[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
                      HEALTHCARE.GOV: CONSEQUENCES
                           OF STOLEN IDENTITY

=======================================================================

                                HEARING

                               BEFORE THE

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            JANUARY 16, 2014

                               __________

                           Serial No. 113-62

                               __________

 Printed for the use of the Committee on Science, Space, and Technology


       Available via the World Wide Web: http://science.house.gov





                  U.S. GOVERNMENT PRINTING OFFICE
86-900                    WASHINGTON : 2014
----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001



              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas                 ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois
    Wisconsin                        DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
PAUL C. BROUN, Georgia               DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida
MO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois             SCOTT PETERS, California
LARRY BUCSHON, Indiana               DEREK KILMER, Washington
STEVE STOCKMAN, Texas                AMI BERA, California
BILL POSEY, Florida                  ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky              MARK TAKANO, California
KEVIN CRAMER, North Dakota           ROBIN KELLY, Illinois
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS COLLINS, New York
VACANCY
                            C O N T E N T S

                            January 16, 2013

                                                                   Page
Witness List.....................................................     2

Hearing Charter..................................................     3

                           Opening Statements

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives................................................     7
    Written Statement............................................     8

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives.............................................     9
    Written Statement............................................    10

                               Witnesses:

Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC
    Oral Statement...............................................    13
    Written Statement............................................    16

Mr. Waylon Krush, Co-Founder and CEO, Lunarline, Inc.
    Oral Statement...............................................    30
    Written Statement............................................    32

Mr. Michael Gregg, Chief Executive Officer, Superior Solutions, 
  Inc.
    Oral Statement...............................................    40
    Written Statement............................................    42

Dr. Lawrence Ponemon, Chairman and Founder, Ponemon Institute
    Oral Statement...............................................    49
    Written Statement............................................    52

Discussion.......................................................    57

             Appendix I: Answers to Post-Hearing Questions

Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC......    88

Mr. Waylon Krush, Co-Founder and CEO, Lunarline, Inc.............   102

Mr. Michael Gregg, Chief Executive Officer, Superior Solutions, 
  Inc............................................................   108

Dr. Lawrence Ponemon, Chairman and Founder, Ponemon Institute....   113

            HEALTHCARE.GOV: CONSEQUENCES OF STOLEN IDENTITY

                              ----------                              


                       THURSDAY, JANUARY 16, 2014

                  House of Representatives,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Committee met, pursuant to call, at 9:13 a.m., in Room 
2318 of the Rayburn House Office Building, Hon. Lamar Smith 
[Chairman of the Committee] presiding.



[GRAPHIC] [TIFF OMITTED] 86900.003

[GRAPHIC] [TIFF OMITTED] 86900.004

[GRAPHIC] [TIFF OMITTED] 86900.005

    Chairman Smith. The Committee on Science, Space, and 
Technology will come to order.
    Welcome to today's hearing titled ``HealthCare.gov: 
Consequences of Stolen Identity.'' I will recognize myself for 
an opening statement and then the Ranking Member.
    When the Obama Administration launched HealthCare.gov, 
Americans were led to believe that the website was safe and 
secure. As the Science, Space, and Technology Committee learned 
at our hearing last November, this was simply not the case. We 
heard troubling testimony from online security experts who 
highlighted the many vulnerabilities of the Obama website. 
These flaws pose significant risks to Americans' privacy and 
the security of their personal information.
    One witness, Mr. David Kennedy, who has been re-invited for 
today's hearing, testified that there are ``clear indicators 
that even basic security was not built into the HealthCare.gov 
website.'' In addition, all four experts testified that the 
website is not secure and should not have been launched. Mr. 
Kennedy will update the Committee on the security of the 
website since November 30, 2013, which was the Administration's 
self-imposed deadline for when it would be fixed.
    Since the November hearing, other events have emerged that 
prompted the need for today's hearing. In December, a former 
senior security expert at the Centers for Medicare and Medicaid 
Services stated that she recommended against launching the 
HealthCare.gov website on October 1st because of ``high-risk 
security concerns.''
    A letter addressed to the Committee from Mr. Kennedy and 
independently signed by seven other security researchers who 
reviewed his analysis of vulnerabilities presents some very 
troubling information. To paraphrase one of the experts, Mr. 
Kevin Mitnick, who was once the world's most wanted hacker, 
breaking into HealthCare.gov and potentially gaining access to 
the information stored in these databases would be a hacker's 
dream. According to Mr. Mitnick, a breach may result in massive 
identity theft never seen before. Without objection, Mr. 
Kennedy's letter will be made a part of the record.
    Chairman Smith. Further, a recent report by the credit 
bureau and consumer data tracking service Experian forecasts an 
increase in data breaches in 2014, particularly in the 
healthcare industry. Specifically, the report states: ``The 
healthcare industry, by far, will be the most susceptible to 
publicly disclosed and widely scrutinized data breaches in 
2014. Add to that the Health Care Insurance Exchanges, which 
are slated to add seven million people into the healthcare 
system, and it becomes clear that the industry, from local 
physicians to large hospital networks, provide an expanded 
attack surface for breaches.'' Experian provides the identity 
verification component of the Health Insurance Marketplace 
enrollment process.
    Because of increased accessibility to HealthCare.gov, 
concerns continue to grow about the security of personal 
information. The work of this Committee will help Congress make 
decisions about what actions may be necessary to further inform 
and safeguard the American people.
    We are here today to discuss whether the Americans who 
signed up for healthcare plans have put their personal 
information at risk. If Americans' information is not secure, 
then the theft of their identities is inevitable and dangerous.
    [The prepared statement of Mr. Smith follows:]

             Prepared Statement of Chairman Lamar S. Smith

    When the Obama Administration launched Healthcare.gov, Americans 
were led to believe that the website was safe and secure. As the 
Science, Space, and Technology Committee learned at our hearing in 
November, this was not the case.
    We heard troubling testimony from online security experts who 
highlighted the many vulnerabilities of the Obamacare website. These 
flaws pose significant risks to Americans' privacy and the security of 
their personal information.
    One witness, Mr. David Kennedy, who has been re-invited for today's 
hearing, testified that there are ``clear indicators that even basic 
security was not built into the Healthcare.gov website.''
    In addition, all four experts testified that the website is not 
secure and should not have been launched. Mr. Kennedy will update the 
Committee on the security of the website since November 30, 2013, which 
was the Administration's self-imposed deadline for when it would be 
fixed.
    Since the November hearing, other events have emerged that prompted 
the need for today's hearing. In December, a former senior security 
expert at the Centers for Medicare and Medicaid Services stated that 
she recommended against launching the Healthcare.gov website on October 
1st because of ``high risk security concerns.''
    A letter addressed to the Committee from Mr. Kennedy and 
independently signed by seven other security researchers who reviewed 
his analysis of vulnerabilities presents some very troubling 
information.
    To paraphrase one of the experts, Mr. Kevin Mitnick, who was once 
the world's most wanted hacker, breaking into Healthcare.gov and 
potentially gaining access to the information stored in these databases 
would be a hacker's dream. According to Mr. Mitnick, ``A breach may 
result in massive identity theft never seen before.''
    Further, a recent report by the credit bureau and consumer data 
tracking service Experian forecasts an increase in data breaches in 
2014, particularly in the healthcare industry. Specifically, the report 
states: ``The healthcare industry, by far, will be the most susceptible 
to publicly disclosed and widely scrutinized data breaches in 2014. Add 
to that the Healthcare Insurance Exchanges, which are slated to add 
seven million people into the healthcare system, and it becomes clear 
that the industry, from local physicians to large hospital networks, 
provide an expanded attack surface for breaches."
    Experian provides the identity verification component of the Health 
Insurance Marketplace enrollment process.
    Despite increased accessibility to Healthcare.gov, concerns 
continue to grow about the security of personal information.
    The work of this Committee will help Congress make decisions about 
what actions may be necessary to further inform and safeguard the 
American people.
    We are here today to discuss whether the Americans who have signed 
up for health plans have put their personal information at risk. If 
Americans' information is not secure, then the theft of their 
identities is inevitable and dangerous.
    Chairman Smith. That concludes my opening statement, and 
the gentlewoman from Texas, Ms. Johnson, is recognized for 
hers.
    Ms. Johnson. Thank you very much, Mr. Chairman.
    Since we held our November 19th hearing highlighting 
security issues at HealthCare.gov, up to 110 million people 
have had their debit card or credit card information 
compromised by a hack of Target store records. But Target was 
not alone in being successfully hacked: The Washington Post, 
Facebook, Gmail, LinkedIn, Twitter, YouTube, Yahoo, JP 
MorganChase, SnapChat, and my friends at the Dallas-based 
Neiman Marcus stores have all announced security breaches.
    However, do you know one system that has not been 
successfully hacked since the last hearing? HealthCare.gov. 
Also since the last hearing the Center for Medicare and 
Medicaid Services (CMS) staff and contractors have been working 
around the clock to improve the performance and security of 
HealthCare.gov. There have been numerous fixes to the website 
that have improved the site's responsiveness compared to its 
first 60 days. Millions of Americans have been able to access 
the site and obtain medical coverage.
    During that entire time top security contractors, including 
Blue Canopy, Frontier Security and the Mitre Corporation have 
been working to test the system and identify weaknesses that 
need to be addressed. The Chief Information Security Officer 
has also been running weekly penetration tests to support 
security mitigation steps for CMS. Further, CMS says that none 
of the Majority's witnesses' concerns voiced in that November 
hearing have turned into any actual breach of security.
    The last hearing did not feature a single witness who had 
any actual information about the security architecture of 
HealthCare.gov, nor what is being done to maintain the 
integrity of the website. Today, we have the same kind of 
hearing. As smart and experienced as these witnesses are, not 
one of them has actual knowledge of the security structure at 
HealthCare.gov. The best that they can do is speculate about 
vulnerabilities. I think it would be good for Members to 
remember that.
    I am concerned that the intentions in this hearing appears 
to be to scare Americans away from the HealthCare.gov site. 
This appears to present a continuation of a cynical campaign to 
make the Affordable Care Act fail through lack of 
participation. While we are holding this hearing, both the 
House Oversight and Government Reform Committee and the Energy 
and Commerce Committee are holding similar events, all with the 
apparent goal to create a sense of fear, thereby manufacturing 
an artificial security crisis.
    It is my hope that all of our witnesses can agree that it 
is important to make HealthCare.gov work for the American 
people to help give all our citizens access to affordable 
healthcare. I do not want to believe that any of the witnesses 
testifying today want the site to be hacked or shut down, or 
even see the program fail, or see Americans go without 
healthcare insurance.
    This country faces a lot of real issues and real policy 
challenges. If we are truly interested in hacking and identity 
theft, we should have representatives of the largest retail 
institutions in the country here to discuss the challenges they 
face in protecting people's information. Instead, it appears 
that the Majority has allowed the Committee to become a tool of 
political messaging to a degree that I have never witnessed any 
time in my time in Congress, and I am in my 22nd year.
    Thank you. I hope that the Committee hearing will be the 
last of this topic, absent some actual allegations of 
wrongdoing, so that we can focus on legitimate oversight issues 
facing the country and this Committee.
    Mr. Chairman, before I yield, I would also like to comment 
on the letter you want to put in the record. I was hoping after 
reading it that you would have some testimony or give the 
people opportunity other than a 24-hour showing of this letter, 
but you don't have to take my word on this. Mr. Kennedy's own 
document reads, this report is for public use. The report is 
not appended to his testimony, and I imagine it was not added 
because it would violate our 48-hour rule. He did not give us 
testimony in time but late yesterday afternoon presented this 
report out of the blue, and I am guessing your counsel told him 
to make it a letter because we routinely accept outside letters 
from groups and experts all the time with minimal notice.
    So the report now pretends to be a letter addressed to you 
and to me. However, I cannot remember another time that a 
witness for the Committee also felt they had to write us a 
letter. I think it is an elaborate way to try to get testimony 
before the Committee in violation of the 48-hour rule.
    As the substance of the report, it includes what amounts to 
testimony from experts who are not appearing before this 
Committee and is against the practice of the Committee to 
accept testimony from people who are not personally available 
to answer our questions.
    The one thing I do know is that none of the individuals who 
signed these statements in the packet have worked on 
HealthCare.gov or the security protocols behind the website. In 
other words, they know no more about the actual security of the 
site than does Mr. Kennedy. In deference to the Chairman, I 
will withdraw my objection but I would point out that this 
report includes language that I consider vulgar and beneath the 
dignity of the Committee. That alone should be reason to keep 
it out.
    Even if the Chairman is comfortable with the way our rules 
are being stretched, if you insist, I will withdraw, but I want 
the record to reflect that we have gone beyond professional 
behavior of this Committee. Thank you.
    [The prepared statement of Ms. Johnson follows:]

