<html>\n<title> - HEALTHCARE.GOV: CONSEQUENCES OF STOLEN IDENTITY</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \n                      HEALTHCARE.GOV: CONSEQUENCES\n                           OF STOLEN IDENTITY\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                            JANUARY 16, 2014\n\n                               __________\n\n                           Serial No. 113-62\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n       Available via the World Wide Web: http://science.house.gov\n\n\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n86-900                    WASHINGTON : 2014\n----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nDANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas\nRALPH M. HALL, Texas                 ZOE LOFGREN, California\nF. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois\n    Wisconsin                        DONNA F. EDWARDS, Maryland\nFRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida\nRANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon\nMICHAEL T. 
McCAUL, Texas             ERIC SWALWELL, California\nPAUL C. BROUN, Georgia               DAN MAFFEI, New York\nSTEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida\nMO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts\nRANDY HULTGREN, Illinois             SCOTT PETERS, California\nLARRY BUCSHON, Indiana               DEREK KILMER, Washington\nSTEVE STOCKMAN, Texas                AMI BERA, California\nBILL POSEY, Florida                  ELIZABETH ESTY, Connecticut\nCYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas\nDAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California\nTHOMAS MASSIE, Kentucky              MARK TAKANO, California\nKEVIN CRAMER, North Dakota           ROBIN KELLY, Illinois\nJIM BRIDENSTINE, Oklahoma\nRANDY WEBER, Texas\nCHRIS COLLINS, New York\nVACANCY\n                            C O N T E N T S\n\n                            January 16, 2013\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................     7\n    Written Statement............................................     8\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Member, Committee on Science, Space, and Technology, U.S. House \n  of Representatives.............................................     9\n    Written Statement............................................    10\n\n                               Witnesses:\n\nMr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC\n    Oral Statement...............................................    13\n    Written Statement............................................    16\n\nMr. 
Waylon Krush, Co-Founder and CEO, Lunarline, Inc.\n    Oral Statement...............................................    30\n    Written Statement............................................    32\n\nMr. Michael Gregg, Chief Executive Officer, Superior Solutions, \n  Inc.\n    Oral Statement...............................................    40\n    Written Statement............................................    42\n\nDr. Lawrence Ponemon, Chairman and Founder, Ponemon Institute\n    Oral Statement...............................................    49\n    Written Statement............................................    52\n\nDiscussion.......................................................    57\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC......    88\n\nMr. Waylon Krush, Co-Founder and CEO, Lunarline, Inc.............   102\n\nMr. Michael Gregg, Chief Executive Officer, Superior Solutions, \n  Inc............................................................   108\n\nDr. Lawrence Ponemon, Chairman and Founder, Ponemon Institute....   113\n\n            HEALTHCARE.GOV: CONSEQUENCES OF STOLEN IDENTITY\n\n                              ----------                              \n\n\n                       THURSDAY, JANUARY 16, 2014\n\n                  House of Representatives,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Committee met, pursuant to call, at 9:13 a.m., in Room \n2318 of the Rayburn House Office Building, Hon. Lamar Smith \n[Chairman of the Committee] presiding.\n\n\n\n[GRAPHICS 86900.003 through 86900.005 OMITTED]\n\n    Chairman Smith. 
The Committee on Science, Space, and \nTechnology will come to order.\n    Welcome to today\'s hearing titled ``HealthCare.gov: \nConsequences of Stolen Identity.\'\' I will recognize myself for \nan opening statement and then the Ranking Member.\n    When the Obama Administration launched HealthCare.gov, \nAmericans were led to believe that the website was safe and \nsecure. As the Science, Space, and Technology Committee learned \nat our hearing last November, this was simply not the case. We \nheard troubling testimony from online security experts who \nhighlighted the many vulnerabilities of the Obama website. \nThese flaws pose significant risks to Americans\' privacy and \nthe security of their personal information.\n    One witness, Mr. David Kennedy, who has been re-invited for \ntoday\'s hearing, testified that there are ``clear indicators \nthat even basic security was not built into the HealthCare.gov \nwebsite.\'\' In addition, all four experts testified that the \nwebsite is not secure and should not have been launched. Mr. \nKennedy will update the Committee on the security of the \nwebsite since November 30, 2013, which was the Administration\'s \nself-imposed deadline for when it would be fixed.\n    Since the November hearing, other events have emerged that \nprompted the need for today\'s hearing. In December, a former \nsenior security expert at the Centers for Medicare and Medicaid \nServices stated that she recommended against launching the \nHealthCare.gov website on October 1st because of ``high-risk \nsecurity concerns.\'\'\n    A letter addressed to the Committee from Mr. Kennedy and \nindependently signed by seven other security researchers who \nreviewed his analysis of vulnerabilities presents some very \ntroubling information. To paraphrase one of the experts, Mr. 
\nKevin Mitnick, who was once the world\'s most wanted hacker, \nbreaking into HealthCare.gov and potentially gaining access to \nthe information stored in these databases would be a hacker\'s \ndream. According to Mr. Mitnick, a breach may result in massive \nidentity theft never seen before. Without objection, Mr. \nKennedy\'s letter will be made a part of the record.\n    Chairman Smith. Further, a recent report by the credit \nbureau and consumer data tracking service Experian forecasts an \nincrease in data breaches in 2014, particularly in the \nhealthcare industry. Specifically, the report states: ``The \nhealthcare industry, by far, will be the most susceptible to \npublicly disclosed and widely scrutinized data breaches in \n2014. Add to that the Health Care Insurance Exchanges, which \nare slated to add seven million people into the healthcare \nsystem, and it becomes clear that the industry, from local \nphysicians to large hospital networks, provide an expanded \nattack surface for breaches.\'\' Experian provides the identity \nverification component of the Health Insurance Marketplace \nenrollment process.\n    Because of increased accessibility to HealthCare.gov, \nconcerns continue to grow about the security of personal \ninformation. The work of this Committee will help Congress make \ndecisions about what actions may be necessary to further inform \nand safeguard the American people.\n    We are here today to discuss whether the Americans who \nsigned up for healthcare plans have put their personal \ninformation at risk. If Americans\' information is not secure, \nthen the theft of their identities is inevitable and dangerous.\n    [The prepared statement of Mr. Smith follows:]\n\n             Prepared Statement of Chairman Lamar S. Smith\n\n    When the Obama Administration launched Healthcare.gov, Americans \nwere led to believe that the website was safe and secure. 
As the \nScience, Space, and Technology Committee learned at our hearing in \nNovember, this was not the case.\n    We heard troubling testimony from online security experts who \nhighlighted the many vulnerabilities of the Obamacare website. These \nflaws pose significant risks to Americans\' privacy and the security of \ntheir personal information.\n    One witness, Mr. David Kennedy, who has been re-invited for today\'s \nhearing, testified that there are ``clear indicators that even basic \nsecurity was not built into the Healthcare.gov website.\'\'\n    In addition, all four experts testified that the website is not \nsecure and should not have been launched. Mr. Kennedy will update the \nCommittee on the security of the website since November 30, 2013, which \nwas the Administration\'s self-imposed deadline for when it would be \nfixed.\n    Since the November hearing, other events have emerged that prompted \nthe need for today\'s hearing. In December, a former senior security \nexpert at the Centers for Medicare and Medicaid Services stated that \nshe recommended against launching the Healthcare.gov website on October \n1st because of ``high risk security concerns.\'\'\n    A letter addressed to the Committee from Mr. Kennedy and \nindependently signed by seven other security researchers who reviewed \nhis analysis of vulnerabilities presents some very troubling \ninformation.\n    To paraphrase one of the experts, Mr. Kevin Mitnick, who was once \nthe world\'s most wanted hacker, breaking into Healthcare.gov and \npotentially gaining access to the information stored in these databases \nwould be a hacker\'s dream. According to Mr. Mitnick, ``A breach may \nresult in massive identity theft never seen before.\'\'\n    Further, a recent report by the credit bureau and consumer data \ntracking service Experian forecasts an increase in data breaches in \n2014, particularly in the healthcare industry. 
Specifically, the report \nstates: ``The healthcare industry, by far, will be the most susceptible \nto publicly disclosed and widely scrutinized data breaches in 2014. Add \nto that the Healthcare Insurance Exchanges, which are slated to add \nseven million people into the healthcare system, and it becomes clear \nthat the industry, from local physicians to large hospital networks, \nprovide an expanded attack surface for breaches."\n    Experian provides the identity verification component of the Health \nInsurance Marketplace enrollment process.\n    Despite increased accessibility to Healthcare.gov, concerns \ncontinue to grow about the security of personal information.\n    The work of this Committee will help Congress make decisions about \nwhat actions may be necessary to further inform and safeguard the \nAmerican people.\n    We are here today to discuss whether the Americans who have signed \nup for health plans have put their personal information at risk. If \nAmericans\' information is not secure, then the theft of their \nidentities is inevitable and dangerous.\n    Chairman Smith. That concludes my opening statement, and \nthe gentlewoman from Texas, Ms. Johnson, is recognized for \nhers.\n    Ms. Johnson. Thank you very much, Mr. Chairman.\n    Since we held our November 19th hearing highlighting \nsecurity issues at HealthCare.gov, up to 110 million people \nhave had their debit card or credit card information \ncompromised by a hack of Target store records. But Target was \nnot alone in being successfully hacked: The Washington Post, \nFacebook, Gmail, LinkedIn, Twitter, YouTube, Yahoo, JP \nMorganChase, SnapChat, and my friends at the Dallas-based \nNeiman Marcus stores have all announced security breaches.\n    However, do you know one system that has not been \nsuccessfully hacked since the last hearing? HealthCare.gov. 
\nAlso since the last hearing the Center for Medicare and \nMedicaid Services (CMS) staff and contractors have been working \naround the clock to improve the performance and security of \nHealthCare.gov. There have been numerous fixes to the website \nthat have improved the site\'s responsiveness compared to its \nfirst 60 days. Millions of Americans have been able to access \nthe site and obtain medical coverage.\n    During that entire time top security contractors, including \nBlue Canopy, Frontier Security and the Mitre Corporation have \nbeen working to test the system and identify weaknesses that \nneed to be addressed. The Chief Information Security Officer \nhas also been running weekly penetration tests to support \nsecurity mitigation steps for CMS. Further, CMS says that none \nof the Majority\'s witnesses\' concerns voiced in that November \nhearing have turned into any actual breach of security.\n    The last hearing did not feature a single witness who had \nany actual information about the security architecture of \nHealthCare.gov, nor what is being done to maintain the \nintegrity of the website. Today, we have the same kind of \nhearing. As smart and experienced as these witnesses are, not \none of them has actual knowledge of the security structure at \nHealthCare.gov. The best that they can do is speculate about \nvulnerabilities. I think it would be good for Members to \nremember that.\n    I am concerned that the intention of this hearing appears \nto be to scare Americans away from the HealthCare.gov site. \nThis appears to present a continuation of a cynical campaign to \nmake the Affordable Care Act fail through lack of \nparticipation. 
While we are holding this hearing, both the \nHouse Oversight and Government Reform Committee and the Energy \nand Commerce Committee are holding similar events, all with the \napparent goal to create a sense of fear, thereby manufacturing \nan artificial security crisis.\n    It is my hope that all of our witnesses can agree that it \nis important to make HealthCare.gov work for the American \npeople to help give all our citizens access to affordable \nhealthcare. I do not want to believe that any of the witnesses \ntestifying today want the site to be hacked or shut down, or \neven see the program fail, or see Americans go without \nhealthcare insurance.\n    This country faces a lot of real issues and real policy \nchallenges. If we are truly interested in hacking and identity \ntheft, we should have representatives of the largest retail \ninstitutions in the country here to discuss the challenges they \nface in protecting people\'s information. Instead, it appears \nthat the Majority has allowed the Committee to become a tool of \npolitical messaging to a degree that I have never witnessed any \ntime in my time in Congress, and I am in my 22nd year.\n    Thank you. I hope that the Committee hearing will be the \nlast of this topic, absent some actual allegations of \nwrongdoing, so that we can focus on legitimate oversight issues \nfacing the country and this Committee.\n    Mr. Chairman, before I yield, I would also like to comment \non the letter you want to put in the record. I was hoping after \nreading it that you would have some testimony or give the \npeople opportunity other than a 24-hour showing of this letter, \nbut you don\'t have to take my word on this. Mr. Kennedy\'s own \ndocument reads, this report is for public use. The report is \nnot appended to his testimony, and I imagine it was not added \nbecause it would violate our 48-hour rule. 
He did not give us \ntestimony in time but late yesterday afternoon presented this \nreport out of the blue, and I am guessing your counsel told him \nto make it a letter because we routinely accept outside letters \nfrom groups and experts all the time with minimal notice.\n    So the report now pretends to be a letter addressed to you \nand to me. However, I cannot remember another time that a \nwitness for the Committee also felt they had to write us a \nletter. I think it is an elaborate way to try to get testimony \nbefore the Committee in violation of the 48-hour rule.\n    As the substance of the report, it includes what amounts to \ntestimony from experts who are not appearing before this \nCommittee and is against the practice of the Committee to \naccept testimony from people who are not personally available \nto answer our questions.\n    The one thing I do know is that none of the individuals who \nsigned these statements in the packet have worked on \nHealthCare.gov or the security protocols behind the website. In \nother words, they know no more about the actual security of the \nsite than does Mr. Kennedy. In deference to the Chairman, I \nwill withdraw my objection but I would point out that this \nreport includes language that I consider vulgar and beneath the \ndignity of the Committee. That alone should be reason to keep \nit out.\n    Even if the Chairman is comfortable with the way our rules \nare being stretched, if you insist, I will withdraw, but I want \nthe record to reflect that we have gone beyond professional \nbehavior of this Committee. Thank you.\n    [The prepared statement of Ms. Johnson follows:]\n\n       Prepared Statement of Ranking Member Eddie Bernice Johnson\n\n    Since we held our November 19th hearing highlighting security \nissues at healthcare.gov, up to 110 million people have had their debit \ncard or credit card information compromised by a hack of Target store \nrecords. 
But Target was not alone in being successfully hacked: The \nWashington Post, Facebook, Gmail, LinkedIn, Twitter, YouTube, Yahoo, JP \nMorganChase, SnapChat, and my friends at the Dallas-based Neiman Marcus \nstores have all announced security breaches.\n    However, do you know one system that has not been successfully \nhacked since that last hearing? Healthcare.gov.\n    Also since the last hearing the Center for Medicare and Medicaid \nServices (CMS) staff and contractors have been working around the clock \nto improve the performance and security of healthcare.gov. There have \nbeen numerous fixes to the website that have improved the site\'s \nresponsiveness compared to its first 60 days. Millions of Americans \nhave been able to access the site and obtain medical coverage.\n    During that entire time top security contractors, including Blue \nCanopy, Frontier Security and the Mitre Corporation, have been working \nto test the system and identify weaknesses that need to be addressed. \nThe Chief Information Security Officer has also been running weekly \npenetration tests to support security mitigation steps for CMS.\n    Furthermore, CMS says that none of the Majority\'s witnesses\' \nconcerns voiced in that November hearing have turned into any actual \nbreach of security.\n    The last hearing did not feature a single witness who had any \nactual information about the security architecture of healthcare.gov, \nnor what is being done to maintain the integrity of the website. Today, \nwe have the same kind of hearing. As smart and experienced as these \nwitnesses are, not one of them has actual knowledge of the security \nstructure at healthcare.gov. The best that they can do is speculate \nabout vulnerabilities. I think it would be good for Members to remember \nthat.\n    I am concerned that the intention of this hearing appears to be to \nscare Americans away from the healthcare.gov site. 
