tv   Key Capitol Hill Hearings  CSPAN  January 17, 2014 8:00am-10:01am EST

8:00 am
problem meaning that it is not being properly parsed. that same type of situation could lead to an attacker put in some type of data and misusing that in some way or launching an attack.
8:01 am
>> to think that healthcare.gov could be built so quickly and then secured, to me, is very hard to believe. when we have a web site to be reviewed, typically we start at the very beginning before the site is actually developed. we do things as far as audits, we do vulnerability assessments, also pen testing. all three of these things are required to actually look at and examine the site. pen testing's a very important part of this process, because pen testing means we're looking at the site the same way the attacker would, we're seeing what would the attacker see, what could they use, what could they do with this, and how could they leverage this potentially for attack. i don't believe those types of assessments have been done to this day and have been properly completed. so what's been reported currently is that when we see with healthcare.gov that they are running weekly assessments, they are potentially patching the site. but a lot of that activity we're talking about is reactive in nature. that means when we're finding a problem, we're actually fixing it. that doesn't mean we've gone out
8:02 am
and found all possible problems or all potential ways that an attacker may leverage that and get access to the site. some might argue that if healthcare.gov is actually vulnerable, why hasn't it been attacked? we've seen that attackers have the fortitude, also the patience to wait til the right time. look at target. did they attack immediately? no. they waited until the right time and the right moment to actually do this. this could be the same thing. they're going to wait until after march, they're going to wait until the deadline, until there's a trove of information for them to go after, then they're going to target it. so what could be the impact on consumers? potentially, reduced credit ratings, increased difficulty getting loans, criminal issues, emotional impact, it also could be very damaging as far as medical information that could be lost. could be potentially people don't get hired for a job, they get the wrong treatment because someone else has obtained
8:03 am
treatment under their name for some other type of disease or problem that they didn't have. it could be potentially them being denied an application or job for some reason. and in closing, i'd just like to say this: when our organization builds applications, we build everybody together. we bring the end users, the developers, the security professionals to make sure the site is secure and security can be built in from the very beginning. i do not believe that's been done in this case. hacking today is big business. it's no longer the lone hacker, the individual in their basement. today it's organized crime, it's very large groups potentially out of places like russia and eastern europe. we can fix these problems, but for these problems to be fixed means that we need an external assessment of this site by independent third parties. thank you very much for your time. >> thank you, mr. gregg. dr. ponemon. >> thank you, mr. chairman, and thank you for inviting me. first, let me just start off by saying that i am the research wonk to this panel.
8:04 am
these people are absolutely brilliant, and they understand the technical aspects and the security issues. what i'd like to do is talk about the consequences of identity theft and medical identity theft. that's really my focus, and the basis of my comment is research that my institute conducts. and sometimes, by the way, they call my institute the pokemon institute. i understand the purpose of my testimony is understanding the potentially devastating consequences of a data breach to individuals, to households and society as a whole. for more than a decade we have studied the consequences of data breach through extensive consumer studies as well as benchmark research on the privacy and data protection practices of companies in the private and public sectors. in the area of health care, we have conducted four annual studies on medical identity theft and patient privacy and security protections within hospitals and clinics.
8:05 am
we also surveyed consumers on their perceptions about the organizations they trust, they trust most to protect their privacy. among u.s. federal government sector, for example, we are pleased to report some good news, that the usps, the postal service, gets very high marks for trust. another, this might be a little surprising, the irs actually is trusted for privacy. not for anything else. no, i'm just joking. [laughter] but definitely for privacy practices. as well as the veterans administration, and they were a bad guy, right? you might remember they lost a lot of data. i'm a veteran, i was on that list of 26, what was it, 26 million? but they've turned things around, and they're trusted for privacy. so today i've been asked to testify about the possibility of like identity theft on the healthcare.gov web site and the potential consequences to the american public. identity theft and medical identity theft are not victimless crimes and affect those who are most vulnerable in
8:06 am
our society such as the ill, the elderly and the poor. so beyond doing these numerous research studies that i just mentioned, this is an issue that really struck home for me. last year my mother, she's 88 years old, she lives alone in tucson, arizona, and she suffered from a stroke. she was rushed to a hospital and admitted immediately, and unbeknownst to her, an identity thief was on the premises and made photocopies of her driver's license, debit cards and credit cards that were in her purse. by the way, she also has all the passwords, everything in a little post-it note in her purse as well. she doesn't listen to me, that's the problem. the thief was able to wipe out her bank account, and there were charges on her credit card and debit card amounting to thousands and thousands of dollars. in addition to dealing with her serious health issues, she had to cope with stress of recovering her losses and worry about more threats to her finances and medical records. the situation with my mom in the hospital and those who are
8:07 am
sharing personal information on healthcare.gov are not dissimilar. let me explain. my mother had a reasonable expectation that personal information she had in her wallet would not be stolen, especially by a hospital employee. and those who visit and enroll in healthcare.gov have an expectation that people who are helping them purchase health insurance will not steal their identity. they also have a reasonable expectation that all necessary security safeguards are in place to prevent cyber attackers or malicious insiders from seizing their personal data. now, in my opinion, the controversy regarding security of the healthcare.gov web site is both a technical issue as we heard from these gentlemen, but it's also an emotional issue. in short, security controls alone will not ease the public's concern about the safety and privacy of their personal information. based on our research, regaining the public's trust will be essential to the ultimate
8:08 am
acceptance and success of this initiative. so following are some key facts that we learned from our consumer research over the more than decade of doing these kinds of studies. first, the public has, actually, a higher expectation that their data will be protected when they're dealing with government sites than commercial sites. in other words, when i'm going to the veterans administration, i have a higher expectation of privacy whether it's rational or not, that's basically what we see. second, the loss of one's identity can destroy a person's wealth and reputation and in some cases their health. further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for americans to procure goods and services. third, medical identity theft negatively impacts the most vulnerable people in our nation. beyond financial consequences, the contamination of health records caused by imposters can result in health misdiagnoses
8:09 am
and in extreme cases could be fatal. because there are no credit reports to track medical identity theft, it is nearly impossible to know if you've become a victim. so what's the solution? let me just give you three ideas. first, on the trust issue, let's think about accountability. it's important to demonstrate accountability, and the best way to do that, in my opinion, is rigorous adherence to high standards. and i think we mentioned nist. nist is a great standard, but very high standards above the bar and showing the american people that this particular web site or any web site that collects sensitive personal information is meeting or exceeding that standard. number two is ownership. what i'd like to see is the chief information security officer is your chief executive officer, you know? that's good news when the ceo steps up to the plate and does what needs to be done. and in this case, i would love to see our president take ownership for the web site and ensure the good security and privacy practices are met as a
8:10 am
priority not just on healthcare.gov, but across the board. and third is verification. now, i'm an auditor. i have to admit this, i'm a little bit biased. or i used to be an auditor at pricewaterhousecoopers. we can say we're doing all these things, but having a third party expert telling us we are meeting and exceeding the standards is a very good idea and a noble idea. with that being said, i think i'm actually the first person concluding giving you some time back on the clock. >> well -- [laughter] >> oh, no. >> not exactly. >> i wasn't watching the time, i'm sorry. [laughter] >> thank you. appreciate your testimony. i'll recognize myself for questions, let me direct my first one to mr. kennedy. mr. kennedy, the administration maintains there has not been a successful security attack on healthcare.gov. is that an accurate statement? >> thank you, mr. chairman. basically, what we know for the
8:11 am
monitoring capabilities within the healthcare.gov infrastructure is as of november 17th, they had not had the capabilities to even detect a national attack. they also stated they detected 32 attacks overall, however, if you have no monitoring capabilities period, how are you detecting the attacks that are happening? the statement's accurate because they don't know the attacks that are occurring. in addition, the chief information security officer from hhs also said that i would say the healthcare.gov web site did not follow best practices. so as a testament to mr. krush's testimony, the 80053 practices did not meet -- >> okay. mr. gregg? >> i'm sorry, mr. krush, you can get time from someone else. i'd like to ask a question of mr. gregg. do you agree with the assessment by mr. kennedy that they don't have the capability? and you did have officials in november say there were 16, i
8:12 am
think, security breaches or incidents and then 32 in december. are those figures plausible, and where do they get 'em? >> well, they're potentially plausible if they either weren't monitoring or didn't pick up the attacks. for most of the sites we look at in companies we work with, we see anywhere from hundreds potentially, you know, a thousand or more hits a day. a lot of that stuff is scripted, but for a number to be that low i would either think, one, they're not detecting it or, two, their detection capability is not correct. >> okay. thank you, mr. gregg. dr. ponemon, do the breach notification standards for obamacare even meet the minimal standards put in place for the private sector? >> i think the private sector for the most part has -- and it does vary quite a bit. there are industry standards, for example, that actually, i think, are much higher than the standards we see in the government. but nist, for example, and the need to comply with certain standards like, for example,
8:13 am
around cloud computing, there are standards that exist that are actually fairly reasonable. for the most part, though, i think if you're looking for best practices, you probably would be looking at industry versus government. >> okay, thank you. mr. kennedy, another question for you, is mr. krush right in what he said in his oral testimony, that reconnaissance of healthcare.gov is not sufficient to raise concerns about the web site's security? >> thank you, mr. chairman. i'd like to address that direct on which would be passive reconnaissance, you have the ability to enumerate exposures and vulnerabilities. any tester that's been in the industry for a number of years would be able to collaborate that. in fact, all seven of the security researchers also said the same exact thing, that the web site itself is vulnerable. these are actual exposures that are on the web site today that could lead to personal information being exposed as well as other critical flaws of attacking individual people just by visiting the web site. so to answer your question, you know, by doing passive
8:14 am
reconnaissance, you can absolutely identify exposures, there's techniques out there without actually attacking the site for doing it, and i would question that, you know, the other seven security researchers that looked at the same type of research came to the same exact conclusion as myself. >> okay. thank you, mr. kennedy. mr. krush, i do have a question for you. apparently, you have contracts with a company that does work for cms. is that accurate? >> that is accurate. >> and then how much -- what is the amount of those contracts both past and present? >> um, i actually don't know that off the top of my head. but i -- >> okay. i think -- >> tens of millions of dollars of contracts in the federal government right now. >> right. so you have tens of millions of dollars of business cms directly or indirectly. >> not cms -- >> a company that does work for cms. >> no. those amounts are very high. i'm talking across the government. i just don't know specifically with cms. that's why i can talk from a technical perspective on some of the --
8:15 am
>> is it true that your testimony you filed i think it's 1.5 million that you do have -- >> okay, that sounds good. >> if you'll take my word for it. >> yep. >> in that case, isn't it natural that we might suspect that your testimony is a result of your being paid by, directly or indirectly by cms, and here you're not going to actually testify against them if you're getting $1.5 million worth of contracts with them. isn't that a reasonable -- >> well, chairman smith, as it relates to cms, if you look at the gao docket, i actually have a protest in with them. on the contracting side, me and cms are not merely best of friends. >> but you're still -- i know what you're, i know what you'd rather be talking about, but it still seems to me $1.5 million or more in contracts does, perhaps, influence your testimony. that's all i have to say on that. my time is up, and the gentlewoman from texas is recognized for her questions. >> thank you very much. very interesting hearing.