       Prepared Statement of Ranking Member Eddie Bernice Johnson

    Since we held our November 19th hearing highlighting security 
issues at healthcare.gov, up to 110 million people have had their debit 
card or credit card information compromised by a hack of Target store 
records. But Target was not alone in being successfully hacked: The 
Washington Post, Facebook, Gmail, LinkedIn, Twitter, Youtube, Yahoo, JP 
MorganChase, SnapChat, and my friends at the Dallas-based Neiman Marcus 
stores have all announced security breaches.
    However, do you know one system that has not been successfully 
hacked since that last hearing? Healthcare.gov.
    Also since the last hearing the Center for Medicare and Medicaid 
Services (CMS) staff and contractors have been working around the clock 
to improve the performance and security of healthcare.gov. There have 
been numerous fixes to the website that have improved the site's 
responsiveness compared to its first 60 days. Millions of Americans 
have been able to access the site and obtain medical coverage.
    During that entire time top security contractors, including Blue 
Canopy, Frontier Security and the Mitre Corporation, have been working 
to test the system and identify weaknesses that need to be addressed. 
The Chief Information Security officer has also been running weekly 
penetration tests to support security mitigation steps for CMS.
    Furthermore, CMS says that none of the Majority's witnesses 
concerns voiced in that November hearing have turned into any actual 
breach of security.
    The last hearing did not feature a single witness who had any 
actual information about the security architecture of healthcare.gov, 
nor what is being done to maintain the integrity of the website. Today, 
we have the same kind of hearing. As smart and experienced as these 
witnesses are, not one of them has actual knowledge of the security 
structure at healthcare.gov. The best that they can do is speculate 
about vulnerabilities. I think it would be good for Members to remember 
that.
    I am concerned that the intention of this hearing appears to be to 
scare Americans away from the healthcare.gov site. This represents a 
continuation of a cynical campaign to make the Affordable Care Act fail 
through lack of participation. While we are holding this hearing, both 
the House Oversight and Government Reform Committee and the Energy and 
Commerce Committee are holding similar events. All with the apparent 
goal to create a sense of fear, thereby manufacturing an artificial 
security crisis.
    It is my hope that all of our witnesses can agree that it is 
important to make healthcare.gov work for the American people to help 
give all our citizens access to affordable health care. I do not want 
to believe that any of the witnesses testifying today want the site to 
be hacked or shut down, or see the program fail, or see Americans go 
without medical insurance.
    The country faces a lot of real issues and real policy challenges. 
If we are truly interested in hacking and identity theft, we should 
have representatives of the largest retail institutions in the country 
here to discuss the challenges they face in protecting people's 
information. Instead, it appears that the Majority has allowed the 
Committee to become a tool of political messaging to a degree I have 
never witnessed in my time in Congress.
    Thank you, I hope that today's hearing will be the last on this 
topic, absent some actual allegations of wrongdoing, so that we can 
focus on all the legitimate oversight issues facing the country and 
this Committee.
    Chairman Smith. I will recognize myself to respond to the 
Ranking Member's comments.
    All Committees, including this one, have a longstanding 
practice of affording Members the courtesy of entering items 
that they believe are relevant to the topic at hand into the 
record. I am sure the Ranking Member knows this. Members on 
both sides have generally approached the development of the 
record in the spirit of bipartisanship and comity. I am 
disappointed if the gentlewoman from Texas would now seek to 
question a letter I have asked to place in the record. We 
frequently place items in the record that express the opinion 
of various groups or make statements regarding an issue at the 
request of Members on both sides of the aisle. Often, those who 
have written those letters are not testifying before the 
Committee and have not been asked to do so, yet their opinions 
are still made part of the record.
    One such example is a 54-page submission that Mr. Maffei 
requested be placed in the record at a hearing last August. 
This document, which was not even addressed to the Committee, 
but instead to the Administrator of the EPA, was entered into 
the record without comments. It includes a letter from six 
different tribes signed by eight different people, none of whom 
testified before this Committee. It includes a letter from a 
lawyer who represented the tribes. He also did not testify 
before the Committee, yet we made his letter a part of the 
record. Finally, it includes another letter to the 
Administrator of the EPA that purports to be from 15 different 
national organizations, 17 international organizations, 75 
Alaskan organizations, and numerous other organizations from 
other states. None of these organizations testified before this 
Committee.
    I placed Mr. Kennedy's letter in the record here today. He 
is testifying before us shortly----
    Ms. Edwards. Mr. Chairman.
    Chairman Smith. --and Members will have the opportunity to 
question him on its contents.
    Ms. Edwards. Mr. Chairman.
    Chairman Smith. I am still in the middle of my statement.
    I regret the Ranking Member has questioned the longstanding 
prerogative of a Member to enter a relevant document into the 
record, especially when Members on her side of the aisle have 
done so many times without objection from the Majority.
    I hope this is not indicative of her desire to make this 
Committee's business more partisan.
    That concludes my statement, and I will now introduce the 
witnesses.
    Ms. Edwards. Mr. Chairman.
    Chairman Smith. I am going to introduce the witnesses, 
and----
    Ms. Edwards. Mr. Chairman, I object to the entry of the 
letter into the record.
    Chairman Smith. The letter has already been entered into 
the record and the objection is not timely.
    Ms. Edwards. Mr. Chairman, I would ask for a vote on 
whether we enter the letter into the record.
    Chairman Smith. That is no longer a proper motion because 
it is not timely.
    Ms. Edwards. Well, Mr. Chairman, I think you have deeply 
politicized this hearing.
    Chairman Smith. Well, I am sorry for the Ranking Member's 
comments that caused it, and now I will recognize and introduce 
our first witness.
    Mr. David Kennedy is the President and CEO of TrustedSEC 
LLC. Mr. Kennedy is considered a leader in the security field. 
He has spoken at many conferences worldwide including Black 
Hat, DefCon, Infosec World and Information Security Summit, 
among others. Prior to moving to the private sector, Mr. 
Kennedy worked for the National Security Agency and the United 
States Marines in cyber warfare and forensics analysis. Mr. 
Kennedy received his Bachelor's degree from Malone University.
    Our second witness, Mr. Waylon Krush, is the Co-Founder and 
CEO of Lunarline. He is also a founding member of the Warrior 
to Cyber Warrior program, a free six month cyber security boot 
camp for returning veterans. A veteran of the U.S. Army, Mr. 
Krush is a recipient of the Knowlton Award, one of the highest 
honors in the field of intelligence. Mr. Krush holds a 
Bachelor's degree in computer information science from the 
University of Maryland University College. He is also a 
certified information systems security professional, 
certification and accreditation professional, certified 
information systems auditor, and has more than 3,000 hours of 
training with the National Cryptologic School.
    Our third witness, Mr. Michael Gregg, is the CEO of 
Superior Solutions Inc., an IT security consulting firm. Mr. 
Gregg's organization performs security assessments and 
penetration testing for Fortune 1000 firms. He has published 
over a dozen books on IT security and is a well-known security 
trainer and speaker. Mr. Gregg is frequently cited by print 
publications as a cyber security expert and as an expert 
commentator for network broadcast outlets such as Fox, CBS, 
NBC, ABC and CNBC. Mr. Gregg holds two Associate's degrees, a 
Bachelor's degree and a Master's degree.
    Our final witness, Dr. Larry Ponemon, is the Chairman and 
Founder of the Ponemon Institute, a research think tank 
dedicated to advancing privacy, data protection and information 
security practices. Dr. Ponemon is considered a pioneer in 
privacy auditing and was named by Security magazine as one of 
the most influential people for security. Dr. Ponemon consults 
with leading multinational organizations on global privacy 
management programs. He has extensive knowledge of regulatory 
frameworks for managing privacy, data protection and cyber 
security including financial services, healthcare, 
pharmaceutical, telecom and Internet. Dr. Ponemon earned his 
Master's degree from Harvard University and his Ph.D. at Union 
College in Schenectady, New York. He also attended the doctoral 
program in system sciences at Carnegie Mellon University.
    We welcome you all and look forward to your expert 
testimony, and Mr. Kennedy, will you lead us off?

                TESTIMONY OF MR. DAVID KENNEDY,

                    CHIEF EXECUTIVE OFFICER,

                        TRUSTEDSEC, LLC

    Mr. Kennedy. Thank you, Mr. Chairman.
    Good morning to everybody in the House Science and 
Technology Committee, to the Honorable Mr. Smith as well as the 
Ranking Member of the House Science and Technology Committee, 
the Honorable Ms. Johnson. It is great to see you two folks 
again as well as all of the other Ranking Members here today. I 
appreciate your time to hear us discuss the issues with the 
HealthCare.gov security concerns as well as the consequences 
around stolen identities.
    What I want to first start off with is that to me, this is 
not a political issue. I take no political-party stance and I 
have no party affiliate. For me personally, this is a security 
issue. Working in the security industry for over 14 years 
including working for the National Security Agency as well as 
spending a number of years in Iraq and Afghanistan, my 
testimony here today is to talk about the issues with security, 
and that is it. So when I talk about the issues that we see 
here today, it is based on my expertise of working in the 
security industry, doing these assessments on a regular basis, 
being a chief security officer for a Fortune 1000 company for a 
number of years as well as running my own company.
    And I am not alone. The mention of the document that was 
released yesterday had seven independent security researchers 
that are well known in the security industry including a number 
of folks that have worked for the United States government, do 
training for the United States as well as work closely with the 
United States government. Today is not to talk about the 
political-party problems with it but also discuss just the 
security issues alone, and that is what I am here to talk about 
today.
    So I would like to give thanks to Kevin Mitnick, Ed 
Skoudis, Chris Nickerson, Chris Gates, Eric Smith, John Strand 
and Kevin Johnson for providing their comments on the issues 
that we see today. We are pretty unified in our approach. 
Everybody that I shared with, I put them under non-disclosure 
agreements and worked with them, and the consistent feedback 
that we got was that HealthCare.gov is not secure today, and 
nothing has really changed since the November 19th testimony. 
In fact, from our November 19th testimony, it is even worse.
    Additional security researchers have come into play, 
providing additional research, additional findings that we can 
definitely tell that the website is not getting any better. In 
fact, since the November 19, 2013, testimony, there has only 
been one-half of a vulnerability that we discovered that has 
been addressed or even close to being mitigated. When I say but 
one-half is that basically they did a little bit of work on it 
and it is still vulnerable today.
    I want to throw a disclaimer out there that in no way, 
shape or form did we perform any type of hacking on the 
websites. That is a misnomer. The type of techniques that we 
used is looking at the site from a health perspective, doing 
what we call passive reconnaissance, not attacking the site in 
any way, shape or form, not sending data to the site but really 
looking at the health of it. I would like to put in another 
analogy. Say my expertise wasn't being in the security 
industry, it wasn't anywhere near doing anything security 
related and I was a person that was a mechanic. I had 14 years 
of being a mechanic. And, a car drove past me that was puffing 
blue smoke out of the muffler, it was leaking oil, the engine 
was making clinking sounds, and basically a lot of symptomatic 
problems: the doors are open, the windows are open and 
everything else. As a mechanic, I can probably say with a 
reasonable level of assurance that the engine probably has some 
issues. Same thing with technology and Web applications. Web 
applications are no different than a car with an engine 
problem. There are a lot of pieces that make the car work. 
There are a lot of pieces that make a website work.
    From our testimony here today as well as what we have 
discovered in the past, there is a number of security issues 
that are still there today with the website. To put it in 
perspective, I would like to put for the record that there 
wasn't 70 to 110 million credit cards taken from Target. That 
is not accurate. The correct statistic is that there were 70 to 
110 million personal pieces of information taken about 
individual people that shopped at Target. There were 40 million 
credit cards that were taken. The issue with Target isn't 
specifically around credit cards. Credit cards can be reissued. 
Your credit that gets taken from the credit cards can be 
debited back into your account. You are not liable as a 
consumer. But what you can't fix is your personal identity. If 
you look at Target, for example, the 70 to 110 million personal 
pieces of information, that includes address, email addresses, 
phone numbers, additional information. That is what you can't 
replace, and we have already seen a number of individuals that 
are selectively being targeted from a personal information 
perspective because of that. That doesn't even include Social 
Security numbers. In fact, I just had another independent 
security person get targeted yesterday from an email claiming 
to be Target. As soon as they clicked the link, it hacked their 
computer and took full control of it.
    So this issue here doesn't relate specifically to just 
credit card data because that is obviously not in the 
HealthCare.gov website. The personal information around Social 
Security numbers, first name, last name, email addresses, home 
of record, those are all a recipe for disaster when it comes to 
what we see from personal information being stolen and theft. 
So it is not just that. As an attacker, if I had access to the 
HealthCare.gov infrastructure, it has direct integration into 
the IRS, DHS as well as third-party providers as well for 
credit checks. If I have access to those government agencies, I 
now can complete an entire online profile of an individual, 
everything that they do and their entire online presence.
    And this isn't just HealthCare.gov alone. I am not trying 
to single out HealthCare.gov alone. I am really focusing on a 
much larger issue, which is security in the federal government 
alone is at a really bad state. We need to really work together 
to fix it and work on more sweeping changes. Thank you.
    [The prepared statement of Mr. Kennedy follows:]
    [GRAPHIC] [TIFF OMITTED] 86900.010
    
    [GRAPHIC] [TIFF OMITTED] 86900.011
    
    [GRAPHIC] [TIFF OMITTED] 86900.012
    
    [GRAPHIC] [TIFF OMITTED] 86900.013
    
    [GRAPHIC] [TIFF OMITTED] 86900.014
    
    [GRAPHIC] [TIFF OMITTED] 86900.015
    
    [GRAPHIC] [TIFF OMITTED] 86900.016
    
    [GRAPHIC] [TIFF OMITTED] 86900.017
    
    [GRAPHIC] [TIFF OMITTED] 86900.018
    
    [GRAPHIC] [TIFF OMITTED] 86900.019
    
    [GRAPHIC] [TIFF OMITTED] 86900.020
    
    [GRAPHIC] [TIFF OMITTED] 86900.021
    
    [GRAPHIC] [TIFF OMITTED] 86900.022
    
    [GRAPHIC] [TIFF OMITTED] 86900.023
    
    Chairman Smith. Thank you, Mr. Kennedy.
    Mr. Krush.

                 TESTIMONY OF MR. WAYLON KRUSH,

              CO-FOUNDER AND CEO, LUNARLINE, INC.

    Mr. Krush. Chairman Smith, Ranking Member Johnson and 
Members of the Committee, thank you for this opportunity to 
testify on the important topic of cyber security.
    I am Waylon Krush, Founder and CEO of Lunarline. We are one 
of the fastest-growing cyber security companies. I am also a 
founder of the Warrior to Cyber Warrior program, as stated 
earlier.
    I have been asked to speak on cyber security today as it 
relates to HealthCare.gov, and just listening to Mr. Kennedy, I 
actually have some very simple points I want to make right 
away.
    First of all, if none of us here built HealthCare.gov, if 
we are not actively doing not a passive vulnerability 
assessment but an active vulnerability assessment and doing 
penetrations and running that exploitable code on 
HealthCare.gov, we can only speculate whether or not those 
hacks will work. So anything that has been said thus far, if we 
are talking about any type of dot gov or dot mil site just 
identifying passively a vulnerability and not actually working 
on the site, knowing how the protocols work in the back end, 
what type of defense in depth, how each one of the assets are 
locked down, nobody here at this table can tell you that they 
know that there is vulnerabilities.
    Another thing I would like to talk about today is in the 
federal government, something a little bit different than we 
have in the commercial organizations is, we use something 
called the risk management framework, and you know, this 
Committee has actually helped develop that as part of NIST, and 
I will tell you, that is one of the most rigorous processes as 
it relates to cyber security and privacy in the entire world, 
and when I say the entire world, most security standards are 
just a subset of the risk management framework. It is one of 
those areas from a security control perspective that has been 
taken to build other security standards or it is basically 
copy, cut, pasted to create new security standards. This is a 
six-step process. It includes categorization, selection, 
implementation, validation, authorization and, most 
importantly, continuous monitoring of all the controls. You 
know, just looking at it, you might think well, there is about 
360 controls in NIST Special Publication 800-53, revision 4. 
When you dig a little bit deeper, there is actually several 
thousand information security controls that our federal 
information systems must undergo from a security architecture 
perspective including they must be continuously testing.
    Another point I would like to make is that if anybody here 
actually went out to these websites, and I am not talking about 
passive, but if we have extracted addresses, if you went to the 
website and done anything outside the bounds of what is allowed 
in the federal government, you are basically breaking the law. 
You can't just go out and say I found this vulnerability and 
then exploit it to try to get, you know, media attention or 
anything like that. If you do that, you are breaking the law. 
It is pretty simple.
    And last but not least, you know, HealthCare.gov is one of 
many hundreds or even thousands of federal information systems 
out there in websites, and you know, I have worked in the 
threat area. I can tell you, my background is not only a 
soldier but was on the U.S. Army's Information Operations Red 
Team, Blue Teams, information system security monitoring teams, 
protocol analysis, signals analysis, and including working in 
critical infrastructure protection for AT&T for a few years all 
across the world. If you go out and tell someone--and this is 
just the truth when we are out actively taking down websites--I 
can sit here all day and speculate about a vulnerability but 
until I have actually exploited that vulnerability, there is no 
way to tell whether that attack will actually work. There is a 
lot more going on in the background that everybody needs to 
understand.
    Another note, and last but not least, about HealthCare.gov 
that everyone needs to understand is that with all of the media 
attention it is currently getting, you would think it is most 
high payoff target in the entire federal government. You would 
think that HealthCare.gov is something that everybody would 
want to go after. That is truly--that is media spin, if 
anything. HealthCare.gov is one of many websites that have 
personal information in it. It is connected to other systems 
but saying it is interconnected directly to all these systems 
and that leaves them vulnerable also shows kind of a lack of 
knowledge of the backend system capabilities, meaning that 
those connections are very secure and they are authorized on 
both sides.
    And you know, I have actually been lucky enough to work 
within CMS and HHS on cyber security deployments and 
configurations so out of everybody here at least at this table, 
I probably have the most hands-on knowledge but I can't come 
here and just speculate about what is actually vulnerable to 
the system and what is not. And the truth is, once again, on 
the threat side, as we have seen in media, you can probably 
tell that, you know, HealthCare.gov is not the one getting 
attacked. Most cyber criminals, especially those with advanced 
capabilities, they go where the money is, right? They are going 
to go after the Targets, they are going to go after the Neiman 
Marcus, they are going to go after these places that contain 
lots of data related to intellectual property because it just 
makes fiscal sense, right? If the U.S. government spends 
billions of dollars on our research and development and we 
don't protect it and some other country takes that, you just 
saved them billions of dollars. Thank you.
    [The prepared statement of Mr. Krush follows:]
    [GRAPHIC] [TIFF OMITTED] 86900.024
    
    [GRAPHIC] [TIFF OMITTED] 86900.025
    
    [GRAPHIC] [TIFF OMITTED] 86900.026
    
    [GRAPHIC] [TIFF OMITTED] 86900.027
    
    [GRAPHIC] [TIFF OMITTED] 86900.028
    
    [GRAPHIC] [TIFF OMITTED] 86900.029
    
    [GRAPHIC] [TIFF OMITTED] 86900.030
    
    [GRAPHIC] [TIFF OMITTED] 86900.031
    
    Chairman Smith. Thank you, Mr. Krush.
    Mr. Gregg.

