
tv   Key Capitol Hill Hearings  CSPAN  January 17, 2014 6:00am-8:01am EST

6:59 am
>> even under the currently contrived arrangements. not as a satellite, but nonetheless, the eu should encourage whatever additional arrangements are feasible. and we should be exploring ways, if there are any, by which the
7:00 am
wto could help to expose economic intimidation which is not in keeping with its rules, and communicate its sense of concern to the party responsible for generating it. perhaps there could be some steps taken to facilitate preferential access for ukrainians seeking to study and work in europe. fourth, we should keep in mind that the longer run issue is what will russia become, as china increases its influence in the former soviet central asia. we should keep reminding the russian people and their leaders that we respect russia's european identity and culture. and that russia's true destiny is also to be a major european state in a larger democratic west. we should make it clear that we
7:01 am
seek neither russia's isolation nor fragmentation, but russia's evolution towards a genuine democracy. one way or another, that day will come. putin stands in the way today with this nostalgic dream of a new empire called the eurasian union. but the fact is that such a prospect is not realistic. none of the would be members of the eurasian union truly desire to limit their sovereignty, to cede it to russia, to participate in the creation of a new union which revokes memories of the recently disappeared union, not to mention the older still russian empire. in brief, and i will conclude on this, we need to construct an open-ended, long-term policy for
7:02 am
ukraine as well as a long-term option for russia that may follow. thank you, mr. chairman. >> thank you very much, dr. brzezinski, for those in such. i think you alluded to this in your book, you suggest that russia cannot be a democracy if it's an empire, it cannot be fully and in part if it lacks control of the ukraine. is that if you that you think is driving moscow's behavior towards ukraine now? >> yes, i think, the leadership feels convinced that without ukraine the re-creation of some form of supranational union, call it simply an empire, is it possible. this is why it's such a strategic stake for putin. what he underestimates, however, in my view, are the consequences of 20 years of independence.
7:03 am
these consequences we saw so dramatically and so admirably where that younger generation of ukrainians who have grown up in an independent state stood up and said no matter how cold or hot difficult or how dangerous, we stand for independence because we treasure our independence. what is less visible but it's also true, that that kind of sentiment pervades increasingly believes in such significance entities as kazakhstan and uzbekistan, but also any other smaller former soviet states. to put it simply in very human terms, who doesn't prefer to be a president of his own country or a general and his own army or a foreign minister in his own government, or an ambassador in washington representing his sovereignty rather than to view
7:04 am
officials of an entity in which they are subordinate? this is a normal human reaction. nationalism is a deeply contagious social force. and once awakened it is almost impossible to sweep it back into the box. what we are now seeing in ukraine is a long delayed awakening that was coming. one could see it during 20th century. one could see it during the days when they were starving to death of millions of ukrainians by deliberate decisions in moscow. but now it's a pervasive reality, and particular among the younger ukrainians. they feel themselves to be ukrainians. and this is why putin the trace such a historical ignorance when he says as he did just a few weeks ago that ukraine and russia are just but one nation.
7:05 am
and, of course, russians are the older brother in the nation, according to him. >> the flip side of that, and i share your views, but the flipside of that so we understand, the totality, the importance of this, is that could we ever see or perceive a democratization of russia if it would be able to achieve their goals of having ukraine join with them in this sphere? >> well, i have no doubt that the ukraine is subordinated. it marks a turning point and russia becomes in effect an empire. in my own personal view is, that first of all i don't think that's going to happen in total, even if there's a progression today. secondly, and, obviously, this is speculated that it is a question of judgment, my gut feeling is that putin's nostalgia for the past, which
7:06 am
drives this aspiration for a supranational union, is simply divorced from political and social economic realities. russia today is no longer an individually motivated entity. mindlessly seeking in the real status the way the nazis did in order to compensate for their defeat in the first world war. it is no longer driven by an ideology which demands supranationality as the basis for superpower status. there is a nationalist element in russia to which he is appealing that is retrogressive. but there's also new manifestation in russia which is gradually becoming in my view more significant. the emergence of an increasingly internationally connected, internationally educated in many cases, middle-class, particularly major cities in
7:07 am
russia, moscow, st. petersburg, others. a middle class which increasingly identifies itself with more common western values, including democracy, freedom of travel, freedom to read what one wishes, freedom to say what one desires, and freedom eventually to express one's political preferences. that is a new reality. and is becoming stronger. so my gut feeling, and i've been a student of soviet and russian affairs now almost all of my life, is that this quest for a supranational union is directly linked to the longevity of the president of russia. and if he fades from the scene for one reason or another, politically or physically, i think there's going to be an accelerated turn towards a redefinition of russia's place in the world, for two reasons.