This represents a \ncontinuation of a cynical campaign to make the Affordable Care Act fail \nthrough lack of participation. While we are holding this hearing, both \nthe House Oversight and Government Reform Committee and the Energy and \nCommerce Committee are holding similar events. All with the apparent \ngoal to create a sense of fear, thereby manufacturing an artificial \nsecurity crisis.\n    It is my hope that all of our witnesses can agree that it is \nimportant to make healthcare.gov work for the American people to help \ngive all our citizens access to affordable health care. I do not want \nto believe that any of the witnesses testifying today want the site to \nbe hacked or shut down, or see the program fail, or see Americans go \nwithout medical insurance.\n    The country faces a lot of real issues and real policy challenges. \nIf we are truly interested in hacking and identity theft, we should \nhave representatives of the largest retail institutions in the country \nhere to discuss the challenges they face in protecting people\'s \ninformation. Instead, it appears that the Majority has allowed the \nCommittee to become a tool of political messaging to a degree I have \nnever witnessed in my time in Congress.\n    Thank you, I hope that today\'s hearing will be the last on this \ntopic, absent some actual allegations of wrongdoing, so that we can \nfocus on all the legitimate oversight issues facing the country and \nthis Committee.\n    Chairman Smith. I will recognize myself to respond to the \nRanking Member\'s comments.\n    All Committees, including this one, have a longstanding \npractice of affording Members the courtesy of entering items \nthat they believe are relevant to the topic at hand into the \nrecord. I am sure the Ranking Member knows this. Members on \nboth sides have generally approached the development of the \nrecord in the spirit of bipartisanship and comity. 
I am \ndisappointed if the gentlewoman from Texas would now seek to \nquestion a letter I have asked to place in the record. We \nfrequently place items in the record that express the opinion \nof various groups or make statements regarding an issue at the \nrequest of Members on both sides of the aisle. Often, those who \nhave written those letters are not testifying before the \nCommittee and have not been asked to do so, yet their opinions \nare still made part of the record.\n    One such example is a 54-page submission that Mr. Maffei \nrequested be placed in the record at a hearing last August. \nThis document, which was not even addressed to the Committee, \nbut instead to the Administrator of the EPA, was entered into \nthe record without comments. It includes a letter from six \ndifferent tribes signed by eight different people, none of whom \ntestified before this Committee. It includes a letter from a \nlawyer who represented the tribes. He also did not testify \nbefore the Committee, yet we made his letter a part of the \nrecord. Finally, it includes another letter to the \nAdministrator of the EPA that purports to be from 15 different \nnational organizations, 17 international organizations, 75 \nAlaskan organizations, and numerous other organizations from \nother states. None of these organizations testified before this \nCommittee.\n    I placed Mr. Kennedy\'s letter in the record here today. He \nis testifying before us shortly----\n    Ms. Edwards. Mr. Chairman.\n    Chairman Smith. --and Members will have the opportunity to \nquestion him on its contents.\n    Ms. Edwards. Mr. Chairman.\n    Chairman Smith. 
I am still in the middle of my statement.\n    I regret the Ranking Member has questioned the longstanding \nprerogative of a Member to enter a relevant document into the \nrecord, especially when Members on her side of the aisle have \ndone so many times without objection from the Majority.\n    I hope this is not indicative of her desire to make this \nCommittee\'s business more partisan.\n    That concludes my statement, and I will now introduce the \nwitnesses.\n    Ms. Edwards. Mr. Chairman.\n    Chairman Smith. I am going to introduce the witnesses, \nand----\n    Ms. Edwards. Mr. Chairman, I object to the entry of the \nletter into the record.\n    Chairman Smith. The letter has already been entered into \nthe record and the objection is not timely.\n    Ms. Edwards. Mr. Chairman, I would ask for a vote on \nwhether we enter the letter into the record.\n    Chairman Smith. That is no longer a proper motion because \nit is not timely.\n    Ms. Edwards. Well, Mr. Chairman, I think you have deeply \npoliticized this hearing.\n    Chairman Smith. Well, I am sorry for the Ranking Member\'s \ncomments that caused it, and now I will recognize and introduce \nour first witness.\n    Mr. David Kennedy is the President and CEO of TrustedSEC \nLLC. Mr. Kennedy is considered a leader in the security field. \nHe has spoken at many conferences worldwide including Black \nHat, DefCon, Infosec World and Information Security Summit, \namong others. Prior to moving to the private sector, Mr. \nKennedy worked for the National Security Agency and the United \nStates Marines in cyber warfare and forensics analysis. Mr. \nKennedy received his Bachelor\'s degree from Malone University.\n    Our second witness, Mr. Waylon Krush, is the Co-Founder and \nCEO of Lunarline. He is also a founding member of the Warrior \nto Cyber Warrior program, a free six month cyber security boot \ncamp for returning veterans. A veteran of the U.S. Army, Mr. 
\nKrush is a recipient of the Knowlton Award, one of the highest \nhonors in the field of intelligence. Mr. Krush holds a \nBachelor\'s degree in computer information science from the \nUniversity of Maryland University College. He is also a \ncertified information systems security professional, \ncertification and accreditation professional, certified \ninformation systems auditor, and has more than 3,000 hours of \ntraining with the National Cryptologic School.\n    Our third witness, Mr. Michael Gregg, is the CEO of \nSuperior Solutions Inc., an IT security consulting firm. Mr. \nGregg\'s organization performs security assessments and \npenetration testing for Fortune 1000 firms. He has published \nover a dozen books on IT security and is a well-known security \ntrainer and speaker. Mr. Gregg is frequently cited by print \npublications as a cyber security expert and as an expert \ncommentator for network broadcast outlets such as Fox, CBS, \nNBC, ABC and CNBC. Mr. Gregg holds two Associate\'s degrees, a \nBachelor\'s degree and a Master\'s degree.\n    Our final witness, Dr. Larry Ponemon, is the Chairman and \nFounder of the Ponemon Institute, a research think tank \ndedicated to advancing privacy, data protection and information \nsecurity practices. Dr. Ponemon is considered a pioneer in \nprivacy auditing and was named by Security magazine as one of \nthe most influential people for security. Dr. Ponemon consults \nwith leading multinational organizations on global privacy \nmanagement programs. He has extensive knowledge of regulatory \nframeworks for managing privacy, data protection and cyber \nsecurity including financial services, healthcare, \npharmaceutical, telecom and Internet. Dr. Ponemon earned his \nMaster\'s degree from Harvard University and his Ph.D. at Union \nCollege in Schenectady, New York. 
He also attended the doctoral \nprogram in system sciences at Carnegie Mellon University.\n    We welcome you all and look forward to your expert \ntestimony, and Mr. Kennedy, will you lead us off?\n\n                TESTIMONY OF MR. DAVID KENNEDY,\n\n                    CHIEF EXECUTIVE OFFICER,\n\n                        TRUSTEDSEC, LLC\n\n    Mr. Kennedy. Thank you, Mr. Chairman.\n    Good morning to everybody in the House Science and \nTechnology Committee, to the Honorable Mr. Smith as well as the \nRanking Member of the House Science and Technology Committee, \nthe Honorable Ms. Johnson. It is great to see you two folks \nagain as well as all of the other Ranking Members here today. I \nappreciate your time to hear us discuss the issues with the \nHealthCare.gov security concerns as well as the consequences \naround stolen identities.\n    What I want to first start off with is that to me, this is \nnot a political issue. I take no political-party stance and I \nhave no party affiliate. For me personally, this is a security \nissue. Working in the security industry for over 14 years \nincluding working for the National Security Agency as well as \nspending a number of years in Iraq and Afghanistan, my \ntestimony here today is to talk about the issues with security, \nand that is it. So when I talk about the issues that we see \nhere today, it is based on my expertise of working in the \nsecurity industry, doing these assessments on a regular basis, \nbeing a chief security officer for a Fortune 1000 company for a \nnumber of years as well as running my own company.\n    And I am not alone. The mention of the document that was \nreleased yesterday had seven independent security researchers \nthat are well known in the security industry including a number \nof folks that have worked for the United States government, do \ntraining for the United States as well as work closely with the \nUnited States government. 
Today is not to talk about the \npolitical-party problems with it but also discuss just the \nsecurity issues alone, and that is what I am here to talk about \ntoday.\n    So I would like to give thanks to Kevin Mitnick, Ed \nSkoudis, Chris Nickerson, Chris Gates, Eric Smith, John Strand \nand Kevin Johnson for providing their comments on the issues \nthat we see today. We are pretty unified in our approach. \nEverybody that I shared with, I put them under non-disclosure \nagreements and worked with them, and the consistent feedback \nthat we got was that HealthCare.gov is not secure today, and \nnothing has really changed since the November 19th testimony. \nIn fact, from our November 19th testimony, it is even worse.\n    Additional security researchers have come into play, \nproviding additional research, additional findings that we can \ndefinitely tell that the website is not getting any better. In \nfact, since the November 19, 2013, testimony, there has only \nbeen one-half of a vulnerability that we discovered that has \nbeen addressed or even close to being mitigated. When I say \none-half, I mean that basically they did a little bit of work on it \nand it is still vulnerable today.\n    I want to throw a disclaimer out there that in no way, \nshape or form did we perform any type of hacking on the \nwebsites. That is a misnomer. The type of techniques that we \nused is looking at the site from a health perspective, doing \nwhat we call passive reconnaissance, not attacking the site in \nany way, shape or form, not sending data to the site but really \nlooking at the health of it. I would like to put in another \nanalogy. Say my expertise wasn\'t being in the security \nindustry, it wasn\'t anywhere near doing anything security \nrelated and I was a person that was a mechanic. I had 14 years \nof being a mechanic. 
And, a car drove past me that was puffing \nblue smoke out of the muffler, it was leaking oil, the engine \nwas making clinking sounds, and basically a lot of symptomatic \nproblems: the doors are open, the windows are open and \neverything else. As a mechanic, I can probably say with a \nreasonable level of assurance that the engine probably has some \nissues. Same thing with technology and Web applications. Web \napplications are no different than a car with an engine \nproblem. There are a lot of pieces that make the car work. \nThere are a lot of pieces that make a website work.\n    From our testimony here today as well as what we have \ndiscovered in the past, there are a number of security issues \nthat are still there today with the website. To put it in \nperspective, I would like to put for the record that there \nweren\'t 70 to 110 million credit cards taken from Target. That \nis not accurate. The correct statistic is that there were 70 to \n110 million personal pieces of information taken about \nindividual people that shopped at Target. There were 40 million \ncredit cards that were taken. The issue with Target isn\'t \nspecifically around credit cards. Credit cards can be reissued. \nYour credit that gets taken from the credit cards can be \ndebited back into your account. You are not liable as a \nconsumer. But what you can\'t fix is your personal identity. If \nyou look at Target, for example, the 70 to 110 million personal \npieces of information, that includes address, email addresses, \nphone numbers, additional information. That is what you can\'t \nreplace, and we have already seen a number of individuals that \nare selectively being targeted from a personal information \nperspective because of that. That doesn\'t even include Social \nSecurity numbers. In fact, I just had another independent \nsecurity person get targeted yesterday from an email claiming \nto be Target. 
As soon as they clicked the link, it hacked their \ncomputer and took full control of it.\n    So this issue here doesn\'t relate specifically to just \ncredit card data because that is obviously not in the \nHealthCare.gov website. The personal information around Social \nSecurity numbers, first name, last name, email addresses, home \nof record, those are all a recipe for disaster when it comes to \nwhat we see from personal information being stolen and theft. \nSo it is not just that. As an attacker, if I had access to the \nHealthCare.gov infrastructure, it has direct integration into \nthe IRS, DHS as well as third-party providers as well for \ncredit checks. If I have access to those government agencies, I \nnow can complete an entire online profile of an individual, \neverything that they do and their entire online presence.\n    And this isn\'t just HealthCare.gov alone. I am not trying \nto single out HealthCare.gov alone. I am really focusing on a \nmuch larger issue, which is security in the federal government \nalone is at a really bad state. We need to really work together \nto fix it and work on more sweeping changes. Thank you.\n    [The prepared statement of Mr. Kennedy follows:]\n    [GRAPHIC] [TIFF OMITTED] 86900.010\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.011\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.012\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.013\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.014\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.015\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.016\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.017\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.018\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.019\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.020\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.021\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.022\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.023\n    \n    Chairman Smith. Thank you, Mr. Kennedy.\n    Mr. Krush.\n\n                 TESTIMONY OF MR. 
WAYLON KRUSH,\n\n              CO-FOUNDER AND CEO, LUNARLINE, INC.\n\n    Mr. Krush. Chairman Smith, Ranking Member Johnson and \nMembers of the Committee, thank you for this opportunity to \ntestify on the important topic of cyber security.\n    I am Waylon Krush, Founder and CEO of Lunarline. We are one \nof the fastest-growing cyber security companies. I am also a \nfounder of the Warrior to Cyber Warrior program, as stated \nearlier.\n    I have been asked to speak on cyber security today as it \nrelates to HealthCare.gov, and just listening to Mr. Kennedy, I \nactually have some very simple points I want to make right \naway.\n    First of all, if none of us here built HealthCare.gov, if \nwe are not actively doing not a passive vulnerability \nassessment but an active vulnerability assessment and doing \npenetrations and running that exploitable code on \nHealthCare.gov, we can only speculate whether or not those \nhacks will work. So anything that has been said thus far, if we \nare talking about any type of dot gov or dot mil site just \nidentifying passively a vulnerability and not actually working \non the site, knowing how the protocols work in the back end, \nwhat type of defense in depth, how each one of the assets are \nlocked down, nobody here at this table can tell you that they \nknow that there is vulnerabilities.\n    Another thing I would like to talk about today is in the \nfederal government, something a little bit different than we \nhave in the commercial organizations is, we use something \ncalled the risk management framework, and you know, this \nCommittee has actually helped develop that as part of NIST, and \nI will tell you, that is one of the most rigorous processes as \nit relates to cyber security and privacy in the entire world, \nand when I say the entire world, most security standards are \njust a subset of the risk management framework. 
It is one of \nthose areas from a security control perspective that has been \ntaken to build other security standards or it is basically \ncopy, cut, pasted to create new security standards. This is a \nsix-step process. It includes categorization, selection, \nimplementation, validation, authorization and, most \nimportantly, continuous monitoring of all the controls. You \nknow, just looking at it, you might think well, there is about \n360 controls in NIST Special Publication 800-53, revision 4. \nWhen you dig a little bit deeper, there is actually several \nthousand information security controls that our federal \ninformation systems must undergo from a security architecture \nperspective including they must be continuously testing.\n    Another point I would like to make is that if anybody here \nactually went out to these websites, and I am not talking about \npassive, but if we have extracted addresses, if you went to the \nwebsite and done anything outside the bounds of what is allowed \nin the federal government, you are basically breaking the law. \nYou can\'t just go out and say I found this vulnerability and \nthen exploit it to try to get, you know, media attention or \nanything like that. If you do that, you are breaking the law. \nIt is pretty simple.\n    And last but not least, you know, HealthCare.gov is one of \nmany hundreds or even thousands of federal information systems \nout there in websites, and you know, I have worked in the \nthreat area. I can tell you, my background is not only a \nsoldier but was on the U.S. Army\'s Information Operations Red \nTeam, Blue Teams, information system security monitoring teams, \nprotocol analysis, signals analysis, and including working in \ncritical infrastructure protection for AT&T for a few years all \nacross the world. 