                TESTIMONY OF MR. MICHAEL GREGG,

                    CHIEF EXECUTIVE OFFICER,

                    SUPERIOR SOLUTIONS, INC.

    Mr. Gregg. Thank you, Chairman Smith, thank you, Ranking 
Member Johnson, Members of the Committee, for having me here 
today.
    My name is Michael Gregg. I am really going to break down 
my speech into three pieces and my presentation: first, how 
HealthCare.gov could potentially be hacked, why HealthCare.gov 
needs independent review by third parties, and also, what would 
be the result of this, what could be the potential impact.
    My concern is that HealthCare.gov is a major target 
potentially for hackers looking to steal not only personal 
identities but also information that could be used to steal 
their identity. Although I understand HealthCare.gov does not 
store that information, it passes that information back and 
forth between third-party government sites and other 
organizations. While there are many different ways that the 
site could be hacked, there are some prominent ones, and these 
are the same ones listed by prominent websites like OWASP. It 
could be things like cross-site scripting, SQL injection. It 
could be LDAP injection, it could be buffer overflow. There are 
many different ways that this could be done.
    Now, while that sounds foreign to many of you, the fact is, 
these are known attacks that are used against known sites every 
day from Target to Neiman Marcus to Google to many others. Some 
of the things that concern me are in the past we have seen, for 
example, the 834 data. That is data that is passed to the back 
end of the insurance companies. We have seen and we have heard 
reports of this information being corrupted and not being 
correct when it is being received. That indicates at some point 
the data is not being handled correctly, and all input data, 
all process data, all output data has to be correct. If not, 
there is some type of problem, meaning that data is not being 
properly parsed. That same kind of situation could lead to an 
attacker putting in some type of data and misusing that in some 
way or launching an attack.
    Also, as I said, HealthCare.gov is a very large attack 
service. This is a very large program or application. It was 
built very quickly. A large attack surface makes it very hard 
to secure. So I find it hard to believe that during the release 
and also the update of the site that all the items that our 
previous speaker spoke of as far as FISMA, FIPS 199, FIPS 200, 
were actually taken care of and it actually passed all those 
requirements that they are required to by law,and that those 
were properly completed.
    Microsoft, think of those folks, for example. They have 
spent almost 30 years trying to secure their operating systems 
and still we see Microsoft products or operating systems being 
brought under attack. To think that HealthCare.gov could be 
built so quickly and then be secured to me is very hard to 
believe.
    When we have a large application or website to be reviewed, 
typically we do it a couple of different ways. We start at the 
very beginning before the site is actually developed. We do 
things as far as audits. We do vulnerability assessments. We 
also do PIN testing. All three of these things are required to 
actually look at and examine the site. PIN testing is a very 
important part of this process because PIN testing means we are 
looking at the site the same way the attacker would. We are 
saying what would the attacker see, what could they use, what 
could they do with this and how could they leverage this 
potentially for attack. I don't believe those types of 
assessments have been done to this day and have been properly 
completed.
    So what has been reported currently is that when we see 
with HealthCare.gov that they are running weekly assessments, 
that they are potentially patching the site, but a lot of that 
activity we are talking about is reactive in nature. That means 
when we are finding a problem, we are actually fixing it. That 
doesn't mean we have already gone out and we have found all 
possible problems or all potential ways that an attacker may 
leverage that and get access to the site.
    Some might argue that if HealthCare.gov is actually 
vulnerable, why hasn't it already been attacked? Well, if you 
think about it from an attacker's standpoint, we have seen that 
attackers have the fortitude and also the patience to wait 
until the right time. Look at Target. Did they attack 
immediately? No, they waited until the right time and the right 
moment to actually do this. This could be the same thing. They 
are going to wait until after March. They are going to wait 
until the deadline. They are going to wait until there is a 
trove of information for them to go after. Then they are going 
to target it.
    So what could be the impact on consumers? Potentially 
reduced credit ratings. It could be increased difficulty 
getting loans, could be criminal issues. It could be emotional 
impact. It also could be very damaging as far as medical 
information that could be lost. It could be potentially people 
don't get hired for a job. It could be they get the wrong 
treatment because someone else has obtained treatment under 
their name for some other type of disease or some other type of 
problem that they didn't have. It could be potentially them 
being denied an application or job for some reason.
    And in closing, I would just like to say this. When our 
organization builds applications, we bring everybody together. 
We bring the end users, the developers. We bring everyone 
together, the security professionals, to make sure the site is 
secure and that security can be built in from the very 
beginning. I do not believe that has been done in this case. 
Hacking today is big business. It is no longer the lone hacker, 
the individual in their basement. Today is organized crime. It 
is very large groups potentially out of places like Russia and 
Eastern Europe. We can fix these problems, but for these 
problems to be fixed means that we need an external assessment 
of this site by independent third parties.
    Thank you very much for your time.
    [The prepared statement of Mr. Gregg follows:]
    [GRAPHIC] [TIFF OMITTED] 86900.032
    
    [GRAPHIC] [TIFF OMITTED] 86900.033
    
    [GRAPHIC] [TIFF OMITTED] 86900.034
    
    [GRAPHIC] [TIFF OMITTED] 86900.035
    
    [GRAPHIC] [TIFF OMITTED] 86900.036
    
    [GRAPHIC] [TIFF OMITTED] 86900.037
    
    [GRAPHIC] [TIFF OMITTED] 86900.038
    
    Chairman Smith. Thank you, Mr. Gregg.
    And Dr. Ponemon.

               TESTIMONY OF DR. LAWRENCE PONEMON,

                     CHAIRMAN AND FOUNDER,

                       PONEMON INSTITUTE

    Dr. Ponemon. Thank you, Mr. Chairman, and thank you for 
inviting me.
    Well, first, let me just start off by saying that I am the 
research wonk to this panel. These people are absolutely 
brilliant and they understand the technical aspects and the 
security issues. What I would like to do is talk a little bit 
about the consequences of identity theft and medical identity 
theft. That is really my focus, and the basis of my comments is 
research, research that my institute conducts. And sometimes, 
by the way, they call my institute the Pokemon Institute. It is 
actually Ponemon Institute, which is my last name.
    So I understand the purpose of my testimony today is to 
provide assistance in understanding the potentially devastating 
consequences of a data breach to individuals, to households and 
society as a whole. For more than a decade, we have studied the 
cost and consequences of data breach through extensive consumer 
studies as well as benchmark research on the privacy and data 
protection practices of companies in the private and public 
sectors. In the area of healthcare, we have conducted four 
annual studies on medical identity theft and patient privacy 
and security protections within hospitals and clinics. We also 
survey consumers on their perceptions about the organizations 
they trust the most to protect their privacy. Among the U.S. 
federal government sector, for example, we are pleased to 
report some good news, that the USPS, the Postal Service, gets 
very high marks for trust. Another, and this might be a little 
surprising, the IRS actually is trusted for privacy, not for 
anything else--no, just joking--but definitely for privacy 
practices, as well as the Veterans Administration, and they 
were a bad guy, right? You right remember, they lost a lot of 
data. I am a veteran and I was on that list of 26 million. But 
they turned things around and they are trusted for privacy.
    So today I have been asked to testify about the possibility 
of like identity theft on the HealthCare.gov website and the 
potential consequences to the American public. Identity theft 
and medical identity theft are not victimless crimes and affect 
those who are most vulnerable in our society such as the ill, 
the elderly and the poor.
    So beyond doing these numerous research studies that I just 
mentioned, this is an issue that really struck home for me. 
Last year, my mother, she is 88 years old, she lives alone in 
Tucson, Arizona, and she suffered from a stroke. She was rushed 
to a hospital and admitted immediately, and unbeknownst to her, 
an identity theft was on the premises and made photocopies of 
her driver's license, debit cards and credit cards that were in 
her purse. And by the way, she also has all the passwords to 
everything in a little Post-It note in her purse as well. She 
doesn't listen to me. That is the problem. The thief was able 
to wipe out her bank account and there were charges on her 
credit card and debit card amounting to thousands and thousands 
of dollars. In addition to dealing with her serious health 
issues, she also had to cope with the stress of recovering her 
losses and worrying about more threats to her finances and 
medical records.
    The situation with my mom in the hospital and those who are 
sharing personal information on HealthCare.gov are not 
dissimilar, and let me explain. My mother had a reasonable 
expectation that the personal information she had in her wallet 
would not be stolen, especially by a hospital employee, and 
those who visit and enroll in HealthCare.gov have an 
expectation that people who are helping them purchase health 
insurance will not steal their identity. They also have a 
reasonable expectation that all necessary security safeguards 
are in place to prevent cyber attackers or malicious insiders 
from seizing their personal data.
    Now, in my opinion, the controversy regarding security of 
the HealthCare.gov website is both a technical issue, as we 
heard from these gentlemen but it is also an emotional issue. 
In short, security controls alone will not ease the public's 
concerns about the safety and privacy of their personal 
information. Based on our research, regaining the public's 
trust will be essential to the ultimate acceptance and success 
of this initiative.
    So following are some key facts that we learned from our 
consumer research over the more than a decade of doing these 
kinds of studies. First, the public has actually a higher 
expectation that their data will be protected when they are 
dealing with government sites than commercial sites. In other 
words, when I am going to the Veterans Administration, I have a 
higher expectation of privacy. Whether it is rational or not, 
that is basically what we see. Second, the loss of one's 
identity can destroy a person's wealth and reputation and in 
some cases their health. Further, the compromise of credit and 
debit cards drives the cost of credit up for everyone, thus 
making it more difficult for Americans to procure goods and 
services. Third, medical identity theft negatively impacts the 
most vulnerable people in our Nation. Beyond financial 
consequences, the contamination of health records caused by 
imposters can result in health misdiagnosis and in extreme 
cases could be fatal. Because there are no credit reports to 
track medical identity theft, it is nearly impossible to know 
if you have become a victim.
    So what is the solution? Let me just give you three ideas. 
First, on the trust issue, let us think about accountability. 
It is important to demonstrate accountability, and the best way 
to do that, in my mind, is rigorous adherence to high 
standards, and I think we mentioned NIST. NIST is a great 
standard but very high standards above the bar and showing the 
American people that this particular website or any website 
that collects sensitive personal information is meeting or 
exceeding that standard.
    Number two is ownership. What I would like to see is the 
chief information security officer is your chief executive 
officer. That is good news when the CEO steps up to the plate 
and does what needs to be done, and in this case, I would love 
to see our President take ownership of the website and ensure 
that good security and privacy practices are met as a priority, 
not just by HealthCare.gov, but across the board.
    And third is verification. Now, I am an auditor. I have to 
admit this, so I am a little bit biased, or I used to be an 
auditor at PriceWaterhouseCoopers. You know, we can say that we 
are doing all of these good things, but having a third-party 
expert telling us that we are meeting and exceeding the 
standards is a very good idea and a noble idea.
    And with that being said, I think I am actually the first 
person concluding giving you some time back on the clock.
    [The prepared statement of Dr. Ponemon follows:]
    [GRAPHIC] [TIFF OMITTED] 86900.039
    