7:08 am
one, which i've already mentioned, an impulse of the middle-class that sees itself part of the west and is increasingly educated in the west, in addition to traveling to it. and secondly, the extraordinarily significant rise in the power and significance of china, and particularly no increasingly so in central asia. the russians are building columba her bike along her new roads spanning the former russian central asia, roads, railroads, investments, increasingly matching and outstripping the russians. investments in the real estate and the natural resources of these newly independent states. these states are ambivalent because -- they are so huge and powerful. but at the same time they know that they create leverage, which gives them room for self-assertion. i know the presidents of the two
7:09 am
most important central asian countries, kazakhstan, extraordinarily rich in natural resources, and uzbekistan, the center of islamic self-awareness that's mixed with nationalism. neither of these two leaders wants to be a satellite. in fact, for that reason, he is very carefully maneuvering between china and russia, proposed to putin, and putin was smart enough to accept it, that putin's original name of the eurasian union be changed to eurasian economic union. which was an attempt, of course to limit what the union really means. in other words, don't limit our sovereignty. now, of course, if you have economic nomination, the other
7:10 am
one may be adversely affected. but my point simply is this. there is some support for arrangements for customs union and so forth because this can be beneficial in two ways. but there is above all else in the newly independent states, including belarus, doesn't have a notably good democratic record, there is a commitment in all of them, there was self independence. >> senator corker? >> thank you, mr. chairman. doctor, it was impressive to listen to you, to get your insights on issues that are happening throughout the world, and certainly in this part of the world you are quite an expert so i thank you for your comments. i know you listed a number of things, steps that should be taken to reinforce the ukrainian people, and you've talked about the values that they share with
7:11 am
the west, the values that middle income people and russia share with the west. and just a natural alliance that should be there. many of us have watched the administration since august, and watch as we deal with russia in ways that we do, and understand that the russian people in many ways should be oriented towards us and that there are issues of commonality that we should be pursuing. at the same time as we watch what's happening, we also -- it seems a deference to rush in so many cases, and almost beginning with syria come you know, stepping into their arms. i know you were just talking about how we need to fertilize and we need to, you know, encourage the ukrainian people to continue to move ahead. we hope there are going to be free elections. i know the standard there is for
7:12 am
opponents to be arrested and not be available for election, which makes it more difficult. but what would be your guidance to u.s. outward comments and policy relative ukraine right now and push back? and what effect does that actually have, if you will, on the ukrainian people and an outcome there? >> i think we should learn from experience of poland's emancipation from soviet control in the late 1980s, early 1990s. what emerged in poland was a national movement for independence. somewhat like the mike dunn -- with a dramatic leader who may not have the most senior leader originally and perhaps not always the most intelligent leader but the most effective political leader. and it was under his leadership that eventually that movement
7:13 am
forced the ruling, his regime to negotiate, to negotiate an arrangement of the commendation which then was transformed into eventually a democracy, a western type democracy of poland today in the eu and in nato. ukraine needs a clear-cut national narrative. i know there are a number of outstanding ukrainian leaders who participated in what has been transplanting, and some with great personal courage and sacrifice. at the biggest sacrifice that needs to be made is that all of them but one have to agree on a one that will be increasingly the symbol or alternative. because you do with an entrenched regime which can use force and bribery to stay in power and his russia's support. you need to have a figure articulate your aspirations, symbolizes you and becomes a focus of global attention.
7:14 am
the second part of your question pertained to what you described as our deference to the russians. i would take some exception to the word deference. i don't think we have really deferred to them. i know what i'm about to say is controversial but, frankly, i think that russia's interference in syria, to some extent, made it easier for us to avoid sliding into direct participation in a war which would've been very damaging to our interests and probably would have spread more widely and more quickly than was the case. such a question of judgment and we may disagree on the. but i think in any case what it illustrates is something more basic than that. our relationship with russia during the cold war was one of hostility. it was a non-zero-sum game. we win, they lose. they win, we lose. today, in many parts of the world the relationship is much more mixed.
