
Key Capitol Hill Hearings, CSPAN, January 22, 2014, 10:00am-12:01pm EST

10:00 am
and they had federal funding. so now we're going back at it because the need for tunnels is crucial. so i had three questions on the gateway program. first you agree it is a critical transit rail and passenger project? second do you believe it could be a candidate for the new starts program? and third do you need legislative authority to admit gateway into the new starts program? >> let me take those in order. you correctly point out we have had a painful history to get
10:01 am
necessary tunneling capacity under the hudson and tunnels currently serving extraordinary number of passengers on amtrak side and -- >> very diplomatic, mr. chairman. much painful history. >> those tunnels are over 100 years old. your first, do i agree, that it is an essential investment? we absolutely must do something about those. i believe we're approaching 110-year-old tunnels. they not only constrain capacity but at certain point they will become a real safety risk. and you know, think about the upheaval that will result if we were to lose that capacity all of a sudden. could it be a candidate for the new starts program? yes it could. what we would need is a local project sponsor to come forward to do all the development work and most importantly, come up with the necessary local match. and your final question, i need
10:02 am
special legislation to help make that happen? we'll take a turn on that but i don't think so. i think, i mean obviously the entire program expires at the end of the year but i think the question you may be alluding to is, how do we deal with a new start project for which amtrak is a participant? i don't know that i need new legislation for that. >> would you check and get back to us? >> we can. we've had amtrak do necessary investments as part of east side access. they are responsible for the harold interlocking which is a very large portion of that project. so there may be a way of doing this without special legislation but if it is needed we'll certainly call it to your attention. >> you don't think it will be? >> i don't think so on its face but -- >> could you get back to me in writing in a couple of days? >> sure. >> finally the montague tunnel, we have a real interest in restoring this tunnel. give me a status report how it is going, how the repair it's
10:03 am
going? >> my understanding is things are going along well. this is one of the benefits you get from closing the entire facility. you do not have to worry about safety risks posed to the workers. you have the ability to put all kinds of equipment in the tunnel because you don't have to move trains through it at the same time. i've heard nothing to the effect that they are off schedule or over budget. and indeed, in some of these tunnels we are making, with what we call our local resiliency funding, some investments to move utilities to the roof of the tunnel, so should we have flooding again we won't lose all signaling capacity and cabling. >> full speed ahead? >> yes, sir. >> thank you. >> i want to thank our witnesses for your testimony today. this hearing is adjourned.
10:04 am
>> california governor jerry brown delivers his state of the state address today. we'll bring you his remarks from the state capitol in sacramento, live at noon eastern, here on c-span2. and later, governor nikki haley of south carolina delivers her fourth state of the state address. we'll bring you live coverage from the statehouse in columbia at 7:00 p.m. eastern, also here on c-span2. a panel of cybersecurity experts are split on whether people's information is secure at healthcare.gov. they testified last week before the house science and technology committee. this is two hours.
10:05 am
>> the committee on science, space and technology will come to order. welcome to today's hearing, healthcare.gov: consequences of stolen identity. i will recognize myself for an opening statement and then the ranking member. when the obama administration launched healthcare.gov, americans were led to believe that the website was safe and secure. as the science, space and technology committee learned at our hearing last november, this is simply not the case. we heard troubling testimony from online security experts who highlighted many vulnerabilities of the obama website. these flaws pose significant risk to americans' privacy and the security of their personal information. one witness, mr. david kennedy, who has been reinvited for today's hearing, testified that there are, quote, clear indicators that even basic security was not built into the healthcare.gov website, end quote. in addition, all four experts
10:06 am
testified that the website is not secure and should not have been launched. mr. kennedy will update the committee on the security of the website since november 30th, which was the administration's self-imposed deadline when it would be fixed. since the november hearing other events have emerged that prompted the need for today's hearing. in december a former senior security expert at the centers for medicare & medicaid services stated that she recommended against launching the healthcare.gov website on october 1st because of quote, high-risk security concerns. a letter addressed to the committee from mr. kennedy, and independently signed by seven other security researchers who reviewed his analysis of vulnerabilities presents some very troubling information. to paraphrase one of the experts, mr. kevin mitnick, once the world's most wanted hacker, breaking into healthcare.gov and potentially gaining access to the information stored in these databases would be a hacker's
10:07 am