    [GRAPHIC] [TIFF OMITTED] 86900.040
    
    [GRAPHIC] [TIFF OMITTED] 86900.041
    
    [GRAPHIC] [TIFF OMITTED] 86900.042
    
    [GRAPHIC] [TIFF OMITTED] 86900.043
    
    Chairman Smith. Well----
    Dr. Ponemon. Oh, no.
    Chairman Smith. --not exactly.
    Dr. Ponemon. I wasn't watching the time. I am sorry.
    Chairman Smith. Thank you, Dr. Ponemon. I appreciate your 
testimony. I will recognize myself for questions. Let me direct 
my first one to Mr. Kennedy.
    Mr. Kennedy, the Administration maintains that there has 
not been a successful security attack on HealthCare.gov. Is 
that an accurate statement?
    Mr. Kennedy. Thank you, Mr. Chairman. Basically what we 
know for the monitoring and detection capabilities within the 
HealthCare.gov infrastructure is as of November 17th, they had 
not stood up a security operation center or had the 
capabilities to even detect an actual attack. So it also stated 
that they detected 32 attacks overall. However, if you have no 
monitoring detection capabilities, period, how are you 
detecting all the different attacks that are happening? So I 
would say that the statement is accurate because they don't 
necessarily know the actual attacks that are occurring in 
there.
    In addition, I would like to also mention that the Chief 
Information Security Officer from HHS, Kevin Charest, also said 
that, ``I would say that the HealthCare.gov website did not 
follow best practices.'' So as a testament to Mr. Krucsh's 
testimony, the 800-53 and best practices were not followed and 
did not meet best practices when it was implemented.
    Chairman Smith. And Mr. Gregg----
    Mr. Krush. Let me talk to----
    Chairman Smith. I am sorry, Mr. Krush. You can get time 
from someone else. I would like to ask a question to Mr. Gregg.
    Do you agree generally with the assessment by Mr. Kennedy 
that they don't have the capability? And furthermore, let me 
say that you did have Administration officials say in November 
that there was 16, I think, security breaches or incidents and 
then 32 in December. Are those figures plausible, and where do 
they get them?
    Mr. Gregg. Well, they are potentially plausible if they 
either weren't monitoring or they didn't pick up the attacks. 
For most of the sites we look at, and companies we work with, 
we see anywhere from hundreds potentially, a thousand or more 
hits a day. Now, a lot of that stuff is scripted but for a 
number to be that low, I would either think, one, they are not 
detecting it, or two, their detection capability is not 
correct.
    Chairman Smith. Okay. Thank you, Mr. Gregg.
    Dr. Ponemon, do the security standards, protections and 
breach notification standards for Obamacare even meet the 
minimal standards put in place for the private sector?
    Dr. Ponemon. I think the private sector for the most part 
has--and it does vary quite a bit. There are industry 
standards, for example, that actually are much higher than the 
standards we see in the government. But NIST, for example, and 
the need to comply with certain standards, for example, around 
cloud computing and fed ramp, and there are standards that 
exist that are actually fairly reasonable. For the most part, 
though, I think if you are looking for best practices, you 
probably would be looking at industry versus the government.
    Chairman Smith. Thank you, Dr. Ponemon.
    Mr. Kennedy, another question for you. Is Mr. Krush right 
in what he said in his oral testimony that passive 
reconnaissance of HealthCare.gov is not sufficient to raise 
concerns about the website's security?
    Mr. Kennedy. Thank you, Mr. Chairman. I would like to 
address that direct on, which would be, passive reconnaissance, 
you have the ability to enumerate exposures and 
vulnerabilities. Any security researcher or tester that has 
been in the industry for a number of years, especially in the 
technical side, will be able to collaborate that. In fact, all 
seven of the security researchers also said the same exact 
thing, that the website itself is vulnerable. This isn't 
speculation. These are actual exposures that are on the website 
today that could lead to personal information being exposed as 
well as other critical flaws of actually attacking individual 
people just by visiting the website.
    To answer your question, by doing passive reconnaissance, 
you can absolutely identify exposures. There are absolutely 
techniques out there without actually attacking the site for 
doing it, and I would question that the other seven security 
researchers that also testified that looked at the same type of 
research, came to the same exact conclusion as myself.
    Chairman Smith. Okay. Thank you, Mr. Kennedy.
    Mr. Krush, I do have a question for you. Apparently you 
have contracts with a company that does work for CMS. Is that 
accurate?
    Mr. Krush. That is accurate.
    Chairman Smith. And what is the amount of those contracts, 
both past and present?
    Mr. Krush. I actually don't know that off the top of my 
head but I have----
    Chairman Smith. Okay. I think----
    Mr. Krush. --tens of millions of dollars of contracts in 
the federal government right now.
    Chairman Smith. All right. Okay. So you have tens of 
millions of dollars of business with CMS directly or 
indirectly?
    Mr. Krush. Not CMS.
    Chairman Smith. With a company that does work for CMS?
    Mr. Krush. No, that--those amounts are very high. I am 
talking across the government. I am not--I just don't know 
specifically with CMS. That is why I can actually talk from a 
technical perspective and not speculate on some of the----
    Chairman Smith. With CMS, according to your Truth in 
Testimony that you filed, I think it is $1.5 million that you 
do have in those contracts.
    Mr. Krush. Okay. That sounds good.
    Chairman Smith. If you will take my word for it?
    Mr. Krush. Yes.
    Chairman Smith. In that case, isn't it natural that we 
might suspect that your testimony is a result of your being 
paid by--directly or indirectly by CMS and here you are not 
going to actually testify against them if you have $1.5 million 
worth of contracts with them? Isn't that a reasonable 
assumption?
    Mr. Krush. Well, Chairman Smith, actually as it relates to 
CMS, if you look at the GAO docket, I actually have been 
protesting with them. You know, on the contracting side, me and 
CMS are not necessarily best of friends. I am here to talk 
about the cyber security in what----
    Chairman Smith. I know what you would rather be talking 
about but it still seems to me $1.5 million in contracts does 
perhaps influence your testimony. That is all I have to say on 
that. My time is up, and the gentlewoman from Texas is 
recognized for her questions.
    Ms. Johnson. Thank you very much. Very interesting hearing.
    Mr. Krush, you were cut off earlier when you were going to 
make a comment on Mr. Kennedy's testimony. Would you like to 
make that now?
    Mr. Krush. I actually have a few here, so just across the 
board. Earlier Mr. Gregg talked to the fact that, you know, the 
HealthCare.gov didn't implement what we call FIPS 199 and FIPS 
200. Just to clarify what that is for everyone here, FIPS 199 
is Federal Information Processing Standard 199. It requires you 
to categorize an information system in accordance with the 
confidentiality, integrity and availability of an information 
system. We know that that was completed because there was a 
letter from Ms. Tavener out as part of the authorization 
process that 200 is the baseline controls for all federal 
information systems. We also know that that was completed 
because they had an ATO letter that specified some of the 
vulnerabilities and what actual the process dealing with the 
healthcare.gov was. So I just wanted to talk to that point.
    And, you know, talking about also waiting, from Target's 
perspective, waiting until, you know, a certain time to act. I 
don't think any of us here have also worked on the Target.com 
website or the backend database, and I would tell you that a 
lot of the advanced attackers, you know, unless you have done 
the forensic sampling and you have actually picked up the 
crumbs, you don't know when they actually attacked, and I think 
that that is under investigation right now.
    HealthCare.gov, Mr. Kennedy brought up the point that there 
was no security operation centers. Some of those one point 
whatever million dollars that have been allocated to my company 
was actually related to those early on. There is actually two 
security operation centers within HHS you might want to know. 
They have a centralized one which does monitoring of the entire 
enterprise, and on top of that, CMS has its own security 
operation center, and I can tell you from a technology 
perspective, some of the technologies they have implemented is, 
you know, top notch. It is what you would expect in a top-tier 
security operations in the U.S. federal government.
    Ms. Johnson. Thank you. According to Mr. Gregg's testimony 
that this site is a major target, but the attacks won't be 
accurate or of interest or of value until after March, what do 
you anticipate that March will bring?
    Mr. Krush. Nothing. You know, the truth is, when it comes 
to March, if an attacker wants something off the site, they are 
going to continuously do whatever they can to gain access. I 
think one of the things that was also said is that, you know, 
there is a certain number of incidents, and those numbers do 
sound low, but once again, everybody here, none of us have 
worked in the security operations center, which does exist 
within CMS, and so we don't necessarily know what the 
escalation requirements are. So, for example, most government 
websites literally are enumerated passively, meaning--and this 
is still considered an incident via DHS. If you go through and 
you do scans on a website, meaning that you are looking for 
open protocols and services, that is considered an incident. 
Now, does every organization report those? No, because you 
would have hundreds of thousands of reports a day.
    However, some of the--I got a call last night from actually 
a news reporter and they called me up to talk about Mr. 
Kennedy's, you know, analysis he had done on the website, and I 
just want to be clear that, you know, if him and his security 
researchers actually did go to a dot gov, they did passively 
enumerate and actually pulled data in an unauthorized manner, 
then that is a very significant issue. I went to the course 
while I was in the military for the FBI, and I can tell you 
that that is of grave--it is great concern to us when anybody 
goes out to federal government website without permission and 
is actually passively enumerating then executing something to 
pull data off that website.
    Ms. Johnson. Thank you very much.
    Dr. Ponemon, you indicated that your mother had this 
incident happen with her identity. What about that stolen 
information affected her healthcare?
    Dr. Ponemon. You know, in the case of my mom, she would 
fall into the category of an identity--she is an identity theft 
victim but not a medical identity theft victim because really, 
her medical records were not exposed, and so that would be a 
different crime, and thank goodness she is a medical identity 
theft victim because that is bad news. It is really hard.
    Ms. Johnson. Thank you.
    Dr. Ponemon. Thank you.
    Ms. Johnson. My time is expired but I hope someone will ask 
the value of someone having hacked the HealthCare.gov.
    Chairman Smith. Thank you, Ms. Johnson.
    Mr. Hall has said that because Mr. Broun has a time 
commitment that is almost immediate, he is going to allow Mr. 
Broun to go ahead of him in the questioning, so Mr. Broun is 
recognized.
    Mr. Broun. Thank you, Mr. Chairman, and thank you, Mr. 
Hall, for giving me this opportunity.
    It has come to the Oversight Subcommittee of this 
Committee's attention that there is or at least was an 
Affordable Care Act Information Technology Exchanges Steering 
Committee chaired by senior White House officials, established 
back in May 2012, almost a year and a half before the rollout 
of HealthCare.gov. The White House steering committee's charter 
explicitly directed the formulation of working groups, 
including one on security. It also turns out that a chairman of 
this Obamacare website steering committee is the U.S. Chief 
Technology Officer in the White House Science Office, who also 
happens to be the immediate past CTO of the Department of 
Health and Human Services.
    Upon learning this, I, as Chairman of the Oversight 
Subcommittee, along with the full Committee Chairman, Mr. 
Smith, and Research and Technology Subcommittee Chairman, Dr. 
Bucshon, sent a letter to the White House requesting that Mr. 
Todd Park, the U.S. CTO and HealthCare.gov's steering committee 
chairman, make himself available to the Committee to answer 
questions regarding the security issues with HealthCare.gov by 
January 10th, last Friday.
    The White House has ignored that letter and the Committee's 
request until just yesterday when it provided a last-minute 
response that rebuffed this Committee--let me repeat: rebuffed 
this Committee. And that letter did not come from the Senate-
confirmed President's Science Advisor, to whom the letter was 
addressed, but from the politically appointed OSTP Legislative 
Affairs Director.
    My question for the panel simply is this: don't the 
American people deserve answers from those who are in charge of 
overseeing implementation of the Obamacare website's security 
protocol? After all, Mr. Park is an Assistant to the President. 
As the Chief Technology Officer of the United States and the 
chair of HealthCare.gov's steering committee, wouldn't Mr. 
Park, or shouldn't he, know and be involved in the security 
details of the website? Starting with Mr. Kennedy.
    Mr. Kennedy. Thank you, sir. When we look at a website and 
its security, there are multiple people that need to be 
involved to understand the progress of it. I would agree with 
your assessment that there should be some involvement in that 
case.
    In addition, I also would like to clarify that a lot of 
information that we are getting around these security exposures 
has actually been vast. The Chief Information Security Officer 
from HHS saying it didn't follow best practices. You have a 
number of other individuals saying the security operations 
center hadn't been started yet. You have the HealthCare.gov 
infrastructure, which is completely independent and was started 
completely independent of HHS being part of that. So this is a 
mismanaged issue. I don't understand how we are still 
discussing whether or not the website is insecure or not. It 
is. There is no question about that.
    Mr. Broun. It is insecure?
    Mr. Kennedy. It is insecure, absolutely 100 percent. There 
is no questioning that. People from HHS have said that. You 
know, it is not a question of whether or not it is insecure. It 
is what we need to do to fix it.
    And just to point to Mr. Krush's point, he also said to 
Reuters, which is the article that he also mentioned earlier, 
Krush said he has not reviewed Kennedy's findings or done any 
work on HealthCare.gov's site itself. So, you know, this is all 
purely speculation. It is a bunch of hogwash, and personally, 
it seemed to be politically biased, unfortunately.
    Mr. Broun. Thank you, Mr. Kennedy. I appreciate your long 
answer but this is actually a yes or no answer.
    Mr. Krush, do the American people deserve to know?
    Mr. Krush. Yes.
    Mr. Broun. Okay. Mr. Gregg?
    Mr. Gregg. Yes, they do. However, I would like to add, I 
understand the NIST process and others quite well. I co-
authored a book on it, also developed a course for Villanova 
University on certification and accreditation. Finally, his 
statement ends to a scan. A scan is not passive. A scan is 
active. But yes, they do deserve an answer on this.
    Mr. Broun. Doctor?
    Dr. Ponemon. Ditto, yes.
    Mr. Broun. And I agree, the answer is yes. I am very 
disappointed with the Administration. We have asked for 
information. The American people deserve to have that 
information, and I will do everything that we can to try to get 
Mr. Park to give us that information or the Administration.
    Mr. Chairman, my time has run out so I yield back.
    Chairman Smith. Okay. Thank you, Dr. Broun. The gentlewoman 
from Maryland, Ms. Edwards, is recognized for her questions.
    Ms. Edwards. Thank you, Mr. Chairman, and thank you to our 
witnesses today.
    Just very quickly, Mr. Kennedy, do you have any federal 
contracts for security? Any?
    Mr. Kennedy. As of right now, no.
    Ms. Edwards. Have you had?
    Mr. Kennedy. Yes, I have.
    Ms. Edwards. And what were they?
    Mr. Kennedy. Working for the federal government?
    Ms. Edwards. Yes, federal security contracts.
    Mr. Kennedy. Yes.
    Ms. Edwards. What were they?
    Mr. Kennedy. I would be happy to disclose those.
    Ms. Edwards. I would appreciate it in writing, if you 
would.
    Mr. Kennedy. Sure.
    Ms. Edwards. If you would tell us the federal contracts 
that you have had in dealing with information security in the 
areas that you claim to be an expert in.
    Mr. Kennedy. I would be happy to write that.
    Ms. Edwards. And Mr. Krush, I just want to ask you really 
briefly if you could tell us security standards, compare those 
that are used for the federal government as to the private 
sector. You have alluded to that a bit, if you could just very 
quickly?
    Mr. Krush. Sure. So one thing to understand, and just to go 
back to Mr. Gregg, you know, I have also co-authored a book on, 
we have taken over 10,000 pages of information from the 
National Institute of Standards and Technology, the Department 
of Defense instructions, the intelligence community directives 
and also, you know, some of the SAP programs and consolidated 
that, and that book is actually used in places such as Syracuse 
University to teach people that actually want to understand 
this very rigorous federal process. I am also co-author of NIST 
Special Publication 800-53 alpha. That is the process where we 
actually do the assessments per se. So----
    Ms. Edwards. I trust your expertise. I just want to know 
the rigor of the standards for the federal government compared 
to the private sector.
    Mr. Krush. Sure. So that is a great question, Ms. Edwards. 
One of the things to understand is that NIST Special 
Publication 800-53 starting at revision 2, and we are now up to 
revision 4, integrated all of the commercial standards. At rev 
3, so meaning, you know, the most ISO, Carnegie Mellon, a lot 
of these organizations that had kind of best practices out 
there, they were integrated into that revision. By revision 4, 
we have actually integrated the Department of Defense 
standards, the intelligence community standards, also a lot of 
standards that are kind of outside the realms, they are threat-
based. As you will find, most auditing organizations don't look 
for those.
    Ms. Edwards. So are the----
    Mr. Krush. There is definitely rigor compared from a 
commercial organization to what you will get in the government, 
and I have worked on both sides. Fifty percent of my contracts 
are with Fortune 50 and 100 companies, so I can tell you the 
depth and rigor that you implement on a federal information 
system, as it should be, is just more much intense than what 
you see in the commercial markets.
    Ms. Edwards. And is HealthCare.gov, is the rigor attached 
to HealthCare.gov any different from any of these other federal 
systems that you have indicated?
    Mr. Krush. No, this process is the same across the U.S. 
government.
    Ms. Edwards. Thank you. So I wonder if the standards that 
you described are above--and I think you said this--are above 
those that you would find in the commercial sector?
    Mr. Krush. I would say yes.
    Ms. Edwards. Thank you.
    Mr. Gregg, you mentioned some information or speculation 
about medical records vis-a-vis HealthCare.gov. Are you aware 
of any medical record that is maintained on HealthCare.gov?
    Mr. Gregg. No, the information is simply passed through.
    Ms. Edwards. Exactly. Is there any medical record, personal 
medical record, contained on HealthCare.gov?
    Mr. Gregg. No.
    Ms. Edwards. Thank you.
    And then Dr. Ponemon, just out of curiosity, you talked 
about your mother's experience, which just sounds really 
horrible, but she didn't experience identity theft through 
HealthCare.gov. Isn't that correct?
    Dr. Ponemon. Absolutely not.
    Ms. Edwards. Right. Thank you.
    And I just wonder, Mr. Krush, if you could help me, if you 
will. Of the experience that you have had in developing and 
working on federal information systems, is it your conclusion 
that you would feel safe in putting your personal information 
through HealthCare.gov?
    Mr. Krush. Ms. Edwards, I actually put that in my 
testimony. I would put my personal information on 
HealthCare.gov. I said this more than once, and you know, I 
continue to stand by that.
    Ms. Edwards. Thank you.
    And Mr. Kennedy, lastly, I want to go back to your federal 
work I mean that I can find disclosed. I know that you got a 
small business loan from the Small Business Administration for 
``businesses that do not qualify for credit in the open 
market.'' Again, what is the other federal security work that 
you have done?
    Mr. Kennedy. I would be happy to disclose that in written 
testimony.
    Ms. Edwards. Can you just give me an example right here on 
the record?
    Mr. Kennedy. I would need to get permission from my 
customer. I work on non-disclosure agreements and 
confidentiality of information.
    Ms. Edwards. Okay. What I would like to do, I will write 
you a letter. Your financial disclosure that you have submitted 
in this record requires that. Did you put that in your 
financial disclosure?
    Mr. Kennedy. No. No, I--listen to me. My experience----
    Ms. Edwards. Did you----
    Mr. Kennedy. The question you asked me was, did I have 
federal experience in the----
    Ms. Edwards. It is my time, Mr. Kennedy.