7:15 am
we don't like what they're doing in ukraine, but in the long run i would like them to become like ukraine and pursued the same path. there are many things they're doing elsewhere that we don't like, but we need them and we do need them in the middle east. in fact, i think the chances of stabilizing the middle east, including in the forthcoming conference, are greater even in the process we have with us not only the europeans, some of whom are very disliked in the middle east as former colonial powers, we also have with us the russians who in some cases are not so disliked. and the chinese who are increasingly being an influence in the middle east and they have a growing state in a stable middle east. that kind of a coalition i think gives us a greater opportunity to pursue arrangements that mitigate and minimize the danger of conflict starting out, and
7:16 am
certainly reduces the necessity of us being involved in these conflicts directly. because the fact remains if we become involved directly, some people may applaud us, some people may rub their hands with glee that we are getting stuck, but none of them are going to help us. i don't think the united states is in any position now to duplicate the wars in iraq or afghanistan with a direct military engagement in the middle east. so we do need some recommendations even with the russians on some issues just as we disagree with them on other issues. >> you know, i appreciate your point of view, but as it relates to ukraine which was just outward economic extortion, obviously that's not something that we in any way condone
7:17 am
regardless of the complexities of any situation and, therefore, and yet we really didn't speak to that. i think some reasons is because the of the elements that you just alluded to. i understand that relationships are complex and there are many other things that are occurring in regards to how you do those. i understand they come into this, but when it comes to an issue like ukraine where there's no question it was black and white extortion, what should the u.s. do in those cases where because it appears to me that we did not much, if you will. and -- >> i tend to agree with you on that aspect. this is what i mentioned in my testimony that we should take a hard look at wto rules. there are some countries in the wto that have behaved that fashion. we should look at the rules and see what is not acceptable in terms of formal behavior of wto
7:18 am
members who benefit from the fact that such organizations contribute to more fluid trade flows and greater access, and we could have opportunities for limited boycotts, limited bans and so forth. i agree with you it's not either black or white. you can have different combinations, but we have to have a sense of balance about it. i don't look in favor of same time, reigniting the cold war, for example, with russia, of the kind we have with the soviet union. in part because we do need russia in some other parts of the world. i also know today in moscow you can read criticisms of the government. you can read newspapers the
7:19 am
blast official policies. you can watch skits on television that ridicule the rulers and so forth. we are dealing with a more complicated russia today than the soviet union of the past. >> well, thank you. appreciate your service to our country and your continued involvement in helping us think through these complex issues. thank you. >> senator murphy. >> thank you, mr. chairman. welcome, dr. brzezinski. for all his faults, and five is a pretty savvy politician. he seems -- yanukovych is a pretty savvy politician. he seems to be under the impression he can somehow manage a short-term transition to economic aid in russia with an eventual long-term association with the eu. and for the seems to be under the belief that he can manage that transition without severe repercussions from russia.
7:20 am
keeps them happy for her to time, maybe they won't notice if he eventually enters into a roadmap to join europe. when we were there i tried to translate the phrase rip the band-aid off from which apparently does not translate very well in the ukraine. my point was at some point my impression is that you will have to deliver a very tough message to the russians you are going to join the eu and you'll have to potentially as long as putin is there except some of the very bad economic behavior that senator corker talks about, coming along with it unless we can stop it. as the united states and europe together. do you think he is right that there is a way, without our intervention, the ukraine to make the turn to europe in an overt way without raising the ire of russia in a way that will do great damage to the economy?
7:21 am
or perhaps you think that senator corker is right, that made with some intervention with the united states migh you mighe able to help manage that situation? >> we should try and resort should try, should certainly encourage the ukraine is to try themselves because ultimately it is not an issue which can be resolved by compulsion or pressure entirely from the outside. we can influence events that we cannot really did take them. my guess is, and emphasized the word guess, is that yanukovych in his gut feels that if he moves towards the west and part of it is also free elections, that he will lose. that's part of the difficulty. now, it's not easy, or maybe not even productive, to speculate publicly about how to manage that. but i will just draw you an analogy again to poland because it's relevant. i mentioned the polling can use the movement that produced a
7:22 am
popular leader that eventually sat down with a commons regime which knew it was losing the cubs the soviet union was disintegrating. they knew they had to somehow accommodate the new reality, and contrived we elections which were free. and solidarity one. and then solidarity agreed to the earth while dictator in one went bowling with some approval -- in poland with some approval, the first president. in other words, what the ukraine is has to have is a viable source of political influence but also political dialogue, and some degree of elasticity in getting with yanukovych to see that it's possible. but may not be possible. it may not be possible. he may be too careful. lookouts stupidly rigid he is on
7:23 am
