sure that prior to any type of \nrelease, all those issues were vetted, and then from there you \ndo what is called penetration testing or hacking into the site \nto make sure that you didn't miss anything important.\n    Mr. Hall. I thank you. My time is up. I may want to inquire \nby mail to the four of you on some of these things. Thank you, \nMr. Chairman.\n    Chairman Smith. Thank you, Mr. Hall. The gentleman from \nMassachusetts, Mr. Kennedy, is recognized for his questions.\n    Mr. Kennedy of Massachusetts. Thank you, Mr. Chairman. 
I \nwant to thank the Ranking Member as well for holding the \nhearing, and thank each of our witnesses for your testimony.\n    Just want to echo my colleague's comments and say from \nsomebody from Massachusetts, obviously where we--coming from a \nstate that has gone through some of these challenges but a \nstate that now has nearly 100 percent of all adults covered--or \nexcuse me, 100 percent of all children covered, 98 percent of \nall adults covered, where our rate of cost increase for the \noverall health care system is right in line with our gross \nstate product, that for the risk pools for individuals and for \nsmall businesses is about 1.8 percent, at least current data \nfor the year upcoming. Contrast that to about ten percent what \nit was a decade ago. I think that Massachusetts has proudly \nevidenced that if there is a collective will to get health \ncare, meaningful health care reform bill passed and to continue \nto work on it, to continue to tweak it to make sure it works \ntogether, it can be successful. And to the extent that I am \nhearing from my colleagues today a new refrain of rather than \njust repeal but actually repeal and replace, I think we are \nfinally actually getting somewhere. So thank you.\n    With regards to the actual website itself, and \nunquestionably needs for improvement, and I want to thank the \nwitnesses for highlighting some of them, I did have a couple of \nbasic questions. First off, is it--Mr. Wright, is it clear that \nyou can actually get estimates about how much you are going to \npay for health insurance without having to put in any sort of \npersonal identifying information?\n    Mr. Wright. On the healthsherpa.com site, which has taken \nit directly from the government site, yes, but when I went \nthrough and tried it myself to get to the point to see how much \ninformation it would require, I couldn't get to that point \nwithout disclosing all of my information first.\n    Mr. Kennedy of Massachusetts. 
So would it surprise you to \nknow that in the past 5 minutes, I could log on to the \nHealthCare.gov website, put in an exchange, put in a county, \nput in no other identifying information other than age bracket \nfor me and whether I wanted coverage for myself or my spouse \nand click through and get an estimate of various costs?\n    Mr. Wright. No, it wouldn't surprise me. In fact, I am glad \nthat they did it because it means that they learned from the \ngentleman who created healthsherpa.com.\n    Mr. Kennedy of Massachusetts. Do you actually know who they \nlearned from?\n    Mr. Wright. No. That is the ones who originally did it, \nthat showed that model how it should be done.\n    Mr. Kennedy of Massachusetts. Okay. So----\n    Mr. Wright. But I am glad that they did it.\n    Mr. Kennedy of Massachusetts. Well, me too. Now, sir, your \ntestimony--and I take it from the chairman that the focus of \nthe testimony today in the hearing was, can Americans trust \ngovernment with the information on the HealthCare.gov website, \nand Mr. Wright, the testimony that you offered basically broke \nit down into four categories: the end-to-end security testing, \nthe user account creation and registration, the cyber squatting \ndomain name confusion, and insider threat. Is that right, those \nfour broad categories?\n    Mr. Wright. Yes.\n    Mr. Kennedy of Massachusetts. And so the end-to-end \nsecurity testing, those were the overall basic security issues \nthat we have--that many of the people on the panel and you \nyourself talked about today, that every major website or most \nmajor websites come under attack for cybersecurity threats. Is \nthat right?\n    Mr. Wright. Well, the need for end-to-end testing, yes, and \nevery site is--you must assume every site is under attack.\n    Mr. Kennedy of Massachusetts. Yes. Fair enough. 
That user \naccount creation and registration, if my understanding of your \ntestimony is correct is that your concern there is that it \ncreates a new norm that could be exploited by other websites \nnot pertaining to HealthCare.gov.\n    Mr. Wright. When it was originally done and they required \nyou to give you personally identifiable information upfront, \nthat created a new norm that people would use then to exploit \nto say you must--this is the way we do it.\n    Mr. Kennedy of Massachusetts. Because so many people are \naccessing health care and have signed up for HealthCare.gov \nthat that many people has now created a new norm?\n    Mr. Wright. I am not sure exactly your point.\n    Mr. Kennedy of Massachusetts. Well, how do you create the \nnew norm by----\n    Mr. Wright. You establish the new normal by saying this is \nthe way we do it. I mean, it could be one people that have \nregistered or 50 but at some point if the government says the \nspeed limit is now 65, that doesn't mean everybody starts \ntraveling 65, but that starts becoming the new norm that you \nstart enforcing against.\n    Mr. Kennedy of Massachusetts. Okay. And we have seen that \nproliferate across--you have seen that now proliferate across \nother websites and other domains, other user forums? If it is a \nnew norm, that norm is something that now spreads, right?\n    Mr. Wright. Well, if it is a new norm, what you do is, \npeople who create deceptive websites, or what David was \nshowing, is because you are used to doing that because it has \nbeen said that you do that on HealthCare.gov--.\n    Mr. Kennedy of Massachusetts. Have you seen that yet, sir?\n    Mr. Wright. Yeah, actually what David just showed.\n    Mr. Kennedy of Massachusetts. Now, have you seen that \nspread across--if it is a norm, that becomes the norm, right? \nHave we seen that?\n    Mr. Wright. I think we are probably getting into semantics, \nand I apologize, sir. I didn't mean to do that. 
When I said it \nstarts becoming the new norm is, you start setting a standard \nand people start doing it. Everything starts out with a low \nlevel of adoption, then you get critical mass, and if they \nchange it and they do that, you can actually prevent the fraud, \nwhich is a good thing, because you reestablish what the norm \nshould be, not that you should give personally identifiable \ninformation upfront.\n    Mr. Kennedy of Massachusetts. And I am just going to -- I \nknow I am running close over time. Thank you for clarifying, \nsir.\n    The last piece that I just want to touch on, I don't know \nif any of you--and I don't want to put anybody on the spot here \nbut applications for a passport where you have to submit--or it \nasks for information including identifying information, proof \nof citizenship, proof of identity off a website. We haven't had \nany hearings based on the confidentiality or security of those \nissues. Is that--have any of you investigated other government \nwebsite about the use of and the safety of classified--or of \nconfidential material?\n    Mr. Kennedy. And I can talk to that. One of the examples \nearlier was around the e-filing system. I have actually done \nsecurity testing around the e-filing application part, and they \nhave had security embedded into that at a very different type \nof level. There is actually state laws around the protection \naround what you have to do around Social Security numbers, and \nin the private sector there is what is called HIPAA around \nprotecting against, you know, patient health care information. \nSo there are laws and regulations around the protections of \nthose, and I have done actual security testing on those in the \npast and they have done pretty well.\n    Mr. Kennedy of Massachusetts. And you think HIPAA--but we \nheard a lot of concerns about confidential patient information \nand the mix-up of electronical medical records--or electronic \nmedical records, HIPAA.\n    Mr. 
Kennedy. So there is a difference between compliance \nand what we call proactive security. Compliance doesn't mean \nsecurity in any way shape or form but what HIPAA was designed \nto do was to put protections in place around patient health \ncare information, or PHI, and while that is not necessarily \nsuccessful across 100 percent of the board, I have run into \nsome outstanding medical institutions that have very good \nsecurity to protect patient health care information and take it \nvery seriously, just a matter of negligence versus folks that \ngo on the proactive side to actually fix the issues that they \nidentify.\n    Chairman Smith. Thank you, Mr. Kennedy.\n    Mr. Kennedy. Mr. Chairman, thank you for the extra time.\n    Chairman Smith. The gentleman from Texas, Mr. Neugebauer.\n    Mr. Neugebauer. Thank you, Mr. Chairman.\n    I think we need to make sure we are clear here because even \nwhen people call in to HealthCare.gov, they are talking to \nindividuals, but they are putting that data into the very same \nsystem that the web page is putting that and so basically all \nof that data is going into a central repository, and a number \nof these people that are helping put this data into the system \nare referred to as, I believe, navigators, and I think Ms. \nSebelius stated in a recent hearing that these people do not \nundergo a federal background check, and Dr. Chang, as someone \nthat was once the Director of Research at NSA, what are some of \nthe risks of allowing people that have not had background \nchecks run on them to have access to this kind of data?\n    Dr. Chang. Yeah, so you would basically be worried about \nthe issues of identity theft. I once went to a restaurant and \ngave the server my credit card. They wrote down my credit card \nand racked up some charges. 
So the worry would be to the extent \nthat these folks that haven't had background checks--and \nhonestly, I don't know how severe the backgrounds might be but \nif they haven't had background checks, who knows what they \ncould do with the information. It is valuable information, \nthere is a lot of it, and, you know, maybe they could do \nmalevolent things.\n    Mr. Neugebauer. Mr. Wright, do you want to comment on that?\n    Mr. Wright. Yes, sir. I actually conducted behavior \nanalysis training at the National Security Agency. We had the \ndamage assessments agents in from significant espionage cases \nlike Earl Edwin Pitts from the FBI, Aldrich Ames and Nicholson \nfrom the CIA, and one thing over and over again was, you can do \na background check, you can give a high level of trust, and it \nstill doesn't mean, as we know from Robert Hanssen, for example, \npeople still don't turn bad, but from my experience and \ntraining and when we have gone and looked at the fact that you \ndon't do at least a cursory background check and eliminate the \nobvious threats from the beginning means that convicted felons, \npeople with other--you would no more want a convicted felon \nthan somebody with a conviction for child pornography having \naccess to certain government systems. There is the SF-85-P from \nOMB establishes at least a baseline of information you can use \nto weed out candidates who should be disqualified from holding \na position of public trust. The question is, would you define a \nnavigator from a policy standpoint as a position of public \ntrust, and if you do, the procedures are already in place to \nassess those backgrounds.\n    Mr. Neugebauer. Mr. Wright, when I was reading your \ntestimony, and I think you alluded to in your oral testimony, \nabout the fact that the HealthCare.gov has over five million \nlines of code----\n    Mr. Wright. Five hundred million.\n    Mr. Neugebauer. Five hundred million? Yeah, it's even worse \nthan stated. 