    Mr. Kennedy. Yes, ma'am.
    Ms. Edwards. Did you put that financial disclosure 
information in the record as required by our Committee?
    Mr. Kennedy. I am not required to put that in there.
    Ms. Edwards. Thank you very much.
    Mr. Kennedy. Thank you. It is not on behalf of TrustedSEC. 
Thank you.
    Chairman Smith. Thank you, Ms. Edwards. The gentleman from 
Texas, Mr. Neugebauer, is recognized for his question.
    Mr. Neugebauer. Thank you, Mr. Chairman.
    So, Mr. Gregg, I ask you this question: could a security 
breach of HealthCare.gov result in people's medical files being 
accessed?
    Mr. Gregg. Yes, sir, it could. The information could be 
accessed, and then the real damage would come afterwards, how 
that information could be used. It could be used potentially to 
gain information of financial data. It could be used for 
identity theft. It could be misused many different ways. And 
that damage, as Mr. Kennedy alluded to earlier, is not just 
something as simple as replacing a credit card. This can be 
long-term. It can be very damaging to an individual.
    Mr. Neugebauer. Now, there was a recent GAO report that 
documented that there was a 111 percent increase in federal 
agency data breaches in the past three years. Specifically, the 
GAO report noted that there were 22,156 incidents revealing 
sensitive personal information since 2012, up from 10,000 in 
2009. Interestingly enough, the Centers for Medicare and 
Medicaid Services, the HealthCare.gov operator, had the second-
most breaches in the report for Fiscal Year 2012. Mr. Krush 
said that the hackers are going where the money is and not 
necessarily interested in these government sites, but yet we 
see a substantial increase in the number of incidents that are 
happening. Mr. Kennedy, do you agree with Mr. Krush that people 
really aren't interested in these government sites or what is 
your opinion on that?
    Mr. Kennedy. Thank you, sir. I do not agree with Mr. 
Krush's testimony there. I believe that the hackers move where 
the money is and there is a lot of money to still be made in 
the personal information side as well as other government 
agencies that look to do demise to us, especially on our 
information technology-related issues. Having direct access 
into DHS, IRS is a treasure trove for additional attackers out 
there. There is a lot of money for the organized crime, there 
is a lot of money for what we call state-sponsored attacks, so 
I would not agree with his assessment. There is plenty of money 
to be made in the government space and there are breaches 
happening all the time there.
    Mr. Neugebauer. If I go to a government site and I am a 
hacker, what are the treasures out there that I am going to 
glean that are going to help me do whatever bad thing I have in 
mind?
    Mr. Kennedy. Sure. I think that is in the question. It 
depends purely on the motivation of the attacker. So you have 
really three criteria of the attackers. You have your average 
black hat that may be politically motivated to prove a specific 
point or street credibility. You have your organized crime, 
which is specifically looking for monetary value or persistent 
access into organizations. There is also a huge black market 
right now that surpassed the credit card industry for what we 
call carders. Selling compromised infrastructures and 
organizations is a huge market right now. If I can say, hey, I 
compromised Government X or HealthCare.gov, I can sell that to 
an attacker for thousands of dollars to make a big buck off of 
it.
    Additionally--so you have that portion of it, the identity 
theft, the fraud, other areas there. Then you have the state-
sponsored element, which is other government entities attacking 
infrastructure in order to infiltrate, gain access and 
intelligence on us, and that is a huge business right now. We 
see it obviously happening off of different, multiple other 
government entities, as well as Eastern European countries.
    Mr. Neugebauer. Would you feel comfortable putting your 
personal information in HealthCare.gov?
    Mr. Kennedy. Absolutely not.
    Mr. Neugebauer. Yes. Mr. Gregg?
    Mr. Gregg. No, sir, I would not.
    Mr. Neugebauer. Dr. Ponemon, would you?
    Dr. Ponemon. I am not sure.
    Mr. Neugebauer. You know, I want to go back to you, Dr. 
Ponemon. One of the things that, you know, you talked about was 
that you wanted to talk about the consequences of stolen 
identity.
    Dr. Ponemon. Sure.
    Mr. Neugebauer. Yes. So one of the things I think might be 
helpful is people that are forced to go to access their 
healthcare through government--HealthCare.gov, what would you 
advise them to do? You know, they are going to have to access 
that. As they are filling out that information, are there some 
preventative things that they can do that would minimize some 
of the potential consequences if the system is breached?
    Dr. Ponemon. Well, obviously, if the site is secure, that 
is a good step, right, but as an individual, whether we are 
doing it on HealthCare.gov or whether it is a website like 
Amazon.com, we need to be smart. We need to understand that our 
data could be at risk. The bad guys are really smart. For 
example, we should not be using the same password over and over 
again. Our computer should have the most current version of 
antivirus or anti-malware technology. These commonsensical 
approaches do make a difference and that should be across the 
board.
    But again, if you have data that is extremely sensitive and 
confidential, then basically your guard, your level of concern 
should go up. And a lot of people don't think about these 
issues well enough or they don't think that they will become a 
victim. But as we know, with 110 million records here and 90 
million records there, everyone, every single person in this 
room is a victim of some data loss and probably at least had 
one data breach notification in the last five years. So it is a 
big problem.
    Mr. Neugebauer. Thank you, Mr. Chairman. I yield back.
    Chairman Smith. Thank you, Mr. Neugebauer.
    The gentlewoman from Oregon, Ms. Bonamici, is recognized 
for her questions.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank 
you to our witnesses for being here today.
    This hearing is ostensibly about HealthCare.gov but I just 
want to make a big picture comment that the Affordable Care Act 
is certainly about more than a website; it is about an issue of 
great importance, which is about the availability of healthcare 
to all Americans.
    Now, when I saw the title of this hearing, I was pretty 
interested. I actually have a background in consumer 
protection. I used to work at the Federal Trade Commission, 
have worked on identity theft issues. I was a little baffled 
frankly about why we are doing this in the context of 
HealthCare.gov and in the Science Committee.
    That being said, we all acknowledge that there have been 
some serious technological problems rolling out the Affordable 
Care Act, but I am really concerned that some people listening, 
our constituents, might really be concerned that there are 
risks involved in enrolling through the website that aren't 
really there. So I want to clarify a couple of things.
    First of all, I want to make it clear to our constituents 
that identity theft is already a federal crime, that if someone 
knowingly commits identity theft, that is a federal crime. If 
they do it--aggravated identity theft, there are enhanced 
penalties. So I want to make clear that if there is identity 
theft, that is already against the law. The Department of 
Justice prosecutes that. The Federal Trade Commission has 
several laws dealing with it. So identity theft is an issue we 
should be concerned about but I am baffled about why we are 
talking about it in the terms of HealthCare.gov.
    So, Mr. Krush, I want to ask you a couple of questions. 
First, I want to acknowledge and thank you for your service to 
this country. I understand, Dr. Ponemon, you are a veteran as 
well. Thank you for your service.
    Mr. Krush, you talked about how some people are suggesting 
that HealthCare.gov is a major target for hackers. Based on 
your background, your military and cyber security background, 
could you discuss the range of hackers and their different 
motives and talk about where HealthCare.gov is on the scale of 
high payoff targets. And you mentioned this in your testimony, 
but will you talk about that range just a bit, please.
    Mr. Krush. Yes. Actually, it is very interesting in that, 
you know, we are here on the Committee of Science, Space, and 
Technology, and I will tell you something from a high payoff 
target perspective, especially when you are dealing with 
advanced attackers, the more a nation--nation-sponsored 
attackers and those even on the criminal organizations, they 
are after some very specific targets. And, you know, I am not 
going to go into those but I will tell you from a government 
perspective in all reality if you are looking at the .mil and 
the .gov kind of domains, you know, HealthCare.gov is not 
really a huge high payoff target.
    Space systems, technology related to weapons systems, 
intellectual property stores, information related to 
clearances, information related to quite possibly not only 
personal information on a person that may be weaknesses such as 
relationship issues where they can be played on or through 
blackmail. There is--websites that include information on 
criminals that are actually part of the court systems, 
literally we keep all of this information online now. As you 
can imagine from an attacker's perspective, you could 
literally, you know, not delete the paper but there are ways 
that you can get into a system and change an outcome of quite 
possibly, you know, cases or what actually you have done in the 
past. So there is lots of high-profile targets.
    Ms. Bonamici. Thank you. Thank you so much. I want to 
follow up a little bit. It is my understanding that we have 
already established that there aren't medical records on 
HealthCare.gov, and Mr. Gregg confirmed that in response to 
Representative Edwards' question. Do you agree with that, there 
are no medical records on HealthCare.gov?
    Mr. Krush. Correct. Those would be at the providers.
    Ms. Bonamici. And would you agree that there is more 
personal information in a federal tax return than there is in a 
HealthCare.gov insurance application?
    Mr. Krush. I agree.
    Ms. Bonamici. Mr. Kennedy, do you agree with that?
    Mr. Kennedy. I do agree.
    Ms. Bonamici. Mr. Gregg?
    Mr. Gregg. I do agree.
    Ms. Bonamici. Dr. Ponemon?
    Dr. Ponemon. I agree.
    Ms. Bonamici. Terrific. Okay. So about 80 percent of the 
people in this country file their tax returns online. Mr. 
Krush, do you file your tax returns online?
    Mr. Krush. I do.
    Ms. Bonamici. Mr. Gregg, do you file your tax returns 
online?
    Mr. Gregg. No.
    Ms. Bonamici. Dr. Ponemon, do you file your tax returns 
online?
    Dr. Ponemon. I am old-fashioned. No.
    Ms. Bonamici. Mr. Kennedy?
    Mr. Kennedy. I am old-fashioned as well.
    Ms. Bonamici. So when you understand that about 80 percent 
of the people in this country file their tax returns online, we 
are talking about security with HealthCare.gov when there is 
more personal information on a federal tax return. I just want 
to highlight that, that we are talking about security with 
HealthCare.gov when the majority of people file their tax 
returns online.
    All of you call for third-party--third parties to conduct 
security testing, and the MITRE Corporation, Blue Canopy, and 
Frontier Security have all been doing that for months. In your 
opinion, are those companies competent to do the work, yes or 
no? Dr.--or Mr. Krush?
    Mr. Krush. Yes.
    Ms. Bonamici. Mr. Kennedy?
    Mr. Kennedy. Yes.
    Ms. Bonamici. Mr. Gregg?
    Mr. Gregg. Yes.
    Ms. Bonamici. Dr. Ponemon?
    Dr. Ponemon. I only have knowledge of MITRE and the answer 
is yes.
    Ms. Bonamici. Thank you. Mr. Krush, to be clear, there have 
been no cases of a person's identity being stolen through 
HealthCare.gov at this point, is that correct?
    Mr. Krush. That is correct.
    Ms. Bonamici. Okay. I just want to clear that up because 
the title of the hearing suggests that one of the consequences 
of signing up through HealthCare.gov is going to be identity 
theft. So I wanted to clarify that.
    So I--my time is expired. Thank you, Mr. Chairman. I yield.
    Chairman Smith. Thank you, Ms. Bonamici.
    The gentleman from Texas, the Chairman Emeritus Mr. Hall, 
is recognized for questions.
    Mr. Hall. Thank you, Mr. Chairman, and thank you for the 
hearing and the witnesses. I like old-fashioned people. I don't 
know why. But I will ask my fellow Texan there, Mr. Gregg. 
There has been talk about March the 31st, and I think you 
mentioned that since the deadline for open enrollment is not 
until March the 31st, wouldn't hackers be kind of foolish to 
exploit the website now because they potentially would have the 
opportunity to retrieve a heck of a lot more information after 
that date?
    Mr. Gregg. Well----
    Mr. Hall. Do they think like that or is that too----
    Mr. Gregg. No, sir. They do in many ways look for the big 
payoff, and as was mentioned earlier, cybercrime can be broken 
down into two areas. One is the individuals looking for 
military, looking for that type of information, but a big other 
portion of it today is monetarily driven. We see a lot of that 
out of places like Eastern Europe. We see it out of places like 
Russia. And those individuals are looking for personal 
information. They are looking for things that they can make a 
financial payoff from. And to wait until the time was right 
would very much be to their advantage. While it is true 
information is not held on HealthCare.gov, information is 
passed through that site that they could potentially manipulate 
or take advantage of.
    Mr. Hall. Thank you. And I have heard of a lot of problems, 
but given the problems of the website to date, would you say it 
is highly likely that there will be breaches to the healthcare 
website?
    Mr. Gregg. Yes, sir. I do believe it is very possible or it 
is probable at this current state of the site that that could 
happen.
    Mr. Hall. And once one has occurred, how quickly can 
experts find out about the breach?
    Mr. Gregg. That all depends. We have seen in previous cases 
with things like Gh0st RAT, GhostNet Trojan. We have seen in 
cases like with Google and Aurora and others, in some instances 
those organizations didn't know until weeks or months later.
    Mr. Hall. How quickly should the American people be 
notified in the event of a breach?
    Mr. Gregg. Immediately.
    Mr. Hall. Within hours, days, weeks, or just right now?
    Mr. Gregg. Right now.
    Mr. Hall. That is pretty clear. Once a breach has occurred 
and people have been notified, what actions should people take?
    Mr. Gregg. Immediately start to do things like Dr. Ponemon 
mentioned as far as change passwords, change IDs, especially 
notify and talk to your credit card companies----
    Mr. Hall. Now is----
    Mr. Gregg. --look at your credit card statements, also 
check your credit rating and look at the credit rating 
organizations because many times, just like a period of about a 
week ago I got an email from Amazon that someone tried to open 
up an account under my name and I immediately called my credit 
card provider and found out someone had charged about $5,000 
worth of merchandise under my name because someone had stolen 
my credit card. So you immediately need to take action for that 
stuff to put a stop to it if the credit card company doesn't 
catch it.
    Mr. Hall. This is not like Target where you can check with 
your bank or your credit card company for even suspicious 
activity or something you think might be happening and that----
    Mr. Gregg. That----
    Mr. Hall. I think that is what you are telling me.
    Mr. Gregg. Yes, sir, that is correct.
    Mr. Hall. And how do you find out if--how did you find out 
if your Social Security number--is that the way they got to 
you?
    Mr. Gregg. No, sir, they got a credit card number from me.
    Mr. Hall. Credit card?
    Mr. Gregg. Yes, credit card.
    Mr. Hall. And if medical information had been compromised, 
what would you do about it?
    Mr. Gregg. It would be very tough. With medical information 
or someone has intentionally obtained medical services under 
your name, you may not find out until you actually get the 
bill, or if they have sent that to another address, you may not 
find out until you maybe get denied for a job because they said 
you had a preexisting condition they didn't know of.
    Mr. Hall. Well, just briefly, what are the steps involved 
in repairing a breach?
    Mr. Gregg. It is very tough.
    Mr. Hall. And should a website be shut down while these 
remedies are being considered?
    Mr. Gregg. I would say yes, it should, and I mean it is 
very tough because, first, you have to contest those charges. 
And if it is related to medical, as soon as you contest it 
under HIPAA and other laws, then you have no access to the 
records or information because it is not your information 
anymore. So it can be very difficult.
    Mr. Hall. Well, my time is almost gone. I believe that all 
of you would agree that while no website can be 100 percent 
safe, every precaution needs to be taken to ensure the security 
of the site.
    Now, Mr. Chairman, there are far too many questions 
surrounding the launch of the healthcare website, and until 
these are resolved, the security of Americans' personal 
information is going to remain at risk. That is your 
understanding. Is that why we are having this hearing?
    Chairman Smith. That is exactly correct, Mr. Chairman.
    Mr. Hall. And I thank you for the work on this issue and I 
thank each of you. And thank you, Mr. Chairman, for a good 
hearing.
    Chairman Smith. Thank you, Mr. Hall. Would you yield me the 
balance of your time?
    Mr. Hall. I yield my balance of my time today, tomorrow, or 
next week or any time.
    Chairman Smith. Mr. Kennedy, I would like for you to 
reemphasize the point you made in response to my initial 
question about why the government doesn't even know whether it 
has been hacked or not--that is HealthCare.gov. Why the 
government really can't say or state credibly that there had 
been no successful security attacks.
    Mr. Kennedy. Yes, sir. So if you look at the HealthCare.gov 
infrastructure, it was built independently of HHS, including 
the Security Operations Center piece. There is contractual 
language on that. There is testimony from the Congress that 
also states that as well. So the Security Operations Center, as 
of November 17, had not been built or implemented, which means 
that they didn't have the security monitoring or detection 
capabilities to detect the attacks that are being mentioned 
here today. So to reemphasize, they don't know.
    Chairman Smith. And they don't know. That is why they can 
say there hasn't been any. They are not in a position to know 
one way or the other.
    Mr. Kennedy. That is correct.
    Chairman Smith. Okay. Thank you, Mr. Kennedy.
    Mr. Kennedy. Yes, sir.
    Chairman Smith. The gentleman from California, Mr. Takano, 
is recognized for his questions.
    Mr. Takano. Thank you, Mr. Chairman.
    Mr. Krush, would you like to respond to that?
    Mr. Krush. Sure, I would love to. Actually, we have been 
talking about all of these supposed breaches that have been 
going on related to HealthCare.gov. If they couldn't monitor 
those, how in the world do you have a number? The number would 
be zero if there was no capability to actually look at what 
kind of attacks are coming through the ether.
    Mr. Takano. Okay. Thank you very much.
    Mr. Gregg, I would like to focus on a couple of areas of 
your testimony. First, you argue that the site HealthCare.gov 
really needs a third party working to probe the system for 
weaknesses; and second, you assert that medical records are at 
risk on HealthCare.gov and you list the kind of damage that can 
be done with stolen medical records. And you state previously 
in a post--Huffington Post post that ``however, the United 
States has some of the very best minds in the world when it 
comes to cyber security and there is no doubt that 
HealthCare.gov can be fixed if the right people are given the 
chance to test it.'' Do you still feel that way?
    Mr. Gregg. Yes, sir. That is one of the reasons why I am 
here today----
    Mr. Takano. Okay.
    Mr. Gregg. --is because I believe with independent third-
party assessment and the right assessment done, we can get to 
the bottom of this.
    Mr. Takano. Okay. Well, thank you. I just want know were 
you aware prior to your testimony today that MITRE, Blue 
Canopy, and Frontier Security were all working on third-party 
verification?
    Mr. Gregg. MITRE, yes; the others, no.
    Mr. Takano. Okay. You were aware that MITRE was aware, so I 
don't understand how, you know, in your testimony you still 
assert that third-party work needs been done but you had 
knowledge that a third-party audit was actually being conducted 
by MITRE?
    Mr. Gregg. Yes. One, the article was written before that. 
It was written before that time. And two, I do not know if 
MITRE has finished their research or not or what the findings 
of those are.
    Mr. Takano. Okay. But you did raise this question as if 
third-party verification--I was led to the impression that 
third-party verification wasn't being done, but in fact, you 
had knowledge it was being done?
    Mr. Gregg. Not at the time of the article.
    Mr. Takano. Okay. But in your testimony you lead us to 
believe that you raise it as a concern but it has----
    Mr. Gregg. You quoted the article and you quoted a 
statement directly from the article that I said that needed to 
be done. At that time nothing had been done.
    Mr. Takano. But it is not in your----
    Mr. Gregg. Is that the question?
    Mr. Takano. The testimony that you submitted for this 