the case. he could have sold it just like that. without giving too much fanfare, simply expelling her you're not necessarily even just sending her to germany for medical treatment but simply saying i'm getting rid of her. so she would be outside the country. part of the problem would be solved or perhaps the west would demand shouldn't be permitted to return and campaign but that would be a bit of a stretch. but he didn't have the guts or the imagination to do that. against the is i think a little bit frozen in his anxiety that he might lose. but i think it's worth a try because a lot of it depends on the maturity and flexibility, organizational skill and charismatic appeal of the opposition, including its willingness to play the game depending how it unfolds. >> what speed is one more sense. putin's money is going to run out. so this is a lousy economy. it's an economy from which funds
7:24 am
are fleeing to the west. the new middle class is enriching itself but look where it is depositing its money. there could be a crisis in terms of what putin can do for yanukovych. he has to be careful not to use force on the ukrainians. if he uses force on the ukrainians, he will discover very quickly because bit more than he can chew. these are tough people. they are not going to give up their independence. >> i wanted to ask you about the opposition. i know you won't necessary want to comment on individual political leaders in the ukraine, but it struck me when you're there, there's a huge portrait, and yet when you're actually talking to individuals there, there's not a lot of talk of individual political leaders. they are there for variety of reasons, most of which as was mentioned earlier, are not connected to an individual political party and there seems to be a disconnect between what those were there in the left
7:25 am
want and what the political opposition is able to deliver. and the worry is if we are really accounting political change in 2015 to ultimately deliver on a potential ultimate salvation of the ukraine, folks out there may have expectations that the political opposition ultimately can't make good on. regardless of who ends up being the standard bearer, how does the political opposition capitalize on a fairly non-political sentiments so that they are captured? >> first of all by trying to create a broader national dialogue. it may be the prime minister, may not want to talk to them. but there are a lot of other people in the key of who are not committed to the regime nor are in nor are entirely against it who can talk to. i can give you but i won't give it to you now publicly of some
7:26 am
names from sure would engage in discussion with the opposition to impart because they are an easy about the way things are shaping up. they resent the fact that this territory is not there's exclusive but moscow has prioritized in what they claim to be there exclusive area. they know that greater opportunities shine in the west. they may be interested in alternative deals. a map access and sources. they may be able to contrive. i'm talking literally from the top of my head right now, some arrangement whereby the election is delayed for a while, but with an understanding of the process in the meantime takes root and leads to transition which is exactly what happened in poland. they elected a president from the regime lasted one year. and yet went peacefully in the end. there are many ways you can skin the cat, of the political
7:27 am
leadership in ukraine has to be manifested and mature, but also symbolic. i'm not going to mention names but they can't all be running for president. one of them has to be and have to make the cat collection will will be most effective. don't forget, this movement is driven by the passions of the younger people who relish the fact that they are independent. that's a whole new psychological reality. the leader has to be in a sense somewhere other in tune with the mood, has to symbolize it most effectively. if that manifests itself and creates a new ballgame, okay, they can perhaps arrest him, yanukovych can be under pressure from putin. but it might not work. and don't forget, russia is changing, ma too. i'm not sure that everybody in russia is crazy about trying to create some sort of a union in which there's going to be
7:28 am
internally more opposition and chime in the meantime gains influence. >> dr. brzezinski, thank you very much for very insightful views and getting a sense of the entire field, as i like to call it. i grew up sitting in the cheap seats, but he gave you a view of the entire field. and it gave you a sense of what impact is in front of you in terms of choices to be made. so i think you've done this for the committee extraordinarily well. there is a reason that i called this hearing as the second hearing of this new session of the congress, after south sudan. because i believe in the importance of the ukraine, in the urgency of protecting civil society that senator murphy saw himself when he was a better, and in the possibilities of what a sovereign ukraine, free i
7:29 am
should say, from economic coercion, can ultimately achieve. and i think it is in the national interests of the united states, as well as the ukrainian people, to be able to try to achieve those goals. so we thank you for your testimony. this will not be -- we'll be continuing to monitor the events in the ukraine with both the full committee and with our distinguished colleagues. this record will remain open to the close of -- to the close of business tomorrow, and with that, this hearing is adjourned. [inaudible conversations] >> up and asked a house science
7:30 am
and technology committee investigates cybersecurity concerns with healthcare.gov website. secretary of state john kerry is meeting with his counterparts from canada and mexico to discuss revisions to the north american free trade agreement. he will talk with reporters after the meeting and we will have live coverage here on c-span2. president obama will announce changes to government surveillance programs and data collection. the president is expected to focus on steps to increase oversight and transparency. we will have live coverage from the justice department at 11 a.m. eastern on c-span. in the afternoon also on c-span, we will get reaction to the president's speech and proposed changes to federal surveillance programs. a former cia analyst and a british defense official will be at the brookings institution. live coverage begins at 2 p.m. eastern.