If you go out and tell someone--and this is \njust the truth when we are out actively taking down websites--I \ncan sit here all day and speculate about a vulnerability but \nuntil I have actually exploited that vulnerability, there is no \nway to tell whether that attack will actually work. There is a \nlot more going on in the background that everybody needs to \nunderstand.\n    Another note, and last but not least, about HealthCare.gov \nthat everyone needs to understand is that with all of the media \nattention it is currently getting, you would think it is most \nhigh payoff target in the entire federal government. You would \nthink that HealthCare.gov is something that everybody would \nwant to go after. That is truly--that is media spin, if \nanything. HealthCare.gov is one of many websites that have \npersonal information in it. It is connected to other systems \nbut saying it is interconnected directly to all these systems \nand that leaves them vulnerable also shows kind of a lack of \nknowledge of the backend system capabilities, meaning that \nthose connections are very secure and they are authorized on \nboth sides.\n    And you know, I have actually been lucky enough to work \nwithin CMS and HHS on cyber security deployments and \nconfigurations so out of everybody here at least at this table, \nI probably have the most hands-on knowledge but I can\'t come \nhere and just speculate about what is actually vulnerable to \nthe system and what is not. And the truth is, once again, on \nthe threat side, as we have seen in media, you can probably \ntell that, you know, HealthCare.gov is not the one getting \nattacked. Most cyber criminals, especially those with advanced \ncapabilities, they go where the money is, right? They are going \nto go after the Targets, they are going to go after the Neiman \nMarcus, they are going to go after these places that contain \nlots of data related to intellectual property because it just \nmakes fiscal sense, right? 
If the U.S. government spends \nbillions of dollars on our research and development and we \ndon\'t protect it and some other country takes that, you just \nsaved them billions of dollars. Thank you.\n    [The prepared statement of Mr. Krush follows:]\n    [GRAPHIC] [TIFF OMITTED] 86900.024\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.025\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.026\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.027\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.028\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.029\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.030\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.031\n    \n    Chairman Smith. Thank you, Mr. Krush.\n    Mr. Gregg.\n\n                TESTIMONY OF MR. MICHAEL GREGG,\n\n                    CHIEF EXECUTIVE OFFICER,\n\n                    SUPERIOR SOLUTIONS, INC.\n\n    Mr. Gregg. Thank you, Chairman Smith, thank you, Ranking \nMember Johnson, Members of the Committee, for having me here \ntoday.\n    My name is Michael Gregg. I am really going to break down \nmy speech into three pieces and my presentation: first, how \nHealthCare.gov could potentially be hacked, why HealthCare.gov \nneeds independent review by third parties, and also, what would \nbe the result of this, what could be the potential impact.\n    My concern is that HealthCare.gov is a major target \npotentially for hackers looking to steal not only personal \nidentities but also information that could be used to steal \ntheir identity. Although I understand HealthCare.gov does not \nstore that information, it passes that information back and \nforth between third-party government sites and other \norganizations. While there are many different ways that the \nsite could be hacked, there are some prominent ones, and these \nare the same ones listed by prominent websites like OWASP. It \ncould be things like cross-site scripting, SQL injection. It \ncould be LDAP injection, it could be buffer overflow. 
There are \nmany different ways that this could be done.\n    Now, while that sounds foreign to many of you, the fact is, \nthese are known attacks that are used against known sites every \nday from Target to Neiman Marcus to Google to many others. Some \nof the things that concern me are in the past we have seen, for \nexample, the 834 data. That is data that is passed to the back \nend of the insurance companies. We have seen and we have heard \nreports of this information being corrupted and not being \ncorrect when it is being received. That indicates at some point \nthe data is not being handled correctly, and all input data, \nall process data, all output data has to be correct. If not, \nthere is some type of problem, meaning that data is not being \nproperly parsed. That same kind of situation could lead to an \nattacker putting in some type of data and misusing that in some \nway or launching an attack.\n    Also, as I said, HealthCare.gov is a very large attack \nsurface. This is a very large program or application. It was \nbuilt very quickly. A large attack surface makes it very hard \nto secure. So I find it hard to believe that during the release \nand also the update of the site that all the items that our \nprevious speaker spoke of as far as FISMA, FIPS 199, FIPS 200, \nwere actually taken care of and it actually passed all those \nrequirements that they are required to by law, and that those \nwere properly completed.\n    Microsoft, think of those folks, for example. They have \nspent almost 30 years trying to secure their operating systems \nand still we see Microsoft products or operating systems being \nbrought under attack. To think that HealthCare.gov could be \nbuilt so quickly and then be secured to me is very hard to \nbelieve.\n    When we have a large application or website to be reviewed, \ntypically we do it a couple of different ways. We start at the \nvery beginning before the site is actually developed. 
We do \nthings as far as audits. We do vulnerability assessments. We \nalso do pen testing. All three of these things are required to \nactually look at and examine the site. Pen testing is a very \nimportant part of this process because pen testing means we are \nlooking at the site the same way the attacker would. We are \nsaying what would the attacker see, what could they use, what \ncould they do with this and how could they leverage this \npotentially for attack. I don\'t believe those types of \nassessments have been done to this day and have been properly \ncompleted.\n    So what has been reported currently is that when we see \nwith HealthCare.gov that they are running weekly assessments, \nthat they are potentially patching the site, but a lot of that \nactivity we are talking about is reactive in nature. That means \nwhen we are finding a problem, we are actually fixing it. That \ndoesn\'t mean we have already gone out and we have found all \npossible problems or all potential ways that an attacker may \nleverage that and get access to the site.\n    Some might argue that if HealthCare.gov is actually \nvulnerable, why hasn\'t it already been attacked? Well, if you \nthink about it from an attacker\'s standpoint, we have seen that \nattackers have the fortitude and also the patience to wait \nuntil the right time. Look at Target. Did they attack \nimmediately? No, they waited until the right time and the right \nmoment to actually do this. This could be the same thing. They \nare going to wait until after March. They are going to wait \nuntil the deadline. They are going to wait until there is a \ntrove of information for them to go after. Then they are going \nto target it.\n    So what could be the impact on consumers? Potentially \nreduced credit ratings. It could be increased difficulty \ngetting loans, could be criminal issues. It could be emotional \nimpact. It also could be very damaging as far as medical \ninformation that could be lost. 
It could be potentially people \ndon\'t get hired for a job. It could be they get the wrong \ntreatment because someone else has obtained treatment under \ntheir name for some other type of disease or some other type of \nproblem that they didn\'t have. It could be potentially them \nbeing denied an application or job for some reason.\n    And in closing, I would just like to say this. When our \norganization builds applications, we bring everybody together. \nWe bring the end users, the developers. We bring everyone \ntogether, the security professionals, to make sure the site is \nsecure and that security can be built in from the very \nbeginning. I do not believe that has been done in this case. \nHacking today is big business. It is no longer the lone hacker, \nthe individual in their basement. Today is organized crime. It \nis very large groups potentially out of places like Russia and \nEastern Europe. We can fix these problems, but for these \nproblems to be fixed means that we need an external assessment \nof this site by independent third parties.\n    Thank you very much for your time.\n    [The prepared statement of Mr. Gregg follows:]\n    [GRAPHIC] [TIFF OMITTED] 86900.032\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.033\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.034\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.035\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.036\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.037\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.038\n    \n    Chairman Smith. Thank you, Mr. Gregg.\n    And Dr. Ponemon.\n\n               TESTIMONY OF DR. LAWRENCE PONEMON,\n\n                     CHAIRMAN AND FOUNDER,\n\n                       PONEMON INSTITUTE\n\n    Dr. Ponemon. Thank you, Mr. Chairman, and thank you for \ninviting me.\n    Well, first, let me just start off by saying that I am the \nresearch wonk to this panel. These people are absolutely \nbrilliant and they understand the technical aspects and the \nsecurity issues. 
What I would like to do is talk a little bit \nabout the consequences of identity theft and medical identity \ntheft. That is really my focus, and the basis of my comments is \nresearch, research that my institute conducts. And sometimes, \nby the way, they call my institute the Pokemon Institute. It is \nactually Ponemon Institute, which is my last name.\n    So I understand the purpose of my testimony today is to \nprovide assistance in understanding the potentially devastating \nconsequences of a data breach to individuals, to households and \nsociety as a whole. For more than a decade, we have studied the \ncost and consequences of data breach through extensive consumer \nstudies as well as benchmark research on the privacy and data \nprotection practices of companies in the private and public \nsectors. In the area of healthcare, we have conducted four \nannual studies on medical identity theft and patient privacy \nand security protections within hospitals and clinics. We also \nsurvey consumers on their perceptions about the organizations \nthey trust the most to protect their privacy. Among the U.S. \nfederal government sector, for example, we are pleased to \nreport some good news, that the USPS, the Postal Service, gets \nvery high marks for trust. Another, and this might be a little \nsurprising, the IRS actually is trusted for privacy, not for \nanything else--no, just joking--but definitely for privacy \npractices, as well as the Veterans Administration, and they \nwere a bad guy, right? You might remember, they lost a lot of \ndata. I am a veteran and I was on that list of 26 million. But \nthey turned things around and they are trusted for privacy.\n    So today I have been asked to testify about the possibility \nof like identity theft on the HealthCare.gov website and the \npotential consequences to the American public. 
Identity theft \nand medical identity theft are not victimless crimes and affect \nthose who are most vulnerable in our society such as the ill, \nthe elderly and the poor.\n    So beyond doing these numerous research studies that I just \nmentioned, this is an issue that really struck home for me. \nLast year, my mother, she is 88 years old, she lives alone in \nTucson, Arizona, and she suffered from a stroke. She was rushed \nto a hospital and admitted immediately, and unbeknownst to her, \nan identity theft was on the premises and made photocopies of \nher driver\'s license, debit cards and credit cards that were in \nher purse. And by the way, she also has all the passwords to \neverything in a little Post-It note in her purse as well. She \ndoesn\'t listen to me. That is the problem. The thief was able \nto wipe out her bank account and there were charges on her \ncredit card and debit card amounting to thousands and thousands \nof dollars. In addition to dealing with her serious health \nissues, she also had to cope with the stress of recovering her \nlosses and worrying about more threats to her finances and \nmedical records.\n    The situation with my mom in the hospital and those who are \nsharing personal information on HealthCare.gov are not \ndissimilar, and let me explain. My mother had a reasonable \nexpectation that the personal information she had in her wallet \nwould not be stolen, especially by a hospital employee, and \nthose who visit and enroll in HealthCare.gov have an \nexpectation that people who are helping them purchase health \ninsurance will not steal their identity. They also have a \nreasonable expectation that all necessary security safeguards \nare in place to prevent cyber attackers or malicious insiders \nfrom seizing their personal data.\n    Now, in my opinion, the controversy regarding security of \nthe HealthCare.gov website is both a technical issue, as we \nheard from these gentlemen but it is also an emotional issue. 
\nIn short, security controls alone will not ease the public\'s \nconcerns about the safety and privacy of their personal \ninformation. Based on our research, regaining the public\'s \ntrust will be essential to the ultimate acceptance and success \nof this initiative.\n    So following are some key facts that we learned from our \nconsumer research over the more than a decade of doing these \nkinds of studies. First, the public has actually a higher \nexpectation that their data will be protected when they are \ndealing with government sites than commercial sites. In other \nwords, when I am going to the Veterans Administration, I have a \nhigher expectation of privacy. Whether it is rational or not, \nthat is basically what we see. Second, the loss of one\'s \nidentity can destroy a person\'s wealth and reputation and in \nsome cases their health. Further, the compromise of credit and \ndebit cards drives the cost of credit up for everyone, thus \nmaking it more difficult for Americans to procure goods and \nservices. Third, medical identity theft negatively impacts the \nmost vulnerable people in our Nation. Beyond financial \nconsequences, the contamination of health records caused by \nimposters can result in health misdiagnosis and in extreme \ncases could be fatal. Because there are no credit reports to \ntrack medical identity theft, it is nearly impossible to know \nif you have become a victim.\n    So what is the solution? Let me just give you three ideas. \nFirst, on the trust issue, let us think about accountability. \nIt is important to demonstrate accountability, and the best way \nto do that, in my mind, is rigorous adherence to high \nstandards, and I think we mentioned NIST. NIST is a great \nstandard but very high standards above the bar and showing the \nAmerican people that this particular website or any website \nthat collects sensitive personal information is meeting or \nexceeding that standard.\n    Number two is ownership. 
What I would like to see is the \nchief information security officer is your chief executive \nofficer. That is good news when the CEO steps up to the plate \nand does what needs to be done, and in this case, I would love \nto see our President take ownership of the website and ensure \nthat good security and privacy practices are met as a priority, \nnot just by HealthCare.gov, but across the board.\n    And third is verification. Now, I am an auditor. I have to \nadmit this, so I am a little bit biased, or I used to be an \nauditor at PriceWaterhouseCoopers. You know, we can say that we \nare doing all of these good things, but having a third-party \nexpert telling us that we are meeting and exceeding the \nstandards is a very good idea and a noble idea.\n    And with that being said, I think I am actually the first \nperson concluding giving you some time back on the clock.\n    [The prepared statement of Dr. Ponemon follows:]\n    [GRAPHIC] [TIFF OMITTED] 86900.039\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.040\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.041\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.042\n    \n    [GRAPHIC] [TIFF OMITTED] 86900.043\n    \n    Chairman Smith. Well----\n    Dr. Ponemon. Oh, no.\n    Chairman Smith. --not exactly.\n    Dr. Ponemon. I wasn\'t watching the time. I am sorry.\n    Chairman Smith. Thank you, Dr. Ponemon. I appreciate your \ntestimony. I will recognize myself for questions. Let me direct \nmy first one to Mr. Kennedy.\n    Mr. Kennedy, the Administration maintains that there has \nnot been a successful security attack on HealthCare.gov. Is \nthat an accurate statement?\n    Mr. Kennedy. Thank you, Mr. Chairman. Basically what we \nknow for the monitoring and detection capabilities within the \nHealthCare.gov infrastructure is as of November 17th, they had \nnot stood up a security operation center or had the \ncapabilities to even detect an actual attack. So it also stated \nthat they detected 32 attacks overall. 