And that the Windows has 50 or 80 million lines of \ncode, I think one of the questions that I have is also about \nsecurity, but the American taxpayers, I think are going to pay \nlike $680 million for the system, or that is what is reported. \nSo the question is, you know, we have got a lot of e-commerce \nsites out there that have been in place for a very long period \nof time, why would the government choose to try to build \nsomething from scratch that already is pretty readily available \nout there? Is there something about the way that HealthCare.gov \noperates that is different from the rest of the world operates \nor should be different from the rest of the world?\n    Mr. Wright. Yes, there is, and it is the issue of \naccountability. If you are in the private sector and you have \nshareholders and you screw up, you are gone. I mean, there is \naccountability. There is also exposure to civil litigation. I \ncan tell you, I worked at Cisco for six years, great company. \nWe worked with a lot of countries and places. But the legal \nramifications of doing something wrong went up and down the \nchain of command. Here you don't have the same. The government \nhas a lot of immunity from liability. It should have gone out \nto the private sector to do this because what you have done -- \nmy example was, can you imagine if the government put out a \nrequest for proposal to build Facebook, what that would look \nlike. Facebook was built with 20 million lines of code and \nserves 1.2 billion people. This has 500 million lines of code \nand it has been challenged to provide the security and the \nfunctionality that you need. So yes, looking from the private \nsector, this actually would require a reinvention in terms of \nhow you go out for proposals as opposed to an IDIQ contract, \nwhich this was done under. 
It is actually to go out and say, \ngive us your best shot, we have a statement of objectives, here \nis what we would like to achieve, now innovate and build \ntowards that. Your costs would have gone down. The complexity \nof the code would have gone down, that Dr. Chang talked about.\n    Mr. Neugebauer. Thank you.\n    Mr. Kennedy, so the complexity of this program means that \nsome of the proven techniques that have been used out there in \nthe private sector that have run through these security checks \nmight not have been incorporated into this code and so \nbasically when you have this much new code, does that increase \nthe vulnerability of the system?\n    Mr. Kennedy. It does significantly and if you look at \nMicrosoft, everybody here has heard of Microsoft before, \nWindows, Microsoft Windows. You know, you hit the 50- to 80-\nmillion mark for lines of code. Microsoft still continues to \nthis day to have security flaws and exposures, albeit \nsignificantly less because they have done formal testing. They \nhave a great security program that actually looks at a lot of \nthese. But in its very early stages, it was definitely one of \nthe most hacked operating systems that there was out there with \nhackers basically breaching with what call zero days or \nexploits every single day. And so when you have 500 million \nlines of code, which is six times greater than the code of \nMicrosoft, you have significant problems with manageability of \ncode, the complexity of the code and the introduction of \nexposures that are out there as far as exploits and attackers. \nSo it is very difficult to manage something like that. It is \nvery difficult to fix something like that as well as even be \nable to address some of the security concerns you have in a \nshort period of time.\n    Mr. Neugebauer. Thank you, Mr. Chairman.\n    Chairman Smith. Thank you, Mr. Neugebauer. The gentleman \nfrom California, Dr. Bera, is recognized.\n    Mr. Bera. Thank you, Mr. 
Chairman. Thank you, witnesses, \nfor being here.\n    We never let politics get in the way of addressing health \ncare, addressing getting access to care. This body never would \nlet that happen. So since we are going to work together as \nDemocrats and Republicans to make sure we are able to get a \nsystem up and running, my goal is not to defend the \nHealthCare.gov website. Obviously this was a botched rollout. \nIt is to take advantage of the fact that we have some security \nexperts here, to take advantage of the fact that we have got to \nfix and make this better. My colleague from Massachusetts, Mr. \nKennedy, already identified one way that we have made this fix \nand made it better in terms of the sequencing, right? So when I \nhave gone to my home state exchange, Covered California, it \ndoesn't ask for any personal information. It allows me to just \nput basic information in, zip code, basic income level and then \nit gives me an estimate. It sounds like HealthCare.gov fixed \nthat. That is a good thing. It makes it more secure, right? \nEveryone would agree with that?\n    Dr. Chang, you mentioned that 86 percent of all websites \nhave at least one vulnerability. We are not here suggesting \nthat we shut down 86 percent of the internet. What we are \nsuggesting is we should be vigilant and address those \nvulnerabilities and we should do everything we can to the \nextent possible to make things secure. Again, I think we all \nagree on that.\n    Mr. Wright has mentioned four things. We just talked about \nsequencing. So this change in sequencing makes us better. Cyber \nsquatting, domain name threats. I know in my state last week, \nthe Attorney General shut down, I believe, 10 websites that \nwere posing as Covered California look-alikes. We should be \nable to address that as well if we are vigilant about that. 
I \nwould say we should just have someone looking at websites every \nday saying hey, these are fake website, let us go after them, \nlet us shut them down. That is something we should be able to \naddress, wouldn't you agree?\n    Mr. Kennedy. I think you can definitely address a lot of \nthose issues from identifying what sites are trying to \nimpersonate as the website itself. There is definitely \nproactive steps you can take to minimize the risk to the \nwebsite itself, absolutely.\n    Mr. Bera. So all of you would recommend that that is \nsomething worth doing?\n    Mr. Kennedy. Absolutely.\n    Mr. Bera. So we should make that recommendation and get on \nthat right away and make sure that no one is going to a fake \nwebsite that looks like HealthCare.gov and putting information \nin. So that is a recommendation I think we can make as a \nCommittee to immediately get on and it is something that should \nbe done today, if in fact it is not being done.\n    Mr. Wright. Dr. Bera, in fact, on the front page of the \nsite, one of the things I suggest is exactly that. It would be \nnice for people to know what is an authentic account. Like when \nyou get your banks, they say we will not ask for your password, \nwe will not do this, just getting information like that from \nthe government itself saying these are things we do and these \nare things we do not do and these are not authorized site, or \nhere is the only sites that count would actually go a long way \nto preventing that fraud.\n    Mr. Bera. So we could certainly make that recommendation.\n    In my State of California, it is my understanding that all \nthe navigators have to go through a background check, so I \nwould ask the Committee to verify which states are making \nnavigators go through background checks and which ones aren't. 
\nIt is my understanding that because of the government shutdown, \npart of our challenge in California is that there is a backlog \nof navigators at the Justice Department going through the \nbackground checks. So that is an easy recommendation that we \ncould make broadly as well, that at a minimum, the navigators \nshould go through at least a basic background check. I would \nask the Committee to verify which states are not doing \nnavigator background checks versus which ones are. I don't \nthink we can make a blanket statement that says navigators \naren't going through background checks because, again, my \nunderstanding is that my home State of California, they are \ngoing through background checks. So again, easy recommendation, \neasy fix, an easy way for us to make sure that we are not \ncompromising security.\n    And then the more complicated one--I am not a computer \nprogrammer, I did hear Dr. Rubin suggest that writing more \nlines of code doesn't always make a system more secure, in \nfact, it may make a system less secure. So, what I would \nencourage all of you, as well as all of the folks in the \nsecurity industry, is to get out there as patriotic Americans, \nwe want to make sure our country is secure. I would start \nmaking those recommendations to the federal government and I \nwould ask the Administration to be open to inviting folks in to \ncome in and make those suggestions because there is a lot of \nknowledge out there. You know, again, Dr. Chang suggested there \nare lots of vulnerabilities out there, so my message to the \nAdministration would be, instead of being insular, let us \nactually invite folks in, Democrats and Republicans, to look at \nthis website and make sure it is secure, and with that, I will \nyield back.\n    Chairman Smith. Okay. Thank you, Dr. Bera. The gentleman \nfrom Alabama, Mr. Brooks, is recognized.\n    Mr. Brooks. Thank you, Mr. 
Chairman.\n    I am not a computer security expert but I can read the \nwords of those who are. The Science, Space, and Technology \nCommittee staff prepared for Members' use a document called \nHearing Charter, and according to our hearing charter, in order \nto use HealthCare.gov, American citizens will be asked to input \nor verify this type of information: birth and Social Security \nnumbers for all family members, household salary, debt \ninformation, home mortgage information, credit card \ninformation, place of employment, previous addresses and the \nlike. So when I see that, that causes me to pause. It causes me \nto have concern because that is a lot of personal information. \nI am sure that some criminal identity theft type of individual \nwould consider that a dream, a wealth of information to get \ntheir hands on. Which brings me to the benefit of some of your \nwritten testimony, which of course is more extensive than your \noral testimony, and if the Committee will bear with me, I am \ngoing to read from some of the written testimony that we \nreceived before we heard the oral testimony. ``The vast amount \nof code also means applying industry standard security \npractices is a task that can have no real chance of success at \npresent.'' No real chance of success at present. 