7:31 am
next, cybersecurity and i.t. officials testified about whether people's personal information is secure at the healthcare.gov website. this house science and technology committee hearing is chaired by congressman lamar smith. >> the committee on science, space and technology will come to order. welcome to today's hearing entitled healthcare.gov, consequences of stolen identity. i recognize myself in opening statement and then the ranking member. when the obama administration launched healthcare.gov, americans were led to believe that the website was safe and secure. as the science, space, and technology committee learned at our hearing in november, this was not the case. we heard troubling testimony from online security experts who highlighted the many vulnerabilities of the obamacare
7:32 am
website. these flaws pose significant risks to americans' privacy and the security of their personal information. one witness, mr. david kennedy, who has been re-invited for today's hearing, testified that there are clear indicators that even basic security was not built into the healthcare.gov website. in addition, all four experts testified that the website is not secure and should not have been launched. mr. kennedy will update the committee on the security of the website since november 30, 2013, which was the administration's self-imposed deadline for when it would be fixed. since the november hearing, other events have emerged that prompted the need for today's hearing. in december, a former senior security expert at the centers for medicare and medicaid services stated that she recommended against launching the healthcare.gov website on
7:33 am
october 1st because of high risk security concerns. a letter addressed to the committee from mr. kennedy and independently signed by seven other security researchers who reviewed his analysis of vulnerabilities presents some very troubling information. to paraphrase one of the experts, mr. kevin mitnick, who was once the world's most wanted hacker, breaking into healthcare.gov and potentially gaining access to the information stored in these databases would be a hacker's dream. according to mr. mitnick, a breach may result in massive identity theft never seen before. without objection, mr. kennedy's letter will be made a part of the record. further, a recent report by the credit bureau and consumer data tracking service experian forecasts an increase in data breaches in 2014, particularly in the healthcare industry. specifically, the report states, the healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in
7:34 am
2014. add to that the healthcare insurance exchanges, which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches. experian provides the identity verification component of the health insurance marketplace enrollment process. despite increased accessibility to healthcare.gov, concerns continue to grow about the security of personal information. the work of this committee will help congress make decisions about what actions may be necessary to further inform and safeguard the american people. we are here today to discuss whether the americans who have signed up for health plans have put their personal information at risk. if americans' information is not
7:35 am
secure, then the theft of their identities is inevitable and dangerous. that concludes my opening statement. the gentleman from texas is recognized. >> thank you very much, mr. chairman. since we held our november 19 hearing highlighting security issues at healthcare.gov, up to 110 million people have had their debit card or credit card information compromised or hacked up targets for records. but target was not alone in being successfully hacked. the "washington post," facebook, gmail, linkedin, twitter, youtube, yahoo!, jpmorgan chase, snapchat, and my friends at dallas-based neiman marcus stores have announced security breaches. however, do you know one system that has not been successfully hacked since the last hearing?
7:36 am
healthcare.gov. also since the last hearing the center for medicare and medicaid services, cms, contractors have been working around-the-clock to improve the performance and security of healthcare.gov. there's been numerous fixes to the website that improve the site's responsiveness, compared to its first 60 days. millions of americans have been able to access the site and obtain medical coverage. during that entire time, top security contractors, including blue canopy, frontier security, have been working to test the system and identify weaknesses that need to be addressed. the chief information security officer has also been running weekly penetration tests to support security mitigation for cms. further, cms says that none of the majority witnesses concern
7:37 am
voiced in the november hearing have turned into any actual breach of security. the last hearing did not seek a single witness said any information about the security of the pictures of healthcare.gov. not with intent to maintain the integrity of the website. today at the same kind of hearing. as smart and as experienced as these witnesses are, not one of them has actual knowledge of security structure at healthcare.gov. the best that they can do is speculate about vulnerabilities. i think it would be good for members to remember that. i am concerned that the intentions in this hearing appears to be to scare americans away from healthcare.gov site. this appears to present a continuation of a cynical campaign to make the affordable
7:38 am
care act fail through lack of participation. while we're holding this hearing, both the house oversight and government reform committee and energy and commerce committee are holding similar events. all with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis. it is my hope that all of our witnesses can agree that it is important to make healthcare.gov work for the american people, to give all of our citizens access to affordable health care. i do not want to believe that any of the witnesses testifying today want the site to be hacked or shut down. or even see the program fail. or see americans go without health care insurance. this country faces a lot of real issues and real policy talent. if we are truly interested in hacking and identity theft can we should have representatives of the largest retail ended stations in the country are --