However, if you have no \nmonitoring detection capabilities, period, how are you \ndetecting all the different attacks that are happening? So I \nwould say that the statement is accurate because they don\'t \nnecessarily know the actual attacks that are occurring in \nthere.\n    In addition, I would like to also mention that the Chief \nInformation Security Officer from HHS, Kevin Charest, also said \nthat, ``I would say that the HealthCare.gov website did not \nfollow best practices.\'\' So as a testament to Mr. Krush\'s \ntestimony, the 800-53 and best practices were not followed and \ndid not meet best practices when it was implemented.\n    Chairman Smith. And Mr. Gregg----\n    Mr. Krush. Let me talk to----\n    Chairman Smith. I am sorry, Mr. Krush. You can get time \nfrom someone else. I would like to ask a question to Mr. Gregg.\n    Do you agree generally with the assessment by Mr. Kennedy \nthat they don\'t have the capability? And furthermore, let me \nsay that you did have Administration officials say in November \nthat there was 16, I think, security breaches or incidents and \nthen 32 in December. Are those figures plausible, and where do \nthey get them?\n    Mr. Gregg. Well, they are potentially plausible if they \neither weren\'t monitoring or they didn\'t pick up the attacks. \nFor most of the sites we look at, and companies we work with, \nwe see anywhere from hundreds potentially, a thousand or more \nhits a day. Now, a lot of that stuff is scripted but for a \nnumber to be that low, I would either think, one, they are not \ndetecting it, or two, their detection capability is not \ncorrect.\n    Chairman Smith. Okay. Thank you, Mr. Gregg.\n    Dr. Ponemon, do the security standards, protections and \nbreach notification standards for Obamacare even meet the \nminimal standards put in place for the private sector?\n    Dr. Ponemon. I think the private sector for the most part \nhas--and it does vary quite a bit. 
There are industry \nstandards, for example, that actually are much higher than the \nstandards we see in the government. But NIST, for example, and \nthe need to comply with certain standards, for example, around \ncloud computing and FedRAMP, and there are standards that \nexist that are actually fairly reasonable. For the most part, \nthough, I think if you are looking for best practices, you \nprobably would be looking at industry versus the government.\n    Chairman Smith. Thank you, Dr. Ponemon.\n    Mr. Kennedy, another question for you. Is Mr. Krush right \nin what he said in his oral testimony that passive \nreconnaissance of HealthCare.gov is not sufficient to raise \nconcerns about the website\'s security?\n    Mr. Kennedy. Thank you, Mr. Chairman. I would like to \naddress that direct on, which would be, passive reconnaissance, \nyou have the ability to enumerate exposures and \nvulnerabilities. Any security researcher or tester that has \nbeen in the industry for a number of years, especially in the \ntechnical side, will be able to corroborate that. In fact, all \nseven of the security researchers also said the same exact \nthing, that the website itself is vulnerable. This isn\'t \nspeculation. These are actual exposures that are on the website \ntoday that could lead to personal information being exposed as \nwell as other critical flaws of actually attacking individual \npeople just by visiting the website.\n    To answer your question, by doing passive reconnaissance, \nyou can absolutely identify exposures. There are absolutely \ntechniques out there without actually attacking the site for \ndoing it, and I would question that the other seven security \nresearchers that also testified that looked at the same type of \nresearch, came to the same exact conclusion as myself.\n    Chairman Smith. Okay. Thank you, Mr. Kennedy.\n    Mr. Krush, I do have a question for you. Apparently you \nhave contracts with a company that does work for CMS. 
Is that \naccurate?\n    Mr. Krush. That is accurate.\n    Chairman Smith. And what is the amount of those contracts, \nboth past and present?\n    Mr. Krush. I actually don\'t know that off the top of my \nhead but I have----\n    Chairman Smith. Okay. I think----\n    Mr. Krush. --tens of millions of dollars of contracts in \nthe federal government right now.\n    Chairman Smith. All right. Okay. So you have tens of \nmillions of dollars of business with CMS directly or \nindirectly?\n    Mr. Krush. Not CMS.\n    Chairman Smith. With a company that does work for CMS?\n    Mr. Krush. No, that--those amounts are very high. I am \ntalking across the government. I am not--I just don\'t know \nspecifically with CMS. That is why I can actually talk from a \ntechnical perspective and not speculate on some of the----\n    Chairman Smith. With CMS, according to your Truth in \nTestimony that you filed, I think it is $1.5 million that you \ndo have in those contracts.\n    Mr. Krush. Okay. That sounds good.\n    Chairman Smith. If you will take my word for it?\n    Mr. Krush. Yes.\n    Chairman Smith. In that case, isn\'t it natural that we \nmight suspect that your testimony is a result of your being \npaid by--directly or indirectly by CMS and here you are not \ngoing to actually testify against them if you have $1.5 million \nworth of contracts with them? Isn\'t that a reasonable \nassumption?\n    Mr. Krush. Well, Chairman Smith, actually as it relates to \nCMS, if you look at the GAO docket, I actually have been \nprotesting with them. You know, on the contracting side, me and \nCMS are not necessarily best of friends. I am here to talk \nabout the cyber security in what----\n    Chairman Smith. I know what you would rather be talking \nabout but it still seems to me $1.5 million in contracts does \nperhaps influence your testimony. That is all I have to say on \nthat. My time is up, and the gentlewoman from Texas is \nrecognized for her questions.\n    Ms. Johnson. 
Thank you very much. Very interesting hearing.\n    Mr. Krush, you were cut off earlier when you were going to \nmake a comment on Mr. Kennedy\'s testimony. Would you like to \nmake that now?\n    Mr. Krush. I actually have a few here, so just across the \nboard. Earlier Mr. Gregg talked to the fact that, you know, the \nHealthCare.gov didn\'t implement what we call FIPS 199 and FIPS \n200. Just to clarify what that is for everyone here, FIPS 199 \nis Federal Information Processing Standard 199. It requires you \nto categorize an information system in accordance with the \nconfidentiality, integrity and availability of an information \nsystem. We know that that was completed because there was a \nletter from Ms. Tavenner out as part of the authorization \nprocess that 200 is the baseline controls for all federal \ninformation systems. We also know that that was completed \nbecause they had an ATO letter that specified some of the \nvulnerabilities and what the actual process dealing with the \nhealthcare.gov was. So I just wanted to talk to that point.\n    And, you know, talking about also waiting, from Target\'s \nperspective, waiting until, you know, a certain time to act. I \ndon\'t think any of us here have also worked on the Target.com \nwebsite or the backend database, and I would tell you that a \nlot of the advanced attackers, you know, unless you have done \nthe forensic sampling and you have actually picked up the \ncrumbs, you don\'t know when they actually attacked, and I think \nthat that is under investigation right now.\n    HealthCare.gov, Mr. Kennedy brought up the point that there \nwas no security operation centers. Some of those one point \nwhatever million dollars that have been allocated to my company \nwas actually related to those early on. There is actually two \nsecurity operation centers within HHS you might want to know. 
\nThey have a centralized one which does monitoring of the entire \nenterprise, and on top of that, CMS has its own security \noperation center, and I can tell you from a technology \nperspective, some of the technologies they have implemented is, \nyou know, top notch. It is what you would expect in a top-tier \nsecurity operations in the U.S. federal government.\n    Ms. Johnson. Thank you. According to Mr. Gregg\'s testimony \nthat this site is a major target, but the attacks won\'t be \naccurate or of interest or of value until after March, what do \nyou anticipate that March will bring?\n    Mr. Krush. Nothing. You know, the truth is, when it comes \nto March, if an attacker wants something off the site, they are \ngoing to continuously do whatever they can to gain access. I \nthink one of the things that was also said is that, you know, \nthere is a certain number of incidents, and those numbers do \nsound low, but once again, everybody here, none of us have \nworked in the security operations center, which does exist \nwithin CMS, and so we don\'t necessarily know what the \nescalation requirements are. So, for example, most government \nwebsites literally are enumerated passively, meaning--and this \nis still considered an incident via DHS. If you go through and \nyou do scans on a website, meaning that you are looking for \nopen protocols and services, that is considered an incident. \nNow, does every organization report those? No, because you \nwould have hundreds of thousands of reports a day.\n    However, some of the--I got a call last night from actually \na news reporter and they called me up to talk about Mr. \nKennedy\'s, you know, analysis he had done on the website, and I \njust want to be clear that, you know, if he and his security \nresearchers actually did go to a dot gov, they did passively \nenumerate and actually pulled data in an unauthorized manner, \nthen that is a very significant issue. 
I went to the course while I was in the military for the FBI, and I can tell you that that is of grave--it is great concern to us when anybody goes out to a federal government website without permission and is actually passively enumerating then executing something to pull data off that website.
    Ms. Johnson. Thank you very much.
    Dr. Ponemon, you indicated that your mother had this incident happen with her identity. What about that stolen information affected her healthcare?
    Dr. Ponemon. You know, in the case of my mom, she would fall into the category of an identity--she is an identity theft victim but not a medical identity theft victim because really, her medical records were not exposed, and so that would be a different crime, and thank goodness she is a medical identity theft victim because that is bad news. It is really hard.
    Ms. Johnson. Thank you.
    Dr. Ponemon. Thank you.
    Ms. Johnson. My time is expired but I hope someone will ask the value of someone having hacked the HealthCare.gov.
    Chairman Smith. Thank you, Ms. Johnson.
    Mr. Hall has said that because Mr. Broun has a time commitment that is almost immediate, he is going to allow Mr. Broun to go ahead of him in the questioning, so Mr. Broun is recognized.
    Mr. Broun. Thank you, Mr. Chairman, and thank you, Mr. Hall, for giving me this opportunity.
    It has come to the Oversight Subcommittee of this Committee's attention that there is or at least was an Affordable Care Act Information Technology Exchanges Steering Committee chaired by senior White House officials, established back in May 2012, almost a year and a half before the rollout of HealthCare.gov. The White House steering committee's charter explicitly directed the formulation of working groups, including one on security. It also turns out that a chairman of this Obamacare website steering committee is the U.S.
Chief Technology Officer in the White House Science Office, who also happens to be the immediate past CTO of the Department of Health and Human Services.
    Upon learning this, I, as Chairman of the Oversight Subcommittee, along with the full Committee Chairman, Mr. Smith, and Research and Technology Subcommittee Chairman, Dr. Bucshon, sent a letter to the White House requesting that Mr. Todd Park, the U.S. CTO and HealthCare.gov's steering committee chairman, make himself available to the Committee to answer questions regarding the security issues with HealthCare.gov by January 10th, last Friday.
    The White House has ignored that letter and the Committee's request until just yesterday when it provided a last-minute response that rebuffed this Committee--let me repeat: rebuffed this Committee. And that letter did not come from the Senate-confirmed President's Science Advisor, to whom the letter was addressed, but from the politically appointed OSTP Legislative Affairs Director.
    My question for the panel simply is this: don't the American people deserve answers from those who are in charge of overseeing implementation of the Obamacare website's security protocol? After all, Mr. Park is an Assistant to the President. As the Chief Technology Officer of the United States and the chair of HealthCare.gov's steering committee, wouldn't Mr. Park, or shouldn't he, know and be involved in the security details of the website? Starting with Mr. Kennedy.
    Mr. Kennedy. Thank you, sir. When we look at a website and its security, there are multiple people that need to be involved to understand the progress of it. I would agree with your assessment that there should be some involvement in that case.
    In addition, I also would like to clarify that a lot of information that we are getting around these security exposures has actually been vast.
The Chief Information Security Officer from HHS saying it didn't follow best practices. You have a number of other individuals saying the security operations center hadn't been started yet. You have the HealthCare.gov infrastructure, which is completely independent and was started completely independent of HHS being part of that. So this is a mismanaged issue. I don't understand how we are still discussing whether or not the website is insecure or not. It is. There is no question about that.
    Mr. Broun. It is insecure?
    Mr. Kennedy. It is insecure, absolutely 100 percent. There is no questioning that. People from HHS have said that. You know, it is not a question of whether or not it is insecure. It is what we need to do to fix it.
    And just to point to Mr. Krush's point, he also said to Reuters, which is the article that he also mentioned earlier, Krush said he has not reviewed Kennedy's findings or done any work on HealthCare.gov's site itself. So, you know, this is all purely speculation. It is a bunch of hogwash, and personally, it seemed to be politically biased, unfortunately.
    Mr. Broun. Thank you, Mr. Kennedy. I appreciate your long answer but this is actually a yes or no answer.
    Mr. Krush, do the American people deserve to know?
    Mr. Krush. Yes.
    Mr. Broun. Okay. Mr. Gregg?
    Mr. Gregg. Yes, they do. However, I would like to add, I understand the NIST process and others quite well. I co-authored a book on it, also developed a course for Villanova University on certification and accreditation. Finally, his statement ends to a scan. A scan is not passive. A scan is active. But yes, they do deserve an answer on this.
    Mr. Broun. Doctor?
    Dr. Ponemon. Ditto, yes.
    Mr. Broun. And I agree, the answer is yes. I am very disappointed with the Administration. We have asked for information.
The American people deserve to have that information, and I will do everything that we can to try to get Mr. Park to give us that information or the Administration.
    Mr. Chairman, my time has run out so I yield back.
    Chairman Smith. Okay. Thank you, Dr. Broun. The gentlewoman from Maryland, Ms. Edwards, is recognized for her questions.
    Ms. Edwards. Thank you, Mr. Chairman, and thank you to our witnesses today.
    Just very quickly, Mr. Kennedy, do you have any federal contracts for security? Any?
    Mr. Kennedy. As of right now, no.
    Ms. Edwards. Have you had?
    Mr. Kennedy. Yes, I have.
    Ms. Edwards. And what were they?
    Mr. Kennedy. Working for the federal government?
    Ms. Edwards. Yes, federal security contracts.
    Mr. Kennedy. Yes.
    Ms. Edwards. What were they?
    Mr. Kennedy. I would be happy to disclose those.
    Ms. Edwards. I would appreciate it in writing, if you would.
    Mr. Kennedy. Sure.
    Ms. Edwards. If you would tell us the federal contracts that you have had in dealing with information security in the areas that you claim to be an expert in.
    Mr. Kennedy. I would be happy to write that.
    Ms. Edwards. And Mr. Krush, I just want to ask you really briefly if you could tell us security standards, compare those that are used for the federal government as to the private sector. You have alluded to that a bit, if you could just very quickly?
    Mr. Krush. Sure. So one thing to understand, and just to go back to Mr.
Gregg, you know, I have also co-authored a book on, we have taken over 10,000 pages of information from the National Institute of Standards and Technology, the Department of Defense instructions, the intelligence community directives and also, you know, some of the SAP programs and consolidated that, and that book is actually used in places such as Syracuse University to teach people that actually want to understand this very rigorous federal process. I am also co-author of NIST Special Publication 800-53 alpha. That is the process where we actually do the assessments per se. So----
    Ms. Edwards. I trust your expertise. I just want to know the rigor of the standards for the federal government compared to the private sector.
    Mr. Krush. Sure. So that is a great question, Ms. Edwards. One of the things to understand is that NIST Special Publication 800-53 starting at revision 2, and we are now up to revision 4, integrated all of the commercial standards. At rev 3, so meaning, you know, the most ISO, Carnegie Mellon, a lot of these organizations that had kind of best practices out there, they were integrated into that revision. By revision 4, we have actually integrated the Department of Defense standards, the intelligence community standards, also a lot of standards that are kind of outside the realms, they are threat-based. As you will find, most auditing organizations don't look for those.