``The first \nmajor issue is the lack of an inability to conduct an end-to-\nend security test on the production system.'' Obamacare ``also \ncreates massive opportunity for fraud, scams, deceptive trade \npractices, identity theft and more.'' Another one: ``The lack \nof effective security controls has created the conditions for \nmassive fraud and hacking.'' Yet another one: ``The most \ntroubling insider threat aspect would be the lack of a \npersonnel policy that requires background checks for \nindividuals with access to PII''--personal information--``or \nsensitive information systems.''\n    During testimony November 6, 2013, Secretary Sebelius \nadmitted that convicted felons could be hired as navigators and \nthat no federal policy existed to require background checks. So \nwe have got the insider threat. Another one: ``There are clear \nindicators that even basic security was not built into the \nHealthCare.gov website.'' Another one: ``There are systemic and \nserious concerns with the HealthCare.gov website. Based on our \nexperience in large web applications such as this, there are a \nfew options available in order to address the security concerns \nwith the website,'' and the list just goes on and on and on.\n    It seems to me that the Obamacare website is the mother \nlode for identity theft, internet fraud and other criminal \nactivity. It is quite frankly frightening and outrageous that \nthe White House so callously and cavalierly exposes so many \nAmericans to risk of debilitating financial damage, and all of \nthis brings me to my questions. If HealthCare.gov identity \ntheft occurs, an American citizen is financially damaged. What \nrecourse does that citizen have under Obamacare against the \nfederal government for compensation for financial losses \noccurred because we American citizens use the website we were \ntold to use under Obamacare? 
Can any of you all describe to me \nwhat remedies, what recourse, what compensation can a citizen \nreceive from the federal government for use of the website we \nare mandated to use that results in identity theft or other \nadverse effects?\n    Mr. Wright. My very quick answer is, what form do I fill \nout to get my identity back because there is no way to do that. \nYou can give me a credit card, you can fix my card, but once my \nidentity is taken how do I get that back. That is probably one \nof the key things that has concerned me just from a technology \nstandpoint is the protection from an identity theft standpoint. \nWe can fix a lot of other stuff but your identity is what makes \nyou who you are.\n    Mr. Brooks. Dr. Chang, do you have any compensation that a \ncitizen who has been wronged can get from the government for \nuse of Obamacare's website?\n    Dr. Chang. I think I would just maybe respond sort of \ngenerally. There is this notion kind of in credit card fraud \nthat you basically hold the consumers harmless. This is very \ncomplex. They talk about 500 million lines of code, all this \nkind of scripting and stuff. It is very complex, and to expect \nusers to have any sort of deep understanding of it, you might \nsay gee, it is sort of like a credit card. You kind of hold \nthem harmless.\n    Mr. Brooks. I have only got 30 seconds left, so I am going \nto conclude with one quick question. Given HealthCare.gov's \nsecurity issues and assuming for the moment that you would be \npersonally responsible for all damages incurred, if any, from \nyour advice, would any of you advise an American citizen to use \nthis website as the security issues now exist? Yes or no.\n    Mr. Kennedy. No, sir, not at this time.\n    Mr. Wright. Same answer.\n    Dr. Chang. Same answer.\n    Dr. Rubin. Yeah, I wouldn't yet.\n    Dr. Brooks. So it is a unanimous no, don't use the web site \nbecause of the security risks?\n    Dr. Rubin. 
I would say that the security would have to be \nstudied a lot more carefully before I would agree to that.\n    Mr. Kennedy. And disclosed.\n    Mr. Brooks. Thank you for your insight. I hope the American \npeople are listening. With that, Mr. Chairman, thank you for \nthe time.\n    Chairman Smith. Thank you, Mr. Brooks. You elicited a \nunanimous response on that question.\n    The gentleman from California, Mr. Takano, is recognized.\n    Mr. Takano. Thank you, Mr. Chairman. I am disappointed that \nthe Committee is spending its time this morning adding to the \npolitical drama around the Affordable Care Act. There have \nalready been over 40 hearings this year on the Affordable Care \nAct by House committees, 15 of those since open enrollment \nbegan on October 1. And now we can add the Science Committee to \nthat list.\n    While there certainly have been issues with the rollout of \nthe website, the stories of how the Affordable Care Act is \nalready helping millions of people are drowned out by the scare \ntactics used by my colleagues on the other side of the aisle. I \nhave here the Republican playbook for undermining the ACA. It \nis filled with examples of how to scare constituents away from \nObamacare. It is in the American people's best interest to \nencourage participation in the exchanges to help bring down \npremiums for everyone. But for my colleagues, it seems it is \nnot about the American people winning, it is about them \nwinning.\n    This hearing is just another attempt to undermine the \nPresident's signature law and follow their playbook.\n    Mr. Rohrabacher. Mr. Speaker, Mr. Chairman----\n    Mr. Takano. Well, I would like to----\n    Mr. Rohrabacher. Mr. Chairman, I----\n    Mr. Takano. While I would like to balance the record and \nshare----\n    Mr. Rohrabacher. Mr. Chairman, might I ask----\n    Mr. Takano. Mr. Chairman, I do not yield. I reclaim my \ntime.\n    Mr. Rohrabacher. I am not asking you to yield. 
I am asking \nthe Chairman to make a decision as to whether or not what you \njust did was impugning the integrity of those who are \ndisagreeing with you on this side of the aisle which is----\n    Chairman Smith. Yeah, I would say the gentleman from \nCalifornia----\n    Mr. Rohrabacher. --inconsistent with the rules of this \nCommittee.\n    Chairman Smith. I appreciate the gentleman from California \nbringing that issue up, but in the Chair's judgment, the \naccusation was general enough and not specifically addressed \ntowards any individual. So I am sure the gentleman will not \nrepeat it. But I would not say at this point it was out of \norder.\n    Mr. Rohrabacher. Thank you very much.\n    Mr. Takano. Thank you, Mr. Chairman. I would like to \nbalance the record and share a bit about how the ACA is helping \nmy constituents. Twenty-four percent of my constituents are \nuninsured. That is 175,000 people in my district alone. The \nAffordable Care Act will get them covered so they don't have to \nworry about going bankrupt or being unable to get care if they \nbecome sick. Just yesterday I heard from a constituent who lost \nher insurance when her husband became sick with Parkinson's \ndisease at the age of 50. Now through Covered California, she \nand her sons are able to get robust coverage, and they are \nsaving more than $600 a year.\n    Yes, the federal rollout has been complicated, and yes, we \nshould be sure the website is protected from attack and \nAmericans' personal information is secure. The law is about \nmore than the website. It is about peace of mind for millions \nof Americans who need and deserve affordable coverage.\n    Now, I have seen a lot of--I am an English teacher, and I \nhave seen a lot of rhetorical, a lot of red herring, rhetorical \nconfusion sort of statements and testimony being made, and I \njust want to clarify something with you, Mr. Kennedy. I have--\nyou were asking, responding to--excuse me. 
Before the hearing, \nyou met with staff to discuss the vulnerability you found on \nthe Data.HealthCare.gov site. In that meeting you said that you \ncould not know what the architecture of Data.HealthCare.gov, \nwhat it was or how it was connected at the systemic level with \nHealthCare.gov. These are two separate websites.\n    Now you are saying that they share an infrastructure. I am \nnot sure what you mean by that, but it implies that they are \none in the same site. Now, let me ask you a simple question. \nYou could see the account information for Data.HealthCare.gov, \na site that is not designed for consumers but for researchers \nwho look at national aggregations of data on health plans. Is \nan account at Data.HealthCare.gov also an account at \nHealthCare.gov? Are they the same?\n    Mr. Kennedy. There are two questions there. The first is, \nis the account the same.\n    Mr. Takano. Are they the same? That is my question.\n    Mr. Kennedy. They are not the same.\n    Mr. Takano. Okay. Thank you. Dr. Rubin, based on what you \nwere able to learn preparing for this hearing, what are the \nvulnerabilities at HealthCare.gov implicit in Mr. Kennedy's \ndiscovery about the data website managed by CMS?\n    Dr. Rubin. It is really not clear to me. The \nData.HealthCare.gov, I went to it and looked at it, and it is a \ndifferent kind of a site. And I am not sure. I would need to \nstudy the linkage between, if there is any, the accounts on \nHealthCare.gov and the accounts on Data.HealthCare.gov.\n    Mr. Takano. Okay. So Mr. Kennedy, do you believe there is \nany connection?\n    Mr. Kennedy. I do. I do believe that there is significant \nconnection. If you think HealthCare.gov, it is not just \nwww.HealthCare.gov. Think of a house where you have a door \nwhich may be the entryway into it. 
There are things that \nsupport that website that pull data feeds in, and there are \ndirect data feeds that get pulled in from Data.HealthCare.gov \nthat are directly represented on HealthCare.gov. Information \nconsists----\n    Mr. Takano. But are consumers going to be going to that \nsite?\n    Mr. Kennedy. Not necessarily. I don't know enough about the \ninfrastructure to say whether or not consumers----\n    Mr. Takano. So you don't know anything about the \ninfrastructure?\n    Mr. Kennedy. I don't know enough about the infrastructure--\n--\n    Mr. Takano. Yet, in your testimony there is an implication \nthat people could draw that there is one.\n    Mr. Kennedy. Well, there are over 100,000 individuals \nregistered for that website. It would be indicative that it is.\n    Mr. Takano. Well, I think this is kind of an example of the \nconfusionous sort of testimony, a red herring to make the \nAmerican people--to scare the American people.\n    Mr. Kennedy. I would say that extracting 100,000 \nindividuals' email addresses----\n    Mr. Takano. Again, you don't know the infrastructure.\n    Chairman Smith. Mr. Takano, would you mind letting the \nwitness answer one of those questions?\n    Mr. Takano. Thank you. My time is up, Mr. Chairman.\n    Chairman Smith. Okay.\n    Mr. Wright. Mr. Chairman, could I actually add something? I \nwanted to clarify something. I just talked with your staff.\n    I just went through to create an account because the \nimplication was made is that they have changed it. I am \nactually here right now with an account asking me to verify my \nhome mortgage, Social Security number and stuff. So in terms of \nmy testimony, I just wanted to make sure to be factual is that \nit still requires me to verify and provide personally \nidentifiable information, Social Security number, credit \ninformation before I can create an account.\n    Chairman Smith. Thank you for that clarification. The \ngentleman from Utah, Mr. 