7:39 am
in the country here. instead it appears that majority has allowed the committee to become political messaging to agree. hanky. i hope the committee hearing will be the last of this topic. absent some actual allegations of wrongdoing and so we can focus on the oversight issues facing the country and this committee. mr. chairman, before i yield i would also like to comment on the letter you want to put in the record. i was hoping after reading it that you would have some testimony or give the people opportunity other than a 24 hour showing of this letter. but you don't have to take my word on this. mr. kennedy's own document reads this report is for public use your the report is not a
7:40 am
scientist has one and -- he did not give us testimony in time when late yesterday after and presented his report out of the blue. and i'm guessing your counsel told him to make it a letter because we routinely accept outside with some groups and experts all the time with minimal notice. so the -- address to you and me. however, i cannot remember another time when a witness for the committee also felt they had to write us a letter. i think it is an elaborate way to try to get testimony before the committee in violation of the 48 hour rule. as to the substance of the report, it includes what amounts to testimony from experts who are not appearing before us. it is against the practice of the committee to accept testimony from people who are not personally available to answer our questions. the one thing i do know is that none of the individuals who
7:41 am
signed these statements in the packet have worked on healthcare.gov or the security protocol behind the website. in other words, they know no more about the actual security of the site than does mr. kennedy. in deference to the chairman i will withdraw my exception i will point out -- objection but this report concludes land which i consider boulder and beneath the dignity of the committee. that alone should be reason to keep out. even if the chairman is comfortable with the way our rules are being stretched, if you insist i will withdraw but i want the record to reflect that we have gone beyond acceptable behavior of this committee. thank you. >> i would recognize myself to respond. all committees including this one have a long-standing practice of affording them the courtesy of entering items that they believe are relevant to the topic at hand into the record. i'm sure the ranking member knows this. members on both sides generally approach the development of the record in the spirit of
7:42 am
bipartisanship and comity. i am disappointed that the gentleman from texas would now seek to question a letter i asked be placed in the record. we frequently place items in the record that express the opinion of theirs groups or make statements regarding an issue at the request of members on both sides of the aisle. often those who have written those letters are not testifying before the committee and have not been asked to do so. yet their opinions are still made part of the record. one such example is a 54 page submission that was requested be placed in the record at a hearing last august. this document which was not even addressed to the committee but instead to the administrator of epa was entered into the record without comment. it includes a letter from six different indian tribes signed by eight different people, none of whom testified before this committee. it includes a letter from the lawyer who represented the tribes. he also did not testify before
7:43 am
the committee, yet we made his letter a part of the record. finally, it includes another letter to the administrator of epa that purports to be from 15 different national organizations, 17 international organizations, 75 alaska organizations and numerous other organizations from other states. none of these organizations testified before this committee. i have placed mr. kennedy's record in the letter today. he is testifying shortly and members want the option to question him on his comment. >> mr. chairman? >> i'm still in the middle of my statement. i regret the ranking member has questioned the long-standing prerogative of a member to enter a relevant document into the record. especially when members on her side of the aisle have done so many times without objection from the majority. i hope this is not indicative of her desire to make this committee's business more partisan. that concludes my statement and i will now introduce the
7:44 am
witnesses. >> mr. chairman? >> i'm going to introduce the witnesses. >> mr. chairman, i object to the entry of the record of the letter into the record. >> the letter has already entered into the record. the objection is not timely. >> and so i would ask for a vote whether we into the record -- enter the letter into the record. >> that is no longer a proper motion because it is not timely. >> i think it deeply politicized the hearing. >> i'm sorry for the ranking members comments the cost of your own that it is the first witness. mr. david kennedy is ceo of trustedsec. he is considered a leader in the security field. he has spoken at conferences worldwide. prior to moving to the private sector, mr. kennedy worked for the national security agency and
7:45 am
the niceties bring in cyber warfare and forensics analysis. mr. kennedy received his bachelor's degree from the university of our second witness, mr. waylon krush is a vote cofounder and ceo of lunarline. he is also a founding member of the warrior to cyberwar program, a free six-month cybersecurity a camp for returning veterans. a veteran of u.s. army, mr. krush is recipient of the military a working with highest honors in the field of intelligence. he holds a bachelor's degree in computer information science from university of maryland university college. he's also a certified information systems security professional, certification and accreditation professional, certified information systems auditor. he has more than 3000 hours of training at the national cryptologic school. our third witness, mr. michael gregg, is ceo of superior solutions inc., an i.t. security consulting firm. mr. gregg's organization performs security assessments and
7:46 am