    Ms. Edwards. So are the----
    Mr. Krush. There is definitely rigor compared from a commercial organization to what you will get in the government, and I have worked on both sides. Fifty percent of my contracts are with Fortune 50 and 100 companies, so I can tell you the depth and rigor that you implement on a federal information system, as it should be, is just much more intense than what you see in the commercial markets.
    Ms. Edwards.
And is HealthCare.gov, is the rigor attached to HealthCare.gov any different from any of these other federal systems that you have indicated?
    Mr. Krush. No, this process is the same across the U.S. government.
    Ms. Edwards. Thank you. So I wonder if the standards that you described are above--and I think you said this--are above those that you would find in the commercial sector?
    Mr. Krush. I would say yes.
    Ms. Edwards. Thank you.
    Mr. Gregg, you mentioned some information or speculation about medical records vis-a-vis HealthCare.gov. Are you aware of any medical record that is maintained on HealthCare.gov?
    Mr. Gregg. No, the information is simply passed through.
    Ms. Edwards. Exactly. Is there any medical record, personal medical record, contained on HealthCare.gov?
    Mr. Gregg. No.
    Ms. Edwards. Thank you.
    And then Dr. Ponemon, just out of curiosity, you talked about your mother's experience, which just sounds really horrible, but she didn't experience identity theft through HealthCare.gov. Isn't that correct?
    Dr. Ponemon. Absolutely not.
    Ms. Edwards. Right. Thank you.
    And I just wonder, Mr. Krush, if you could help me, if you will. Of the experience that you have had in developing and working on federal information systems, is it your conclusion that you would feel safe in putting your personal information through HealthCare.gov?
    Mr. Krush. Ms. Edwards, I actually put that in my testimony. I would put my personal information on HealthCare.gov. I said this more than once, and you know, I continue to stand by that.
    Ms. Edwards. Thank you.
    And Mr. Kennedy, lastly, I want to go back to your federal work I mean that I can find disclosed.
I know that you got a small business loan from the Small Business Administration for "businesses that do not qualify for credit in the open market." Again, what is the other federal security work that you have done?
    Mr. Kennedy. I would be happy to disclose that in written testimony.
    Ms. Edwards. Can you just give me an example right here on the record?
    Mr. Kennedy. I would need to get permission from my customer. I work on non-disclosure agreements and confidentiality of information.
    Ms. Edwards. Okay. What I would like to do, I will write you a letter. Your financial disclosure that you have submitted in this record requires that. Did you put that in your financial disclosure?
    Mr. Kennedy. No. No, I--listen to me. My experience----
    Ms. Edwards. Did you----
    Mr. Kennedy. The question you asked me was, did I have federal experience in the----
    Ms. Edwards. It is my time, Mr. Kennedy.
    Mr. Kennedy. Yes, ma'am.
    Ms. Edwards. Did you put that financial disclosure information in the record as required by our Committee?
    Mr. Kennedy. I am not required to put that in there.
    Ms. Edwards. Thank you very much.
    Mr. Kennedy. Thank you. It is not on behalf of TrustedSEC. Thank you.
    Chairman Smith. Thank you, Ms. Edwards. The gentleman from Texas, Mr. Neugebauer, is recognized for his question.
    Mr. Neugebauer. Thank you, Mr. Chairman.
    So, Mr. Gregg, I ask you this question: could a security breach of HealthCare.gov result in people's medical files being accessed?
    Mr. Gregg. Yes, sir, it could. The information could be accessed, and then the real damage would come afterwards, how that information could be used. It could be used potentially to gain information of financial data. It could be used for identity theft. It could be misused many different ways. And that damage, as Mr.
Kennedy alluded to earlier, is not just something as simple as replacing a credit card. This can be long-term. It can be very damaging to an individual.
    Mr. Neugebauer. Now, there was a recent GAO report that documented that there was a 111 percent increase in federal agency data breaches in the past three years. Specifically, the GAO report noted that there were 22,156 incidents revealing sensitive personal information since 2012, up from 10,000 in 2009. Interestingly enough, the Centers for Medicare and Medicaid Services, the HealthCare.gov operator, had the second-most breaches in the report for Fiscal Year 2012. Mr. Krush said that the hackers are going where the money is and not necessarily interested in these government sites, but yet we see a substantial increase in the number of incidents that are happening. Mr. Kennedy, do you agree with Mr. Krush that people really aren't interested in these government sites or what is your opinion on that?
    Mr. Kennedy. Thank you, sir. I do not agree with Mr. Krush's testimony there. I believe that the hackers move where the money is and there is a lot of money to still be made in the personal information side as well as other government agencies that look to do demise to us, especially on our information technology-related issues. Having direct access into DHS, IRS is a treasure trove for additional attackers out there. There is a lot of money for the organized crime, there is a lot of money for what we call state-sponsored attacks, so I would not agree with his assessment. There is plenty of money to be made in the government space and there are breaches happening all the time there.
    Mr. Neugebauer. If I go to a government site and I am a hacker, what are the treasures out there that I am going to glean that are going to help me do whatever bad thing I have in mind?
    Mr. Kennedy. Sure. I think that is in the question.
It depends purely on the motivation of the attacker. So you have really three criteria of the attackers. You have your average black hat that may be politically motivated to prove a specific point or street credibility. You have your organized crime, which is specifically looking for monetary value or persistent access into organizations. There is also a huge black market right now that surpassed the credit card industry for what we call carders. Selling compromised infrastructures and organizations is a huge market right now. If I can say, hey, I compromised Government X or HealthCare.gov, I can sell that to an attacker for thousands of dollars to make a big buck off of it.
    Additionally--so you have that portion of it, the identity theft, the fraud, other areas there. Then you have the state-sponsored element, which is other government entities attacking infrastructure in order to infiltrate, gain access and intelligence on us, and that is a huge business right now. We see it obviously happening off of different, multiple other government entities, as well as Eastern European countries.
    Mr. Neugebauer. Would you feel comfortable putting your personal information in HealthCare.gov?
    Mr. Kennedy. Absolutely not.
    Mr. Neugebauer. Yes. Mr. Gregg?
    Mr. Gregg. No, sir, I would not.
    Mr. Neugebauer. Dr. Ponemon, would you?
    Dr. Ponemon. I am not sure.
    Mr. Neugebauer. You know, I want to go back to you, Dr. Ponemon. One of the things that, you know, you talked about was that you wanted to talk about the consequences of stolen identity.
    Dr. Ponemon. Sure.
    Mr. Neugebauer. Yes. So one of the things I think might be helpful is people that are forced to go to access their healthcare through government--HealthCare.gov, what would you advise them to do? You know, they are going to have to access that.
As they are filling out that information, are there some preventative things that they can do that would minimize some of the potential consequences if the system is breached?
    Dr. Ponemon. Well, obviously, if the site is secure, that is a good step, right, but as an individual, whether we are doing it on HealthCare.gov or whether it is a website like Amazon.com, we need to be smart. We need to understand that our data could be at risk. The bad guys are really smart. For example, we should not be using the same password over and over again. Our computer should have the most current version of antivirus or anti-malware technology. These commonsensical approaches do make a difference and that should be across the board.
    But again, if you have data that is extremely sensitive and confidential, then basically your guard, your level of concern should go up. And a lot of people don't think about these issues well enough or they don't think that they will become a victim. But as we know, with 110 million records here and 90 million records there, everyone, every single person in this room is a victim of some data loss and probably at least had one data breach notification in the last five years. So it is a big problem.
    Mr. Neugebauer. Thank you, Mr. Chairman. I yield back.
    Chairman Smith. Thank you, Mr. Neugebauer.
    The gentlewoman from Oregon, Ms. Bonamici, is recognized for her questions.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank you to our witnesses for being here today.
    This hearing is ostensibly about HealthCare.gov but I just want to make a big picture comment that the Affordable Care Act is certainly about more than a website; it is about an issue of great importance, which is about the availability of healthcare to all Americans.
    Now, when I saw the title of this hearing, I was pretty interested. I actually have a background in consumer protection.
I used to work at the Federal Trade Commission, have worked on identity theft issues. I was a little baffled frankly about why we are doing this in the context of HealthCare.gov and in the Science Committee.
    That being said, we all acknowledge that there have been some serious technological problems rolling out the Affordable Care Act, but I am really concerned that some people listening, our constituents, might really be concerned that there are risks involved in enrolling through the website that aren't really there. So I want to clarify a couple of things.
    First of all, I want to make it clear to our constituents that identity theft is already a federal crime, that if someone knowingly commits identity theft, that is a federal crime. If they do it--aggravated identity theft, there are enhanced penalties. So I want to make clear that if there is identity theft, that is already against the law. The Department of Justice prosecutes that. The Federal Trade Commission has several laws dealing with it. So identity theft is an issue we should be concerned about but I am baffled about why we are talking about it in the terms of HealthCare.gov.
    So, Mr. Krush, I want to ask you a couple of questions. First, I want to acknowledge and thank you for your service to this country. I understand, Dr. Ponemon, you are a veteran as well. Thank you for your service.
    Mr. Krush, you talked about how some people are suggesting that HealthCare.gov is a major target for hackers. Based on your background, your military and cyber security background, could you discuss the range of hackers and their different motives and talk about where HealthCare.gov is on the scale of high payoff targets. And you mentioned this in your testimony, but will you talk about that range just a bit, please.
    Mr. Krush. Yes.
Actually, it is very interesting in that, you know, we are here on the Committee of Science, Space, and Technology, and I will tell you something from a high payoff target perspective, especially when you are dealing with advanced attackers, the more a nation--nation-sponsored attackers and those even on the criminal organizations, they are after some very specific targets. And, you know, I am not going to go into those but I will tell you from a government perspective in all reality if you are looking at the .mil and the .gov kind of domains, you know, HealthCare.gov is not really a huge high payoff target.
    Space systems, technology related to weapons systems, intellectual property stores, information related to clearances, information related to quite possibly not only personal information on a person that may be weaknesses such as relationship issues where they can be played on or through blackmail. There is--websites that include information on criminals that are actually part of the court systems, literally we keep all of this information online now. As you can imagine from an attacker's perspective, you could literally, you know, not delete the paper but there are ways that you can get into a system and change an outcome of quite possibly, you know, cases or what actually you have done in the past. So there are lots of high-profile targets.
    Ms. Bonamici. Thank you. Thank you so much. I want to follow up a little bit. It is my understanding that we have already established that there aren't medical records on HealthCare.gov, and Mr. Gregg confirmed that in response to Representative Edwards' question. Do you agree with that, there are no medical records on HealthCare.gov?
    Mr. Krush. Correct. Those would be at the providers.
    Ms. Bonamici.
And would you agree that there is more personal information in a federal tax return than there is in a HealthCare.gov insurance application?
    Mr. Krush. I agree.
    Ms. Bonamici. Mr. Kennedy, do you agree with that?
    Mr. Kennedy. I do agree.
    Ms. Bonamici. Mr. Gregg?
    Mr. Gregg. I do agree.
    Ms. Bonamici. Dr. Ponemon?
    Dr. Ponemon. I agree.
    Ms. Bonamici. Terrific. Okay. So about 80 percent of the people in this country file their tax returns online. Mr. Krush, do you file your tax returns online?
    Mr. Krush. I do.
    Ms. Bonamici. Mr. Gregg, do you file your tax returns online?
    Mr. Gregg. No.
    Ms. Bonamici. Dr. Ponemon, do you file your tax returns online?
    Dr. Ponemon. I am old-fashioned. No.
    Ms. Bonamici. Mr. Kennedy?
    Mr. Kennedy. I am old-fashioned as well.
    Ms. Bonamici. So when you understand that about 80 percent of the people in this country file their tax returns online, we are talking about security with HealthCare.gov when there is more personal information on a federal tax return. I just want to highlight that, that we are talking about security with HealthCare.gov when the majority of people file their tax returns online.
    All of you call for third-party--third parties to conduct security testing, and the MITRE Corporation, Blue Canopy, and Frontier Security have all been doing that for months. In your opinion, are those companies competent to do the work, yes or no? Dr.--or Mr. Krush?
    Mr. Krush. Yes.
    Ms. Bonamici. Mr. Kennedy?
    Mr. Kennedy. Yes.
    Ms. Bonamici. Mr. Gregg?
    Mr. Gregg. Yes.
    Ms. Bonamici. Dr. Ponemon?
    Dr. Ponemon. I only have knowledge of MITRE and the answer is yes.
    Ms. Bonamici. Thank you. Mr. Krush, to be clear, there have been no cases of a person's identity being stolen through HealthCare.gov at this point, is that correct?
    Mr. Krush. That is correct.
    Ms. Bonamici. Okay.
I just want to clear that up because the title of the hearing suggests that one of the consequences of signing up through HealthCare.gov is going to be identity theft. So I wanted to clarify that.
    So I--my time is expired. Thank you, Mr. Chairman. I yield.
    Chairman Smith. Thank you, Ms. Bonamici.
    The gentleman from Texas, the Chairman Emeritus Mr. Hall, is recognized for questions.
    Mr. Hall. Thank you, Mr. Chairman, and thank you for the hearing and the witnesses. I like old-fashioned people. I don't know why. But I will ask my fellow Texan there, Mr. Gregg. There has been talk about March the 31st, and I think you mentioned that since the deadline for open enrollment is not until March the 31st, wouldn't hackers be kind of foolish to exploit the website now because they potentially would have the opportunity to retrieve a heck of a lot more information after that date?
    Mr. Gregg. Well----
    Mr. Hall. Do they think like that or is that too----
    Mr. Gregg. No, sir. They do in many ways look for the big payoff, and as was mentioned earlier, cybercrime can be broken down into two areas. One is the individuals looking for military, looking for that type of information, but a big other portion of it today is monetarily driven. We see a lot of that out of places like Eastern Europe. We see it out of places like Russia. And those individuals are looking for personal information. They are looking for things that they can make a financial payoff from. And to wait until the time was right would very much be to their advantage. While it is true information is not held on HealthCare.gov, information is passed through that site that they could potentially manipulate or take advantage of.
    Mr. Hall. Thank you.
And I have heard of a lot of problems, but given the problems of the website to date, would you say it is highly likely that there will be breaches to the healthcare website?
    Mr. Gregg. Yes, sir. I do believe it is very possible or it is probable at this current state of the site that that could happen.
    Mr. Hall. And once one has occurred, how quickly can experts find out about the breach?
    Mr. Gregg. That all depends. We have seen in previous cases with things like Gh0st RAT, GhostNet Trojan. We have seen in cases like with Google and Aurora and others, in some instances those organizations didn't know until weeks or months later.
    Mr. Hall. How quickly should the American people be notified in the event of a breach?
    Mr. Gregg. Immediately.
    Mr. Hall. Within hours, days, weeks, or just right now?
    Mr. Gregg. Right now.
    Mr. Hall. That is pretty clear. Once a breach has occurred and people have been notified, what actions should people take?
    Mr. Gregg. Immediately start to do things like Dr. Ponemon mentioned as far as change passwords, change IDs, especially notify and talk to your credit card companies----
    Mr. Hall. Now is----
    Mr. Gregg. --look at your credit card statements, also check your credit rating and look at the credit rating organizations because many times, just like a period of about a week ago I got an email from Amazon that someone tried to open up an account under my name and I immediately called my credit card provider and found out someone had charged about $5,000 worth of merchandise under my name because someone had stolen my credit card. So you immediately need to take action for that stuff to put a stop to it if the credit card company doesn't catch it.