dream. according to mr. mitnick, a breach may result in massive identity theft never seen before. without objection, mr. kennedy's letter will be made a part of the record. a recent report by credit bureau and consumer data service experian forecasts an increase in data breaches in 2014, particularly in the health care industry. specifically the report states, quote, the health care industry by far will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. add to that, the health care insurance exchanges which are slated to add seven million people into the health care system and it becomes clear that the industry, from local physicians to large hospital networks, provides an expanded attack surface for breaches, end quote. experian provides the identity
10:08 am
verification component of the health insurance marketplace enrollment process. because of increased accessibility to healthcare.gov, concerns continue to grow about the security of personal information. the work of this committee will help congress make decisions about what actions may be necessary to further inform and safeguard the american people. we are here today to discuss whether the americans who have signed up for health care plans have put their personal information at risk. if americans' information is not secure, then the theft of their identities is inevitable and dangerous. that concludes my opening statement and the gentlewoman from texas, miss johnson, is recognized for hers. >> thank you very much, mr. chairman. since we held our november 19th hearing highlighting security issues at healthcare.gov, up to 110 million people have had their debit card
10:09 am
or credit card information compromised by a hack of target store records, but target was not alone in being successfully hacked. the washington post, facebook, gmail, linkedin, twitter, youtube, yahoo!, jpmorgan chase, snapchat, and my friend at dallas-based neiman marcus stores have announced security breaches. however, do you know one system that has not been successfully hacked since the last hearing? healthcare.gov. also since the last hearing, the center for medicare & medicaid services, cms, staff and contractors have been working round-the-clock to improve the performance and security of healthcare.gov. there have been numerous fixes to the website that have improved the site's responsiveness compared to its first 60 days. millions of americans have been able to access the site and
10:10 am
obtain medical coverage. during that entire time, top security contractors including blue canopy, frontier security, and the mitre corporation have been working to test the system and identify weaknesses that need to be addressed. the chief information security officer has also been running weekly penetration tests to support security mitigation steps for cms. further, cms says that none of the majority's witnesses' concerns voiced in their november hearing have turned into any actual breach of security. the last hearing did not feature a single witness who had any actual information about the security architecture of healthcare.gov, nor what is being done to maintain the integrity of the website. today we have the same kind of hearing. as smart and experienced as these witnesses are, not one of
10:11 am
them has actual knowledge of security structure at healthcare.gov. the best that they can do is speculate vulnerabilities. i think it would be good for members to remember that. i'm concerned that the intentions in this hearing appears to be to scare americans away from healthcare.gov site. this appears to present a continuation of a cynical campaign to make the affordable care act fail through lack of participation. while we're holding this hearing, both the house oversight and government reform committee and the energy and commerce committee are holding similar events all with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis. it is my hope that all of our witnesses can agree that it is important to make healthcare.gov work for the american people, to
10:12 am
help give all of our citizens access to affordable health care. i do not want to believe that any of the witnesses testifying today want the site to be hacked or shut down, or even see the program fail, or see americans go without health care insurance. this country faces a lot of real issues and real policy challenges. if we are truly interested in hacking and identity theft, we should have representatives of the largest retail institutions in the country here to discuss the challenges they face in protecting people's information. instead it appears that the majority has allowed the committee to become a tool of political messaging to a degree i never witnessed at any time in my time in congress, and i'm in my 22nd year. thank you. i hope that this committee hearing will be the last on this topic, absent some actual allegations of wrongdoing,
10:13 am
so that we can focus on legitimate oversight issues facing the country and this committee. mr. chairman, before i yield, i would also like to comment on the letter you want to put in the record. i was hoping after reading it, that you would have some testimony or give the people opportunity, other than 24-hour showing of this letter, but you don't have to take my word on this. mr. kennedy's own document reads, this report is for public use. the report is not appended to his testimony and i imagine it is not added because it would violate our 4-hour rule. he did not get us testimony in time but late yesterday afternoon presented this report out of the blue. and i'm guessing your counsel told him to make it a letter because we routinely accept outside letters from groups and experts all the time with minimal if it is. so the report now purports to be
10:14 am