penetration testing for fortune 1000 firms. he's published over one dozen books on i.t. security and is a well known security trainer and speaker. mr. gregg israeli side i print publications in the cybersecurity expert and as an expert commentator the network broadcast outlets such as fox, cbs, nbc, abc, and cnbc. mr. gregg wants to associate degrees and bachelor degree and a master's degree. our final witness, dr. lawrence ponemon is the chairman and founder of the ponemon institute, a research think tank dedicated to advancing privacy, data protection and information security practices. dr. ponemon is considered a pioneer in privacy auditing is named as one of the most influential people for security. dr. ponemon consults with leading multinational organizations on global privacy management programs. he has extensive knowledge of regulatory frameworks and
7:47 am
cybersecurity including financial services, health care, pharmaceutical, telecom and internet. dr. ponemon earned his master's degree from harvard and ph.d at union college in schenectady, new york. he also attended the doctoral program at carnegie mellon university. we welcome you all and look forward to your expert testimony. mr. kennedy, will you lead us off? >> thank you, mr. chairman. good morning to everybody in the house science and technology committee, to the honorable mr. smith as both ranking member, ms. johnson but it's great to see you folks again as with all of the other ranking members here today. i appreciate your time to hear us discuss the issues with the healthcare.gov security concerns as well as the consequences around the stolen identities. what i want to start off with is to me this is not a political issue. i take no political party stands. i have no particular. for me personally this is a security issue. working in the security industry for over 14 years as well as spending a
7:48 am
number of years in iraq and afghanistan my testimony today is to talk about the issues with security, and that's it. when i talk about the issues we see today its base of expertise of working in the industry doing assessments on a regular basis, in a chief security officer for a number of years as well as running my own company. i'm not alone. the mention of the document that was released yesterday at seven independent security researchers that are well known, including a number of folks that have worked for the chinese government, to train with the chinese government as was work close with a united states. today is not to talk about a political party problems with the but also to discuss just security issues alone. i'd like to give thanks to kevin mitnick, chris gates, eric smith, kevin johnson for providing their testimony, or the comments on the issues we see today. we are pretty unified in our approach. everybody that i shared with, i
7:49 am
put nondisclosure agreements and work with them come on a consistent feedback we got was that healthcare.gov is not secure today. nothing has changed since the november 19 testimony. it's even worse. additional security researchers have come into play providing additional research, additional findings that we can tell that the website is not getting any better. since the november 19 testimony, there's only been one half of a vulnerability that we discovered that has been addressed or close to being mitigated. basically they get a lucrative work on and it's still vulnerable today. i wanted a disclaimer, in no way, shape, or form do we perform any hacking on the website. that's a misnomer. we look at the site from a health perspective, not attacking the reform, not sending data to the cyber really looking at the health of the. another analogy, same expertise
7:50 am
was being investigated industry, it wasn't anywhere near doing anything security related and i was the person that was a mechanic. 14 years of being a mechanic at a car drove past me that was leaking oil, the engine was making sounds. basically a lot of problems, the doors are open, windows are open and everything else. as a mechanic i could probably say the engine probably has some issues. same thing with technology and web application. web applications are no different than a car with an engine problem. there's a lot of pieces that make the car work, to make a website work. from our testimony here today as well as what we discovered in the previous past there's a number of issues that are still there today with the website. to put in perspective i would like to put for the record there wasn't 70-110 million cards taken from target. that's not acted. there were 70-110 million personal pieces of information taken about individual people that shop at target. there were 40 million credit
7:51 am
cards taken to the issue with target isn't specifically around credit card. personal -- the information can be debited i.t. architect you are not liable as a consumer. what you can't fix is your personal identity. look at target for example, that includes addresses, e-mail addresses, phone, e-mails. that doesn't include social security numbers. just admit independent security person get targeted yesterday. this is the click the link get hacked the computer and took full control of the. the personal information about social security numbers, first name, last name, home of record, those are all a recipe for disaster when it comes to what we see from personal information being stolen. it's not just that. as an attacker if i have access to
7:52 am
the united states infrastructure, it has integration through the irs, dhs, third party providers as well for credit checks. i have access to those agencies inevitably in and klier online profile, immediate and all online presence. this isn't just healthcare.gov alone. i'm not trying to single out tonight a little bit i'm focusing on a much larger issue which is security in the federal government alone is added that state. we need to work together to fix it and work on more changes. thank you. >> thank you, mr. kennedy. mr. krush. >> chairman smith, ranking member johnson, and members of the committee, thank you for this opportunity to testify on important topic of cybersecurity. i am waylon krush, founder and ceo of lunarline, one of the fastest-growing cybersecurity companies. also i'm the founder of the cyber warrior program. as stated earlier. i've been asked to speak on cybersecurity day as relates to
7:53 am