Stewart, is recognized for his \nquestions.\n    Mr. Stewart. Mr. Chairman, could I beg to defer my question \nfor several and come back?\n    Chairman Smith. Absolutely. We will return to you in just a \nminute. We will go to the gentleman from New York, Mr. Collins.\n    Mr. Collins. Thank you, Mr. Chairman. I think it is \nprobably appropriate after that give and take, I am just going \nto ask six yes/no questions. How is that? We will start with \nMr. Wright, go down the line, and there are six of them.\n    Number one, would any of you have launched HealthCare.gov, \nrecommended the launch, given the factual, known status of the \nwebsite on October 1?\n    Mr. Wright. No.\n    Dr. Chang. No.\n    Dr. Rubin. No.\n    Mr. Kennedy. No.\n    Mr. Collins. Number two, would any of you have signed off \nas experts on the front-end requirement to enter personal data \nto be able to go get pricing and other information?\n    Mr. Wright. No.\n    Dr. Chang. No.\n    Dr. Rubin. No.\n    Mr. Kennedy. No.\n    Mr. Collins. Do any of you today think today that the site \nis secure?\n    Mr. Wright. No.\n    Dr. Chang. No.\n    Dr. Rubin. No.\n    Mr. Kennedy. No.\n    Mr. Collins. While this is a hypothetical, in your opinion \ndo any of you think the site will be secure on November 30?\n    Mr. Wright. No.\n    Dr. Chang. No.\n    Dr. Rubin. No.\n    Mr. Kennedy. No.\n    Mr. Collins. In your opinion, how long do you think it will \nbe before the site could be secure? Just give me an estimate of \nmonths.\n    Mr. Wright. Unknown.\n    Dr. Chang. Hard to estimate.\n    Dr. Rubin. I don't have enough information.\n    Mr. Kennedy. A long time.\n    Mr. Collins. And finally, last question. This will be a \nrecord, Mr. Chairman, in a five minute questioning session. \nWould you recommend today that this site be shut down until it \nis verified to be secure?\n    Mr. Wright. Yes.\n    Dr. Chang. Yes.\n    Dr. Rubin. I would need more information.\n    Mr. Kennedy. 
Yes.\n    Mr. Collins. Thank you, gentlemen.\n    Chairman Smith. Thank you, Mr. Collins. You would be a \ndangerous lawyer. The gentleman from Texas, Mr. Veasey, is \nrecognized for his questions.\n    Mr. Veasey. Thank you, Mr. Chairman. I wanted to \nspecifically ask you about a couple of events that have been in \nthe press here lately. One was a large bank, financial \ninstitution that had their information compromised. CitiGroup \nhad an attack of about 146,000 people that had their Social \nSecurity numbers, their date of births and other information \nthat was compromised, and there was also a large defense \ncontractor that also had over 70,000 individuals that had their \nnames, Social Security numbers, date of birth, blood type, \nother contact info. Can you explain how individuals are at \ngreater risk of identity theft under HealthCare.gov than any of \nthese other sites that I have just named?\n    Mr. Kennedy. I can take that, and I appreciate your \nquestion there. There is no doubt that the hacking community \nand what is going on right now with technology is a great \nthreat. I mean, it is happening all the time. There are attacks \nhappening all over the world from different locations on \ndifferent companies as well as government agencies.\n    And so what we need to do and what we need to bring \nawareness to, and this is why we are here as experts on the \nsecurity side, is bring awareness to what you can do to prevent \nthese type of attacks from happening because they are \npreventable. You can do secure coding. You can do things that \nprevent hackers from breaking in. You can stop them in the very \nearly stages of an actual attack. And these companies that \nexperience these type of breaches fundamentally had flaws in \ntheir security program that allowed these type of exposures to \nhappen. There is a lot of success stories that have happened, a \nlot of companies that haven't experienced breaches. 
And those \nare the companies that I think hold true to proper secure \ncoding practices, proper testing and ensuring that they have \nsecurity injected into their software development lifecycle to \nprevent these type of exposures in the meantime.\n    Mr. Veasey. Dr. Rubin, I would be interested to hear what \nyou have to say.\n    Dr. Rubin. I mean, he was echoing my thoughts exactly----\n    Mr. Veasey. Okay.\n    Dr. Rubin. --that there are known practices that if they \nare followed with proper personnel and proper training and \nproper security practices and encryption and the right software \nand the right software life cycle. You can't ever make a system \nthat any security professional would claim is entirely secure, \nbut you can make something that should stand up to the attacks \nthat we are seeing today.\n    And so the sites that have been compromised, if you dig \ndeep, and I have had experience and opportunity to dig deep in \nsome of the sites that have been compromised, you often find \nthat they either weren't vigilant enough, were running the \nwrong software or weren't following some well-known best \npractice that would have prevented the problem.\n    Mr. Veasey. Have any of you, particularly because of the \nquestion that you just answered from the previous \nCongressperson on the dais on the Republican side, have any of \nyou done a security assessment of HealthCare.gov? Because I \nmean, for you to be able to say that, no, you think that it \nshould be shut down, I am assuming that you have done a \nsecurity assessment.\n    Mr. Kennedy. To answer that question, what we can see is \nindicators of security flaws, things that would be basic for an \nattacker to go after that should be addressed, even by the most \nsimplistic scans or ways of detecting exposures. So to answer \nyour question, I have not performed a security assessment on \nHealthCare.gov because I am not authorized to. 
However, based \non using public information and information that is readily \navailable, there are clear indicators that there are major \nsecurity concerns on the website based off of what we can \nidentify without actually attacking the site itself.\n    Mr. Veasey. I would like for everybody to answer that one.\n    Mr. Wright. Yeah, and what he is getting at, too, it is \njust the example I was talking about when the original denial \nof service attacks happened. They didn't happen right away. \nThey built up until they got critical mass over a period of six \nmonths. The Chinese People's Liberation Army, the Mandient \nreport, advance persistent threat one did this for years. You \nwill not see the massive attack in the first 30 to 60 days, but \nwhat you have are the precursors and the indicators and in a \nsense warnings is that all the conditions are there, the \nvulnerabilities are there, the lack of an end-to-end security \ntest is there which will create the condition in the future, \njust like a forest fire. It is a recipe for disaster at some \npoint in the future if it is not remediated.\n    Dr. Chang. Yeah, I guess I would echo what some of the \nothers have based on information that seems to be publically \navailable, based on the testimony of David, and just this \ngeneral idea that I mentioned before that the web is basically \na pretty dangerous place, and some of these precautions haven't \nbeen inserted is cause for concern.\n    Dr. Rubin. I think that the attacks that have been \npublished so far and that I have seen have all been ones that \nare easily fixable, and the ones that have been around for a \nlittle while have been fixed. And before I would recommend \nshutting something down, I would have to know that there was \nsome inherent security problem or architectural flaw that \nnecessitated that as opposed to some small superficial type \nrisks that can be easily fixed. 
I don't want to minimize them, \nbut if they can be fixed, that is better than shutting it down.\n    Mr. Veasey. And to clarify the exchange that you had with \nMr. Kennedy a little bit earlier, you talked about the HIPPA \nprotocols, I just want to clarify something for everybody that \nmay be watching this. HIPPA applies to medical records which \nare not stored in HealthCare.gov, is that correct?\n    Dr. Rubin. That is my understanding.\n    Mr. Veasey. Okay. All right. Mr. Chairman, thank you.\n    Chairman Smith. Thank you, Mr. Veasey. The gentleman from \nArizona, Mr. Schweikert is recognized for his questions.\n    Mr. Schweikert. And thank you, Mr. Chairman, and to a \ncouple of my fellow Members, thank you for letting me skip \nahead. I have another appointment in a moment. I need to \ndisclose, I am sort of a junior-level SQL programmer which \nmakes me just dangerous enough to think I know what is going \non. Not that I wouldn't know about any of these blogs, but \nwhile sitting here I went on a couple of the hacker blogs that \nI have some familiarity with. Some of them, you all know, \nbecause I am sure when you are hunting for public information--\nthat is why I have been a little surprised at some of the \ndialogue back and forth here saying let's have sort of a \ntechnical discussion instead of a political one that seems to \nbe coming from the other side.\n    Outside of the, what is it, a DDoS type attacks, which are \neasy conceptually, mechanically, I found one whole discussion \ngroup talking about SQL injections. I would think that would \nhave been just a junior-level thing to have avoided and tested \nfor. So Mr. Wright, should I have a level of concern that just \nin sitting here in 40 minutes I was able to find a number of \nblogs talking about here is a script you might try?\n    Mr. Wright. I am shocked it took you that long because it \nis out there. 