a letter addressed to you and me. however i cannot remember another time a witness before the committee felt they had to write a letter. i think it is an elaborate way to get testimony in front of the committee in violation of the 4-hour rule. as to the substance of the report, it includes what amounts to testimony from experts who are not appearing before us. this is against the practice of the committee to accept testimony from people not personally available to answer our questions. one thing i do know, none of the individuals who signed these statements in the packet have worked on healthcare.gov or the security protocols behind the website. in other words, they know no more about the actual security on the site than does mr. kennedy. in deference to the chairman i would withdraw my objection, but i would this report includes language i consider vulgar and beneath the dignity of the committee. that alone should be reason to keep it out. even if the chairman is
10:15 am
comfortable with the way our rules are being stretched, if you insist, i will withdraw, but i want the record to reflect we've gone beyond the professional behavior of this committee. thank you. >> i will recognize myself to respond to the ranking member's comments. all committees, including this one, have a long-standing practice affording members the courtesy of entering items they believe are relevant to the topic at hand into the record. i'm sure the ranking member knows this. members on both sides have generally approached the development of the record in the spirit of bipartisanship and comity. i'm disappointed that the gentlewoman from texas would now seek to question a letter i've asked to place in the record. we frequently place items in the record that express opinions of various groups and make statements regarding issues at the request of members on both sides of the aisle. often those who have written those letters are not testifying before the committee and have not been asked to do so. yet their opinions are still
10:16 am
made part of the record. one such example is a 40, excuse me, 54-page submission that mr. mafe requested be placed in the record at a hearing last august. this document was not even addressed to the committee but instead to the administrator of the epa, and was entered into the record without comment. it includes a letter from six different indian tribes signed by eight different people, none of whom testified before this committee. it includes a letter from the lawyer who represented the tribes. he also did not testify before the committee, yet we made his letter a part of the record. finally it includes another letter to the administrator of the epa that purports to be from 15 different national organizations, 11 different international organizations, 5 alaskan organizations and numerous other organizations from other states. none of these organizations testified before this committee. i have placed mr. kennedy's letter in the record here today. he is testifying before us
10:17 am
shortly and members will have the opportunity to question him on its contents. >> mr. chairman. >> i'm still in the middle of my statement. i regret the ranking member has questioned the long-standing prerogative of a member to enter a relevant document into the record, especially when members on her side of the aisle have done so many times without objection from the majority. i hope this is not indicative of her desire to make this committee's business more partisan. that concludes my statement. and i will now introduce the witnesses. >> mr. chairman? >> i'm going to introduce the witnesses and that -- >> mr. chairman, i object to the entry of the letter into the record. >> the letter's already been entered into the record and the objection is not timely. >> mr. chairman, i would ask for a vote whether we enter the letter into the record. >> that is no longer a proper motion because it is not timely.
10:18 am
>> well, mr. chairman, i think you have deeply politicized this hearing. >> well, i'm sorry for the ranking member's comments that caused it. i will now recognize our first finance witness. mr. david kennedy is president and ceo of trustedsec llc. mr. kennedy is considered a leader in the security field. he has spoken at many conferences worldwide including black hat, def con, infosec world and information security summit, among others. mr. kennedy worked for the national security agency and the united states marines in cyber warfare and forensics analysis. mr. kennedy received his bachelor's degree from malone university. our second witness, mr. waylon krush, is the founder and ceo of lunar line. he is also a founding member of the warrior to cyber warrior program, a free six-month cybersecurity boot camp for returning veterans. a veteran of the u.s. army, mr. krush is recipient of the middleton award, one of the
10:19 am
highest honors in the field of intelligence. he holds a bachelor's degree in computer information science from the university of maryland. he is also a certified information systems security professional, certification and accreditation professional, certified information systems auditor and has more than 3,000 hours of training with the national cryptologic school. our third witness, mr. michael gregg, is ceo of superior solutions, inc., an i.t. security consulting firm. mr. gregg's organization performs security assessments and penetration testing for fortune 1000 firms. he has published over a dozen books on i.t. security and is a well-known security trainer and speaker. mr. gregg is frequently cited by print publications as a cybersecurity expert and is an expert commentator for network broadcast outlets such as fox, cbs, nbc, abc and cnbc. mr. gregg holds two associate's degrees and a bachelor's degree and master's degree.