8:16 am
mr. krush, you were cut off earlier when you were going to make a comment on mr. kennedy's testimony. would you like to make that now? >> i actually have a few here so just across the board, um, earlier mr. gregg talked to the fact that, you know, the healthcare.gov didn't implement what we call fips199 and 200. just to clarify what that is, fips199 requires you to categorize an information system in accordance with the confidentiality, integrity and availability of an information system. we know that that was completed because there was a letter from ms. tavenner out as part of the authorization process. 200 is the baseline controls. we also know that was completed because they had an ato letter that specified some of the vulnerabilities and what actually the process dealing with the healthcare.gov was. so i just wanted to talk to that
8:17 am
point. and, you know, talking about also waiting from target's perspective, waiting until, you know, a certain time to act. i don't think any of us here have also worked on the target.com web site or the back end data base, and i would tell you that a lot of the advanced attackers, you know, unless you've done the forensic sampling and you've actually picked up the crumbs, you don't know when they actually attacked. and i think that's under investigation right now. healthcare.gov, seems that mr. kennedy brought up the point there was no security operations centers. some of those million dollars that have been allocated to my company was actually related to those early on. there's two centers within hhs you might want to know of. they have a centralized one which does monitoring of the entire enterprise. and on top of that, cms has its own security operations centers, and i can tell you from a technology perspective, some of the technologies they've
8:18 am
implemented is, you know, topnotch. it's what you would expect in a top tier security operation center in the u.s. federal government. >> thank you. according to mr. gregg's testimony that in this site is a major target and, but the attacks won't be accurate or of interest or of a value until after march, what do you anticipate that march will bring? >> nothing. um, you know, the truth is when it comes to march, if an attacker wants something off the site, they are going to continuously do whatever they can to gain access. i think one of things that was also said is that, you know, there are a certain number of incidents, and those numbers do sound low, but once again everybody here, none of us have worked in the security operations center which does exist within cms, and we -- so
8:19 am
we don't necessarily know what the escalation requirements are. so, for example, most government web sites literally are enumerated passively, meaning -- and this is still considered an incident via dhs -- if you go through and you do scans on a web site meaning that you're looking for open ports, protocols and services, that is considered an incident. now, does every organization report those? no, because you'd have hundreds of thousands of reports a day. however, you know, some of the -- i got a call last night from, actually, a news reporter, and they called me up to talk about mr. kennedy's um, you know, analysis he had done on the web site. and i just want to be clear that, you know, if him and his security researchers actually did go to a .gov, they did pull data in an unauthorized manner, then that is a significant issue. i was also, you know, i went to the course hill i was in the military for the fbi, and i can
8:20 am
tell you that's of grave concern to us, when anybody goes out to a federal government web site without permission and is actually passively enumerating, then executing something to pull data off that web site. >> thank you very much. dr. ponemon, for my last, you indicated that your mother had this incident happen with her identity. what about that stolen information affected her health care? >> you know, in the case of my mom, she would fall into the category of an identity, she's an identity theft victim but not a medical identity theft victim. because really her med -- medical records were not exposed. so that would be a different crime, and thank goodness she's not a medical identity theft victim because that's bad news. it's really hard. >> thank you. >> thank you. >> my time has expired, but i hope someone will ask the value of someone having hacked the
8:21 am
healthcare.gov. >> yeah, okay. thank you, ms. johnson. mr. hall has said that because mr. broun has a time commitment that is almost immediate, he is going to allow mr. broun to go ahead of him in the questioning, so the gentleman -- mr. broun is recognized. >> thank you, mr. chairman, thank you, mr. hall, for giving me this opportunity. it has come to the oversight committee, subcommittee of this committee's attention that there is or at least was an affordable care act information technology exchange's steering committee chaired by senior white house officials established back in may 2012. almost a year and a half before the rollout of healthcare.gov. the white house steering committee's charter explicitly directed the formulation of a working group, working groups including one on security. it also turns out that a chairman of this obamacare web
8:22 am
site steering committee is the u.s. chief technology officer in the white house science office who also happens to be the immediate past cto of the department of health and human services. upon learning this, i as chairman of the oversight subcommittee along with the full committee chairman, mr. smith, and research and technology subcommittee chairman, dr. bucshon, sent a letter to the white house requesting that mr. todd park, u.s. cto and healthcare.gov's steering committee chairman make himself available to the committee to answer questions regarding the security issues with healthcare.gov. by january 10th, last friday. the white house has ignored that letter that the committees request until just yesterday when it provided a last minute response that rebuffed this
8:23 am
committee. let me repeat, rebuffed this committee. that letter did not come from the senate-confirmed president's science adviser to whom the letter was addressed, but from the politically-appointed ostp legislative affairs director. my question for the panel simply is this: don't the american people deserve answers from those who are in charge of overseeing the implementation of the obamacare web site's security protocol? after all, mr. park is the assistant to the president. as the chief technology officer of the united states and the chair of healthcare.gov's steering committee, wouldn't mr. park -- or shouldn't he -- know and be involved in the security details of the web site? starting with mr. kennedy. >> thank you, sir. when you look at a web site and its security, there is multiple people that need to be involved
8:24 am
to understand the progress of it. i would agree with your assessment that there should be some involvement in that case. in addition, i'd also like to clarify that the amount of information that we're getting around these security exposures to the web site has actually been vast. you had the chief information security officer from hhs saying it didn't follow best practices, a number of other individuals saying the security operation center hadn't been started yet, you have healthcare.gov infrastructure which was started completely independent of hhs being part of that. so this is a mismanaged issue. i don't understand how we're still discussing whether or not the web site is insecure or not. it is. there's no question about that. >> it is insecure. >> it is insecure, absolutely, 100%. there's no questioning that. people from hhs have said that. it's not a question of whether or not it's insecure, it's what we need to do to fix it. and just to point to mr. krush's point, he also said to reuters which is the article he also mentioned earlier, krush said he has not reviewed kennedy's findings or done any work on
8:25 am
healthcare.gov's site itself. this is all pure speculation, hogwash, and personally, it seems to be politically biased, unfortunately. >> thank you, mr. kennedy. appreciate your long answer, but this is actually a yes or no answer, mr. krush. do the american people deserve to know? >> yes. >> okay. mr. gregg? >> yes, they do. however, i'd like to add i understand the nist process and others quite well. i co-authored a book on it, also taught a course on accreditation. a scan is not passive, a scan is active. but, yes, they do deserve an answer on this. >> doctor? >> ditto, yes. >> well, i agree. the answer is, yes. i'm very disappointed with the administration. we've asked for information. the american people deserve to have that information, and i'll do everything that we can to try to get mr. park to give us that information or the
8:26 am
administration. mr. chairman, my time's run out, so i yield back. >> okay. thank you, dr. broun. the gentlewoman from -- [inaudible], ms. edwards, is recognized. >> mr. kennedy, do you have any federal contracts for security? any? >> as of right now, no. >> have you had? >> yes, i have. >> and what were they? >> working for the federal government? >> yes. central security contracts. >> yes. >> what were they? >> i'd be happy to disclose those -- >> i'd appreciate in writing, if you would. >> sure. >> if you would tell us the federal contracts that you've had in dealing with information security in the areas that you claim to be -- >> i would be happy to write that -- >> and, mr. krush, i just want to ask you really briefly if you could tell us the security standards, compare those that are used for the federal government as to the private sector. you've alluded to that a bit, if you could just very quickly -- >> sure. so one thing to understand, um, and just to go back to
8:27 am
mr. gregg, you know, i've also written, co-authored a book on we've taken over 10,000 pages of information from the national institute of standards and technology, the department of defense instructions, the intelligence community directives and also, you know, some of the sat programs and consolidated that, and that book's actually used in places such as syracuse university to teach people who want to understand this very rigorous federal process. i'm also a co-author of nist special publication 853 alpha, the process where we actually do the assessments per se. so -- >> i trust your expertise. i just want to know the rigor or the standards for the federal government compared to the private sector. >> sure, so that's a great question, ms. edwards. one of the things to understand is the 853 starting at revision 2 and we're now up to revision 4 integrated all of the commercial standards. at rev 3 so meaning, you know,
8:28 am
the most iso, carnegie mellon, a lot of organizations that had kind of best practices out there, they were integrated into that revision. by revision four we've actually integrated the department of defense standards, the intelligence community standards, also a lot of standards that are kind of outside the realm, they're threat-based. most, as you'll find, most auditing organizations don't look for those. >> so are -- >> rigor compared from a commercial organization to what you'll get in the government, and i've worked on both sides. 50 percent of my contracts are with fortune 50 and 100 companies, so i can tell you depth and rigor that you implement on a federal information system, as it should be, is just much more intense than what you see in the commercial markets. >> and is healthcare.gov, is the rigor attached to healthcare.gov any different from any of these other federal systems that you've indicated? >> no. this process is the same across the u.s. government. >> thank you. so i wonder if the standards that you described are above,
8:29 am
and i think you said this, are above those that you would find in the commercial sector. >> i would say, yes. >> thank you. mr. gregg, you mentioned some information as speculation about medical records vis-a-vis healthcare.gov. are you aware of any medical record that is maintained on healthcare.gov? >> no. the information is simply passed through. >> exactly. no, there is -- is there any medical record, personal medical record contained on healthcare.gov? >> no. >> thank you. and then, dr. ponemon, just out of curiosity, you talked about your mother's experience which just sounds really horrible. but she didn't experience identity theft through healthcare.gov, isn't that correct? >> absolutely not. >> right. thank you. >> thank you. >> i just wonder, mr. krush, if you could help me, if you will.