You look at the common vulnerability expressions, \nbasically a common vulnerability database. One of the things \nyou can do that is a very easy check is to check your site \nagainst the top 20 things that are out there and see how you \nrank against that. That is public information. The FBI does \nthat. I think it is the San Francisco Field Office in concert \nwith the security administrator networks. It is called SANS, I \nthink, and then MITRE has that. There is stuff out there you \ncan already test it again.\n    Mr. Schweikert. It is an automated script. You can just \nload it in and test your----\n    Mr. Wright. And you can do--there is a lot of automated \ntesting. But again, to David's point, there is no authorization \nfrom our side to conduct that and nobody wants to run afoul of \nthe law. So you can only do things that are passively or \nrecognizance. You can't do anything active against the site.\n    Mr. Schweikert. Dr. Chang?\n    Dr. Chang. So I guess I would relate back to this idea that \nhackers will be patient. So David talked about, you know, kind \nof probes and scans. They are basically going to sort of check \nthings out, try to understand if they will recognizance. They \nwill, you know, press and probe. They will be patient.\n    Mr. Schweikert. Dr. Rubin?\n    Dr. Rubin. Yeah. I mean, I think that the sequel injection \nattacks are one of the better-known types of attacks, and they \ncan easily be prevented up front. From the demonstration that \nMr. Kennedy did, it shows that people are actively trying out \nto see if there are sequel injection vulnerabilities.\n    Mr. Schweikert. Mr. Kennedy, I was going to actually go to \nsomething else because it is come up now I think two or three \ntimes in the discussion. HealthCare.gov, we should think of it \nas a portal that is reaching out and touching a number of \ndifferent databases, and those different databases all, you \nknow, most likely have also entries into those. 
So it is a \nconnected web. And there has been some of the absurdity of some \nof the argument coming here is, well, you know, is it \nHealthCare.gov? If there is lots of ways to get into the hub, \nyou will have lots of different paths of vulnerability. And I \nmean, I am trying to describe it as simply as possible. Am I \ndoing okay?\n    Mr. Kennedy. You are perfect. It is entirely accurate. If \nyou look at what was mentioned, the data hub and the different \nsites that make up HealthCare.gov, HealthCare.gov is what we \ncall the end-user experience, the user interface, the UI. That \nis when people browse and kind of view and things like that. \nBut data that comes in from there comes from different areas. \nIt comes from state exchanges, it comes from \nData.HealthCare.gov. If you want to click on the live chat \nbutton on the bottom right, it takes you to \nChat.HealthCare.gov. So there are different sites that make up \nwhat you see in your browser.\n    Mr. Schweikert. And that is often the vulnerability. It \ncould be over here just a discussion group that actually has \naccess in and that is my path in the line of code.\n    Mr. Kennedy. In fact, right before this all started, I got \nan email from an individual that had sent me basically about 14 \ndifferent exposures that they identified, and one of them was \nbasically how to manipulate data that could be directly \nportrayed on the HealthCare.gov website because it pulls in \nfrom these different areas.\n    So, to put this conceptually and easy, it hooks into IRS, \nit hooks into DHS, it hooks into Experion which is a third \nparty. You have all these trusted connections. You have all \nthese things that make up the site itself. But the pieces that \nactually make up www.HealthCare.gov are multiple areas.\n    Mr. Schweikert. Yeah, I just need everyone to sort of \nunderstand that because there seems to be a misunderstanding of \nthinking it was a siloed website, and it is just the opposite. 
\nYou know, think of it sort of as the spider web.\n    In my 20 remaining seconds, we have half-a-billion lines of \ncode. Market value or market pricing right now for really \nbeautiful, high-end code is what, 45 bucks a line? 50?\n    Mr. Kennedy. It averages and depends based on what type of \nprogramming language and infrastructure, but sure.\n    Mr. Schweikert. And so that is where I have been trying to \nget my head around saying if just half-a-billion lines of code, \nparticularly when you are reaching out and pulling in out of \nother databases and then standardizing it, does something seem \nalmost absurd?\n    Mr. Wright. Well, there is also another paradigm, to, that \nif it costs you $1 to fix it before you launch, it will cost \nyou up to $100 to fix it after you launch.\n    Mr. Schweikert. You beat me to the punch line.\n    Mr. Wright. Oh, sorry about that.\n    Mr. Schweikert. No, it is okay. Mr. Chairman, thank you for \ntolerance, and thank you everybody.\n    Chairman Smith. Thank you, Mr. Schweikert. The gentleman \nfrom Illinois, Mr. Lipinski, is recognized for his questions.\n    Mr. Lipinski. Thank you, Mr. Chairman. As Mr. Veasey had \nsaid and others have said, I think it is important enough to \nmake the point again for those watching as I have been in my \noffice up until now, HealthCare.gov does not store any \npersonal, medical information or other information. So a hacker \ncould get access to sensitive information, the hacker could not \nsimply access all a person's life and medical history. I think \nit is important that we make clear that to the American people.\n    You know, it should be said that also cyber security \nthreats are not unique to HealthCare.gov, and I have some \nconcerns that we are just focusing on the security of \nHealthCare.gov but not other potentially vulnerable systems. 
\nJust yesterday, for example, the Treasury Inspector General for \nTax Administration issued a report which found the security \nconfiguration settings on IRS servers were not set in \naccordance with IRS policy. The report stressed that if these \nservers were accessed by unauthorized persons, they might be \nable to access large amounts of sensitive information.\n    So I think that there are other things we should be looking \nat. It is easy right now to beat up on HealthCare.gov, but I \nthink we should make sure we are doing our job in looking at \nall of the potential vulnerabilities in cyberspace, with cyber \nsecurity, with government systems. But everyone would have to \nadmit that the HealthCare.gov website rollout has been an \nunmitigated disaster. My personal experience with DC Health \nLink so far has not been very good, either, but I don't think--\nwe are not talking about that right now.\n    Apart from the obvious issues of the lack of usability of \nthe website, there have been security flaws present at the time \nof the launch which would have compromised the data that people \nentered into the site as has been mentioned. The fact the \ninformation is not stored on the website would be cold comfort \nto anyone who had their Social Security number and other \nsensitive info stolen as it was submitted to the website. I \nnever want to downplay that importance.\n    In a memo on September 27, the CMS Administrator, Marilyn \nTavenner, revealed that a contractor had not had access to all \nthe security controls to test the system. The memo went on to \nsay that, ``From a security perspective, the aspects of the \nsystems that were not tested expose a level of uncertainty that \ncan be deemed a high risk.''\n    So we certainly have examples of problems with \nHealthCare.gov. We have talked about those. 
I have long been \nconcerned about cyber security issues in general, which is why \nin the last three Congresses I have cosponsored the Cyber \nSecurity Enhancement Act with Congressman McCaul. This \nlegislation would improve federal research and workforce \ndevelopment in the field of cyber security. I am glad that we \nhave moved that here in this Congress.\n    I have also sponsored several bills which would make \nnecessary changes to the Affordable Care Act including one to \ndelay the individual mandate unless HHS's IG was able to \ncertify that the website was working by November 30. I did not \nvote for the Affordable Care Act, but I think that we owe it to \nthe American people to put partisanship aside and make \nnecessary changes to the Affordable Care Act when they are \nrequired. I have certainly stepped forward to try to do that.\n    So with that long introduction, my question for the panel--\nhope you had some time to rest there--is whether a similar \napproach in some ways is needed for HealthCare.gov. So I want \nto ask, would it be helpful to have the--and this is for \neverybody. Would it be helpful to have HHS's IG certify that \nall known security issues have been dealt with and that a \nprocess was in place to proactively identify and address major \nsecurity issues as they arise? Do you feel that an adequate \nprocess is currently in place. That is we talked a lot about \nissues here. Do we need to have a system maybe, like I said, \nHHS's IG or someone else who is looking at this and making sure \nthat the processes are in place as these things are found? We \nnever know for certain every single possible weakness. But \nwould you think that would be helpful to help moving security \nalong on this system?\n    Dr. Chang. I wrote down some questions that are kind of \nalong those lines. Maybe I will read them now. They might be \nuseful. I think I would ask questions like how resilient is \nHealthCare.gov to a hacking attempt? 
What is your evidence? \nWhen there is a breach, how will we respond? What is our \nprocess for monitoring the security of HealthCare.gov? When a \nvulnerability is found, how quickly is it remediated? Are we \ntaking all reasonable steps to protect the sensitive data on \nHealthCare.gov? What is the evidence?\n    Mr. Wright. And to your point, it would be helpful because \nthen we are dealing with a known. Now we have a report, and it \nmay be is that the report would ameliorate a lot of the \nuncertainty that is out there. But on the other hand, you have \nto be prepared for the fact is that the report would identify \nthe structural deficiencies that cannot go on and still allow \nthe site to operate. But at any point, a knowledge base as Dr. \nRubin was talking about would be helpful to make the proper \nassessment by experts and trusted people in the field to give \nyou an idea, they, yeah, this can be fixed or no, it can't be \nfixed.\n    Dr. Rubin. I think it is important to do what you are \nsuggesting and to have reviews both at the high level because \nthe questions that Dr. Chang was asking were high-level \nquestions but as well as the low-level questions, a technical \nchecklist of particularly known problems and making sure that \nall of those are addressed.\n    Mr. Kennedy. I think the fundamental differences that we \nhave here is there's no question that there is no security \nvulnerabilities with the website or that there are security \nissues that we know about right now with the website itself. So \nwe know that there are vulnerabilities. We know that there are \nsecurity concerns.\n    So having a process in place to actually address those in a \nvery quick manner is a very good process to have and ensuring \nthat they get remediated in a very timely, effective manner. 