    Mr. Hall. This is not like Target where you can check with your bank or your credit card company for even suspicious activity or something you think might be happening and that----
    Mr.
Gregg. That----
    Mr. Hall. I think that is what you are telling me.
    Mr. Gregg. Yes, sir, that is correct.
    Mr. Hall. And how do you find out if--how did you find out if your Social Security number--is that the way they got to you?
    Mr. Gregg. No, sir, they got a credit card number from me.
    Mr. Hall. Credit card?
    Mr. Gregg. Yes, credit card.
    Mr. Hall. And if medical information had been compromised, what would you do about it?
    Mr. Gregg. It would be very tough. With medical information or someone has intentionally obtained medical services under your name, you may not find out until you actually get the bill, or if they have sent that to another address, you may not find out until you maybe get denied for a job because they said you had a preexisting condition they didn't know of.
    Mr. Hall. Well, just briefly, what are the steps involved in repairing a breach?
    Mr. Gregg. It is very tough.
    Mr. Hall. And should a website be shut down while these remedies are being considered?
    Mr. Gregg. I would say yes, it should, and I mean it is very tough because, first, you have to contest those charges. And if it is related to medical, as soon as you contest it under HIPAA and other laws, then you have no access to the records or information because it is not your information anymore. So it can be very difficult.
    Mr. Hall. Well, my time is almost gone. I believe that all of you would agree that while no website can be 100 percent safe, every precaution needs to be taken to ensure the security of the site.
    Now, Mr. Chairman, there are far too many questions surrounding the launch of the healthcare website, and until these are resolved, the security of Americans' personal information is going to remain at risk. That is your understanding. Is that why we are having this hearing?
    Chairman Smith. That is exactly correct, Mr. Chairman.
    Mr. Hall.
And I thank you for the work on this issue and I thank each of you. And thank you, Mr. Chairman, for a good hearing.
    Chairman Smith. Thank you, Mr. Hall. Would you yield me the balance of your time?
    Mr. Hall. I yield my balance of my time today, tomorrow, or next week or any time.
    Chairman Smith. Mr. Kennedy, I would like for you to reemphasize the point you made in response to my initial question about why the government doesn't even know whether it has been hacked or not--that is HealthCare.gov. Why the government really can't say or state credibly that there had been no successful security attacks.
    Mr. Kennedy. Yes, sir. So if you look at the HealthCare.gov infrastructure, it was built independently of HHS, including the Security Operations Center piece. There is contractual language on that. There is testimony from the Congress that also states that as well. So the Security Operations Center, as of November 17, had not been built or implemented, which means that they didn't have the security monitoring or detection capabilities to detect the attacks that are being mentioned here today. So to reemphasize, they don't know.
    Chairman Smith. And they don't know. That is why they can say there hasn't been any. They are not in a position to know one way or the other.
    Mr. Kennedy. That is correct.
    Chairman Smith. Okay. Thank you, Mr. Kennedy.
    Mr. Kennedy. Yes, sir.
    Chairman Smith. The gentleman from California, Mr. Takano, is recognized for his questions.
    Mr. Takano. Thank you, Mr. Chairman.
    Mr. Krush, would you like to respond to that?
    Mr. Krush. Sure, I would love to. Actually, we have been talking about all of these supposed breaches that have been going on related to HealthCare.gov. If they couldn't monitor those, how in the world do you have a number?
The number would \nbe zero if there was no capability to actually look at what \nkind of attacks are coming through the ether.\n    Mr. Takano. Okay. Thank you very much.\n    Mr. Gregg, I would like to focus on a couple of areas of \nyour testimony. First, you argue that the site HealthCare.gov \nreally needs a third party working to probe the system for \nweaknesses; and second, you assert that medical records are at \nrisk on HealthCare.gov and you list the kind of damage that can \nbe done with stolen medical records. And you stated previously \nin a post--Huffington Post post that ``however, the United \nStates has some of the very best minds in the world when it \ncomes to cyber security and there is no doubt that \nHealthCare.gov can be fixed if the right people are given the \nchance to test it.\'\' Do you still feel that way?\n    Mr. Gregg. Yes, sir. That is one of the reasons why I am \nhere today----\n    Mr. Takano. Okay.\n    Mr. Gregg. --is because I believe with independent third-\nparty assessment and the right assessment done, we can get to \nthe bottom of this.\n    Mr. Takano. Okay. Well, thank you. I just want to know, were \nyou aware prior to your testimony today that MITRE, Blue \nCanopy, and Frontier Security were all working on third-party \nverification?\n    Mr. Gregg. MITRE, yes; the others, no.\n    Mr. Takano. Okay. You were aware that MITRE was aware, so I \ndon\'t understand how, you know, in your testimony you still \nassert that third-party work needs to be done but you had \nknowledge that a third-party audit was actually being conducted \nby MITRE?\n    Mr. Gregg. Yes. One, the article was written before that. \nIt was written before that time. And two, I do not know if \nMITRE has finished their research or not or what the findings \nof those are.\n    Mr. Takano. Okay. 
But you did raise this question as if \nthird-party verification--I was led to the impression that \nthird-party verification wasn\'t being done, but in fact, you \nhad knowledge it was being done?\n    Mr. Gregg. Not at the time of the article.\n    Mr. Takano. Okay. But in your testimony you lead us to \nbelieve that you raise it as a concern but it has----\n    Mr. Gregg. You quoted the article and you quoted a \nstatement directly from the article that I said that needed to \nbe done. At that time nothing had been done.\n    Mr. Takano. But it is not in your----\n    Mr. Gregg. Is that the question?\n    Mr. Takano. The testimony that you submitted for this \nCommittee doesn\'t acknowledge it but yet you are telling me \nhere you had knowledge of it that it was being done.\n    Mr. Gregg. I----\n    Mr. Takano. Your testimony leads us to believe that it was \nnot being done.\n    Mr. Gregg. As of this hearing, I do have knowledge.\n    Mr. Takano. Okay. But your--but you----\n    Mr. Gregg. At the time of the article, no.\n    Mr. Takano. Okay. Okay. Very well. You know, Dr. Ponemon, \nyou talk about the medical records, you know, and identity \ntheft, and a lot of your work has shown that 95 percent of the \npeople who commit these sort of deeds are motivated by Robin \nHood motivations. Would you explain about that a little bit?\n    Dr. Ponemon. It is not 90 percent but it is a large \npercentage. I think it is 29 or 30 percent, but it is still \npretty significant. A Robin Hood crime, as we define it in the \nresearch, is where someone, for example, has a family member or \nfriend who basically has an illness and they are not insured \nand basically they will kind of look the other way if you will \nand allow that person to use their insurance credentials so \nthat when they show up at a hospital or clinic, they are \ngetting better treatment than just right off the street.\n    Mr. Takano. 
Well, common sense would sort of tell me if \nthat is sort of the big motivation, what would motivate someone \nto go and----\n    Dr. Ponemon. Sure.\n    Mr. Takano. --try to steal someone\'s identity, that \nexpanding healthcare coverage, providing quality coverage for \nmore and more people would reduce this--the likelihood of this \nsort of crime.\n    Dr. Ponemon. You have to understand I will be biased in \nthat because I think we all deserve good healthcare. So if \nbasically you had good healthcare, the value of a credential \nwould be meaningless, right, because we all have that \ncredential. So there is no value if you will in stealing \nsomeone\'s credential because everyone is going to have a \ncredential that will give them reasonable healthcare.\n    Mr. Takano. So actually, if we made this healthcare \nwebsite--you know, if it was very successful and more and more \npeople got enrolled, the actual--we would reduce the risk of \nthe misuse of medical records?\n    Dr. Ponemon. It could work one way or another. It is really \nhard to determine that. In theory, you are right. I mean you \ncould basically say that 29 or 30 percent, the Robin Hood \nportion of the crime, the medical identity theft might actually \nbe nonexistent.\n    Mr. Takano. So we would remove--we could possibly remove a \nhuge motive for people to try to hack into this system if they \nwere trying.\n    Dr. Ponemon. Well, yes, but remember, the value of a \nmedical record is more than just getting the insurance. You \nsee, that is only a very small part of it. There is a lot of \ninformation, rich information, and you--we have done studies \nand the Russian Federation, other parts of the world, and if \nyou had a look at the most valuable piece of information right \nnow on an individual basis, it would be a medical record. 
And \nin fact, just yesterday in Fox News, business news, they did an \narticle on the value of different types of information, and \nmedical information in the black market is much, much more \nvaluable than, say, credit or debit card information or \nauthentication data.\n    Mr. Takano. Okay. Well, thank you very much, Dr. Ponemon.\n    Dr. Ponemon. And thank you.\n    Mr. Takano. Thank you.\n    Chairman Smith. Thank you, Mr. Takano.\n    The gentleman from Indiana, Mr. Bucshon, is recognized for \nhis questions.\n    Mr. Bucshon. Well, thank you all for being here. It is a \nfascinating hearing. We had a previous hearing, which was also \nvery fascinating. And we were four for four no one would get on \nthe website last time, but we are three for four this time.\n    In my view, this is about confidence the American people \nhave in their government and whether or not their government is \ndoing everything they can to protect their privacy. It is not \nabout healthcare at all. We could be talking about any other \nwebsite that the federal government has. And we know the GAO \ncame out and reported thousands of breaches across the federal \ngovernment, so to argue that this website is going to be secure \nand that nothing is going to happen I think is a false argument \nbecause it is going to be breached. There is going to be \ninformation stolen.\n    I think from my perspective--I was a medical doctor before. \nI think when you throw in the healthcare part of it, it becomes \nvery personal for people. I understand people out there in my \ndistrict are concerned about the Department of Defense being \nhacked, maybe a few people, but when you start talking about \nthe potential for information that they perceive, whether it is \nreal or whether it is perceived, is personal information. 
I \nthink all of us in hearings like this and across government and \nthe Administration, in both political parties, need to \nrecognize the fact we need to do whatever we can to regain the \nconfidence of the American people that we are protecting their \npersonal information as best we can. Even though I do recognize \nthe website itself doesn\'t have that on there, it does have \nportals that people that are smart can potentially access that.\n    And this is actually one of the biggest problems in \nelectronic medical records, that we have. My medical practice \nestablished an electronic medical record in 2005. I love \nelectronic medical records but there are two issues. There is \nof course security issues and then there is compatibility \nissues about getting medical information across different types \nof electronic medical records.\n    So, I think it is unfortunate that all of you are somewhat \nsubjected to a national discussion about healthcare, and I \nappreciate all of you trying to confine your comments to the \nsecurity aspects and not the larger national debate about how \nwe provide quality affordable healthcare to all our citizens, \nwhich I think is a goal we all have and certainly as a medical \ndoctor I have. So it really doesn\'t matter if HealthCare.gov is \na low-propensity target by some hackers out there. In the minds \nof the American people when you mention their healthcare, this \nis the biggest target in the federal government in their minds. \nWhether that is real or perceived doesn\'t really make a \ndifference.\n    So Mr. Krush, the GAO came out with this report, as you \nknow, in 2012, saying there were 22,156 data breaches, 4,000 at \nCMS alone. And you have a relationship with CMS so you have to \nrecognize that we can\'t make the case that any website is going \nto be secure to try to make a political argument to prove that \nthe way we are managing healthcare is the right way to go. I \nmean that is not the discussion, is it? 
The discussion is how \ndo we protect information? You would have to agree with that, \nwouldn\'t you?\n    Mr. Krush. I absolutely agree with that. I will just say \nthat I agree with that and with the idea that the process that \nwe use, you know, to secure the data on federal information \nsystems is just very rigorous, and that is my complete argument \nhere.\n    Mr. Bucshon. Yes. And I would agree with that. I think when \nit comes to the confidence, I know we have discussed third-\nparty people out there looking at this. And I will be honest \nwith you. I am a Member of Congress and I have no idea whether \nthere is a third-party person out there--and there obviously \nis--looking at this. So our charge is to get that to the \nAmerican people, because if the American people don\'t know--and \nI can tell you as a political person trying to get a message \nacross to 700,000 people is difficult and that is just 700,000 \npeople. We need to do better getting the information out that \nthere are actually people that are in government that are \nlooking at this to preserve people\'s personal records. That is \nmy view. Mr. Kennedy, how do we do that?\n    Mr. Kennedy. Well, I think if you look at the broader \npicture here and not just HealthCare.gov but just in the \nfederal space, end-to-end testing, proactive security measures, \nthings that are definitely outlined as being best-of-breed \nsecurity practices need to be performed. And I am not saying \nthat NIST doesn\'t have those. It is just that they are loosely \nfollowed. And, to comply with FISMA is not necessarily a \nrigorous process.\n    So what I have to say to that is, we have to focus on \nputting security in the very forefront, in the very beginning \nstages of what we hire a contractor or we go after an \norganization, throughout the entire process of that. 
\nHealthCare.gov is a prime example of the failures of being able \nto implement security in a rigorous manner or in a process that \nincludes security throughout the entire life cycle. And if you \ndo that, you have a better product. You have something that \npeople can stand by and say, listen, we are doing our \nreasonable amount of assurance here and we are protecting your \ninformation, not just kind of slapping it together and \nthrowing it out there.\n    Mr. Bucshon. My time has expired. I would like to say let\'s \nall of us work together to regain the confidence of the \nAmerican people. Thank you.\n    Ms. Edwards. Parliamentary inquiry----\n    Chairman Smith. Thank you.\n    Ms. Edwards. --Mr. Chairman.\n    Chairman Smith. Thank you, Dr. Bucshon.\n    I am sorry?\n    Ms. Edwards. Mr. Chairman, I have a parliamentary inquiry.\n    Chairman Smith. The gentlewoman is recognized for her \nparliamentary inquiry.\n    Ms. Edwards. Thank you. Mr. Chairman, isn\'t it true that \nthe Committee and House rules require witnesses to submit \nfactually correct financial disclosure forms?\n    Chairman Smith. There are certain limitations to that, but \nwithin those limitations, I think that is the case and I think \nall of our witnesses have done so today.\n    The gentleman from--\n    Ms. Edwards. Mr. Chairman?\n    Chairman Smith. Yes. The gentlewoman continues to be \nrecognized.\n    Ms. Edwards. Mr. Chairman----\n    Ms. Johnson. Point of order----\n    Ms. Edwards. --I yield to----\n    Ms. Johnson. Point of order, Mr. Chairman.\n    Chairman Smith. The gentlewoman is recognized.\n    Ms. Johnson. I make a point of order that the witness \ntestifying today has not complied with the House Committee\'s \nrules regarding financial disclosure. And under those \ncircumstances, I request that the testimony be stricken from \nthe record. I am very----\n    Chairman Smith. Obviously, I object to that and----\n    Ms. Johnson. I expected that.\n    Chairman Smith. 