Committee doesn't acknowledge it but yet you are telling me 
here you had knowledge of it that it was being done.
    Mr. Gregg. I----
    Mr. Takano. Your testimony leads us to believe that it was 
not being done.
    Mr. Gregg. As of this hearing, I do have knowledge.
    Mr. Takano. Okay. But your--but you----
    Mr. Gregg. At the time of the article, no.
    Mr. Takano. Okay. Okay. Very well. You know, Dr. Ponemon, 
you talk about the medical records, you know, and identity 
theft, and a lot of your work has shown that 95 percent of the 
people who commit these sort of deeds are motivated by Robin 
Hood motivations. Would you explain about that a little bit?
    Dr. Ponemon. It is not 90 percent but it is a large 
percentage. I think it is 29 or 30 percent, but it is still 
pretty significant. A Robin Hood crime, as we define it in the 
research, is where someone, for example, has a family member or 
friend who basically has an illness and they are not insured 
and basically they will kind of look the other way if you will 
and allow that person to use their insurance credentials so 
that when they show up at a hospital or clinic, they are 
getting better treatment than just right off the street.
    Mr. Takano. Well, common sense would sort of tell me if 
that is sort of the big motivation, what would motivate someone 
to go and----
    Dr. Ponemon. Sure.
    Mr. Takano. --try to steal someone's identity, that 
expanding healthcare coverage, providing quality coverage for 
more and more people would reduce this--the likelihood of this 
sort of crime.
    Dr. Ponemon. You have to understand I will be biased in 
that because I think we all deserve good healthcare. So if 
basically you had good healthcare, the value of a credential 
would be meaningless, right, because we all have that 
credential. So there is no value if you will in stealing 
someone's credential because everyone is going to have a 
credential that will give them reasonable healthcare.
    Mr. Takano. So actually, if we made this healthcare 
website--you know, if it was very successful and more and more 
people got enrolled, the actual--we would reduce the risk of 
the misuse of medical records?
    Dr. Ponemon. It could work one way or another. It is really 
hard to determine that. In theory, you are right. I mean you 
could basically say that 29 or 30 percent, the Robin Hood 
portion of the crime, the medical identity theft might actually 
be nonexistent.
    Mr. Takano. So we would remove--we could possibly remove a 
huge motive for people to try to hack into this system if they 
were trying.
    Dr. Ponemon. Well, yes, but remember, the value of a 
medical record is more than just getting the insurance. You 
see, that is only a very small part of it. There is a lot of 
information, rich information, and you--we have done studies 
and the Russian Federation, other parts of the world, and if 
you had a look at the most valuable piece of information right 
now on an individual basis, it would be a medical record. And 
in fact, just yesterday in Fox News, business news, they did an 
article on the value of different types of information, and 
medical information in the black market is much, much more 
valuable than, say, credit or debit card information or 
authentication data.
    Mr. Takano. Okay. Well, thank you very much, Dr. Ponemon.
    Dr. Ponemon. And thank you.
    Mr. Takano. Thank you.
    Chairman Smith. Thank you, Mr. Takano.
    The gentleman from Indiana, Mr. Bucshon, is recognized for 
his questions.
    Mr. Bucshon. Well, thank you all for being here. It is a 
fascinating hearing. We had a previous hearing, which was also 
very fascinating. And we were four for four no one would get on 
the website last time, but we are three for four this time.
    In my view, this is about confidence the American people 
have in their government and whether or not their government is 
doing everything they can to protect their privacy. It is not 
about healthcare at all. We could be talking about any other 
website that the federal government has. And we know the GAO 
came out and reported thousands of breaches across the federal 
government, so to argue that this website is going to be secure 
and that nothing is going to happen I think is a false argument 
because it is going to be breached. There is going to be 
information stolen.
    I think from my perspective--I was a medical doctor before. 
I think when you throw in the healthcare part of it, it becomes 
very personal for people. I understand people out there in my 
district are concerned about the Department of Defense being 
hacked, maybe a few people, but when you start talking about 
the potential for information that they perceive, whether it is 
real or whether it is perceived, is personal information. I 
think all of us in hearings like this and across government and 
the Administration, in both political parties, need to 
recognize the fact we need to do whatever we can to regain the 
confidence of the American people that we are protecting their 
personal information as best we can. Even though I do recognize 
the website itself doesn't have that on there, it does have 
portals that people that are smart can potentially access that.
    And this is actually one of the biggest problems in 
electronic medical records, that we have. My medical practice 
established an electronic medical record in 2005. I love 
electronic medical records but there are two issues. There is 
of course security issues and then there is compatibility 
issues about getting medical information across different types 
of electronic medical records.
    So, I think it is unfortunate that all of you are somewhat 
subjected to a national discussion about healthcare, and I 
appreciate all of you trying to confine your comments to the 
security aspects and not the larger national debate about how 
we provide quality affordable healthcare to all our citizens, 
which I think is a goal we all have and certainly as a medical 
doctor I have. So it really doesn't matter if HealthCare.gov is 
a low-propensity target by some hackers out there. In the minds 
of the American people when you mention their healthcare, this 
is the biggest target in the federal government in their minds. 
Whether that is real or perceived doesn't really make a 
difference.
    So Mr. Krush, the GAO came out with this report, as you 
know, in 2012, saying there were 22,156 data breaches, 4,000 at 
CMS alone. And you have a relationship with CMS so you have to 
recognize that we can't make the case that any website is going 
to be secure to try to make a political argument to prove that 
the way we are managing healthcare is the right way to go. I 
mean that is not the discussion, is it? The discussion is how 
do we protect information? You would have to agree with that, 
wouldn't you?
    Mr. Krush. I absolutely agree with that. I will just say 
that I agree with that and with the idea that the process that 
we use, you know, to secure the data on federal information 
systems is just very rigorous, and that is my complete argument 
here.
    Mr. Bucshon. Yes. And I would agree with that. I think when 
it comes to the confidence, I know we have discussed third-
party people out there looking at this. And I will be honest 
with you. I am a Member of Congress and I have no idea whether 
there is a third-party person out there--and there obviously 
is--looking at this. So our charge is to get that to the 
American people, because if the American people don't know--and 
I can tell you as a political person trying to get a message 
across to 700,000 people is difficult and that is just 700,000 
people. We need to do better getting the information out that 
there are actually people that are in government that are 
looking at this to preserve people's personal records. That is 
my view. Mr. Kennedy, how do we do that?
    Mr. Kennedy. Well, I think if you look at the broader 
picture here and not just HealthCare.gov but just in the 
federal space, end-to-end testing, proactive security measures, 
things that are definitely outlined as being best-of-breed 
security practices need to be performed. And I am not saying 
that NIST doesn't have those. It is just that they are loosely 
followed. And, to comply with FISMA is not necessarily a 
rigorous process.
    So what I have to say to that is, we have to focus on 
putting security in the very forefront, in the very beginning 
stages of what we hire a contractor or we go after an 
organization, throughout the entire process of that. 
HealthCare.gov is a prime example of the failures of being able 
to implement security in a rigorous manner or in a process that 
includes security throughout the entire life cycle. And if you 
do that, you have a better product. You have something that 
people can stand by and say, listen, we are doing our 
reasonable amount of assurance here and we are protecting your 
information, not just, kind of slapping it together and 
throwing it out there.
    Mr. Bucshon. My time is expired. I would like to say let's 
all of us work together to regain the confidence of the 
American people. Thank you.
    Ms. Edwards. Parliamentary inquiry----
    Chairman Smith. Thank you.
    Ms. Edwards. --Mr. Chairman.
    Chairman Smith. Thank you, Dr. Bucshon.
    I am sorry?
    Ms. Edwards. Mr. Chairman, I have a parliamentary inquiry.
    Chairman Smith. The gentlewoman is recognized for her 
parliamentary inquiry.
    Ms. Edwards. Thank you. Mr. Chairman, isn't it true that 
the Committee and House rules require witnesses to submit 
factually correct financial disclosures forms?
    Chairman Smith. There are certain limitations to that, but 
within those limitations, I think that is the case and I think 
all of our witnesses have done so today.
    The gentleman from--
    Ms. Edwards. Mr. Chairman?
    Chairman Smith. Yes. The gentlewoman continues to be 
recognized.
    Ms. Edwards. Mr. Chairman----
    Ms. Johnson. Point of order----
    Ms. Edwards. --I yield to----
    Ms. Johnson. Point of order, Mr. Chairman.
    Chairman Smith. The gentlewoman is recognized.
    Ms. Johnson. I make a point of order that the witness 
testifying today has not complied with the House Committee's 
rules regarding financial disclosure. And under those 
circumstances, I request that the testimony be stricken from 
the record. I am very----
    Chairman Smith. Obviously, I object to that and----
    Ms. Johnson. I expected that.
    Chairman Smith. --I am afraid that the gentlewoman is not 
the one to make that determination.
    Ms. Johnson. I am not finished.
    Chairman Smith. Well, does the gentlewoman have----
    Ms. Johnson. I am recognized, Mr. Chairman, and I have----
    Chairman Smith. Does the gentlewoman have something to say 
that is pertinent to her inquiry?
    Ms. Johnson. --not finished my statement. I am very 
concerned about the testimony we heard from Mr. Kennedy a 
moment ago. He testified on the record that he did not disclose 
government contracts in his truth-and-testimony form that he 
and his company have received, and our Committee Rules 
require----
    Chairman Smith. He also said he was not----
    Ms. Johnson. --a witness disclosure----
    Chairman Smith. --required under the----
    Ms. Johnson. --requirement to be filed out by each--filled 
out by each witness. On that form Mr. Kennedy answered the 
question saying ``not applicable.'' This means that he did not 
comply with the rules of our committee, and as such, I ask that 
he be removed----
    Chairman Smith. That is not necessarily----
    Ms. Johnson. --from--the testimony from the Committee----
    Chairman Smith. --a legitimate----
    Ms. Johnson. --until he accurately and fully discloses the 
federal grants and contracts that the entity he represents have 
received on or after October 1, 2011----
    Chairman Smith. Mr. Kennedy, do you want to respond whether 
you were required to disclose that or not?
    Mr. Kennedy. Thank you, sir. The question was have I done 
work in the federal space prior in the past or currently. The 
answer to that is on behalf of TrustedSEC, we do not work in 
the public sector or government, which is what I disclosed in 
the statement there. In addition, I have worked for NASA as 
well as other federal government agencies in my capacity as a 
Chief Security Officer for a Fortune 1000 company, as well as 
my prior roles as a security consultant for former entities. So 
to answer the question there on what was submitted, I do not do 
work for the public sector. I am plenty busy in the private 
sector keeping everybody else protected. Thank you.
    Chairman Smith. Thank you, Mr. Kennedy. I think you have 
answered the question.
    And I would like to continue our questions. And the 
gentleman from Massachusetts, Mr. Kennedy, is recognized for 
his.
    Mr. Kennedy of Massachusetts. Thank you, Mr. Chairman, and 
thank you to the witnesses for being here today.
    I want to start out by saying I know--I think Teresa Fryer 
was mentioned earlier in this hearing, and I know that she is 
actually testifying I think at this moment or just moments ago 
in front of the Committee on Oversight and Government Reform. 
And her testimony before was referenced about--some of the--her 
remarks on HealthCare.gov and she just recently said today that 
the HealthCare.gov website is secure based on a December 18 
security assessment. She stated that the system exceeds the 
best practices to ensure security and that the risk mitigation 
policies are being implemented and executed as planned. As a 
result, attacks have been successfully prevented. She 
recommends that a new ATO should be given when the current one 
expires just to make sure that we are all up to date on the 
current testimony.
    Now, a couple of, I think, points of clarification: Mr. 
Kennedy, I think one of us here supports the ACA, but I will 
leave that up for the gallery to decide. The--now, I noticed at 
the--I think in your initial testimony and the initial 
testimony of the witnesses, you were nodding your head when Mr. 
Krush said that unless you are actually able to dive into the 
inner workings of the website, which you have made clear that 
you did not hack into, you did not do anything illegal, but 
that you would not have any way of knowing in detail what part 
was vulnerable to attack unless you had done so. Is that 
accurate?
    Mr. Kennedy. We can't tell the inside of HealthCare.gov 
without actually testing it. That is 100 percent accurate. What 
we can see are symptoms of a much larger issue. And if you 
wouldn't mind for just--if I can read a--one of the things that 
I submitted from Ed Skoudis just as an example if you are okay 
with that, sir.
    Mr. Kennedy of Massachusetts. Yes, go ahead.
    Mr. Kennedy. Thank you. Mr. Skoudis said, ``I have worked 
on dozens of large-scale breach cases over the past 12 years 
looking at the root cause of vulnerabilities of attacker 
methods. Reviewing the security issues discovered in 
HealthCare.gov, I can tell you this is a breach waiting to 
happen. Or given the numerous vulnerabilities, perhaps a breach 
has already happened. These are exactly''--and he emphasized on 
that--``the kind of security flaws bad guys exploit on large-
scale breaches.''
    Mr. Kennedy of Massachusetts. So, Mr. Kennedy--and I 
appreciate that, but the point is--and I think we have heard it 
actually reiterated a number of times here--is that we don't 
know. You don't know. You testified before that HHS doesn't 
know. If HHS doesn't know, you don't know, so much of this is 
in fact--it is a concern but it is speculative, right?
    Mr. Kennedy. It is an underlying portion of HealthCare.gov, 
absolutely, yes.
    Mr. Kennedy of Massachusetts. Okay. So--now--thank you. 
And, Mr. Krush, do you--out of your expertise, can you just 
give me off the top of your head what you believe to be the 
biggest data breaches--recent data breaches? This is something 
that is fairly common. Obviously, Target and Neiman Marcus in 
the news today. How many--are you aware of others?
    Mr. Krush. Well, interestingly enough, you know, the 
thing--when it comes to data breaches, I think Target is a 
perfect example of someone that had the capability to identify 
a breach. The thing that is of most concern to me is that there 
are a lot of industry and even government organizations that 
don't have the capability to do that.
    Mr. Kennedy of Massachusetts. So, sir, Target, Neiman 
Marcus obviously in the news now. Do you recall Heartland 
Payment Systems data breach back in 2008? Does that ring a bell 
with you?
    Mr. Krush. It does.
    Mr. Kennedy of Massachusetts. At least from some estimates 
134 million credit cards exposed. How about TJX Companies in 
2006, 94 million credit cards exposed; Epsilon, which exposed 
the emails of millions of customers stored in over 108 
different retail chains; RSA Security, top-notch security firm; 
Sony Playstation Network, over 77 million Playstation Network 
accounts exposed, all private sector, yes?
    Mr. Krush. Yes.
    Mr. Kennedy of Massachusetts. This is something the private 
sector invests billions of dollars a year in trying to protect, 
yes?
    Mr. Krush. Yes.
    Mr. Kennedy of Massachusetts. This is something that is 
very difficult and has to be on the cutting edge in order to 
defend against, yes?
    Mr. Krush. Yes.
    Mr. Kennedy of Massachusetts. Are you aware of how many 
times the House of Representatives has voted to cut funding or 
appeal the Affordable Care Act this Congress?
    Mr. Krush. I am not.
    Mr. Kennedy of Massachusetts. Would the number close to 50 
seem accurate to you?
    Mr. Krush. Unfortunately, I just don't have that insight.
    Mr. Kennedy of Massachusetts. Okay.
    Mr. Krush. I can talk about risk assessment----
    Mr. Kennedy of Massachusetts. Well, take my word for it.
    Mr. Krush. --if you like.
    Mr. Kennedy of Massachusetts. Take my word for it.
    I yield back the balance of my time.
    Chairman Smith. Thank you, Mr. Kennedy.
    The gentleman from Oklahoma, Mr. Bridenstine, is recognized 
for his questions.
    Mr. Bridenstine. Thank you, Mr. Chairman. I appreciate the 
time.
    I would like to start by asking our witnesses a question. 
Are you familiar with Tony Trenkle? He was the Chief 
Information Officer for the Centers for Medicare and Medicaid 
Services. And his job was to oversee the development of 
HealthCare.gov and his job was to,--as--you know, the last 
thing before launching the website he had a security waiver he 
was supposed to sign. Do you guys remember any of this by 
chance? And he didn't sign it. He refused to sign it and he 
resigned. His boss, Marilyn Tavenner, CMS Administrator, who is 
not a Chief Information Officer, who arguably would not be 
qualified to sign off on a security waiver, she signed it. He 
didn't. He is qualified. She did, she is not qualified. She is 
an appointee of the President of the United States.
    Interestingly, her boss, Secretary of Health and Human 
Services Kathleen Sebelius, testified before Congress that she 
had no idea that a security waiver was supposed to be signed, 
that it didn't get signed, and that her subordinate, another 
Barack Obama appointee, signed it. She didn't know. It would 
seem to me you have a qualified person not signing it and then 
having to resign, and the Administration was not clear about 
why that person had to resign, namely Tony Trenkle. In fact, 
they didn't answer the question why. But it would appear--and 
this gives me concern--that people are making decisions for 
political reasons, not in the best interest of security of our 
citizens.
    And so some of you on this panel are CEOs, I think three of 
you. And then, one leads a research institution. Just a quick 
yes-or-no answer, in your institutions if this was going on, 
would you guys have an issue with it? Would somebody in your 
organization be fired? We will start with you, Mr. Kennedy, and 
just go down the row.
    Mr. Kennedy. Coming from being a Chief Security Officer for 
a Fortune 1000 company, I would say the answer to that would be 
yes. That would raise a major concern for me.
    Mr. Krush. I would just talk to the point that the 
authorizing official, if it was the CSO and he or she was the 
one authorized to sign for the system, you know, this is 
actually one of the breakdowns in the risk management framework 
right now. You have what is called--you usually have the CIO or 
the director that are in charge of maybe a program, an 
organization, and they are directed as the authorizing 
official. I would say if we are going to look at one of the 
weaknesses in the process government-wide is that that Chief 
Information Security Officer should be where the buck stops 
always. Right now, there is----
    Mr. Bridenstine. So you are acknowledging that he should 
have signed it if it was secure, and his refusal is a big 
breach of trust here with the American people?
    Mr. Krush. I acknowledge that under the current process----
    Mr. Bridenstine. And then he was forced to resign, 
arguably.
    Mr. Krush. The current process allows for the authorizing 
official to be whoever is directly in charge of the entire 
information system. So, that being said, I think that that is a 
weakness in the process. Right now, it should be the Chief 
Information Security Officer where it stops. They are supposed 
to know the system, the security capabilities, and they are 
supposed to be the ones that should be responsible, but that is 
not the process that we are currently using in the government.
    Mr. Bridenstine. Well, it was the process that was supposed 
to be used until he refused and then resigned. Going down the 
line?
    Mr. Gregg. I would also say yes and I would add to that 
that, as we talked about earlier, with external third parties 
looking at this, that is just a piece of it, them looking at 
it. The other part is those items are actually implemented and 
they are signed off on.
    Dr. Ponemon. It is my turn, I suppose. Yes, it is a big 
ethical issue in my opinion. I think the key variable is that 
the security of our country and the citizens of our country 