\nNow, the question I would pose back is it is so complex that \nintroducing changes to what we call a production site or \nsomething that is live and running becomes extremely critical \nand very hard to do because of the working code that is behind \nit.\n    So meeting those timeframes and meeting the ability to \nactually fix those issues may become more difficult to do in \nthe current working environment that you have right now.\n    Mr. Lipinski. Thank you.\n    Chairman Smith. Thank you, Mr. Lipinski. The gentleman from \nUtah, Mr. Stewart, is recognized.\n    Mr. Stewart. Thank you, Mr. Chairman. Thanks for holding \nthe hearing, and to the witnesses, thanks for your service. \nThanks for being here today.\n    You know, I am just a guy. I am not a genius, but I got to \ntell you, you don't have to be a genius to listen to your \ntestimony today and to be scared to death. If I were in my \nliving room or home doing dishes, listening to you as you have \ntestified today, I would be scared to death. Americans should \nbe scared to death.\n    I would like to come back to my friend, Mr. Collins, and \nhis series of questions. I am not going to ask you to repeat or \nanswer these questions again but just to review them for you \nand your response. Would any of you have launched \nHealthCare.gov? Unanimously, the answer was no. Would any of \nyou have signed off on the front-end personal data requirement? \nAgain, unanimously the answer was no. Is the site secure now? \nOnce again, no. Will the site be secure on December 1? Once \nagain, the answer is no, that you provided.\n    I would add one more, and I would ask your response on \nthat. Is it possible to know how many attacks have occurred \nagainst HealthCare.gov and its associated sites? Are you aware \nof any? And let me kind of frame it in this question. If you \nwere a Chinese cyber terrorist, wouldn't you consider this just \na target-rich environment?\n    Mr. Wright. 
So sir, to that point, you can only manage what \nyou can measure, and if you are incapable of measuring the \nattacks and you don't have the capacity, you won't even be \naware that those attacks have occurred.\n    So the point where they say they have only had so many \nattacks, that is based on what they know. Again, I go back to \nwhat Donald Rumsfeld said, you know what you know, you know \nwhat you don't know. What we are dealing with----\n    Mr. Stewart. Sure.\n    Mr. Wright. --here is we don't know what we don't know, and \nuntil you have a comprehensive review of the site and you \nreally understand your security posture and then put the \ndefense in-depth strategies in place you have absolutely no \nidea about how many attacks.\n    Mr. Stewart. But there is no reason for us to be optimistic \nabout the number of attacks or the vulnerabilities of this \nsite, wouldn't you agree?\n    Mr. Wright. I would say the number of attacks vastly \nunderstate the actual threat.\n    Mr. Stewart. Yeah, absolutely.\n    Dr. Chang. Yes, I would happen to agree. We are very early \non in the start-up of this website. My concern would be that \nthey are spending now time basically kind of, you know, \ninvestigating, analyzing, kind of preparing. So this is the \nprep phase.\n    Mr. Stewart. Okay. Anyone else, if you have something to \nadd? Okay. Let me kind of make this point then. If you were a \nfederal official who had the authority and this was a private \ncompany and you were examining this company and saw the issues \nthat you do with HealthCare.gov, and again, if you had the \nauthority, would you shut that site down?\n    Mr. Wright. Yes, and I will tell you what we suffered from. \nIf you think of the Challenger disaster and the Apollo \nmissions, people had go fever. This was going to happen on \nOctober 1 no matter what. No matter what risk finding you had \nand regardless of how serious it was, go fever said that we \nwere going to launch on October 1. 
That is not the way to run a \nbusiness.\n    Mr. Stewart. Okay. Anyone else want to----\n    Dr. Rubin. Sure. I agree that it is pretty bad to have a \nparticular date in mind that you are going to go no matter \nwhat. I think that the shutting down again will require a \nreview to ascertain whether there are fundamental security \nproblems or kind of scratching the surface security problems \nthat can be easily fixed.\n    Mr. Stewart. Yeah. You know, I just think the irony isn't \nlost on people when they say the government, one of the \nresponsibilities they have is to help set up processes to \nprotect my personal information. And yet we have exactly the \nopposite here where not only are they not protecting them but \nthey are requiring them and allowing the government to move \nforward with the program that is going to do exactly the \nopposite which then, if I could make my final point and \nquestion to you, what would you say to your constituents if you \nwere me? What should I tell the people that I represent, the \nAmerican people? I mean, how could I in good conscience go back \nand encourage them to participate in this program when we know \nthat they are exposing themselves if they do? Can you help me \nwith that? I mean, I would appreciate any advice you got on \nthat.\n    Mr. Wright. That is the advantage on being on this side of \nthe table is I don't have to.\n    Mr. Stewart. Okay.\n    Mr. Wright. No, you are in a very tough--and it is very \ntough. But at some point, people intuitively know. You have to \ntell them the truth. They have to make their own decisions. \nStill, the consumer needs to be aware. Educate them, tell them \nwhat the risks are, and if they choose to do it, it is still a \nconsumer issue. But what we are dealing with here is a lack of \nawareness, education and people really understanding what the \nrisk is. If they choose to take the risk, that is their issue \nat that point. 
But without knowing it, it is very hard to make \nthat decision.\n    Mr. Stewart. Anyone else want to counsel us on that? Thank \nyou. Mr. Wright, I think you hit on the key to that is all we \ncan do is tell the truth, and I think that is the purpose of \nthis hearing here is to help people understand what is the \ntruth, what is actually happening here. And that is why I think \nthis has been valuable.\n    So Mr. Chairman, with that I yield back my remaining two \nseconds.\n    Chairman Smith. Thank you, Mr. Stewart. Dr. Chang, I know \nyou have to leave at noon. We are now a couple minutes past \nthat in order to catch your flight. So thank you for being here \ntoday and thank you for your testimony.\n    Dr. Chang. Okay. Thank you.\n    Chairman Smith. Thank you. And we'll go to the gentleman \nfrom Oklahoma, Mr. Bridenstine, for his questions.\n    Mr. Bridenstine. Thank you, Mr. Chairman. I just wanted to \nask the panel--first of all, thank you so much for being here, \nand thank you for your service. There has been a lot of \naccusations from the other side of the room. I just wanted to \nask the panel, did any of you guys come here because you wanted \nto scare the American people in an effort to bring down this \nlaw? Was that the intention of anybody on the panel?\n    Mr. Kennedy. The purpose for us coming here is to explain \nwhat issues we identify. We are agnostic when it comes to the \npolitics side. We are security researchers. We are folks that \nunderstand security, and our whole purpose here is to educate \naround what security concerns that we can see. I mean, I don't \nunderstand how you do your day-to-day jobs and how you work the \ngovernment in every single side of the House. But I understand \nsecurity. I understand how security works, and these things can \ndefinitely be fixed ahead of time. And it is not to instill \nfear at all. 
It is just to get the awareness out there, to get \nthe information out there to help better educate and fix the \nissues that are apparent with the site.\n    Mr. Bridenstine. Thank you.\n    Mr. Wright. I think it was Harry Truman who said it best. \nWe don't give them hell, we just tell the truth. They think it \nis hell. No, there is no R or D or I in computer codes. It is \nones and zeros. The computer is agnostic about what it does. We \nhad discussions--everybody here, we are not here to talk about \nthe political issue, should it be up or down. We are saying if \nyou are asking us, based on our background and experience and \nput our reputation on the line to say should we do this, it is \nabout the technology. That is why, Congressman Stewart, I am \nglad we are on this side because you deal with the politics, we \ndeal with the technology which sometimes is far easier than \nwhat you deal with. But no, the purpose coming here today is \neducate, awareness, give you our opinions. But we don't control \nthose levers of power. What we do, as David said and Dr. Rubin \nsays, we are here to give you our unbiased opinion what we \nthink.\n    Mr. Bridenstine. Dr. Rubin?\n    Dr. Rubin. Yes, I agree with both of them.\n    Mr. Bridenstine. Okay. Speaking of it, you mentioned the \ncode, the code is non-partisan, there are 500 million lines of \ncode. What is the risk? When you talk about 500 million lines, \ncan you give me some comparisons and share with me what does \nthat mean as far as risk?\n    Mr. Kennedy. Whenever you introduce this amount of \ncomplexity, you introduce a significant amount of risk, \nespecially from what we are understanding around the security \ntesting, which was rushed out the door and not all components \nactually tested. 
So it is very much a critical risk from the \nlines of code that were developed, and to be honest with you, I \nhave not seen--and I have worked for Fortune 10, Fortune 50, \nFortune 100, Fortune 1000 companies as well as on the \ngovernment side, I have not seen an application that pales in \ncomparison to 500 million lines of code, including some of the \nlargest applications you would ever see in the history of man.\n    Mr. Wright. Just to put it in perspective, the website \nshould be similar to a game of checkers. It should be that easy \nto understand. Instead, we are trying to find a chess master \nwho can play 20 games of 3-D chess at the same time. That is \nthe difference in the complexity of code because when you have \ntwo pieces of data, there's just not one possibility. There are \nactually four possibilities. There is no data, one piece, the \nother piece and then both pieces together. So when you add 500 \nmillion lines, then you are talking do the old checkerboard \nthing, put a penny and keep doubling it until you get to the 64 \nsquare, that is the complexity we are talking about.\n    Mr. Bridenstine. So when you talk about this complexity, \nMr. Wright, I think you are hitting on a critical component \nthat it is hard for people who aren't computer programmers to \nwrap our brains around which is if you fix one piece of that \n500 million lines of code, what are the--I mean, there's got to \nbe some side-effects that result from that, is that correct? \nAnd how does that work?\n    Mr. Wright. Side-effects is a good term. Yeah, you create \nan unintended series of cascading events that you have no \ncontrol over because you don't have a grasp of what the code is \nactually doing. 
And to David's point, and he can actually show \nyou these vulnerabilities, you think you have changed one \nthing, by doing that you have opened up a Pandora's box of \nvulnerabilities on the other side because you could not account \nfor the path, the 72 places it had to go to before it finally \ngot there. It is so complex, you can't manage that.\n    Mr. Kennedy. And just taking it from the functionality \nside, when you introduce a piece of code that fixes a flaw, you \ncould break the functionality piece that users see on a regular \nbasis, too, because again it is so complex. So you fix one, you \nbreak another. It doesn't necessarily mean you fixed the \nsecurity issue. You may not be able to actually browse a site \nor visit what you intended to actually use.\n    Mr. Bridenstine. Just out of curiosity, if you had to \nassess the length of time it would take even to assess the \nsecurity risk, how long of a period of time are we talking?\n    Mr. Kennedy. To look at 500 million lines of code, there is \na process we call source code analysis where you actually look \nat the code itself. And that is going to be your most \ncomprehensive way of looking at the actual exposures.\n    And then you have what is called dynamic testing which is \non top of it to look at the live running sites. So you marry \nthose two together to perform kind of a holistic approach to \nlooking at the overall security around the site itself. Five \nhundred million lines of code? I would say to do it properly \nwould probably take about six months or so just to do the \nreview cycle of it.\n    Mr. Bridenstine. And then after that you would have to do \nthe fixes to secure it. How much longer would that take?\n    Mr. Kennedy. And that is the problem. 