8:30 am
of the experience that you've had in developing and working on federal information systems, is it your conclusion that you would feel safe in putting your personal information through healthcare.gov? >> ms. edwards, i've actually put that in my testimony. i would put my personal information on healthcare.gov. i've said this more than once and, you know, i continue to stand by that. >> thank you. and, mr. kennedy, lastly i want to go back to your federal work. i mean, that i can find disclosed, i know that you got a small business loan from the small business administration for, quote, businesses that do not qualify for credit in the open market. again, what is the other federal security work that you've done? >> i'd be happy to disclose that in written testimony. >> can you just give me an example -- >> i would need to get permission from my customer. should i disclose my customer information to you? >> what i would like to do, i'll write you a letter.
8:31 am
your financial disclosure that you've submitted in this record requires that. did you put that in your financial disclosure? >> no. no, i -- listen, my experience -- no, the question you asked me was did i have federal experience -- >> it's my time, mr. kennedy. >> yes, ma'am. >> did you put that financial disclosure information in the record as required by our committee? >> i'm not required to put that in there. >> thank you very much. >> thank you. >> it's not on behalf of -- [inaudible] thank you. >> thank you, ms. edwards. the gentleman from texas is recognized for his questions. >> thank you, mr. chairman. so mr. gregg, i ask you this question, could a security breach of healthcare.gov result in people's medical files being accessed? >> yes, sir, it could. the information could be accessed, and then the real damage would come afterwards, how that information could be used. it could be used potentially to
8:32 am
gain information of financial data, it could be used for identity theft, it could be misused many different ways, and that damage, as mr. kennedy alluded to earlier, is not just something as simple as replacing a credit card. this can be long term, very damaging to an individual. >> now, there was a recent gao report that documented that there was 111% increase in federal agency data breaches in the past three years. specifically, the gao reported incidents revealing sensitive personal information since 2012 up from 10,000 in 2009. interestingly enough, the centers for medicare and medicaid services, the healthcare.gov operator, had the second most breaches in the report for fy-2012. mr. krush just said that the hackers are going where the money is.
8:33 am
and not necessarily interested in these government sites. but yet we see a substantial increase in the number of incidents that are happening. can we -- what can, mr. kennedy, what can -- do you agree with mr. krush, that people really aren't interested in these government sites, or what's your opinion on this? >> thank you, sir. i do not agree with mr. krush's testimony. i believe the hackers move where the money is, and there is a lot of money on the personal information side as well as other government agencies that would love to do demise to us having direct access into dhs, irs is a treasure-trove for additional attackers out there. there's a lot of money for the organized crime, there's a lot of money for what we call state-sponsored attacks. there's plenty of money to be had. >> what would, if i go to a government site and i'm a hacker, what are the treasures out there that i'm going to
8:34 am
glean that's going to help me do whatever bad thing is i have in mind? >> sure. i think that question depends purely on the motivation of the attacker. you have three criteria, your average black hat who may be politically motivated, organized crime which is specifically looking for monetary value or persistent access into organizations, there's also a huge black market for what we call carders. selling compromised infrastructures, organizations is a huge market. if i can say, hey, i compromised government x, i can sell that to a hacker for thousands of dollars to make a buck off of it. then you have the state-sponsored element which is other government entities attacking the infrastructure in order to infiltrate, gain access and intelligence on us, and that's a huge business right now. we see it, obviously, happening off multiple different government entities as well as eastern european countries. >> would you feel comfortable
8:35 am
putting your information on healthcare.gov? >> absolutely not. >> mr. gregg? >> no, sir, i would not. >> dr. ponemon, would you? >> i'm not sure. >> i want to go back to you. one of the things you talked about is you want to talk about the consequences of stolen identity. >> sure. >> yeah. so one of the things i think might be helpful is people that are forced to go to access their health care through government, healthcare.gov, what would you advise them to do? you know, they're going to have to access that. as they're filling out that information, are there some preventive things they can do that would minimize, you know, some of the potential consequences if the system is breached? >> well, obviously, if the site is secure, that's a good step, right? but as an individual, whether we're doing it on healthcare.gov or whether it's a web site like amazon.com, we need to be smart.
8:36 am
we need to understand that our data could be at risk. the bad guys are really smart. for example, we should not be using the same password over and over again, our computer how far the most current version of antivirus or any malware technology. these common sense approaches do make a difference, and that could be across the board. but if you have data that is extremely sensitive and confidential, then basically your guard, your level of concern should go up. and a lot of people don't think about these issues well enough or they don't think that they will become a victim. but as we know with 110 million records here and 90 million records there, everyone, every single person in this room is a victim of some data loss and probably at least had one data breach notification in the last five years. it's a big problem. >> thank you, mr. chairman. i yield back.
8:37 am
>> thank you. the gentlewoman from oregon, ms. bonamici, is recognized for questions. >> thank you, mr. chairman, and thank you to our witnesses for being here today. this hearing is ostensibly about healthcare.gov, but i just want to make a big picture comment that the affordable care act is certainly about more than a web site, it's about an issue of great importance, which is about the availability of health care to all americans. now, when i saw the title of this hearing, i was pretty interested. i actually have a background in consumer protection, used to work at the federal trade commission, have worked on identity theft issues. and i was a little baffled, frankly, about why we're doing this in the context of healthcare.gov and in the science committee. that being said, we all acknowledge that there have been some serious technological problems rolling out the affordable care act. but i'm really concerned that some people listening, our constituents might really be concerned that there are risks involved in enrolling through
8:38 am
the web site that aren't really there. so i want to clarify a couple of things. first of all, i want to make it clear to our constituents that identity theft is already a federal crime, that if someone knowingly commits identity theft, that's a federal crime. if they do it aggravated identity theft, there are enhanced penalties. so i want to make clear that if there is identity theft, that is already against the law. the department of justice prosecutes that, the federal trade commission has civil laws dealing with it. so identity theft is an issue we should be concerned about, but i'm baffled about why we're talking about it in the terms of healthcare.gov. so, mr. krush, i want to ask you a couple of questions. first, i want to acknowledge and thank you for your service to this country. i you said, dr. ponemon, you're a veteran as well. thank you for your service. mr. krush, you talked about how some people are suggesting healthcare.gov is a major target for hackers. based on your background, your
8:39 am
military and cybersecurity background, could you discuss the range of hackers and their different motives and talk about where healthcare.gov is on the scale of high payoff targets? you mentioned this in your testimony, but will you talk about that range just a bit, please? >> yes. actually it's very interesting in that, you know, we're here on the committee of science, space and technology. and i will tell you something, from a high payoff target perspective, especially when you're dealing with advanced attackers, the more a nation -- you know, the nation-sponsored attackers and those even on the criminal organizations, they're after some very specific targets. and, you know, i'm not going to go into those, but i will tell you from a government perspective in all reality if you're looking at the dot.mil and the dot.gov kind of domains, you know, healthcare.gov is not really a huge, high payoff target. space systems, technology related to weapons systems,
8:40 am
intellectual property stores, um, information related to clearances, information related to quite possibly not only personal information on a person, but maybe weaknesses such as relationship issues, where they could be layed on or through blackmail. there's web sites that include information on criminals that are actually part of the court systems. literally, we keep all of this information online now. as you can imagine from an attacker's perspective, you could literally, you know, not delete the paper, but there's ways that you could get into a system and change an outcome of quite possibly, you know, cases or what actually you have done in the past. >> could i -- thank you. thank you so much. i want to follow up a little bit. it's my understanding that we've already established that there aren't medical records on healthcare.gov. and mr. gregg confirmed that in
8:41 am
response to representative edwards' question. do you agree with that, there are no medical records on healthcare.gov? >> correct. those would be at the providers. >> and would you agree that there is more personal information in a federal tax return than there is in a healthcare.gov insurance application? >> i agree. >> mr. kennedy, do you agree with that? >> i do agree. >> mr. gregg? >> i do agree. >> dr. ponemon? >> i agree. >> terrific. so about 80% of people in this country file their tax returns online. mr. krush, do you? >> i do. >> mr. gregg? >> no. >> dr. ponemon, do you file online? >> i'm old-fashioned, no. >> mr. kennedy? >> i'm old-fashioned as well. >> so when you understand that about 80% of the people in this country file their tax returns online, we're talking about security on healthcare.gov when there's more personal information on a tax return. i just want to highlight that,
8:42 am
that we're talking about security on healthcare.gov when the majority of people file their tax returns online. all of you call for third parties to conduct security testing. and the mitre corporation, blue canopy and frontier security have all been doing that for months. in your opinion, are those companies competent to do the work? yes or no. mr. krush? >> yes. >> mr. kennedy? >> yes. >> mr. gregg? >> yes. >> dr. ponemon? >> i only have knowledge of mitre, and the answer is, yes. >> thank you. mr. krush, to be clear, there have been no cases of a person's identity being stolen through healthcare.gov at this point, is that correct? >> that is correct. >> okay. i just wanted to clear that up, because the title of the hearing suggests that one of the consequences of signing up to healthcare.gov is going to be identity theft. so i wanted to clarify that. so my time has expired, thank you, mr. chairman. i yield. >> thank you, ms. bonamici. the chairman emeritus, mr. hall, is recognized for questions. >> thank you, mr. chairman, and
8:43 am
thank you for the hearing and the witnesses. i like old-fashioned people. i don't know why. i'll ask my fellow texan there, mr. gregg, there's been talk about march the 31st, and i think you mentioned since the deadline for open enrollment is not until march the 31st, won't hackers be kind of foolish to exploit the web site now because they'd potentially have the opportunity to retrieve a heck of a lot more information after that day? do they think like that, or is that too -- >> no, sir. they do in many ways look for the big payoff, and as was mentioned off, you know, really cyber crime can be broken down into two areas. one is the individuals looking for military, looking for that type of information. but a big other portion of it today is monetarily driven. we see a lot of that out of places like southeast, eastern europe, we see it out of places like russia.