healthcare.gov and just listening to music in the eye has some very simple points i want to make right away. first of all, none of us here built healthcare.gov. if we are not actively doing, not a path to vote early, but an active for the assessment and doing penetrations and running that exploitable code on healthcare.gov, we can only speculate whether or not those will work. so anything that's been said thus far if were talking about any type of site can just identifying a vulnerability and the actual working on the site, no nanoparticles work in the background, what -- how each one on lockdown, nobody here at this table can tell you that they know there is a vulnerability. another thing i would like to talk about today is in the federal government, something different we have is
7:54 am
something called risk management framework. this committee has helped develop that and i will tell you that is one of the most rigorous processes as relates to cybersecurity and privacy in the entire world. when i say the entire world, most security standards are just a subset of the risk management framework. it's one of this area some security into a perspective that has been taken to build other security standards or basically copy, cut and paste a great new security standards to this is a six step process but it includes a categorization, selection, implementation, validation. authorization and most importantly continuing monitoring of all of the controls. just looking at it you might think there's about 360 controls, 853 provisions to when you dig deeper there's several thousand information controls
7:55 am
that our federal information systems must undergo, including they must be continuously testing. another point i would like to make is that if anybody here is actually, went out to these websites, and i'm not talking about hacking, but if we extract addresses configured in anything outside the bounds of what's allowed in the federal government, you're basically breaking the law. you can't just go out and say i found this vulnerability and then exploited to try to get media attention or anything like that but if you do that you are breaking the law. it's pretty simple. last but not least, healthcare.gov is one of many hundred or thousands of federal information systems out there and websites. and you know, i've worked in the threat area. i can tell you my background is not only a soldier that was on the u.s. army information
7:56 am
operations raid team complete teams, information security monitoring team, protocol analysis, signals analysis and including working in critical infrastructure protection for a few years, all across the world, if you go out until someone, and this is just the truth when were out actively taking down websites, i can sit here all day and speculate about a vulnerability. but until i've actually exploited the vulnerability, there's no way to tell whether the attack will actually work. there's a lot more going on in the background that everybody needs to understand. another note, and last but not least, about healthcare.gov that everyone needs to understand, is that with all of the media attention it is only giving you think the most high payoff target and the federal government. you would think that healthcare.gov is something that everybody would want to go after. that is truly not, that is media spin if anything. healthcare.gov is one of many websites that has personal information in it.
7:57 am
it's connected to other systems, but think it is in a connected record all the systems and that leaves them vulnerable also shows kind of a lack of knowledge of the backend system capability, meaning those connections are very secure and they're authorized on both sides. i've been lucky enough to work with cms and hhs on cybersecurity configuration. out of everybody here at least at this table i probably have the most hands-on knowledge, but i can't come here and just speculate about what is actually vulnerable to the system and what is not. the truth is, once on the threats i, as we've seen in the eu can probably tell that healthcare.gov is not the one getting attacked. most cybercriminals, especially those with advanced capabilities, they go where the money is, right? they will go after the target, and median market, then go after the places that contain lots of data related to intellectual property.
7:58 am
because it just makes sense, right? if the u.s. government spends billions on our research and development, and we don't protect it, and some other country takes that, you just saved them billions of dollars. thank you. >> thank you, mr. krush. mr. gregg. >> thank you, chairman smith, and thank you, ranking member johnson, members of the committee for having me here today. my name is michael gregg, i'm going to break down my speech into three parts, my presentation. first, how healthcare.gov could potentially be hacked. why healthcare.gov needs independent review by third parties. and also what would be the result of this, what could be the potential impact. my concern is that healthcare.gov is a major target potentially for hackers looking to steal not only personal identities but also information that could be used to steal their identity. although i understand healthcare.gov does not store the information, it passes that information back and forth between third party, government
7:59 am
and other organizations. there are many different ways that that site could be hacked. there are some prominent ones, these are the same ones listed by prominent websites, could be things like cross site scripting, injection, could be buffer overflow. there are many different ways this could be done. while that sounds warned to many of you, fact is these are known attacks, they're used against known sites everyday from target to neiman marcus to google, to many others. some of the things that concern me, in the past we've seen the 834 data. data that is passed the backend to the insurance companies. we've seen and we've heard reports this information being corrupted and not being correct when it is being received. that indicates at some point the data is not being handled correctly. all input data, all process data, all output data has to be correct. if not there's some type of
8:00 am
problem meaning that it is not being properly parsed. that same type of situation could lead to an attacker put in some type of data and misusing that in some way or launching an attack.