So in my written \ntestimony, I gave three different options for recommendations \non how to actually address the concerns with this because if \nyou look at it then, let's just say that 20 percent of the code \nneeds to be rewritten based on the exposures that are \nidentified. If you introduce 20 percent new code into a running \nwebsite that is up there right now, you are absolutely going to \nhave some major systemic issues with the stability of the site \nas well as introducing new exposures to it.\n    So the first recommendation was to rebuild it in a sense of \nkind of like a version 2.0 which incorporates all of these \nchanges or is rewritten from scratch to really kind of address \nit.\n    The second option was shutting down the site itself, making \nthe changes and putting it back up after you've addressed \nthose.\n    The third option was basically letting the website run and \nintroducing new code into that environment which would \nobviously create stability concerns.\n    Each one of those has different links and times. If you do \na version 2.0, based on the knowledge you already have with how \nto integrate into the already-running state exchanges, that \nwould probably take six months to develop a new site that would \nbe operational. The three folks that built it in two weeks are \ndefinitely a testament, but to do a fully production instance I \nthink would take about six months. To shut it down, to actually \nshut it down and recode would probably take four to six months \nto get the critical concerns out of the way to at least get it \nback up and running an stable.\n    The portion around keeping it stable or keeping it up and \nrunning while introducing it could take years.\n    Mr. Bridenstine. Mr. Chairman, I yield back.\n    Chairman Smith. Thank you, Mr. Bridenstine. The gentleman \nfrom Texas, Mr. Weber, is recognized.\n    Mr. Weber. Thank you, Mr. Chairman. 
Have any of you all \nassessed on a scale of one to ten the cost of this website with \nthe volume of stores, the interaction, the cost per \nparticipant? In other words, you are going to have--I forget. I \nthink they have said 100-something thousand had been on there, \nwhatever it is, but versus private industry. From your \nknowledge about those websites and how they have been created \nand produced, on a scale of one to ten, ten being the most \nefficient bang for the buck, what would you give this? We will \nstart with Mr. Wright.\n    Mr. Wright. Back-of-a-napkin calculation, I mean, it is got \nto be somewhere around a two. Your average cost per user is \nsignificantly high because you have got few users and you have \ngot a lot of money in it.\n    Mr. Weber. Right. Got you.\n    Dr. Rubin. I haven't had that data to perform a cost \nanalysis.\n    Mr. Weber. Okay.\n    Mr. Kennedy. When you look at the website the \ninfrastructure supported, I believe there was a statistic that \ncame out that they could handle 600 users per second on the \nsite during registration process. So if you look at that \ninfrastructure, you look at the amount of money that was spent \non this, and it was in excess of I believe $600 million? Is \nthat correct?\n    Mr. Weber. That is huge. Yes.\n    Mr. Kennedy. I would give this a one as far as operational \nefficiency and the type of money that was spent on it.\n    Mr. Weber. All right. Thank you. And my second--we are \ngoing to talk projected costs going forward because if it so \nexpensive to maintain this thing and they can't hire the right \npeople, then Americans' security is going to be at risk.\n    So going forward, if there was going to be a maintenance \ncontract on maintaining this thing, which I am assuming there \nis, you are going to have to have personnel that are doing \nthat. Now, my colleague form Utah said this would be a great \nvulnerability for Chinese cyber terrorists was the word he \nused. 
But I would submit that there might be some Edward \nSnowdens. They don't have to be in China.\n    From what you know, is that system available to disallow \nsomething like that happening where somebody inside could walk \nout with just tons of information? Yes or no.\n    Mr. Wright. Based on what we know, no. Or at least what I \nknow.\n    Mr. Weber. Right.\n    Dr. Rubin. I don't have enough information again about how \nthe system is architected to answer that.\n    Mr. Weber. Okay.\n    Mr. Kennedy. And I don't have enough information on the \nback-end process for that, but it is my understanding no.\n    Mr. Weber. I got you. What I wanted to is guarantee a \nplatform, but that couldn't happen. So let's go back now. We \nranked the efficiency on the dollar, but how about on a \nsecurity scale? I think I am going to know this answer, one to \nten, ten being the most secure, you have got to give this \nabysmal ratings, right?\n    Mr. Wright. Based on what we previously said that we would \nnot allow it to go. It would have to be a zero.\n    Mr. Weber. Absolutely, has to be--okay. Go ahead.\n    Dr. Rubin. So I think we have seen a bunch of security \nproblems that were easily fixed, and a deeper dive is necessary \nin order to determine where we are on that scale of one to ten.\n    Mr. Weber. But versus what you know about the private \nindustry----\n    Dr. Rubin. There is no doubt that compared to a private \nsystem that goes live, this system has more problems than you \nwould expect to see.\n    Mr. Weber. Well, I don't know that that is accurate because \nthis is the federal government. We expect a lot of problems.\n    And then finally, Mr. Henry Chao I guess is how you say \nthat, the Chief Information Officer for the CMS, said that the \nsite was no problem. He would recommend it to his sister. I \ndon't know, you all probably didn't read that. It is in our \nnotes. So I guess this question is for Mr. Kennedy. You are the \nhacker. 
How long do you think it would take you to get his \nsister's information or do you already have it?\n    Mr. Kennedy. I am not going to confirm that second one, but \nno.\n    Mr. Weber. Okay.\n    Mr. Kennedy. No, I do not have any type of public \ninformation. But you know, confidently I would say, and this is \nbeing very generous, I would say within a day to two days.\n    Mr. Weber. One to two days you could go in and hack the \nsite based on the platform that is there now, which is not \nguaranteeing zero or one level of security, if that is even----\n    Mr. Kennedy. Yes, sir, and that is just understanding the \namount of time it takes to understand an application is where \nthe bulk of the one to two days comes in. It is just \nunderstanding how the infrastructure works, being able to start \nto kind of probe it a bit. It would take about a day or so. I \ncould probably, you know--to be honest with you, it would \nprobably take a few hours, but I am giving myself two days.\n    Mr. Weber. All right. That is great. I mean, that is good \nnews and bad news. It is bad news what you are saying it could \nbe done, but it is good news is the American public is going to \nknow this. So once you learn that system and get into it, then \nyou can hack anybody's information really quickly.\n    Mr. Kennedy. That is correct. Yes, sir.\n    Mr. Weber. Makes me feel more secure.\n    Mr. Wright. And sir, I think the biggest danger, too, is \neverybody keeps talking about the data hub. But what concerns \nme about the data hub is it operates as a trusted broker. In \nother words, all these other systems trust the data hub to say \nthe transaction is authenticated, it is trustworthy. If that is \nnot the case, you have just unintentionally done it similar to \na Donnie Brasco, introduce somebody in that everybody trusts \nbecause of the introduction, not because it is actually \ntrustworthy.\n    Mr. Weber. 
So not only do we have politicians saying trust \nme, I am from the federal government, now we have computers \nsaying it.\n    Mr. Wright. Essentially yes. I mean, there's a certain \nlevel of trust that comes from the data hub.\n    Mr. Weber. Mr. Chairman, I yield back.\n    Chairman Smith. Thank you, Mr. Weber. The gentleman from \nIndiana, Mr. Bucshon, is recognized.\n    Mr. Bucshon. Thank you, Mr. Chairman. First of all, I am a \nmedical doctor, I was, before coming to Congress, and I want to \nbriefly comment on some of the comments that were made about \npersonal health information and whether that is profitable or \nnot profitable, and I would ask the question would anyone in \nthis room want to let everyone in this room know all their \npersonal medical information? And I would say that the answer \nto that is no because it is personal. This is about people. \nThis is not about profit on medical information.\n    Let me give you an example. When you ask people to direct \ndonate blood, for example. Say someone is having surgery and \ntheir family members want to donate blood. Actually \nstatistically, the blood from the regular pool is safer than \nhaving your family donate blood for you. Why is that? The \nreason is because you don't know what all kinds of health \nproblems that your family members have had because they haven't \ntold you. And so I would argue this is a personal privacy \nissue, and if there's any chance that people's medical \ninformation can get out there based on a government website, it \nis not correct.\n    The other thing I would like to say is quickly, and then I \nwill have a question, is just because other websites of the \nfederal government or in the private sector have problems \ndoesn't justify this website having problems. I have heard that \nhere today, too. Well, this website has been breached and this \nprivate sector has given up information. That doesn't matter. \nWe are not talking about that. 