should be more than a political issue.
    Mr. Bridenstine. Agreed.
    Dr. Ponemon. But I don't think the solution is to have 
local CSOs, people who are middle-level management. It should 
be a major, major function of the government to have a CSO for 
the entire United States and then----
    Mr. Bridenstine. I am going to bring back my time. I have 
only have 30 more seconds but I appreciate your answer and you 
can submit it for the record.
    Dr. Ponemon. Absolutely.
    Mr. Bridenstine. But I would like to just say that I am not 
going to put this in for the record, Mr. Chairman, because I 
don't want it to create any issues on the other side of the 
aisle, but this comes from an article from CBS News dated 
November 6, 2013. So people watching at home have access to it. 
It is on the internet. It has all been disclosed.
    And I would like to say, finally, in my last five seconds 
this is exactly why the American people have lost trust in 
their government. This is exactly why the American people have 
lost trust in their government.
    Mr. Chairman, I yield back.
    Chairman Smith. Thank you, Mr. Bridenstine.
    The gentleman from Illinois, Mr. Hultgren, is recognized 
for his questions.
    Mr. Hultgren. Thank you, Mr. Chairman. Thank you all for 
being here. This is such an important topic and something I am 
certainly hearing from my constituent as I travel around my 
District of great concern and wanting answers and so I 
appreciate you being here.
    I have got a couple of different questions. I am going to 
address the first one to Mr. Krush if I could. According to 
your written testimony, you say that based on what you have 
read publicly thus far, ``HealthCare.gov is most likely 
categorized as a moderate system referring to the National 
Institute of Standards and Technology or NIST's security levels 
of low, moderate, and high.'' I wonder, is that an appropriate 
categorization for this kind of personal data that we are 
talking about here being available and accessible through the 
HealthCare.gov website, including people's medical files?
    Mr. Krush. So usually we reserve high for, you know, grave 
danger to national security, to the confidentiality, integrity, 
and availability could, you know--for most of the high systems. 
So usually to me when something is categorized with that, it is 
usually life or death. And since HealthCare.gov is not that, 
it--there are some areas where, depending on the organization, 
there is something called organizationally defined parameters. 
That allows the organization to say if they process, store, 
transmit, manage, or review privacy data, it allows them to 
make the recommendation to go to high. But from what I have 
read thus far about the site, because of the interactions with 
the other websites, meaning the handing off through the 
controlled APIs and the way that it deals with 
interconnections, it still would be moderate. If one of those 
interconnections are high, then they--then what they have to do 
is actually--they do--well, we are going to do this anyway. 
They have to develop what is called an ISA, an Interconnection 
Security Agreement. And what that requires both sides to do is 
agree on the cyber security rules, including on how quickly 
they report any instance related to those.
    Mr. Hultgren. Let me jump in here real quick. I would say 
again for my constituents this is of high concern to them and I 
think for us as well. And I would agree with my colleagues of 
how important this is in people's lives. And, boy, talking 
about medical care, it sounds like life and death to me 
oftentimes is making sure that our medical records are 
protected.
    I am going to jump to Mr. Gregg. Is there any evidence that 
HealthCare.gov meets NIST's data security standards and who 
should certify that HealthCare.gov complies with the Federal 
Information Security Management Act?
    Mr. Gregg. I have not seen that evidence as far as whether 
or not they have been certified so I cannot say on that.
    Mr. Hultgren. Okay. Let me open this up to any others. Mr. 
Kennedy, Dr. Ponemon, let me open this up to you all, any 
thoughts you might have. National Institute of Standards and 
Technology, NIST again, provides agencies with the guidance 
they need to develop and launch networks and websites that are 
fully and properly secure. Should NIST's role be expanded or 
increased with any new authority and responsibility 
specifically in regards to HealthCare.gov? Would NIST be best 
qualified to verify and certify how well agencies meet their 
security standards' compliance? And in today's case, should 
NIST review HealthCare.gov? Start with Mr. Kennedy.
    Mr. Kennedy. I would agree with that. I think if you look 
at not just technology-specific areas. You have the CDC, the 
Centers for Disease Control. Prevention, which is really about 
getting information to the American people about diseases, 
things like that. The same oversight needs to be there and the 
expanse of NIST needs to be there for more of a governance 
structure over our security practices inside the government. 
Again, NIST is more of a guidance role right now to adhere to. 
I think the expansion on this is really to bring more security 
integration throughout the whole government, the whole federal 
government, to really build best practices in. Right now, it is 
kind of intermittent not whether they do it or not. So I agree 
that, yes.
    Mr. Hultgren. Okay. Any other comments or thoughts?
    Mr. Krush. They currently write the guidelines, the NIST--
National Institute of Standards and Technology special 
publications and also they write different guidance on 
different types of technologies. I think just understanding 
systems from a risk perspective, if you have one organization 
that is in charge of the information security for every single 
government organization, it is--you will never come to the same 
risk decision. The problem lies in the fact that somebody at 
HHS is going to know about HHS systems and the security and the 
requirements better than someone, you know, in an office 
somewhere up at NIST.
    Mr. Hultgren. I think that my fear is accountability, too. 
Sometimes I see it in bureaucracies, there is a desire to 
protect, hey, if we have a breach, don't let anybody know. I 
want to make sure that doesn't happen.
    Mr. Gregg, do you have any thoughts on this?
    Mr. Gregg. No, but I would agree many times this stuff is 
covered up and it is not released immediately. We even see with 
Target that we are getting some information, but yet to see the 
full picture.
    Mr. Hultgren. Okay. Dr. Ponemon, real quick, what are some 
of the serious consequences that consumers face in the wake of 
medical identity theft? Are there financial consequences in 
addition to medical consequences?
    Dr. Ponemon. Yes, and our research we find that a fairly 
large percentage of our sample suffered some financial 
consequences, and sometimes it is just staggering. It could be 
thousands or tens of thousands of dollars. Keep in mind that 
the people who are at risk are not necessarily wealthy people, 
people who are low income. And so on a proportional level it 
could be their total yearly income just basically the costs 
associated with cleaning up your medical record.
    Mr. Hultgren. Doctor, you are right, and I think that is my 
fear is those who are most vulnerable are right on the edge----
    Dr. Ponemon. Absolutely.
    Mr. Hultgren. --something happens there, they don't have 
anything to fall back on. People with significant resources do.
    Thank you again for being here. Chairman, I appreciate the 
opportunity and I yield back.
    Chairman Smith. Thank you, Mr. Hultgren.
    The gentleman from Texas, Mr. Weber, is recognized for his 
questions.
    Mr. Weber. Thank you.
    Mr.--is it Krush or Krush? I have heard it both ways.
    Mr. Krush. It is Krush but in the Army I used to say Krush.
    Mr. Weber. It is Krush, okay. All right. Well, just call 
you for dinner is the main thing, right?
    Mr. Krush, you said, I think, that you were lucky enough to 
have worked for the HHS or was it the CMS?
    Mr. Krush. So I was fortunate enough to work early on on 
the central office at HHS.
    Mr. Weber. Okay.
    Mr. Krush. I have also provided training actually related 
to the risk management framework and we develop online training 
for CMS.
    Mr. Weber. I want to draw attention to the word luck. You 
said you were lucky but then later you said you had contracts 
totaling around $10 million? $1 million? $10 million?
    Mr. Krush. $1 million.
    Mr. Weber. $1 million. Okay.
    Mr. Krush. But I would say when I was talking about luck, I 
was actually talking about the individuals that are at the 
central office are probably some of the most talented cyber 
security people I have met. And that is just the truth. I have 
worked with them when they were contractors and now they are--
--
    Mr. Weber. Okay. And then you said I am working for the 
CMS--and I wrote it down--you weren't ``best of friends'' 
with----
    Mr. Krush. That is correct, with CMS.
    Mr. Weber. --was the words you used.
    Mr. Krush. We actually had a recent protest with them.
    Mr. Weber. Okay.
    Mr. Weber. But you had government contracts so you might 
not have been best of friends, but you weren't enemies, right?
    Mr. Krush. Absolutely not.
    Mr. Weber. Yes, you weren't enemies. It wasn't maybe a 
marriage, but at that dollar rate, you might be interested in a 
long-term relationship? What do you think?
    Mr. Krush. At those dollar amounts----
    Mr. Weber. Yes, sir.
    Mr. Krush. --a long-term relationship? If it was a little 
bit more probably.
    Mr. Weber. Okay. I see. You are going to play hard to get. 
So were you hired on experience and good performance?
    Mr. Krush. Absolutely.
    Mr. Weber. Okay. So you think performance is important?
    Mr. Krush. Absolutely.
    Mr. Weber. So would you say that the performance in rolling 
out HealthCare.gov was sterling or problematic?
    Mr. Krush. It was problematic.
    Mr. Weber. Very problematic. Can you understand how some 
Americans would question the ability of the company that put 
together HealthCare.gov?
    Mr. Krush. I can.
    Mr. Weber. Sure, makes sense. So it is no surprise to you 
that their credibility has been called into question.
    Mr. Krush. Um-hum.
    Mr. Weber. Do you fault us for doing our due diligence to 
try to protect the American public?
    Mr. Krush. I do not.
    Mr. Weber. So you think it is a good thing what we are 
doing here?
    Mr. Krush. I think that every time--unfortunately, we are 
as a nation fairly reactive, just like, you know, industry. We 
wait until something big happens before we talk about it. You 
know, cyber security----
    Mr. Weber. That is a yes or no. It is a good thing we are 
doing here because I am running out of time.
    Mr. Krush. Oh, absolutely it is a good thing--
    Mr. Weber. Yes, good. Well, I am glad----
    Mr. Krush. --to talk about it.
    Mr. Weber. Good. I am glad to hear you say that.
    Mr. Kennedy, you also think it is a good thing?
    Mr. Kennedy. Absolutely I do.
    Mr. Weber. How about--Mr. Gregg?
    Mr. Gregg. Yes, I do.
    Mr. Weber. Doctor?
    Dr. Ponemon. Yes, I do.
    Mr. Weber. Okay. Well, I am glad to hear that we are 
finally doing something that is advantageous. You know, that is 
kind of rare for Congress.
    Mr. Krush, on February the 19th, 2013, you tweeted ``don't 
just worry about China breaking into systems.'' And then you 
went on Fox News and talked about it. Do you recall that?
    Mr. Krush. I don't remember that tweet but, yes, I am 
very--actually, I don't tweet that much at all but I did go on 
Fox News related to the APT, correct.
    Mr. Weber. Yes, I know. You don't do a lot of tweeting. I 
looked at them.
    Mr. Krush. Yes.
    Mr. Weber. When you tweeted out ``don't just worry about 
China breaking into systems,'' what did you mean by that?
    Mr. Krush. Actually, I think, sir, that was probably--when 
I was tweeting, I just reposted a news article and that was 
probably just the title.
    Mr. Weber. But you recognize that we have a lot of cyber 
security attacks hitting our government, like a million a year.
    Mr. Krush. Oh, absolutely. I have helped to develop many 
security operation centers in the government and industry, and 
there are organizations constantly knocking at our door and 
trying to knock it down.
    Mr. Weber. But China would only attack those military 
websites. They would never go for HealthCare.gov, would they?
    Mr. Krush. Interestingly enough, most organizations, you 
know, state-sponsored organizations--and I put this in my 
testimony--they are always looking for jump points, .gov, .mil, 
period.
    Mr. Weber. So the people in China that are attacking us, is 
their level of proficiency low, medium, high?
    Mr. Krush. Very high.
    Mr. Weber. So we are well advised to warn the American 
people that they are going to have information on 
HealthCare.gov that may be spread across the globe?
    Mr. Krush. You are well advised to warn everybody in the 
federal government and even in industry that cyber security and 
privacy absolutely needs to be one of your top priorities.
    Mr. Weber. Okay. Well, I appreciate you understanding that, 
Mr. Chairman, I yield back.
    Chairman Smith. Thank you, Mr. Weber.
    The gentleman from New York, Mr. Collins, is recognized for 
his questions.
    Mr. Collins. Thank you, Mr. Chairman. And I find that it 
has been about two months since our last meeting. Mr. Kennedy, 
welcome back.
    As one of the last witnesses, I tend to see that there are 
times people will try to defend the indefensible, and the best 
way to defend the indefensible is to confuse the issue and muck 
it up and raise other things. I have heard and seen some of 
that today. So I would like to come back here at the end and 
remind everyone that all four witnesses last time, including 
the Democrat witness, testified absolutely the website was not 
secure on October 1. They testified that absolutely the website 
was not secure on November 19. We couldn't get agreement as to 
whether we should shut it down immediately or not, but the 
testimony indicated that October 1 was a date certain set by 
the Obama Administration to launch HealthCare.gov irrespective 
of whether it was ready, and I think the American public know 
it was not ready.
    So I think it brings into question if it was a date 
certain, it wasn't let's launch the website when it is ready. 
Let's launch it when it will do the job and handle the traffic. 
Let's launch it when it was secure. No. It was let's launch it 
on October 1 because we promised it would be October 1 whether 
it is ready, whether it is secure, doesn't matter. Launch it. 
And we did. And the American public in watching this hearing 
can see for themselves that that was the overriding concern, 
certainly not security.
    So now, here we are today, and yes, we have a different 
witness, but I guess I would ask our witness, Mr. Krush, 
whether you think the website was ready to be launched on 
October 1 or not? That is a yes or no.
    Mr. Krush. That is a no.
    Mr. Collins. And do you think it was secure then on October 
1?
    Mr. Krush. So if you have read my testimony and my previous 
testimony, you will see that I said the process was followed 
and a risk-based decision was made. That is why it is called 
risk management framework and not the no-risk process.
    Mr. Collins. So I guess what I come back to here is that 
there are those today that tried to say this was a politicized 
hearing and so forth, which I don't think it is. I think we are 
just back to talking to the American public who are being told 
that, to sign up, they must share this delicate information, 
including Social Security numbers.
    I think the fact that Target or Neiman Marcus happened to 
have had their issues doesn't defend this. Two wrongs don't 
make a right by any stretch of the imagination. But I am trying 
to point out and remind folks this website was launched on 
October 1 for only one reason: political reasons. It was not 
ready. The Administration knew it was not ready. If it is not 
ready, it is not secure. It wasn't secure. We know it wasn't 
secure. Now, we are being told today to trust the 
Administration and, Mr. Krush, to trust some of your judgment. 
Something happened in the last week or two or month. It is now 
secure. Well, I guess I am not quite ready to accept that just 
because you say it is so. That doesn't necessarily make it so. 
So, I am just trying to bring us back to where we were October 
1, where we were on November 19, where we are today. And 
certainly, I am confident three of our witnesses today, Mr. 
Kennedy, do you think it is secure today?
    Mr. Kennedy. Absolutely not.
    Mr. Collins. Mr. Gregg?
    Mr. Gregg. No, I do not. And usually when sites are rolled 
out, they are rolled out in a beta first----
    Mr. Collins. Right.
    Mr. Gregg. --very small group, and then to a large group.
    Mr. Collins. Mr. Ponemon, do you believe it is secure 
today?
    Dr. Ponemon. You know, it is hard to tell. I am not--these 
people are the experts, but they simply--based on what I am 
hearing, again as a citizen of this country, I am concerned. I 
am not happy with what I am hearing here today.
    Mr. Collins. Okay. And, Mr. Krush, I will let you answer 
that as well, please.
    Mr. Krush. I think my testimony and everything I have been 
saying here is none of us worked on HealthCare.gov, so 
speculating that it is either secure or not is just not 
something I am willing to say.
    Mr. Collins. So you would say today you would not state 
affirmatively to the American public that it is secure?
    Mr. Krush. Based on the information that I have read, a 
risk-based decision was made. There was a mitigation strategy 
that was very clear. They are doing weekly scans. They are 
doing daily scans. They are doing mitigation and remediation.
    Mr. Collins. Okay. I was kind of hoping for a yes or no.
    Mr. Krush. I would say that is pretty secure.
    Mr. Collins. So you are stating, yes, it is secure?
    Mr. Krush. I am stating based on the information I have 
right now I would say it is secure.
    Mr. Collins. Okay. Well, we can have that difference of 
opinion and I guess I will leave it at that for the American 
public to make their own decisions.
    Mr. Chairman, I yield back.
    Chairman Smith. Thank you, Mr. Collins.
    The gentlewoman from Illinois, Ms. Kelly, is recognized for 
her questions.
    Ms. Kelly. Thank you, Mr. Chair.
    Mr. Krush, unlike some of the other witnesses, you have 
extensive experience working on federal government websites 
from the inside developing countermeasures against potential 
attacks and ensuring that websites are as secure as possible. 
Is it true that what might appear like a security vulnerability 
or even a successful exploit from the outside does not actually 
always result in a security threat?
    Mr. Krush. That is correct, Ms. Kelly. Actually, we like to 
set up things called honey pots meaning that we will set up--we 
want to know what the attackers are actually doing to our 
websites and our systems, so we set up ports, protocols, and 
services that may not have anything to do with the website to 
kind of find out who is coming in, what they are doing, and so 
that we can then build countermeasures internally to deal with 
those type of things.
    Ms. Kelly. I have also been told that a site security team 
will leave the appearance of a weakness in place so that 
hackers will waste their time. There are other times, as I 
understand it, seeming weaknesses are purposely put in place 
and what IT professionals--like you just said, honey pots, 
where a genuine hack or even a white hacker gets caught trying 
to penetrate a system. And you just said that that was true. Do 
you imagine with HealthCare.gov that is--honey pots are in 
place or----
    Mr. Krush. So, Ms. Kelly, because I didn't set up the honey 
pot, I can't speculate on that either, but it is a very normal 
practice and best practice in the government to set up honey 
pots so that we can understand what our adversaries or external 
organizations are trying to gain access to and what type of 
things they are actually doing to our websites.
    Ms. Kelly. Okay. And lastly, the HealthCare.gov website 
uses remote authentication to help verify that the users are 
who they claim they are in order to help cut down on medical 
fraud. These sorts of security practices can sometimes make 
websites clunky and the user interface problematic. Can you 
address this issue for us? Is it possible that these sorts of 
kinks and glitches experienced on HealthCare.gov were do to its 
enhanced security measures by any chance?
    Mr. Krush. The great thing about security is if it is done 
right, it won't work. No, I am joking. So a lot of times when 
we lock down systems in the federal government, if we followed 
every single security control that is put forward for us, we 
would turn that box or that system into a completely unusable, 
you know, locked-down box meaning I couldn't log into it as an 
administrator but neither could you. So what we do is we look 
at the controls from a security engineering perspective and 
decide what are the best, you know, security controls to 
implement and how that is going to affect our operational user 
base. And so to answer your question that is a possibility but 
I didn't actually do the identity management system so, once 
again, I can't really talk to that fact.
    Ms. Kelly. Thank you so much. I yield the rest of my time.
    Chairman Smith. Okay. Thank you, Ms. Kelly.
    I don't see any other Members here to ask questions so this 
concludes our hearing today. Thank you all again for your 
contributions to the subject at hand. We heard a lot of good 
testimony and we will continue to be in touch.
    We stand adjourned.
    [Whereupon, at 11:12 a.m., the Committee was adjourned.]
                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions




                   Answers to Post-Hearing Questions
Responses by Mr. David Kennedy
[GRAPHIC] [TIFF OMITTED] 86900.045

[GRAPHIC] [TIFF OMITTED] 86900.046

[GRAPHIC] [TIFF OMITTED] 86900.047

[GRAPHIC] [TIFF OMITTED] 86900.048

[GRAPHIC] [TIFF OMITTED] 86900.049

[GRAPHIC] [TIFF OMITTED] 86900.050

[GRAPHIC] [TIFF OMITTED] 86900.051

[GRAPHIC] [TIFF OMITTED] 86900.052

[GRAPHIC] [TIFF OMITTED] 86900.053

[GRAPHIC] [TIFF OMITTED] 86900.054

[GRAPHIC] [TIFF OMITTED] 86900.055

[GRAPHIC] [TIFF OMITTED] 86900.056

[GRAPHIC] [TIFF OMITTED] 86900.057

[GRAPHIC] [TIFF OMITTED] 86900.058

Responses by Mr. Waylon Krush
[GRAPHIC] [TIFF OMITTED] 86900.059

[GRAPHIC] [TIFF OMITTED] 86900.060

[GRAPHIC] [TIFF OMITTED] 86900.061

[GRAPHIC] [TIFF OMITTED] 86900.062

[GRAPHIC] [TIFF OMITTED] 86900.063

[GRAPHIC] [TIFF OMITTED] 86900.064

Responses by Mr. Michael Gregg
[GRAPHIC] [TIFF OMITTED] 86900.065

[GRAPHIC] [TIFF OMITTED] 86900.066

[GRAPHIC] [TIFF OMITTED] 86900.067

[GRAPHIC] [TIFF OMITTED] 86900.068

[GRAPHIC] [TIFF OMITTED] 86900.069

Responses by Dr. Lawrence Ponemon
[GRAPHIC] [TIFF OMITTED] 86900.070

[GRAPHIC] [TIFF OMITTED] 86900.071

[GRAPHIC] [TIFF OMITTED] 86900.072

[GRAPHIC] [TIFF OMITTED] 86900.073

                                 