10:20 am
our final witness, dr. larry ponemon. think tank to advancing privacy research and security practices. he was named by security magazine as one of the most influential people for security. dr. ponemon consults with national organizations on privacy programs. he has extensive knowledge of regulatory frameworks and data protection and cybersecurity, including financial services, health care, pharmaceutical, telecom and internet. he earned his master's degree from harvard university and phd at union college in new york. he attended the systems sciences program at carnegie mellon university. we look forward to your expert testimony and mr. kennedy, will you lead us off. >> thank you, mr. chairman. good morning to everybody in the
10:21 am
house science and technology committee. honorable mr. smith as well as ranking member of the house science and technology committee miss johnson, great to see you folks again, as well as other ranking members here today. i appreciate the time here to discuss the issues with the healthcare.gov security concerns as well as consequences around stolen identities. what i want to first start off with: to me this is not a political issue. i take no political party stance. i have no party affiliation. for me personally this is a security issue. working in the security industry 14 years, including working for the national security agency as well as spending a number of years in iraq and afghanistan, my testimony here today is to talk about issues with security and that's it. so when i talk about the issues that we see here today it is based on my expertise working in the security industry doing assessments on a regular basis, and being chief security officer for a fortune 1000 company for a number of years and running my own
10:22 am
company. the document had seven independent researchers well-known in the security industry, including a number of folks that worked for the united states government, do training for the united states government as well as work closely with the united states government. today is not the to talk about the political party problems with it but also discuss just security issues alone. that is what i'm here to talk about today. i would like to give thanks to kevin mitnick, kevin johnson for providing their testimony on, their comments on the issues that we see today. and we're pretty unified in our approach. everybody that i shared with, i put them on non-disclosure agreements to work with them, and the consistent feedback that we got is that healthcare.gov is not secure today. nothing has really changed since the november 19th testimony. in fact from our november 19th testimony it is even worse. additional security researchers came into play providing additional research, additional findings, so that we can definitely tell that the website is not getting any better. in fact since the november 19th, 2013,
10:23 am
testimony, there has only been one-half of a vulnerability that we discovered addressed or even close to being mitigated. when i say one-half, basically they did a little bit of work on it and it is still vulnerable today. i want to throw a disclaimer out there: in no way, shape or form did we perform any type of hacking on the website. that is a misnomer. the type of techniques we look at from a health perspective is doing what we call passive reconnaissance, not attacking the site in any way, shape or form. i'd like to put another analogy. say my expertise wasn't being in the security industry and i wasn't doing anything security related and i was a mechanic. 14 years being a mechanic, and a car drove past me, puffing blue smoke out of the muffler and the engine making clanking sounds and a lot of symptomatic, doors are open, windows are open, everything else. as a mechanic i can say with a reasonable level of assurance the engine has issues.
10:24 am
same thing with technology and web applications. there are a lot of pieces that make the car work. there are a lot of pieces that make a website work. from our testimony here today as well as what we've discovered in the previous past, there's a number of security issues still there today with the website. and to put it in perspective i'd like to note for the record that there wasn't 70 to 110 million credit cards taken from target. that is not accurate. the correct statistic: there were 70 to 110 million personal pieces of information taken about individual people that shopped at target. there were 40 million credit cards that were taken. the issue with target isn't specifically around credit cards. credit cards can be reissued. your credit that gets taken from the credit cards can be debited back into your account. you're not liable as a consumer. but what you can't fix is your personal identity. if you look at target, for example, 70 to 110 million personal pieces of information, addresses, email addresses, phone numbers, additional information, that is what you can't replace. we've seen a number of individuals selectively being targeted from
10:25 am
a personal information perspective because of that. that doesn't include social security numbers. i had another independent security person get targeted, claiming to be target. as soon as they clicked the link, it hacked the computer and took full control of it. this doesn't relate specifically to just credit card data. that is not on the healthcare.gov website; first name, last name, email address, home of record, those are a recipe for disaster when it comes to what we see from personal information being stolen in theft. so not just that. as an attacker, if i had access to the healthcare.gov infrastructure, it has direct integration to the irs, dhs as well as third party providers as well for credit checks. if i have access to those government agencies i can complete an entire online profile of an individual, everything that they do, and alter their entire online presence. this isn't just healthcare.gov alone. i'm not trying to single out healthcare.gov alone. i'm focusing on an entire issue of security in the federal
10:26 am
government is in really bad state. we need to work together to fix it and work on more sweeping changes. thank you. >> thank you, mr. kennedy. mr. krush. >> chairman smith, ranking member johnson and members of the committee. thank you for this opportunity to testify on an important topic of cybersecurity. i'm waylon krush, founder and ceo of lunar line. we're one of the fastest growing cybersecurity companies. i'm also founder of the cyber warrior program. as stated earlier. i have been asked to speak on cybersecurity today as it relates to healthcare.gov and just listening to mr. kennedy i actually have some very simple points i want to make right away. first of all, if none of us here built healthcare.gov, if we're not actively doing a, not a passive vulnerability assessment, but an active vulnerability assessment in doing penetrations and running exploitable code on healthcare.gov, we can only speculate whether or not those attacks will work.