8:44 am
and those individuals are looking for personal information, they're looking for things that they can make financial payoff from. and to wait until the time was right would very much be to their advantage. while it is true information is not held on healthcare.gov, information is passed through that site that they could potentially manipulate or take advantage of. >> thank you. and i've heard a lot of robs, but given the problems of the web site today, would you say it's highly likely there will be breaches to the health care web site? >> yes, sir, i do believe it is possible or probable that that could happen. >> and once one's occurred, how quickly could experts find out about the breach? >> that all depends. we've seen with ghost net trojan, we've seen in cases like with google and aurora and others, in some instances those organizations didn't know until weeks or months later. >> how quickly should the american people be notified in the event of a breach? >> immediately. >> within hours?
8:45 am
days? week or just right now? >> right now. >> okay, that's pretty clear. once a breach has occurred and people have been notified, what actions should people take? >> immediately start to do things like dr. ponemon mentioned as far as change passwords, change ids, especially notify and talk to your credit card companies, look at your credit card statements, also check your credit rating and look at the credit rating organizations. because many times just like what a period of about a week ago i got an e-mail from amazon that someone tried to open up an account under my name, and i immediately called my credit card provider and found out someone had charged about $5,000 worth of merchandise under my name because someone had stolen my credit card. you immediately need to take action if the credit card company doesn't catch it. >> this is not like target where you can check with your bank
8:46 am
or your credit card company for even suspicious activity or something you think might be happening. i think that's what you're telling me. >> yes, sir, that is correct. >> how do you find out, how did you find out if your social security number, is that the way they got to you? .. >> i would say yes, it should. it's very tough because first you have to contest those charges. if it's related to medical smg
8:47 am
contested under hipaa and other laws than you know access to the records or information because it's not your information so we can be very difficult. >> my time is almost gone. i believe that all of you would agree that while no website can be 100% safe, every precaution needs to be taken to ensure the security. mr. chairman, there are far too many questions surrounding the launch of the health care website, and until these are resolved the security of americans' personal information is going to remain at risk. that's your understanding? is that why we're having this hearing? >> that is exactly correct. >> i thank you for your work and thank you for giving. >> would you yield me the balance of my time? >> i yield the balance of my time today, tomorrow, next week, anytime. >> mr. kennedy, i would like you to re-emphasize the point you made to my question about why the government doesn't know whether it's been hacked or not. that is healthcare.gov. why the government can't state
8:48 am
credibly there have been no successful security attacks. >> yes, sir. as you look at the healthcare.gov infrastructure it was built independently of hhs including security operations entities. contractual language, testimony in front of congress, also states that as well. the security operations center had not been built or implemented, which means they didn't have the security monitoring capabilities to detect the attacks that are being mentioned today. to reemphasize, they don't know. >> they don't know, that's why they can say there hasn't been any. they will not know one way or the other. >> that's correct. >> the gentleman from telephony is recognized. >> thank you, mr. chairman. mr. krush, would you like to respond to that? >> i would love to. we've been talking about all of these supposedly breaches that have been going on related to healthcare.gov. if they couldn't monitor those, how in the world do you have a number?
8:49 am
the number would be zero if there were no capability to actually look at what kind of attacks are coming in. >> thank you very much. mr. gregg, i want to focus on a couple of aspects of your testimony. first you argue that the site, healthcare.gov, needs a third party working to build the system for witnesses. second, you assert medical records are at risk on healthcare.gov annual is the kind damage that can go with medical records. you state revisited in a post, "huffington post," post a quote however the u.s. has some very best minds in the world when it comes to cybersecurity and there's no doubt that healthcare.gov can be fixed if the right people are given the chance to test it. do you still feel that way? >> yes, sir, that's one of the reasons why i'm here today is because i believe with independent third party assessments and the right assessment done we can get to the bottom of this. >> thank you.
8:50 am
were you aware prior to your testimony today that mitre, blue canopy and frontier security were all working on third party verification? >> mitre, yes. the others, no. >> you were unaware that mitre was aware. so i don't understand how, you know, in your testimony used to assert that third party workings were done but you had knowledge that a third party audit was actually being conducted by mitre? >> yes. one article was written before that, was written before that time. and i do not know if mitre has finished the research or not on what the findings are. >> you did raise this question as a third party -- i was led to the impression that third party verification wasn't done. but, in fact, you acknowledge it was being done? >> not at the time of the article. >> but in your testimony you led us to believe, you raise it as a concern, but -- >> you
8:51 am
quoted the article that i said the need to be done. at the time nothing had been done. >> but the testimony you submitted for this committee doesn't acknowledge it. but yet you're telling me you have knowledge of it, that it was being done. your testimony led us to believe it was not being done. >> as of this hearing i do have knowledge. >> okay. but -- >> the time of the article, no. >> very well. dr. ponemon, you talk about the medical records, you know, identity theft, and a lot of your work to show that 95% of the people who commit these sordid deeds are motivated by robin hood motivations. would you explain about that? >> it's a large percentage. i think it's 29 or 30% but it's still pretty significant. a robin hood crime as we defined it in the research is where
8:52 am
someone, for example, has a family member or friend who basically has an illness and they are not insured. and basically they were kind of look the other way, if you will, and allow the persons use their insurance credentials so initial but hospital or a clinic they're getting better treatment than just right off the street. >> common sense would tell me if that's the motivation, what motivates someone to go and steal someone's identity. expanding health care coverage, providing quality coverage for more and more people would reduce this, the likelihood of this sort of crime. >> you have to understand, i think we all deserve good health care. so is basically good good health care, the value of a credential would be meaningless, right, because we all have their credentials. there's no value in stealing someone's credential because everyone is going to have a credential that will give them
8:53 am
reasonable health care. >> if we made this health care website, was very successful and more and more people got enrolled, we would reduce the risk of the misuse of medical records? >> it could work one way or another. it's really hard to determine that. in theory you're right. you could basically say that 29-30%, a robin hood portion of the crime, medical identity theft might actually be nonexistent. >> so we could possibly remove a huge motive for people to try to hack into the system? >> yes, but remember, the value of the medical record is more than just getting the insurance. that's only a very small part of the. there's a lot of information, rich information, and we've done studies, other parts of the world, if you deliver the most valuable piece of information right now on an individual basis, it would be a medical record.