--I am afraid that the gentlewoman is not \nthe one to make that determination.\n    Ms. Johnson. I am not finished.\n    Chairman Smith. Well, does the gentlewoman have----\n    Ms. Johnson. I am recognized, Mr. Chairman, and I have----\n    Chairman Smith. Does the gentlewoman have something to say \nthat is pertinent to her inquiry?\n    Ms. Johnson. --not finished my statement. I am very \nconcerned about the testimony we heard from Mr. Kennedy a \nmoment ago. He testified on the record that he did not disclose \ngovernment contracts in his truth-and-testimony form that he \nand his company have received, and our Committee Rules \nrequire----\n    Chairman Smith. He also said he was not----\n    Ms. Johnson. --a witness disclosure----\n    Chairman Smith. --required under the----\n    Ms. Johnson. --requirement to be filed out by each--filled \nout by each witness. On that form Mr. Kennedy answered the \nquestion saying ``not applicable.\'\' This means that he did not \ncomply with the rules of our committee, and as such, I ask that \nhe be removed----\n    Chairman Smith. That is not necessarily----\n    Ms. Johnson. --from--the testimony from the Committee----\n    Chairman Smith. --a legitimate----\n    Ms. Johnson. --until he accurately and fully discloses the \nfederal grants and contracts that the entity he represents have \nreceived on or after October 1, 2011----\n    Chairman Smith. Mr. Kennedy, do you want to respond whether \nyou were required to disclose that or not?\n    Mr. Kennedy. Thank you, sir. The question was have I done \nwork in the federal space prior in the past or currently. The \nanswer to that is on behalf of TrustedSEC, we do not work in \nthe public sector or government, which is what I disclosed in \nthe statement there. 
In addition, I have worked for NASA as \nwell as other federal government agencies in my capacity as a \nChief Security Officer for a Fortune 1000 company, as well as \nmy prior roles as a security consultant for former entities. So \nto answer the question there on what was submitted, I do not do \nwork for the public sector. I am plenty busy in the private \nsector keeping everybody else protected. Thank you.\n    Chairman Smith. Thank you, Mr. Kennedy. I think you have \nanswered the question.\n    And I would like to continue our questions. And the \ngentleman from Massachusetts, Mr. Kennedy, is recognized for \nhis.\n    Mr. Kennedy of Massachusetts. Thank you, Mr. Chairman, and \nthank you to the witnesses for being here today.\n    I want to start out by saying I know--I think Teresa Fryer \nwas mentioned earlier in this hearing, and I know that she is \nactually testifying I think at this moment or just moments ago \nin front of the Committee on Oversight and Government Reform. \nAnd her testimony before was referenced about--some of the--her \nremarks on HealthCare.gov and she just recently said today that \nthe HealthCare.gov website is secure based on a December 18 \nsecurity assessment. She stated that the system exceeds the \nbest practices to ensure security and that the risk mitigation \npolicies are being implemented and executed as planned. As a \nresult, attacks have been successfully prevented. She \nrecommends that a new ATO should be given when the current one \nexpires just to make sure that we are all up to date on the \ncurrent testimony.\n    Now, a couple of, I think, points of clarification: Mr. \nKennedy, I think one of us here supports the ACA, but I will \nleave that up for the gallery to decide. The--now, I noticed at \nthe--I think in your initial testimony and the initial \ntestimony of the witnesses, you were nodding your head when Mr. 
\nKrush said that unless you are actually able to dive into the \ninner workings of the website, which you have made clear that \nyou did not hack into, you did not do anything illegal, but \nthat you would not have any way of knowing in detail what part \nwas vulnerable to attack unless you had done so. Is that \naccurate?\n    Mr. Kennedy. We can\'t tell the inside of HealthCare.gov \nwithout actually testing it. That is 100 percent accurate. What \nwe can see are symptoms of a much larger issue. And if you \nwouldn\'t mind for just--if I can read a--one of the things that \nI submitted from Ed Skoudis just as an example if you are okay \nwith that, sir.\n    Mr. Kennedy of Massachusetts. Yes, go ahead.\n    Mr. Kennedy. Thank you. Mr. Skoudis said, ``I have worked \non dozens of large-scale breach cases over the past 12 years \nlooking at the root cause of vulnerabilities of attacker \nmethods. Reviewing the security issues discovered in \nHealthCare.gov, I can tell you this is a breach waiting to \nhappen. Or given the numerous vulnerabilities, perhaps a breach \nhas already happened. These are exactly\'\'--and he emphasized on \nthat--``the kind of security flaws bad guys exploit on large-\nscale breaches.\'\'\n    Mr. Kennedy of Massachusetts. So, Mr. Kennedy--and I \nappreciate that, but the point is--and I think we have heard it \nactually reiterated a number of times here--is that we don\'t \nknow. You don\'t know. You testified before that HHS doesn\'t \nknow. If HHS doesn\'t know, you don\'t know, so much of this is \nin fact--it is a concern but it is speculative, right?\n    Mr. Kennedy. It is an underlying portion of HealthCare.gov, \nabsolutely, yes.\n    Mr. Kennedy of Massachusetts. Okay. So--now--thank you. \nAnd, Mr. Krush, do you--out of your expertise, can you just \ngive me off the top of your head what you believe to be the \nbiggest data breaches--recent data breaches? This is something \nthat is fairly common. 
Obviously, Target and Neiman Marcus in \nthe news today. How many--are you aware of others?\n    Mr. Krush. Well, interestingly enough, you know, the \nthing--when it comes to data breaches, I think Target is a \nperfect example of someone that had the capability to identify \na breach. The thing that is of most concern to me is that there \nare a lot of industry and even government organizations that \ndon\'t have the capability to do that.\n    Mr. Kennedy of Massachusetts. So, sir, Target, Neiman \nMarcus obviously in the news now. Do you recall the Heartland \nPayment Systems data breach back in 2008? Does that ring a bell \nwith you?\n    Mr. Krush. It does.\n    Mr. Kennedy of Massachusetts. At least from some estimates \n134 million credit cards exposed. How about TJX Companies in \n2006, 94 million credit cards exposed; Epsilon, which exposed \nthe emails of millions of customers stored in over 108 \ndifferent retail chains; RSA Security, top-notch security firm; \nSony PlayStation Network, over 77 million PlayStation Network \naccounts exposed, all private sector, yes?\n    Mr. Krush. Yes.\n    Mr. Kennedy of Massachusetts. This is something the private \nsector invests billions of dollars a year in trying to protect, \nyes?\n    Mr. Krush. Yes.\n    Mr. Kennedy of Massachusetts. This is something that is \nvery difficult and has to be on the cutting edge in order to \ndefend against, yes?\n    Mr. Krush. Yes.\n    Mr. Kennedy of Massachusetts. Are you aware of how many \ntimes the House of Representatives has voted to cut funding or \nrepeal the Affordable Care Act this Congress?\n    Mr. Krush. I am not.\n    Mr. Kennedy of Massachusetts. Would the number close to 50 \nseem accurate to you?\n    Mr. Krush. Unfortunately, I just don\'t have that insight.\n    Mr. Kennedy of Massachusetts. Okay.\n    Mr. Krush. I can talk about risk assessment----\n    Mr. Kennedy of Massachusetts. Well, take my word for it.\n    Mr. Krush. --if you like.\n    Mr. 
Kennedy of Massachusetts. Take my word for it.\n    I yield back the balance of my time.\n    Chairman Smith. Thank you, Mr. Kennedy.\n    The gentleman from Oklahoma, Mr. Bridenstine, is recognized \nfor his questions.\n    Mr. Bridenstine. Thank you, Mr. Chairman. I appreciate the \ntime.\n    I would like to start by asking our witnesses a question. \nAre you familiar with Tony Trenkle? He was the Chief \nInformation Officer for the Centers for Medicare and Medicaid \nServices. And his job was to oversee the development of \nHealthCare.gov and his job was to,--as--you know, the last \nthing before launching the website he had a security waiver he \nwas supposed to sign. Do you guys remember any of this by \nchance? And he didn\'t sign it. He refused to sign it and he \nresigned. His boss, Marilyn Tavenner, CMS Administrator, who is \nnot a Chief Information Officer, who arguably would not be \nqualified to sign off on a security waiver, she signed it. He \ndidn\'t. He is qualified. She did, she is not qualified. She is \nan appointee of the President of the United States.\n    Interestingly, her boss, Secretary of Health and Human \nServices Kathleen Sebelius, testified before Congress that she \nhad no idea that a security waiver was supposed to be signed, \nthat it didn\'t get signed, and that her subordinate, another \nBarack Obama appointee, signed it. She didn\'t know. It would \nseem to me you have a qualified person not signing it and then \nhaving to resign, and the Administration was not clear about \nwhy that person had to resign, namely Tony Trenkle. In fact, \nthey didn\'t answer the question why. But it would appear--and \nthis gives me concern--that people are making decisions for \npolitical reasons, not in the best interest of security of our \ncitizens.\n    And so some of you on this panel are CEOs, I think three of \nyou. And then, one leads a research institution. 
Just a quick \nyes-or-no answer, in your institutions if this was going on, \nwould you guys have an issue with it? Would somebody in your \norganization be fired? We will start with you, Mr. Kennedy, and \njust go down the row.\n    Mr. Kennedy. Coming from being a Chief Security Officer for \na Fortune 1000 company, I would say the answer to that would be \nyes. That would raise a major concern for me.\n    Mr. Krush. I would just talk to the point that the \nauthorizing official, if it was the CSO and he or she was the \none authorized to sign for the system, you know, this is \nactually one of the breakdowns in the risk management framework \nright now. You have what is called--you usually have the CIO or \nthe director that are in charge of maybe a program, an \norganization, and they are directed as the authorizing \nofficial. I would say if we are going to look at one of the \nweaknesses in the process government-wide is that that Chief \nInformation Security Officer should be where the buck stops \nalways. Right now, there is----\n    Mr. Bridenstine. So you are acknowledging that he should \nhave signed it if it was secure, and his refusal is a big \nbreach of trust here with the American people?\n    Mr. Krush. I acknowledge that under the current process----\n    Mr. Bridenstine. And then he was forced to resign, \narguably.\n    Mr. Krush. The current process allows for the authorizing \nofficial to be whoever is directly in charge of the entire \ninformation system. So, that being said, I think that that is a \nweakness in the process. Right now, it should be the Chief \nInformation Security Officer where it stops. They are supposed \nto know the system, the security capabilities, and they are \nsupposed to be the ones that should be responsible, but that is \nnot the process that we are currently using in the government.\n    Mr. Bridenstine. Well, it was the process that was supposed \nto be used until he refused and then resigned. 
Going down the \nline?\n    Mr. Gregg. I would also say yes and I would add to that \nthat, as we talked about earlier, with external third parties \nlooking at this, that is just a piece of it, them looking at \nit. The other part is those items are actually implemented and \nthey are signed off on.\n    Dr. Ponemon. It is my turn, I suppose. Yes, it is a big \nethical issue in my opinion. I think the key variable is that \nthe security of our country and the citizens of our country \nshould be more than a political issue.\n    Mr. Bridenstine. Agreed.\n    Dr. Ponemon. But I don\'t think the solution is to have \nlocal CSOs, people who are middle-level management. It should \nbe a major, major function of the government to have a CSO for \nthe entire United States and then----\n    Mr. Bridenstine. I am going to bring back my time. I \nonly have 30 more seconds but I appreciate your answer and you \ncan submit it for the record.\n    Dr. Ponemon. Absolutely.\n    Mr. Bridenstine. But I would like to just say that I am not \ngoing to put this in for the record, Mr. Chairman, because I \ndon\'t want it to create any issues on the other side of the \naisle, but this comes from an article from CBS News dated \nNovember 6, 2013. So people watching at home have access to it. \nIt is on the internet. It has all been disclosed.\n    And I would like to say, finally, in my last five seconds \nthis is exactly why the American people have lost trust in \ntheir government. This is exactly why the American people have \nlost trust in their government.\n    Mr. Chairman, I yield back.\n    Chairman Smith. Thank you, Mr. Bridenstine.\n    The gentleman from Illinois, Mr. Hultgren, is recognized \nfor his questions.\n    Mr. Hultgren. Thank you, Mr. Chairman. Thank you all for \nbeing here. 
This is such an important topic and something I am \ncertainly hearing from my constituents as I travel around my \nDistrict of great concern and wanting answers and so I \nappreciate you being here.\n    I have got a couple of different questions. I am going to \naddress the first one to Mr. Krush if I could. According to \nyour written testimony, you say that based on what you have \nread publicly thus far, ``HealthCare.gov is most likely \ncategorized as a moderate system referring to the National \nInstitute of Standards and Technology or NIST\'s security levels \nof low, moderate, and high.\'\' I wonder, is that an appropriate \ncategorization for this kind of personal data that we are \ntalking about here being available and accessible through the \nHealthCare.gov website, including people\'s medical files?\n    Mr. Krush. So usually we reserve high for, you know, grave \ndanger to national security, to the confidentiality, integrity, \nand availability could, you know--for most of the high systems. \nSo usually to me when something is categorized with that, it is \nusually life or death. And since HealthCare.gov is not that, \nit--there are some areas where, depending on the organization, \nthere is something called organizationally defined parameters. \nThat allows the organization to say if they process, store, \ntransmit, manage, or review privacy data, it allows them to \nmake the recommendation to go to high. But from what I have \nread thus far about the site, because of the interactions with \nthe other websites, meaning the handing off through the \ncontrolled APIs and the way that it deals with \ninterconnections, it still would be moderate. If one of those \ninterconnections is high, then they--then what they have to do \nis actually--they do--well, we are going to do this anyway. \nThey have to develop what is called an ISA, an Interconnection \nSecurity Agreement. 
And what that requires both sides to do is \nagree on the cyber security rules, including how quickly \nthey report any instance related to those.\n    Mr. Hultgren. Let me jump in here real quick. I would say \nagain for my constituents this is of high concern to them and I \nthink for us as well. And I would agree with my colleagues of \nhow important this is in people\'s lives. And, boy, talking \nabout medical care, it sounds like life and death to me \noftentimes is making sure that our medical records are \nprotected.\n    I am going to jump to Mr. Gregg. Is there any evidence that \nHealthCare.gov meets NIST\'s data security standards and who \nshould certify that HealthCare.gov complies with the Federal \nInformation Security Management Act?\n    Mr. Gregg. I have not seen that evidence as far as whether \nor not they have been certified so I cannot say on that.\n    Mr. Hultgren. Okay. Let me open this up to any others. Mr. \nKennedy, Dr. Ponemon, let me open this up to you all, any \nthoughts you might have. National Institute of Standards and \nTechnology, NIST again, provides agencies with the guidance \nthey need to develop and launch networks and websites that are \nfully and properly secure. Should NIST\'s role be expanded or \nincreased with any new authority and responsibility \nspecifically in regards to HealthCare.gov? Would NIST be best \nqualified to verify and certify how well agencies meet their \nsecurity standards\' compliance? And in today\'s case, should \nNIST review HealthCare.gov? Start with Mr. Kennedy.\n    Mr. Kennedy. I would agree with that. I think if you look \nat not just technology-specific areas. You have the CDC, the \nCenters for Disease Control and Prevention, which is really about \ngetting information to the American people about diseases, \nthings like that. 