10:27 am
so anything that has been said thus far, if we're talking about any type of dot-gov or site, just identifying passively a vulnerability and not actually working on the site, knowing how the protocols work on the back end, what type of defense in depth, how each one of the assets locked down nobody here at this table can tell you they know there is vulnerabilities. another thing i would like to talk about today, in the federal government something a little bit different than we have in the commercial organization we use something called the risk management framework. and this committee actually helped develop that and that is one of the most rigorous processes as it relates to cybersecurity and privacy in the entire world. when i say the entire world, most security standards are just a subset of the risk management framework. it is one of those areas from a security control perspective has been taken to build other
10:28 am
security standards or it is basically copy and cut and pasted to create new security standards. this is a six-step process. it includes categorization, selection, implementation, validation, authorization, and most importantly continuous monitoring of all the controls. you know, just looking at it, you might think, well there are about 360 controls in the special publication 800-53 revision 4. when you look a little bit deeper there are several thousand information security controls that all federal information systems must undergo from a security architecture perspective, including they must be continuously testing. another point i would like to make is that if, if anybody here has actually gone out to these websites and, i'm not talking about passive, but if we have extracted addresses, if you went to the website and done anything outside of the bounds of what's
10:29 am
allowed in the federal government, you're basically breaking the law. you can't just go out and say, i found this vulnerability and then exploit it to try to get media attention or anything like that. if you do that, you're breaking the law. it is pretty simple. and last but not least, you know, healthcare.gov is one of many hundreds or even thousands of federal information systems out there and websites and you know i have worked in the threat area. i can tell you my background is not only a soldier that was on the u.s. army's information operations red teams, blue teams, information systems security monitoring teams, protocol analysis, signals analysis and including work in the critical infrastructure protection for at&t for a few years, all across the world, if you go out and tell someone, and this is just the truth when we're out actively taking down websites, i can sit here all day and speculate about a vulnerability but until i have actually exploited that vulnerability, there is no way to tell whether that attack will
10:30 am
actually work. there's a lot more going on in the background everybody needs to understand. another note, and last but not least about healthcare.gov that everyone needs to understand, is that with all of the media attention that it is currently getting you would think it is the most high target in the federal government. you would think healthcare.gov is something everybody would want to go after. that is truly just not, that is media spin if anything. healthcare.gov is one of many websites that have personal information in it. it is connected to other systems, but saying it is interconnected to all these systems and that leaves them vulnerable shows a lack of knowledge about the back end system capabilities, meaning those connections are very secure and authorized on both sides. you know, i have actually been lucky enough to work within cms and hhs on cybersecurity deployment and configurations. out of everybody here, at least at this table, i probably have
10:31 am
the most hands-on knowledge but i can't come here and speculate what is actually vulnerable in the system and what is not. the truth is, once again on the threat side, as we've seen in the media you can probably tell that, you know, healthcare.gov is not the one getting attacked. most cyber criminals, and especially those with advanced capabilities, they go where the money is, right? they will go after target, they will go after neiman marcus, they will go after these places that contain lots of data related to intellectual property because it just makes fiscal sense, right? if the u.s. government spends billions of dollars on our research and development and we don't protect it and some other country takes that, you just saved them billions of dollars. thank you. >> thank you, mr. krush. mr. gregg. >> thank you, chairman smith. thank you ranking member johnson, members of the committee for having me here today. again my name is michael gregg. i'm really going to break down my speech into three pieces and
10:32 am
my presentation. first, how healthcare.gov could potentially be hacked. why healthcare.gov needs independent review by third parties. also what would be the result of this? what could be the potential impact. my concern is that healthcare.gov is a major target potentially for hackers looking to steal not only personal identities but also information that could be used to steal their identity of the although i understand healthcare.gov does not store that information, it passes that information back and forth between third party government sites and other organizations. there are many different ways that that site could be hacked. there are some prominent ones. these are the same ones listed by prominent websites like owasp. cross site scripting, sql injection. it could be ldap injection, could be buffer overflow. there are many different ways this could be done. while that sounds foreign to many of you, the fact is these