8:54 am
yesterday, fox news, business news did an article on the value of different types of information. medical information in the black market is much, much more valuable than say credit or debit card information or accreditation data. >> thank you very much. >> thank you. >> the gentleman from indiana is recognized for his questions. >> thank you all for being here. it's a fascinating hearing. we had a previous thing which is also very fascinating. we were four for four, no one would get on the website the last time, or three for four this time. in my view this is about the confidence the american people have in their government. and whether or not their government is doing everything they can to protect their privacy. it's not about health care at all. we could be talking about any other website that the federal government has. we know the gao came out and
8:55 am
reported thousands of breaches across government. to argue this website is going to be secure and that nothing is going to happen i think is a false argument. it will be breached. i think from my perspective i was a medical doctor before, i think when you throw in the health care part of it, it becomes very personal to people. i mean, i understand people out there in my district are concerned about the department of defense being hacked. maybe a few people. when you start talking about potential for information that they perceive whether it's real or whether it's perceived is personal information, i think all of us in hearings like this and across government, in the administration, in both political parties need to recognize the fact we need to do whatever we can to regain the confidence of the american people that we are protecting their personal information the
8:56 am
best we can do even though i do recognize the website itself doesn't have it on there, it does have a portal for people who are smart can potentially access that. this is one of the biggest problems in electronic medical records that we have. my medical practice establish an electronic medical record in 2000 by. i love in electronic medical records but there are two issues. there's of course security issues and there's compatibility issues about getting medical information across different types of electronic medical records. i think it's unfortunate that all of you are somewhat subjected to a national discussion about health care, and i appreciate all of you trying to confine your comments to this a good aspects and not the larger national debate about how we provide quality, affordable health care to all our citizens, which is i think ago we all have served as a medical doctor i have. so it doesn't matter if healthcare.gov is a low
8:57 am
propensity targeted by some hackers out there. in the minds of the american people when you mention the health care, this is the biggest target the federal government and the minds whether that's real or perceived, doesn't really make a difference. so mr. krush, i mean, you know, the gao came out with this report as you know in 2012 saying there were 22000 data breaches, 4000 cms alone and you have a relationship with the cms. you have to recognize that we can't make the case that any website is going to be secure to try to make a political argument to prove that the way we are managing health care is the right way to go. that's not the discussion. the discussion is how do we protect information? you would have to agree with the. >> i do agree with it. with the idea that the process that we use, you know, to secure
8:58 am
the data on federal information systems is very rigorous. that's my complete argument here. >> i would agree with it. when it comes to the confidence i know we've discussed third party people out there looking at this. i'll be honest with you, i'm a member of congress, and i have no idea whether there's a third party person out there and there obviously is, looking at this. so our charge is to get that to the american people. whether -- if the american people don't know, and i can do aas a political person trying to get a message across to 700,000 people, it's difficult to that's just 700,000 people. we need to do better getting the information out that there are people that are not in government looking at this to reserve people's personal records. that's my view. mr. kennedy, how do we do that? >> i think if you look at the
8:59 am
broader picture here and not just healthcare.gov but the federal space. end-to-end testing, proactive security measures, things that are outlined as being best practices need to be performed. they are loosely followed. to comply with this month is not necessary every gruesome process. would have to say to that is we have to focus on putting security and the very forefront in the very beginning stages when you hire a contractor or we go after another organization through the entire process of that, healthcare.gov is a prime example of the failing of being able to implement security in a rigorous manner or in a process that includes security throughout the entire lifecycle. you have a better product if you do that. people can stand by and say we're doing a reasonable amount of assurance here, protecting your information, not just kind of flapping and throwing it out there. >> i'd like to say let's all of us work together to regain the confidence of the american people. thank you. >> parliamentary inquiry, mr. chairman. i have a parliamentary inquiry.
9:00 am
>> the gentlewoman is recognized for her parliamentary inquiry. >> tried to get to the committee and house rules require witnesses to submit factually correct financial disclosures formed? >> there are certain limitations of that but within those limitations i think that's the case and i think all of our witnesses have done so today. the gentleman from -- >> mr. chairman? >> the gentlewoman continues to be recognized. >> just want to yield -- >> point of order, mr. chairman. i made the point of order that the witness testified today has not complied with a house committee rules regarding financial disclosure. and under those circumstances i request that the testimony be stricken from the record. i am very -- >> obviously i object to that. i'm afraid the gentleman is not going to make that -- >> i am not finished.
9:01 am
>> well, the -- >> i have been recognized, mr. chairman. >> does the gentlewoman have anything pertinent to say to her inquiry? >> i am very concerned about the testimony we heard from mr. kennedy a moment ago. he has testified on the record that he did not disclose government contracts in his truth in testimony form, that he and his company have received and the committee rules require that witnesses -- filed -- filled out by each witness. on that form, mr. kennedy answered the question saying, not applicable. this means that he did not comply with rules of our committee and as such i ask that he be removed -- >> that is not necessarily -- >> until he accurately and fully discloses the federal grants and contracts that he would indicate he represents have received on or after october 1, 2010. >> mr. kennedy, you want to respond?
9:02 am
>> the question was have i done work in the federal space in the past or currently. the answer to that is him have a trustedsec we did not do work in the public sector or government which is what i disclose in the state and. i have worked for nasa as well as other government agencies in my capacity as a chief security officer as well as my prior role as a security consultant for former entities. so to answer the question and what was submitted i do not do work for the public sector. i'm plenty this is in the private sector keeping everyone protected, thank you. >> thank you, mr. kennedy. i would like to continue our questions. mr. kennedy is recognized. >> thank you, mr. chairman. thank you to the witnesses for being here today. i want to start out by saying i speak -- i know she is testifying i think at this moment or just moments ago. in front of doing on oversight and government reform. her testimony was referenced
9:03 am
about some of her remarks on healthcare.gov, and she just recently said today that the healthcare.gov website is secure based on an assessment. she's did the systems exceeds the best practice to ensure security and is a risk mitigation policies are being implemented and executed as planned. as a result, attacks have been successfully prevented. she recommends a new age you should be given when the current one expires, just to make sure we're all up to date on the current testimony. a couple of points of clarification. mr. kennedy, one of this year supports the aca. i'll leave that up for the gallery to decide. now, i noticed i think in your initial testimony you were nodding your head when mr. krush said in lecture able to dive into the in the workings of the website which is made clear did not act or do anything illegal,
9:04 am
but you would not have any way of knowing in detail what part was available to attack unless you it doesn't. is that accurate? >> we can't tell the inside of healthcare.gov without actually testing it. that is 100% accurate. what we can see are symptoms of a much larger issue. if i can read one of the things i submitted just as an example. you're okay with that? >> go ahead. >> i've worked on dozens of large-scale cases over the last years looking at the root causes. rethink the security issue discovered in healthcare.gov site i can take this is a breach wind happen. these are the exactly an emphasize on the, the kind of security flaws bad guys exploit -- >> mr. toomey, i appreciate that but the point is everything we've heard it it reiterated a number of times here is that we don't know but you don't know, you testified before. hhs doesn't know, it's a concern
9:05 am
but is speculative, right? >> to the underlined portion of healthcare.gov, absolutely. >> thank you. mr. krush, out of your expertise can you give me off the top of your head what you believe to be the biggest data breach? this is something that's common, target, neiman marcus is in the news today. are you aware of others? >> interestingly enough, when it comes to breaches i think target is a perfect example of someone that had the capability to identify a breach. the thing that is of most concern to me is there are a lot of industry and even government organizations that don't have the capability -- >> so, target, neiman marcus in the news. the recall heartland payment system data breach back in 2008? >> yes. >> one hundred reforming credit cards exposed. how about tjx companies in 2006?
9:06 am
94 million credit cards exposed. axel on which exposed e-mails of millions of customers, over 108 different retail chains. rsa security, top notch security for. sony playstation network, over 77 and playstation network accounts exposed. all private sector, yes? >> yes. >> the private sector invest billions of dollars a year trying to protect? >> yes. >> cutting edge in or to defend it, yes? >> yes. >> are you aware how many times the house of representatives has voted to cut funding for repeal the affordable care act in this congress? >> i am not. >> does the number close to 50 seem accurate to you? >> unfortunately, i just don't have -- i can do a risk assessment if you like. >> take my word for. i yield back. >> the gentleman from oklahoma is recognized for his questions. >> thank you, mr. chairman. i appreciate the time to i would
9:07 am
like to start by asking eyewitnesses a question, are you going with troy trenkle? he was the chief information officer for the centers for medicare and medicaid services to his job was to oversee the development of healthcare.gov, and his job was the last thing before launching the website he had a security when he was supposed to sign. do you guys remove any of this by chance? >> he didn't sign it. he refused to sign it and he resigned. his boss, marilyn tavenner, cms administrator who is not the chief information officer who arguably would not be qualified to sign off on a security waiver, she signed it. he didn't, he's qualified. she did, she is not qualified. she's an appointee of the president of the united states. interestingly, our boss, secretary of health and human
9:08 am
services kathleen sebelius testified before congress that she had no idea that a security waiver was supposed to be signed, that it didn't get signed, and that her subordinate, another barack obama appointee signed it. she didn't know. it would seem to me have a qualified person not signing it and having to resign. the administration was not clear about why that person had to resign, namely troy trenkle. in fact, they didn't answer the question why. it would appear, and this gives me concern, that people are making decisions for political reasons, not in the best interest of security of our citizens. and so some of you on this panel are ceos. i think the review, and one leads a research institution. just a quick yes or no answer. in your institution, if this is going on would you guys have an
9:09 am
issue with that? would someone in your organization be fired? we'll start with you, mr. kennedy, go down the road. >> coming from being a chief security officer for a fortune 1000 company, that would be yes. that would raise a concern for me. >> i would just talk to the point that the authorizing official, if it was -- he or she was the one authorizing design for the system, this is actual and other breakdowns in the risk management framework right now. you have what's called -- you usually have the cio or the director that are in charge of media program, an organization, and they are directed as authorizing official. i was a for going to look at one of the weaknesses in the process governmentwide is that chief information procurement officer should be where the buck stops always. right now -- >> so you're acknowledging that she should've cited it was secured and his refusal is a big breach of trust you with the
9:10 am
american people? >> i acknowledge that under -- >> and he resigned -- >> current process allows for the authorizing official to be who ever is directly in charge of the entire information system. so that being said, i think that's a weakness in the process. right now hud chief information secured officer of where it stops. they're supposed to know the system, the city to capability and they're supposed to be the ones that should be responsible what that's not the process we're currently using. >> it was the process of supposed views into the refused and then resigned. going down the line. >> i would also say yes, and i would add to that as we talked about earlier with external third parties looking at this, that's just a piece of it. the other part is those items are actually implemented and their signed off on it. >> it's my turn i suppose. it's a big ethical issues in my opinion. i think key variable is that security of our country and the
9:11 am
citizens of our country should be more than a political issue. issue. >> agreed. >> but i don't think the solution is to have local ciso, people middle level management. it should be a major, major function of this government needs should have a ciso for the entire state is i'll have 30 more seconds but i appreciate your answer and you can submit for the record, but i would like to just say, i'm not going to put this into the record, thank you because i don't want to great in asia on the other side of the aisle but this comes from an article from cbs news dated november 6, 2013. the people watching him have access to advocates on the internet. it's all been disclosed, and i'd like to say finally in my last five seconds, this is exactly why. >> people have lost trust in their american government. this is exactly why the megapipe have lost trust in the government. tragic i yield back.