The same oversight needs to be there and the \nexpanse of NIST needs to be there for more of a governance \nstructure over our security practices inside the government. \nAgain, NIST is more of a guidance role right now to adhere to. \nI think the expansion on this is really to bring more security \nintegration throughout the whole government, the whole federal \ngovernment, to really build best practices in. Right now, it is \nkind of intermittent not whether they do it or not. So I agree \nthat, yes.\n    Mr. Hultgren. Okay. Any other comments or thoughts?\n    Mr. Krush. They currently write the guidelines, the NIST--\nNational Institute of Standards and Technology special \npublications and also they write different guidance on \ndifferent types of technologies. I think just understanding \nsystems from a risk perspective, if you have one organization \nthat is in charge of the information security for every single \ngovernment organization, it is--you will never come to the same \nrisk decision. The problem lies in the fact that somebody at \nHHS is going to know about HHS systems and the security and the \nrequirements better than someone, you know, in an office \nsomewhere up at NIST.\n    Mr. Hultgren. I think that my fear is accountability, too. \nSometimes I see it in bureaucracies, there is a desire to \nprotect, hey, if we have a breach, don\'t let anybody know. I \nwant to make sure that doesn\'t happen.\n    Mr. Gregg, do you have any thoughts on this?\n    Mr. Gregg. No, but I would agree many times this stuff is \ncovered up and it is not released immediately. We even see with \nTarget that we are getting some information, but yet to see the \nfull picture.\n    Mr. Hultgren. Okay. Dr. Ponemon, real quick, what are some \nof the serious consequences that consumers face in the wake of \nmedical identity theft? Are there financial consequences in \naddition to medical consequences?\n    Dr. Ponemon. 
Yes, and in our research we find that a fairly
large percentage of our sample suffered some financial
consequences, and sometimes it is just staggering. It could be
thousands or tens of thousands of dollars. Keep in mind that
the people who are at risk are not necessarily wealthy people,
people who are low income. And so on a proportional level it
could be their total yearly income just basically the costs
associated with cleaning up your medical record.
    Mr. Hultgren. Doctor, you are right, and I think that is my
fear is those who are most vulnerable are right on the edge----
    Dr. Ponemon. Absolutely.
    Mr. Hultgren. --something happens there, they don't have
anything to fall back on. People with significant resources do.
    Thank you again for being here. Chairman, I appreciate the
opportunity and I yield back.
    Chairman Smith. Thank you, Mr. Hultgren.
    The gentleman from Texas, Mr. Weber, is recognized for his
questions.
    Mr. Weber. Thank you.
    Mr.--is it Krush or Krush? I have heard it both ways.
    Mr. Krush. It is Krush but in the Army I used to say Krush.
    Mr. Weber. It is Krush, okay. All right. Well, just call
you for dinner is the main thing, right?
    Mr. Krush, you said, I think, that you were lucky enough to
have worked for the HHS or was it the CMS?
    Mr. Krush. So I was fortunate enough to work early on on
the central office at HHS.
    Mr. Weber. Okay.
    Mr. Krush. I have also provided training actually related
to the risk management framework and we develop online training
for CMS.
    Mr. Weber. I want to draw attention to the word luck. You
said you were lucky but then later you said you had contracts
totaling around $10 million? $1 million? $10 million?
    Mr. Krush. $1 million.
    Mr. Weber. $1 million. Okay.
    Mr. Krush.
But I would say when I was talking about luck, I
was actually talking about the individuals that are at the
central office are probably some of the most talented cyber
security people I have met. And that is just the truth. I have
worked with them when they were contractors and now they are----
    Mr. Weber. Okay. And then you said I am working for the
CMS--and I wrote it down--you weren't "best of friends"
with----
    Mr. Krush. That is correct, with CMS.
    Mr. Weber. --were the words you used.
    Mr. Krush. We actually had a recent protest with them.
    Mr. Weber. Okay. But you had government contracts so you might
not have been best of friends, but you weren't enemies, right?
    Mr. Krush. Absolutely not.
    Mr. Weber. Yes, you weren't enemies. It wasn't maybe a
marriage, but at that dollar rate, you might be interested in a
long-term relationship? What do you think?
    Mr. Krush. At those dollar amounts----
    Mr. Weber. Yes, sir.
    Mr. Krush. --a long-term relationship? If it was a little
bit more probably.
    Mr. Weber. Okay. I see. You are going to play hard to get.
So were you hired on experience and good performance?
    Mr. Krush. Absolutely.
    Mr. Weber. Okay. So you think performance is important?
    Mr. Krush. Absolutely.
    Mr. Weber. So would you say that the performance in rolling
out HealthCare.gov was sterling or problematic?
    Mr. Krush. It was problematic.
    Mr. Weber. Very problematic. Can you understand how some
Americans would question the ability of the company that put
together HealthCare.gov?
    Mr. Krush. I can.
    Mr. Weber. Sure, makes sense. So it is no surprise to you
that their credibility has been called into question.
    Mr. Krush. Um-hum.
    Mr. Weber. Do you fault us for doing our due diligence to
try to protect the American public?
    Mr. Krush. I do not.
    Mr. Weber.
So you think it is a good thing what we are
doing here?
    Mr. Krush. I think that every time--unfortunately, we are
as a nation fairly reactive, just like, you know, industry. We
wait until something big happens before we talk about it. You
know, cyber security----
    Mr. Weber. That is a yes or no. It is a good thing we are
doing here because I am running out of time.
    Mr. Krush. Oh, absolutely it is a good thing--
    Mr. Weber. Yes, good. Well, I am glad----
    Mr. Krush. --to talk about it.
    Mr. Weber. Good. I am glad to hear you say that.
    Mr. Kennedy, you also think it is a good thing?
    Mr. Kennedy. Absolutely I do.
    Mr. Weber. How about--Mr. Gregg?
    Mr. Gregg. Yes, I do.
    Mr. Weber. Doctor?
    Dr. Ponemon. Yes, I do.
    Mr. Weber. Okay. Well, I am glad to hear that we are
finally doing something that is advantageous. You know, that is
kind of rare for Congress.
    Mr. Krush, on February the 19th, 2013, you tweeted "don't
just worry about China breaking into systems." And then you
went on Fox News and talked about it. Do you recall that?
    Mr. Krush. I don't remember that tweet but, yes, I am
very--actually, I don't tweet that much at all but I did go on
Fox News related to the APT, correct.
    Mr. Weber. Yes, I know. You don't do a lot of tweeting. I
looked at them.
    Mr. Krush. Yes.
    Mr. Weber. When you tweeted out "don't just worry about
China breaking into systems," what did you mean by that?
    Mr. Krush. Actually, I think, sir, that was probably--when
I was tweeting, I just reposted a news article and that was
probably just the title.
    Mr. Weber. But you recognize that we have a lot of cyber
security attacks hitting our government, like a million a year.
    Mr. Krush. Oh, absolutely.
I have helped to develop many
security operation centers in the government and industry, and
there are organizations constantly knocking at our door and
trying to knock it down.
    Mr. Weber. But China would only attack those military
websites. They would never go for HealthCare.gov, would they?
    Mr. Krush. Interestingly enough, most organizations, you
know, state-sponsored organizations--and I put this in my
testimony--they are always looking for jump points, .gov, .mil,
period.
    Mr. Weber. So the people in China that are attacking us, is
their level of proficiency low, medium, high?
    Mr. Krush. Very high.
    Mr. Weber. So we are well advised to warn the American
people that they are going to have information on
HealthCare.gov that may be spread across the globe?
    Mr. Krush. You are well advised to warn everybody in the
federal government and even in industry that cyber security and
privacy absolutely needs to be one of your top priorities.
    Mr. Weber. Okay. Well, I appreciate you understanding that.
Mr. Chairman, I yield back.
    Chairman Smith. Thank you, Mr. Weber.
    The gentleman from New York, Mr. Collins, is recognized for
his questions.
    Mr. Collins. Thank you, Mr. Chairman. And I find that it
has been about two months since our last meeting. Mr. Kennedy,
welcome back.
    As one of the last witnesses, I tend to see that there are
times people will try to defend the indefensible, and the best
way to defend the indefensible is to confuse the issue and muck
it up and raise other things. I have heard and seen some of
that today. So I would like to come back here at the end and
remind everyone that all four witnesses last time, including
the Democrat witness, testified absolutely the website was not
secure on October 1. They testified that absolutely the website
was not secure on November 19.
We couldn't get agreement as to
whether we should shut it down immediately or not, but the
testimony indicated that October 1 was a date certain set by
the Obama Administration to launch HealthCare.gov irrespective
of whether it was ready, and I think the American public knows
it was not ready.
    So I think it brings into question if it was a date
certain, it wasn't let's launch the website when it is ready.
Let's launch it when it will do the job and handle the traffic.
Let's launch it when it was secure. No. It was let's launch it
on October 1 because we promised it would be October 1 whether
it is ready, whether it is secure, doesn't matter. Launch it.
And we did. And the American public in watching this hearing
can see for themselves that that was the overriding concern,
certainly not security.
    So now, here we are today, and yes, we have a different
witness, but I guess I would ask our witness, Mr. Krush,
whether you think the website was ready to be launched on
October 1 or not? That is a yes or no.
    Mr. Krush. That is a no.
    Mr. Collins. And do you think it was secure then on October
1?
    Mr. Krush. So if you have read my testimony and my previous
testimony, you will see that I said the process was followed
and a risk-based decision was made. That is why it is called
risk management framework and not the no-risk process.
    Mr. Collins. So I guess what I come back to here is that
there are those today that tried to say this was a politicized
hearing and so forth, which I don't think it is. I think we are
just back to talking to the American public who are being told
that, to sign up, they must share this delicate information,
including Social Security numbers.
    I think the fact that Target or Neiman Marcus happened to
have had their issues doesn't defend this. Two wrongs don't
make a right by any stretch of the imagination.
But I am trying
to point out and remind folks this website was launched on
October 1 for only one reason: political reasons. It was not
ready. The Administration knew it was not ready. If it is not
ready, it is not secure. It wasn't secure. We know it wasn't
secure. Now, we are being told today to trust the
Administration and, Mr. Krush, to trust some of your judgment.
Something happened in the last week or two or month. It is now
secure. Well, I guess I am not quite ready to accept that just
because you say it is so. That doesn't necessarily make it so.
So, I am just trying to bring us back to where we were October
1, where we were on November 19, where we are today. And
certainly, I am confident three of our witnesses today, Mr.
Kennedy, do you think it is secure today?
    Mr. Kennedy. Absolutely not.
    Mr. Collins. Mr. Gregg?
    Mr. Gregg. No, I do not. And usually when sites are rolled
out, they are rolled out in a beta first----
    Mr. Collins. Right.
    Mr. Gregg. --very small group, and then to a large group.
    Mr. Collins. Mr. Ponemon, do you believe it is secure
today?
    Dr. Ponemon. You know, it is hard to tell. I am not--these
people are the experts, but they simply--based on what I am
hearing, again as a citizen of this country, I am concerned. I
am not happy with what I am hearing here today.
    Mr. Collins. Okay. And, Mr. Krush, I will let you answer
that as well, please.
    Mr. Krush. I think my testimony and everything I have been
saying here is none of us worked on HealthCare.gov, so
speculating that it is either secure or not is just not
something I am willing to say.
    Mr. Collins. So you would say today you would not state
affirmatively to the American public that it is secure?
    Mr. Krush. Based on the information that I have read, a
risk-based decision was made. There was a mitigation strategy
that was very clear. They are doing weekly scans.
They are
doing daily scans. They are doing mitigation and remediation.
    Mr. Collins. Okay. I was kind of hoping for a yes or no.
    Mr. Krush. I would say that is pretty secure.
    Mr. Collins. So you are stating, yes, it is secure?
    Mr. Krush. I am stating based on the information I have
right now I would say it is secure.
    Mr. Collins. Okay. Well, we can have that difference of
opinion and I guess I will leave it at that for the American
public to make their own decisions.
    Mr. Chairman, I yield back.
    Chairman Smith. Thank you, Mr. Collins.
    The gentlewoman from Illinois, Ms. Kelly, is recognized for
her questions.
    Ms. Kelly. Thank you, Mr. Chair.
    Mr. Krush, unlike some of the other witnesses, you have
extensive experience working on federal government websites
from the inside developing countermeasures against potential
attacks and ensuring that websites are as secure as possible.
Is it true that what might appear like a security vulnerability
or even a successful exploit from the outside does not actually
always result in a security threat?
    Mr. Krush. That is correct, Ms. Kelly. Actually, we like to
set up things called honey pots meaning that we will set up--we
want to know what the attackers are actually doing to our
websites and our systems, so we set up ports, protocols, and
services that may not have anything to do with the website to
kind of find out who is coming in, what they are doing, and so
that we can then build countermeasures internally to deal with
those type of things.
    Ms. Kelly. I have also been told that a site security team
will leave the appearance of a weakness in place so that
hackers will waste their time. There are other times, as I
understand it, seeming weaknesses are purposely put in place
and what IT professionals--like you just said, honey pots,
where a genuine hack or even a white hacker gets caught trying
to penetrate a system.
And you just said that that was true. Do
you imagine with HealthCare.gov that is--honey pots are in
place or----
    Mr. Krush. So, Ms. Kelly, because I didn't set up the honey
pot, I can't speculate on that either, but it is a very normal
practice and best practice in the government to set up honey
pots so that we can understand what our adversaries or external
organizations are trying to gain access to and what type of
things they are actually doing to our websites.
    Ms. Kelly. Okay. And lastly, the HealthCare.gov website
uses remote authentication to help verify that the users are
who they claim they are in order to help cut down on medical
fraud. These sorts of security practices can sometimes make
websites clunky and the user interface problematic. Can you
address this issue for us? Is it possible that these sorts of
kinks and glitches experienced on HealthCare.gov were due to its
enhanced security measures by any chance?
    Mr. Krush. The great thing about security is if it is done
right, it won't work. No, I am joking. So a lot of times when
we lock down systems in the federal government, if we followed
every single security control that is put forward for us, we
would turn that box or that system into a completely unusable,
you know, locked-down box meaning I couldn't log into it as an
administrator but neither could you. So what we do is we look
at the controls from a security engineering perspective and
decide what are the best, you know, security controls to
implement and how that is going to affect our operational user
base. And so to answer your question that is a possibility but
I didn't actually do the identity management system so, once
again, I can't really talk to that fact.
    Ms. Kelly. Thank you so much. I yield the rest of my time.
    Chairman Smith. Okay. Thank you, Ms. Kelly.
    I don't see any other Members here to ask questions so this
concludes our hearing today.
Thank you all again for your
contributions to the subject at hand. We heard a lot of good
testimony and we will continue to be in touch.
    We stand adjourned.
    [Whereupon, at 11:12 a.m., the Committee was adjourned.]
                               Appendix I

                              ----------

                   Answers to Post-Hearing Questions

Responses by Mr. David Kennedy
[Responses submitted as graphics; TIFF images 86900.045 through 86900.058 omitted from the printed record.]

Responses by Mr. Waylon Krush
[Responses submitted as graphics; TIFF images 86900.059 through 86900.064 omitted from the printed record.]

Responses by Mr. Michael Gregg
[Responses submitted as graphics; TIFF images 86900.065 through 86900.069 omitted from the printed record.]

Responses by Dr. Lawrence Ponemon
[Responses submitted as graphics; TIFF images 86900.070 through 86900.073 omitted from the printed record.]
</pre></body></html>