10:33 am
are known attacks used against known sites every day, from target to neiman marcus, to google, to many others. some of the things that concern me are, in the past we've seen, for example, the 834 data. that's data passed to the back end to the insurance companies. we've seen and we've heard reports of this information being corrupted and not being correct when it is received. that indicates at some point the data is not being handled correctly. all input data, all process data, all output data has to be correct. if not, there is some type of problem, meaning that data is not being properly parsed. the same type of situation could lead to an attack, or putting in some type of data and misusing that in some way or launching an attack. also, as i said, healthcare.gov is a very large attack surface. this is a very large program or application. it was built very quickly. a large attack surface makes it very hard to secure. so i find it hard to believe that during the release and also
10:34 am
the update of the site that all the items that our previous speaker spoke of, as far as fisma, fips 199, 200, those things were taken care of and passed all those requirements that they're required to by law and that those were properly completed. microsoft, think of those folks, for example. they have spent almost 30 years trying to secure their operating systems and still we see microsoft products, their operating systems, being brought under attack. to think that healthcare.gov could be built so quickly and be secured, to me is very hard to believe. when we have a large application or website to be reviewed, typically we do it in a couple of different ways. we start at the very beginning before the site is actually developed. we do things as far as audits. we do vulnerability assessments and do pen testing. all three of these things are required to actually look at and examine the site. pen testing is a very important part of this process because pen
10:35 am
testing means we're looking at the site the same way the attacker would. we're saying, what would the attacker see? what could they use? what could they do with this and how do they leverage this potentially for attack? i don't believe those types of assessments have been done to this day and been properly completed. so what's been reported currently, what we see with healthcare.gov, is that they are running weekly assessments, that they are potentially patching the site, but a lot of that activity we're talking about is reactive in nature. that means when we're finding a problem, we're actually fixing it. that doesn't mean we've gone out and found all possible problems or all potential ways an attacker may leverage that and get access to the site. some might argue, if healthcare.gov is actually vulnerable, why hasn't it already been attacked? if you think about it from an attacker's standpoint, we've seen attackers have fortitude and also patience to wait for the right time. look at target. did they attack immediately?
10:36 am
they waited until the right time and right moment to actually do this. this could be the same thing. they will wait until after march. they will wait until the deadline. they will wait until there is a trove of information for them to go after. then they're going to target it. so what could be the impact on consumers? potentially reduced credit ratings. increased difficulty getting loans. could be criminal issues. could be emotional impact. could also be very damaging as far as medical information that could be lost. could be potentially people don't get hired for a job. it could be they get the wrong treatment because someone else obtained treatment under their name for some other type of disease or some other type of problem they didn't have. it could potentially be them being denied an application or job for some reason. in closing i would just like to say this. when our organization builds an application we bring everybody together. we bring end-users, developers, we bring everyone together, security professionals, to make sure the site is secure and security can be built in from the very beginning. i do not believe that has been
10:37 am
done in this case. hacking today is big business. it is no longer the lone hacker, individual in their basement. today it is organized crime, very large groups potentially out of places like russia and eastern europe. we can fix these problems but for these problems to be fixed means we need external assessment of this site by independent third parties. thank you very much for your time. >> thank you, mr. gregg. and dr. ponemon. >> thank you, mr. chairman. and thank you for inviting me. first, let me just start off by saying i am the research wonk on this panel. these people are absolutely brilliant and they understand the technical aspects and security issues, but what i would like to do is talk a little bit about the consequences of identity theft and medical identity theft and that is really my focus and the basis of my comments, research that my institute conducts, and sometimes by the way they call my institute the pokemon institute.