9:12 am
>> thank you. the gentleman from illinois is recognized for his questions. >> thank you, mr. chairman. thank you all for being here. this is such an important topic and something i'm hearing from my constituents as a traveler to my district, a great concern and wanting answers. i appreciate you being here. i've got a couple of questions. i will address the first one to mr. krush if i could. according to your written testimony you say that based on what you have read publicly thus far, healthcare.gov and a quote healthcare.gov is most likely categorized as a moderate system, referring to the national institute of standards and technology security levels of low, moderate and high. i wonder, is that an appropriate categorization for this kind of personal data that we're talking the shooting of able and accessible through healthcare.gov website including people's medical files? >> socom usually we reserve high for communist, grave danger to national security to the confidentiality, availability
9:13 am
for the most high system, usually to me when something is categorized with the dishes a life or death. so since healthcare.gov is not that, the are some areas where depend on the organizations there's something called organizationally defined parameters. that allows the organization to say if they process, store or review privacy did it allows them to make recommendation to go to hi. what i've read thus far about the second because it actions of the other websites means handing off and away deals with interconnections, it still would be moderate. if one of those interconnections are high, in what they have to do is actually, they do -- had to develop what's called an isam interconnection security agreement. but that requires both sides to do is upgrade on the cybersecurity roles including on how quickly they report any instance speed let me jump in real quick. i would say for my constituents
9:14 am
this is high concern to them and i think for us as well and would agree with my colleagues for a this is in people's lives, and boy, talking about medical care. sounds like life-and-death to me. oftentimes is making sure medical records are protected. i'm going to jump to mr. gregg is there evidence that healthcare.gov needs to enforce data security standards? >> i have not seen that evidence as far as whether not -- so i cannot say on that. >> okay. let me open this up to any others? mr. kennedy, dr. ponemon? let me this open up to you, any document of the national institute of standards and technology provides agencies with the guidance they need to develop and launch websites that are fully and properly secure. should nist's role be expand or increase with any new authority responsibly, specific with regard to healthcare.gov?
9:15 am
would nist best be qualified to certify how what agencies meet their security standards, compliance and should nist review healthcare.gov? start with mr. kennedy. >> i would agree with the but if you look at not just technology, you have the cdc and protection which is really information about diseases and things like that. the same oversight needs to be there for more of a government structure over our security practices inside the government. this is more of a guidance role right now. i think the expansion on this is really to bring more security and integration throughout the whole government, the whole federal government to really build best practices. right now it's intermittent on whether or not they do. so i agree with that, yes. >> other comments or thoughts? >> they currently write the guidelines, the nist distended and technology special publication and also they write different guidance on different types of technologies. i think just understanding from
9:16 am
a risk perspective, if you have one organization that's in charge of the information security for every single government organization, you will never come to the same risk decision. the problem lies in the fact that somebody at hhs is going to know about hhs systems come into security and requirements better than someone, you know, in an office somewhere of the nist. >> my fear is accountability and making sure sometimes, i see, and bureaucracies there's a desire to protect them from a bridge, don't let anybody know. mr. gregg, any thoughts on this? >> no, but i would agree many times this stuff is covered up and it's not released community. we even see with target we get some information yet we didn't get the full picture. >> dr. ponemon, real quick. what are some of the serious consequences that consumers face in the wake of medical identity theft? are the financial consequences in addition to medical consequences? >> in our research we find a
9:17 am
very large percentage of sample suffer some financial consequences, and sometimes it's just staggering but it could be thousands, tens of thousands of dollars. keep in mind that people were at risk are not necessarily wealthy people, people who are low income. we have written on a proportional level it could be a total year, yearly income. basically gone -- the cost associate with cleaning up medical records. >> i think that's my fear is those are most vulnerable are those white on the edge. they don't have anything to fall back on. people with significant resources to. thank you that i appreciate the opportunity and i yield back. >> the gentleman from texas is recognized for his questions. >> thank you. mr. krush, i'll just call you for dinner is the main thing, right? mr. krush, you said i think you are lucky enough to work for the
9:18 am
hhs, or was it cms? >> so, i was fortunate enough to work early on on central office at hhs. i've also provided training, actually related to the risk management framework when we develop online training for cms spent i want to draw attention to the word luck. then later you said get contracts totaling around 10 million? 1 million? >> 1 million. >> okay. >> i would say when i was talking about like i was talking about the individuals that are at central office and are probably some of the most talented cybersecurity people i've met and that's the truth. i've worked with them and their contractors and now they are -- >> you say in working for the cms, i go down, you worked best of friends quote unquote speaks that's correct, with cms. we actually had a recent protest with them, and so -- >> but you have government contracts. you might not invest a friends but you worst enemy is? >> absolutely not.
9:19 am
>> it wasn't maybe a marriage but at that dollar but you might be interested in a long-term relationship. what do you think? >> at those dollar amounts, long-term relationship if it was low bit more, probably. >> i see. you're going to play hard to get. so were you hired on experience and good performance? >> absolutely. >> so you think performance is important? >> absolutely. >> so would you say the performance and rolling out healthcare.gov was sterling or problematic? >> it was problematic. >> very problematic. can you understand how some americans would question the ability of the companies that put together healthcare.gov? >> i can. >> sure it makes sense. so it's no surprise to you that their credibility has been called into question. do you fault us for doing our due diligence to try to protect the american public? >> i do not. >> so you think it's a good thing what we're doing here at?
9:20 am
>> i think that every time, unfortunately, we are as a nation very reactive just like industry. we wait until something big happens before we talk about it. cybersecurity -- >> yes or no, it's a good thing we're doing here because i'm running out of time. >> absolutely. >> i'm glad to hear you say that. mr. kennedy, then do you also think it is a good thing? >> absolutely i do. >> mr. gregg? >> yes, i do. >> doctor? >> yes, i do. >> i'm glad to hear we're finally did something that i is and engages. that's kind of rare for congress. mr. krush, on february 19, 2013, you tweeted don't just worry about china breaking into systems. and then you went on fox news and talk about it. you recall that? >> i don't remember that tweet, but i'm very -- actually i don't tweet that much ago by did one fox news, correct spin you don't
9:21 am
do a lot of tweeting. i looked at it. when you tweeted out doges what about china breaking systems, what do you mean by that? >> actually i think that was probably when a tweeting i just reposted a news article and that was probably just the title. >> but you recognize we have a lot of cybersecurity attacks, our government, like a million a your? >> absolutely. i've helped to develop many security operations centers in the government and industry, and there are organizations possibly knocking at our door and trying to knock it down. >> much i would only attack those military websites. they would never go for healthcare.gov, with a? >> interestingly enough, most organizations, you know, state-sponsored organizations, and i put this in my testimony, they are always looking for jump points. dot gov, .mil mac, et cetera. >> is their level of efficiency low, medium, high? >> very high. >> so we are well advised to warn the american people that
9:22 am
they're going to have information on healthcare.gov that may be spread across the globe? >> you are well advised to want to but in the federal government and even a industry that cybersecurity and privacy absolutely needs to be one of the top priorities. >> i appreciate your understanding that. mr. chairman, i yield back. >> the gentleman from new york is recognized for his questions. >> thank you, mr. chairman. i find it's been about two months and allows meeting, mr. kennedy, welcome back. one of the last witnesses i tend to see, there's times people tried to defend the indefensible, and the best way to defend the indefensible is to confuse the issue and muck it up and raise other things. i've heard and seen some of that today some kind of like to come back here at the end. and remind everyone that all for witnesses the last time, including the democrat witness, testified actually that the website was not secure on october 1. a testified that absolutely the
9:23 am
website was not secure on november 19. we couldn't get agreement as to whether we should shut it down immediately or not, but the testimony indicated that october 1 was a date certain set by the obama administration to launch healthcare.gov. irrespective of whether it was ready, i think the american public know, it was not ready. i think it brings into question if it was a date certain, it wasn't let's launch the website when it's ready to let's launch it when it would do the job to handle the traffic. let's launch it when it is secure. no. it was let's launch it on october 1 because we promised it would be october 1, whether it's ready, whether it's secure, doesn't matter, launch it. and we did. and the american public and watching this hearing can (c)(4) themselves that that was the overriding concern. certain not secure. so here we are today and yes, we
9:24 am
have a different witness that i guess i would ask our witness, mr. krush, what you think the reps i was ready to be launched on october 1 or not works that's kind of a yes or no. >> that is a new. spent do you think it was secure on october 1? >> if you read my testimony and my previous testimony will see that i said the process was followed and a risk-based decision was made. that's why it's called risk management framework and not the no nist risk process. >> so i guess what i come back to here is, you know, there are those today who try to say this is a politicized hearing and so forth, which i don't think it is but i think we are just back to talking to american public who are being told to sign up they must share this delicate information, including social security numbers. i think the fact that target or
9:25 am
neiman marcus happened to have their issues doesn't defend this. two wrongs don't make a right by any stretch of imagination, but i'm trying to point out and remind folks, this website was launched on october 1, for only one reason, political reason. it was not ready. the administration knew it was not ready. if it's not ready, it's not secure. it wasn't secure. we know it wasn't secure. we're being told today to trust the administration, mr. cruise -- mr. krush, usher get a. something happened in the last month or two, it's not secure. i guess i'm not quite ready to accept that just because you say it is so. it doesn't message on a make it so. him on just trying to bring us back to where gore october 1, where we were on november 19, where we are today. and certainly, in talking you through ever witnessed today, mr. kennedy, do you think it is
9:26 am
secure today? >> absolutely not. >> mr. gregg? >> no, i did not. usually there are rolled out into a beta first. >> dr. ponemon, do you believe it is secure today? >> it's hard to tell. these people are the experts, but they so what i'm hearing and as a citizen of this country i'm concerned. i'm not happy with what i'm hearing. >> mr. krush, i'll let you answer that as well. >> i think my testimony and everything i've been seeing here, none of us worked on healthcare.gov. so speculating that it's either secure or not is just not something i'm willing to say. >> so "usa today" you would not state affirmatively to the american public that it is secure? >> based on the information that i've read, a decision was made to there was a mitigation strategy that was very clear. you are doing weekly scans, daily scans, mitigation -- >> i was hoping for a yes or no. >> that's pretty secure.