We are talking about this \nwebsite, and it doesn't justify failures of this website.\n    So with that said, on September 3, 2013, a memo signed by \nthe Chief Information Officer, there were at least two open \nhigh findings for the federally facilitated marketplace, the \nFederal exchanges. The first high finding, although \nsubstantially redacted, indicates that the threat and risk \npotential is limitless. It indicates corrective action must be \ntaken by May 31, 2014. And information on the second high \nfinding is completely redacted. It indicates that due date for \ncorrective action is February 26, 2015. I think we have \nmentioned that before.\n    As cyber security experts, based on these findings, would \nanyone recommend that the federally facilitated marketplace, \nthe Federal exchanges, be made publicly available?\n    Mr. Wright. Yes, sir. That is exactly the same memo I \nreferenced earlier, and when the phrase is said the threat and \nrisk potential is limitless, I don't know how you accept risk \nbased on the fact as you can't quantify the risk.\n    Mr. Kennedy. To also address that situation, in the private \nsector, those type of exposures are what we call showstoppers, \nthings that would not allow the website to be put into \nproduction until they actually were remediated, and that would \nbe especially ones that never heard the term limitless before \nwhich would mean that basically access to everything and \neverything that would be part of that infrastructure would be \nmy guess. You would not put that into any type of production \nenvironment or go live with it in any way.\n    Mr. Bucshon. Mr. Chairman, if this hasn't been introduced \nin the record--I can't remember if Mr. Wright did that--I would \nlike unanimous consent to introduce the memo from CMS into the \nrecord.\n    Chairman Smith. Okay. Without objection, it'll be made a \npart of the record.\n    [The information appears in Appendix II]\n    Mr. Wright. 
And if I could add one more point in \nclarification, too, the difference in the private sector versus \nthe government is that, again, it goes back to liability, \nshareholder lawsuits. If a memo like this came out in \nlitigation, you would find the firm facing financial ruin \nbasically because they knew, they knew they shouldn't have done \nit and they did it anyway. And that is the basis for company \nkilling litigation.\n    Mr. Bucshon. Dr. Rubin, at this point, could you recommend, \nbased on the fact we don't know what the redacted information \nis but that there was a high finding, would you recommend \nopening these up to the public at this point? I think it is a \nsimilar question that has been asked before about the website. \nBut this is specifically related to the exchanges.\n    Dr. Rubin. Yeah, I mean before I would answer that \nquestion, I would want to see the details, the technical \ndetails of what the problems really are.\n    Dr. Bucshon. It is my point these are redacted and not \npublicly available, and that is an issue because outside \npeople can't assess what the threat is because we have redacted \ninformation. And maybe since they have released this, they have \nmade it public, but I don't think that is the case.\n    Mr. Kennedy, is it common--would anyone out there launch a \nwebsite with these types of warnings before corrective action \nis completed? I mean, anybody out there? I mean, would it be \nprudent to do that?\n    Mr. Kennedy. I come from very much a programming \nbackground, one that works with organizations on developing \nsoftware for life cycles and building applications that are \nlarge like this.\n    So what I can say is that it depends on the risk of the \norganization and what they are able to accept. 
Based off of \nwhat we have seen and the information that has been publicly \navailable, I would not know of a company that would release a \nsite like this with the functionality and security concerns \nthat there were ahead of time.\n    Mr. Bucshon. So it would be important for the public to \nknow what the concerns were and then you could make a better \nassessment?\n    Mr. Kennedy. Absolutely.\n    Mr. Bucshon. That is what you are saying? I think that is \nwhat Dr. Rubin has said also.\n    Dr. Rubin. Yeah, I agree. I am sorry. I agree. I think that \nthe public should know what the concerns were.\n    Mr. Bucshon. Okay.\n    Mr. Wright. And just to add one point, sir, a final thing. \nWhen they establish the advanced encryption standard which \nbecame the basis for our encryption, that math, those \nalgorithms were in the public. They were in the public domain. \nPeople got to view those, and to this day you can look at all \nthe people who submitted things. Bruce Schneier submitted I think \nit was called ``Twofish.'' You have got the AES. The math is \npublic. It was subject to peer review, and if there were any \nissues, it would have been exposed. And that is really--\nsunlight is the best thing when you are looking at remediating \nsecurity problems. Expose it, let it be shown and let the \npeople weigh in on it who've got the expertise. You will find \npeople will crowd source and help you solve the problem.\n    Mr. Bucshon. Thank you, Mr. Chairman. I yield back.\n    Chairman Smith. Thank you, Dr. Bucshon. The gentlewoman \nfrom Wyoming, Ms. Lummis, is recognized for her questions.\n    Mrs. Lummis. Thank you, Mr. Chairman. Mr. 
Kennedy, in a \nrecent article by Fox News you were quoted as saying if I was \nallowed to attack the website by myself and I had approval to \ngo and do it, it would be very simple for me to break into it, \nsteal all the information that is in the database, including \nall of your personal information that you use to register for \nthose sites, Social Security numbers, everything like that, \nbasically that is what you were saying to one of the previous \nMembers who was talking about Mr. Chao's sister. You mentioned \nthat you'd like to have two days to get in to access her \ninformation.\n    We have also learned today that these systems are \nintegrated, that they are talking back and forth, that there's \nintegration between HealthCare.gov and the IRS website and \nHomeland Security and others. Would you be able to get into \nHealthCare.gov and then use it to get into the IRS website?\n    Mr. Kennedy. Without knowing enough about the \ninfrastructure behind it, I can't say yes or no. However, what \nI can say is that as attackers and as hackers break into \ninfrastructure, they usually use a conduit, a website, to use a \ntrusted connection back to other infrastructure to gain access \nto that back end.\n    So without understanding infrastructure, I can't say yes, \n100 percent. But based on the information that we know, you can \nlook at the privacy policy on the website itself, it shows who \nit actually interacts with and the type of information it \nsends. If you look at that, it is pretty indicative that you \ncould, you know, use that HealthCare.gov as a leaping point and \nkind of a back door into the other agencies, other Federal \nportions of government, like the IRS or DHS. And again, I can't \nsay without certainty but it is definitely a common technique \nthat a hacker would use to do it. It is called what we call, \nyou know, pivoting and further attacking into the \ninfrastructure.\n    Mrs. Lummis. 
And gentlemen, based on that information, \nwould you have recommended that HealthCare.gov be walled off \nfrom other federal government databases that have very \nsensitive information?\n    Dr. Rubin. Let me address your first question, and then \nI'll address the second question. First, just one \nclarification, that is it is not the IRS website. It is a back-\nend database of the IRS that is being accessed. And the way the \ndata is being accessed is through this hub where requests are \nbeing sent. And so if the site were designed with proper \nsecurity, with good security practices and principles, there \nwould be a very, very limited interface between HealthCare.gov \nand the IRS where the IRS's database responses would be very \nlimited in their nature. They could only answer certain queries \nto answer eligibility questions. If the site were designed very \npoorly and the interface was designed poorly, then I think that \ncould be open. I don't know what kind of design they use, but \nin my written testimony I talked about focusing on those \ninterfaces, keeping them very simple and very basic and using \nthe hub simply to query those back-end databases at these other \nsites and get the responses back.\n    Mrs. Lummis. Mr. Wright?\n    Mr. Wright. I think one of the challenges--and this is why \nI went back and confirmed after Congressman Kennedy said that--\nis that you still have to provide this information up front. So \npart of the issue you can get to make the site more secure and \nmake it function better is to not put all this overhead on the \ninitial transaction because the closer you are to the \npresentation layer to where the user is actually interfacing \nwith it means it is easier to get that information to your \npoint, not necessarily walled off and playing off what Dr. \nRubin said, but I would like to push that kind of transaction \nback farther to where I can maintain better security. My \nsecurity perimeter gets smaller. 
I can defend against things \nbetter. As opposed to the Great Wall of China, we are trying to \nsecure the great fence of China, and instead what I want to do \nis have a smaller, tighter core that I can defend against and \nhave that data hub, and those types of transactions happen in a \nsmaller, confined area. You can't wall it off because it still \nhas to interface, but you can reduce the risk and the threats \nby reducing the amount of waste and the places that to David's \npoint an attacker can come in because they will do that. They \nwill come in and they will use the same methodologies, the same \nseven-stage terrorism planning cycle that is in the traditional \nworld is also used in cyber terrorism.\n    Mrs. Lummis. Well, we do know that there are countries that \nhire hackers, governments that hire hackers that attempt to \nhack into information in the United States all the time, and we \nknow that some of those government-hired hackers hack for their \ngovernment by day and they hack for hire by night. And so there \nare mercenary hackers out there that will hack for money.\n    Mr. Kennedy, are there vulnerabilities that you've not \nidentified publicly out of fear that the consequences are so \nexploitable that it would be like telling a criminal where you \nhide the spare key to your house?\n    Mr. Kennedy. Yes, there is. There are exposures that I have \nidentified that are not public.\n    Mrs. Lummis. Have you identified them to someone who can \nuse them to plug those holes?\n    Mr. Kennedy. Yes, I have. Any time that I discover an \nexposure or criticality, it is sent to the appropriate people \nto get addressed and fixed. That is where we come in from the \nresponsible disclosure side of doing the right thing.\n    Mrs. Lummis. Gentlemen, I really thank you for your \nexpertise and your presence here today. Mr. Chairman, I yield \nback.\n    Chairman Smith. Thank you, Mrs. Lummis. 
I would like to \nthank our witnesses today for being here and helping us better \nunderstand the many privacy and security concerns that have \nbeen voiced concerning HealthCare.gov. Unfortunately, the \npersonal information that has already been entered into \nHealthCare.gov is vulnerable to online criminals and identity \nthieves. This security flaw endangers a large number of \nAmericans who already have used the website. President Obama \nhas a responsibility to ensure that the personal and financial \ndata collected as part of Obamacare is secure. It is clear this \nis not the case.\n    There is only one reasonable course of action. Mr. \nPresident, take down this website.\n    That concludes our hearing, and thank you again for \ntestifying and we stand adjourned.\n    Mr. Wright. Thank you.\n    [Whereupon, at 12:35 p.m., the Committee was adjourned.]\n\n\n                               Appendix I\n\n                              ----------                              \n\n                   Answers to Post-Hearing Questions\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                              Appendix II\n\n                              ----------                              \n\n                   Additional Material for the Record\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n</pre></body></html>\n"