10:38 am
it is the ponemon institute, which is my name. to understand the potential consequences to each individual, to households and to society as a whole, for more than a decade we have studied the cost and consequences of data breach through extensive consumer studies as well as benchmark research on privacy and data protection practices of companies in the private and public sectors. in the area of health care we conducted four annual studies on medical identity theft and patient privacy and security protection within hospitals and clinics. we survey consumers on their perceptions about the organizations they trust or they trust the most to protect their privacy. among the u.s. federal government sector, for example, we're pleased to report some good news. that the u.s. -- usps, the postal service, gets very high marks for trust. another, this might be a little surprising, irs is actually trusted for privacy.
10:39 am
not for anything else. just joking, but definitely for privacy practices, as well as the veterans administration. they were a bad guy, right? remember they lost a lot of data. i'm a veteran. i was on the list of that 26 million. but they turned things around and they're trusted for privacy. so today i've been asked to testify about the possibility of identity theft on the healthcare.gov website and potential consequences to the american public. identity theft and medical identity theft are not victimless crimes and affect those most vulnerable in the society, such as the ill, elderly and poor. beyond doing the numerous research studies that i just mentioned, this is an issue that really struck home for me. last year my mother, she's 88 years old, she lives alone in tucson, arizona, suffered from a stroke. she was rushed to a hospital and admitted immediately. unbeknownst to her, an identity thief was on the premises, made
10:40 am
photocopies of her driver's license and credit cards and debit cards in her purse. also she has all the passwords, everything, in a little post-it note in her purse as well. she doesn't listen to me. that's the problem. the thief was able to wipe out her bank account and there were charges on her credit card and debit card amounting to thousands and thousands of dollars. in addition to dealing with her serious health issues she had to cope with the stress of recovering losses and worry about more threats to her finances and medical records. the situation with my mom in the hospital, and those who are sharing personal information on healthcare.gov, are not dissimilar. let me explain. my mother had a reasonable expectation that personal information she had in her wallet would not be stolen, especially by a hospital employee. and those who visit and enroll in healthcare.gov have an expectation that people who are helping them purchase health insurance will not steal their identity. they also have a reasonable
10:41 am
expectation that all necessary security safeguards are in place to prevent cyberattackers or malicious insiders from seizing their personal data. in my opinion the controversy regarding security of the healthcare.gov website is both a technical issue, as we heard from these gentlemen, but also an emotional issue. in short, security controls alone will not ease the public's concern about the safety and privacy of their personal information. based on our research, regaining the public's trust will be essential to the ultimate acceptance and success of this initiative. so, following are some key facts that we learned from our consumer research over the more than a decade of doing these kinds of studies. first, the public has actually a higher expectation their data will be protected when dealing with government sites than commercial sites. in other words, when i'm going to the veterans administration i have a higher expectation of privacy. whether it is rational or not,
10:42 am
that is basically what we see. second, loss of one's identity can destroy a person's wealth and reputation and in some cases their health. further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for americans to procure goods and services. third, medical identity theft negatively impacts the most vulnerable people in our nation. beyond financial consequences, contamination of health records by imposters can result in wrong diagnoses and in extreme cases being fatal. there are no credit records to track medical identity theft, so it is nearly impossible to know if you've become a victim. what is the solution? let me give you three ideas. first, on the trust issue. let's think about accountability. it is important to demonstrate accountability and the best way to do that in my mind is rigorous adherence to high
10:43 am
standards. we mentioned nist. nist is a great standard, but very high standards, above the bar, and showing the american people that this particular website or any website that collects sensitive personal information is meeting or exceeding that standard. number two is ownership. what i would like to see is the chief information security officer is your chief executive officer. you know, that's good news, when the ceo steps up to the plate and does what needs to be done, and in this case i would love to see our president take ownership for the website and ensure that good security and privacy practices are met as a priority, not just on healthcare.gov but across the board. and third is verification. i'm an auditor. i have to admit this. i'm biased, or used to be an auditor at pricewaterhousecoopers. this need, that we can say we're doing all the good things, but having a third-party expert tell us we're meeting and exceeding the standard is a very good idea