9:27 am
>> so you're saying yes, it is secure? >> i am stating this on information i have right now i would say it is secure. >> we can have a difference of opinion and i guess i will leave it at that for the american public to make their own decision. mr. chairman, i yield back. >> the gentleman from illinois is recognized for her questions. >> thank you, mr. chair. mr. krush, unlike some of the other witnesses you experience working on the inside, developing countermeasures against potential attacks and ensuring the websites are as secure as possible. is it true that what might appear like a security vulnerability or even a successful exploit from the outside does not actually always result in a security threat? >> that's correct. actually would like to set up honeypots mean we will set up -- we want to know what the attackers are actually doing to our website and the systems. so we set up services that may not have anything to do with the website to find out who is
9:28 am
coming into what they're doing and so that we can then build countermeasures. >> i've also been told that a side street team will leave the appearance of weakness in place of a hacker to waste the time but other times as i understand it, seeming weaknesses are perfectly put in place where a genuine hacker or even a white hacker gets caught trying to penetrate the system and you just said that was true. do you imagine with healthcare.gov that honeypots are in place speak with ms. kelley, because i didn't set up a honeypot i can't speculate on that either but it is a very normal practice and best practice in the government to set up honeypots so that we can understand what our adversaries are external or decisions are trying to gain access to and what types of things they are doing to our websites. >> and lastly, the healthcare.gov website uses remote authentication help
9:29 am
verify that users are who they claim they are to help cut down on medical fraud. these security practices can sometimes make websites clunky and the user interface problematic. can you address this issue for us? is it possible these sorts of kinks and glitches experienced on healthcare.gov were due to its enhanced security measures by any just? >> the great thing about security that if it's done right it won't work. so a lot of times women lockdown system and the federal government if we found everything a security control that's put forward for us, we would turn that box or the system into completely unusable, you know, locked down box me i could log into it as an administrator neither could you. ..
9:30 am
[inaudible conversations] >> thanks for coming. >> internet service providers are gatekeepers and they also likely to cited network or two cited gatekeepers like the heat keeper, somebody on one side and somebody on the other side so the situation then is very similar to the credit card industry so we all have credit cards and there is the credit card company and on the undecided is the restaurant and
9:31 am
is useful for restaurants that we all have credit cards and it is useful for us that all the restaurants will take them, but it is not so useful if the gatekeeper's says some of these restaurants we won't allow them to participate in the system, translating that to the present, if the internet service provider were to say not all but people, putting content on their computers, we don't want all of them to have access to all the users, that is a problem if the gatekeeper behave that way. >> this weekend on c-span a look at the d.c. circuit court ruling on broadband and high-speed internet regulations. saturday morning at 10:00 eastern on c-span2's booktv author gary and examine the speech, the story behind martin luther king jr.'s dream saturday at 3:30 part of three days of programming this holiday weekend and c-span3's american history books that emancipation, reconstruction and race.
9:32 am
atlanta after the civil war sunday morning at 11:00. >> you are watching c-span2 with politics and public affairs weekdays featuring live coverage of the u.s. senate, weeknights watched the public policy events and every weekend latest nonfiction authors and books on booktv, you can see past programs and get our schedules on our web site and join in the conversation on social media sites. we are live at the state department where secretary of state john kerry is about to conduct a joint news conference with his canadian and mexican counterparts, holding talks on the north american free trade agreement which came into law 12 years ago. talks will continue next month in mexico. the news conference scheduled to get underway in a couple minutes, live coverage when it begins. while we wait we will show you remarks from john kerry yesterday on syria. the syrian opposition to attend the conference next week in switzerland aimed at ending
9:33 am
symbol unrest, opposition groups will vote on whether to attend. >> will have an availability tomorrow in the morning when we have our french -- friends from mexico. i will take extra questions to make up for not being able to answer some now. i know that many of you have been asking about some of the recent revisionism as to why the international community will be gathering next week. let me make it clear here today. from the very moment that we
9:34 am
announced the goal of holding the geneva conference on syria, we all agreed that the purpose was specifically and solely to implement the 2012 geneva 1 communique. that purpose, that sole purpose could not have been more clear when it was announced or more clear today, and and the parties signed up to comment and then you have to venue in resolution after resolution. including most recently in paris last weekend when both the london 11 and russian federation reaffirmed their commitment to that objective. the implementation of geneva 1. for anyone seeking to rewrite this history or to muddy the
9:35 am
waters, let me state one more time with the geneva 2, it is about establishing a process essential to the formation of a transition government body governing body with full executive powers established by mutual consent. that process is the only way to bring about an end to the civil war that has triggered one of the planet's most severe humanitarian disasters and which has created a feeding ground for extremism. the syrian people need to be able to determine the future of their country. their voice must be heard. any names put forward for leadership of syria's transition must, according to the terms of geneva 1 and every one of the reiterations of that being the heart and soul of geneva 2, of
9:36 am
those names must be agreed to by both the opposition and the regime. that is the very definition of mutual consent. that means any figure that is deemed unacceptable by either side whether president assad or a member of the opposition cannot be a part of the future. the united nations, the united states, russia and all the countries attending know what this conference is about. after all that was the basis of the u.n. invitation sent individually to each country, restatement of the purpose of implementing geneva 1 and attendance by both sides of the parties can come only with their acceptance of the goals of the conference and we too are deeply concerned about the rise of extremism. the world needs no reminder that
9:37 am
syria has become a magnet for jihadists and extremists. it is the strongest magnet for terror of anyplace today so it defies logic to imagine that those whose brutality created this magnet, how they could never meet syria away from extremism for the better future is beyond any kind of logic or common sense. so on the eve of the syrian opposition coalition, general assembly meeting tomorrow to decide whether to participate in geneva in the peace conference the united states for these reasons urges positive vote. we do so knowing the geneva peace conference is not the end but rather the beginning. the launch of the process, process that is the best opportunity for the opposition to achieve the goals of the syrian people and the revolution and the political solution to
9:38 am
this terrible conflict that has taken many, many, too many lives. we will continue to push in the meantime for vital access for humanitarian assistance. i talked yesterday with russian federation prime minister to push still harder for access to some areas where the regime played games with the convoys taking them around the securities route instead of directly the way the opposition had arranged for and was willing to protect them in. it is important that there be no games played with this process. we will continue to fight for a cease-fire where we could achieve them and we will continue to fight for the exchange or release of captive journalists and aid workers and others in order to improve the climate for negotiations. obviously none of this will be easy. ending a war and stopping
9:39 am
slaughter never is easy. we believe this is the only road that can lead to the place where the civilized world has joined together in an effort to lead the parties to a better outcome and to the syrian people let me reiterate the united states and international community to provide help and support as we did yesterday in kuwait where we pledge $380 million assistance in order to relieve pain and suffering of the refugees. we will continue to stand with the people of syria, writ large. all the people. in an effort to provide them with the dignity in the new syria which they are fighting for. i will be happy to answer questions tomorrow.
9:40 am
[inaudible question] >> that was secretary of state john kerry yesterday speaking on resolving the syrian civil war from the state department. we are once again live from the ben franklin room in the state department today where secretary john kerry is hosting a a joint news conference with his mexican and canadian counterparts. they are holding talks on nafta, the north american free trade agreement which was signed into law 20 years ago during the george bush administration.
9:41 am
[silence] [silence] >> shortly we will join secretary of state john kerry and he will be joined by his mexican and canadian counterparts as they are holding talks today on nafta, the north american free trade agreement. the three are holding a news conference this morning to answer reporters''s questions. coming up on the c-span network
9:42 am
president obama will be delivering remarks and the justice to palmer denouncing changes to government surveillance programs. the president is expected to focus on steps to oversight transparency while leaving the framework of the surveillance programs in place. the president's remarks coming up at 11:00 eastern on our companion network c-span and open our phone lines to take your calls and reaction on twitter and facebook. here are c-span2 we will be live at noon eastern on capitol hill for discussion by the advisory committee looking into the future of the internet following an import court ruling this week by the d.c. circuit court of appeals. now the joint news conference. >> good morning. nice to be here with everybody. particularly delighted to welcome my friends and north american counterparts, secretary
9:43 am
meade and minister baird. happy to have them in washington today. i know was happy to meet bilaterally with a number of times with both the secretary and the minister but this is the first time we have been able to meet all three of us since i became secretary of state and i am grateful to both of them for making the trip here, and i hope as i said to them today to visit their countries, both of them, very soon. during my years in the senate, and certainly since becoming secretary, i have often found myself in absolute awe of how extraordinary this continent really is. while we often wind up traveling to troublespots in the world, the truth is north america is a remarkable, remarkable unity of
9:44 am
three very important and powerful countries that share values and interests and are operating on those values and interests every single day. we are three nations separated by peaceful borders, we are neighbors, partners, and we come together to confront the full range of challenges the we face and believe me, this is something that is not everyday everywhere in the world today. today -- north american nations are promoting democracy and shared values at home and around the globe. we are encouraging daily our cooperation on matters of international peace and security. we work together on non-proliferation, syria, middle east peace, a host of different challenges to our security and also collaborating to address
9:45 am
all of them more effectively than any of us could do alone and that is the power of north america and this relationship. through initiatives like the north america central america security dialogue we are working to improve citizens' security throughout the western hemisphere and beyond and we are reducing the impact of natural disasters, providing assistance in the face of help, humanitarian challenges. we have launched trilateral initiatives like the north american plan for animal and pandemic influenza which was critical during the h1n1 outbreak in 2009 and remains intact today to help us address similar challenges should they arise at any moment. we are taking steps to support economic growth that is inclusive, shared just a few
9:46 am
weeks ago we marked the 20th anniversary of nafta. i think we have learned a couple of important lessons that can help inform the vision of nafta. the first question is free trade works. in a world where economic policy is foreign policy, free-trade is a key ingredient for shared prosperity, shared growth, shared security. every single day the united states does more than $3.4 billion of trade in our nafta partnership. that is about a third of all the trading that we do. it is done between this partnership. more than a trillion dollars of trade a year, $100 billion of trade among, more trade than we engage in with brazil annually, and each month we do more trade
9:47 am
that we engage with in the annual adjusted give you a sense of the vitality of this partnership. over the past 20 years we have opened up a new north american market place. we have integrated supply chains and we imagined entire industries from agriculture to aerospace. today north america is far more than the sum of three economies. it is the collective output of what has become a fully integrated manufacturing center. if you bought a car in mexico it may well have been assembled in canada and contain made in america parts. there are workers putting the finishing touches on aircraft that contain fuselages assembled in mexico and engines built in canada. this kind of economic integration is benefiting all three nations economically and has improved living standards and working conditions across
9:48 am
the board. i will tell you because i was involved in the nafta debate in the united states senate, i remember how intense that debate was. it divided america. we could never really have envisioned even in the best arguments what has happened in those 20 years. the second lesson we can learn from the past couple decades is globalization isn't slowing down any time soon. no matter how much there is some dislocation and we acknowledge there can be, the fact is no political leader, no country can put that genie back in the bottle. when i joined by fellow senators in supporting and ultimately passing nafta, we didn't do it because it was easy. we did it because we believed it was a risk worth taking and it has proven true. nafta was at the vanguard of the interconnected world that we
9:49 am
face today. as i always say, nobody has any way of transforming the realities of this desire of people everywhere to have better jobs, more jobs, more education, more opportunity that comes with that opening up so globalization can be a challenge. it really has meant that our countries have to be more dynamic. we have to be more competitive. we have to be more innovative. that is not always easy but globalization is an enormous opportunity. and if we can take advantage of it as we build on this strong partnership, we believe it will help all of us to provide better opportunity and more security to our citizens. if we want to compete we have to make it even easier to trade, easier for people to invest in our countries. we talked about that this morning. we talked about how we can
9:50 am
improve the transborder movement of goods and people. we talked about how the trans-pacific partnership could particularly have an impact on the global economy and also be enormously beneficial to each of our economies. and if our nations want to compete, the united states, canada and mexico are best approaching these challenges as partners, not as competitors. that includes on the subject of energy. i look forward to discussing with my counterparts the opportunities for energy cooperation and we talked about that today, ways in which we can address the enormous challenge of climate change which we all agree in our nations must be addressed, but also how p
9:51 am
address -- do so in ways that are environmentally sustainable and responsible. next month and obama and prime minister harper in mexico, and the lessons of the past will be at the forefront of our minds but the focus fundamentally needs to be on the future and that is where it will be. on the growth of our markets, the strength of our partnership, the health and well-being of our people and the security of our continent for years to come. secretary. >> thank you and good morning to all. thank you, secretary kerry and minister baird. this is a good meeting for mexico and the opportunity to talk about issues that are relevant to the region. at the outset i would like to
9:52 am
recognize from mexico the very long hours, very long days that secretary kerry, the risks that he has taken, many of those risks have paid off in mexico, recognizing that is how it works. we had at very good meeting this morning addressing the interests of the press. >> i would like to thank mexican and hispanic correspondents for their attendance. >> common interest of our government. secretary kerry says that position in north america would work, the most competitive and dynamic region in the world, we would be honored to host prime minister harper and president obama in february and in today's meeting focused that we are on track to deliver our commitment,
9:53 am
we discussed many topics how to work on prosperity, our leadership and opportunities, international engagement and the security of citizens of the north american region. in the twenty-first century north america is the most dynamic region in the world. we note president obama and prime minister harper also share. we have many things that support the work to make north america competitive and dynamic. secretary kerry said and minister baird believes we manufacture patents, we have a working partnership that has worked to the benefit of our people but we also have a region that enjoys an important number of factors going forward. very competitive labor costs, we have huge transportation and
9:54 am
logistical challenges, when in five hard-working human capital and recommendations from some years back. great economics of scale, and a framework that has worked well. as we mark the nafta 20th anniversary it is important to see the site of the resources at this press conference going on, more than 2 million products are being traded every year within our three economies and there has been job creation in the region. mexico looks forward to partaking an effort to advance the region, both shared and inclusive. we know we must see an opportunity in the night before us to collaborate on one side on
9:55 am
technology and innovation. the opportunity to work together in addressing regional concerns, in engaging the caribbean and we have the framework and political will in place to implement the decisions we have taken. the north american idea, a very good friend of mexico and north america. the u.s. and canada are working together to further the community and that commitment was reaffirmed this morning. thank you, secretary kerry and mr. baird for your partnership. >> thank you very much, secretary meade. >> it is a great pleasure for me to be here today to celebrate the good partnership and the
9:56 am
good relations between our two countries. we had great discussions today celebrating the significant economic growth and trade between our three countries. we also have seen the growth of our political relations with the trilateral relationship. what we can do to work together, more jobs and more hope and more opportunity to make our economy more competitive, what we can do to boost income, boost job creation in all three countries. nafta has been an unqualified success and one of the great side effects is to strengthen political relationships between all three countries where issue after issue after issue there is strength and partnership where not only are we working together but rhrling together and getting a lot farther along faster than any of us could have hoped years ago. we had an opportunity to discuss
9:57 am
security, work management, infrastructure, and all the things that can help boost job creation and this remains a significant priority for canada, and we look forward to continued cooperation, and we appreciate significantly your shissufrom president peña nieto. the speed of the reform that has taken place his first year in office is remarkable. we had a strong relationship with the calderon administration and very pleased with first year of our relationship with the newer administration. ..
9:58 am
the efforts of we strongly support. thank you very much, john. >> question from michael at "the new york times." >> i have a question for secretary kerry. after you became secretary of state, you made the point repeatedly that was important to change bashar al-assad's calculation in order to achieve a political solution that you needed to. almost a year later it is clear that the regime is stronger than ever. in a letter to the united nations, the department will be
9:59 am
holding the delegation to geneva to suggest the purpose of going to geneva is to fight terrorism and not discuss the political transition. he says in the invitation the syrian government received, quote, are in conflict with the political decision and the state of syria. so my question is how can you expect to make progress towards the political transition with geneva if the al-assad government does not accept the purpose of the conference? have you been in contact with the syrian government over the last 24 hours to obtain an assurance that it obtains the purpose of the meeting and doesn't the minister's letter mean that more pressure needs to be brought to bear on the assad government to make political headway? thank you. >> thank you very much, michael. yesterday i address it directly the revision as of the syrian
10:00 am
regime in an effort to try to divert the purpose, which will not be successful. more than 30 nations are going to assemble, all of whom thus far, and if there are more, will be and must be committed to the geneva one communique. you were in paris with media the day when foreign minister lavrov stated the purpose of this conference is the implementation of the geneva one communique. nobody would have believed that assad would have given up his chemical weapons. but he did. and the reason he did is that his patrons came to understand that he had to. and i believe as we begin to get to geneva and get in this process that will become clear that there is no political solution whatsoever