10:44 am
and noble idea. that being said, i think i'm the first person concluding, giving some time back on the clock. thank you. >> well -- >> not exactly. >> i wasn't watching time, i'm sorry. >> thank you, doctor ponemon, appreciate your testimony. i will recognize myself for questions. let me direct to mr. kennedy. the administration maintains there has not been a successful security attack on healthcare.gov. is that an accurate statement? >> thank you, mr. chairman. basically what we know from the monitoring capabilities within the healthcare.gov infrastructure is that as of november 11th they had not stood up a security operations center or had the capabilities even to detect an actual attack. so they also stated they detected 32 attacks overall, however if you have no monitoring detection capabilities, period, how are you detecting all the different attacks that are happening? the statement is accurate because they don't necessarily know the actual attacks that are occurring in there. in addition i'd like to mention
10:45 am
that the chief information security officer from hhs said that healthcare.gov did not follow best practices -- healthcare.gov, as a testament to mr. krush's testimony, the best practices were not followed and did not meet best practice when they were implemented. >> let me talk to that. >> i'm sorry, mr. krush, you can get time from someone else. i would like to ask a question to mr. gregg. do you agree with the assessment by mr. kennedy that they don't have the capability? and furthermore let me say you did have administration firms say in november there were 16, i think, security breaches or incidents and then 32 in december. are those figures plausible and where do they get them? >> well, they're potentially plausible if they either weren't monitoring or didn't pick up the attacks. for most of the sites we look at and companies we work with, we see anywhere from hundreds, potentially, you know, 1,000 or more hits a day. a lot of that stuff is scripted, but for a number to be that low, i would think one, they're not
10:46 am
detecting it, or two, their detection capability is not correct. >> thank you, mr. gregg. dr. ponemon, do breach notification standards for obamacare even meet the minimal standards put in place for the private sector? >> i think the private sector for the most part, that varies quite a bit. there are industry standards, i think, for example, that are much higher than the standards in the government. the nist, for example, the need to comply with certain standards, for example, around cloud computing and fedramp, and there are standards that exist that are fairly reasonable. for the most part though, i think if you're looking for best practices you would probably look at industry versus government. >> okay. mr. kennedy, another question for you. is mr. krush right in what he said in his oral testimony that passive pinging or reconnaissance of healthcare.gov is not sufficient to raise
10:47 am
concerns about the website's security? >> thank you, mr. chairman. i would like to address that. with passive reconnaissance you have the ability to enumerate exposures or vulnerabilities. any researcher or other tester who's been in the industry a number of years, especially on the technical side, would corroborate. security researchers said the same thing, the website itself is vulnerable. this is not speculation. these are vulnerabilities on the website today that could lead to information being exposed and critical flaws attacking individual people by visiting the website. to answer your question, by doing passive reconnaissance you can absolutely identify exposures. there are techniques to do it without attacking the site. i would question whether the other seven security researchers who also testified, looked at the same type of research, came to the same exact conclusion as myself. >> thank you, mr. kennedy. mr. krush, i do have a question for you. apparently you have contracts with a company that does work for cms, is that accurate? >> that is accurate. >> and then how much, what is
10:48 am
the amount of those contracts both past and present? >> i actually don't know that off the top of my head. but -- >> tens of millions of dollars in contracts in the federal government right now. >> right. so you have tens of millions of dollars of business with cms directly or indirectly. >> not cms. >> with a company that does work for cms? >> no. those amounts are very high. i'm talking across the government. i don't know specifically with cms, that is why i can talk from a technical perspective and not speculate -- >> in the testimony that you filed, i think it is 1.5 million you do have? >> that sounds good. >> if you take my word for it, yep. >> in that case, isn't it natural that we might suspect that your testimony is a result of your being paid, directly or indirectly, by cms? and here you're not going to actually testify against them if you have $1.5 million worth of contracts with them, isn't that
10:49 am
a reasonable assumption? >> well, chairman smith, actually as it relates to cms, if you look at the gao docket i have protests with them. you know, on the contracting side, me and cms are not necessarily best of friends. i'm here to talk about the cybersecurity in -- healthcare.gov. >> i know what you would rather be talking about, but it still seems to me 1.5 million or more in contracts does perhaps influence your testimony. that is all i have to say on that. so my time is up and the gentlewoman from texas is recognized for her questions. >> thank you very much. very interesting hearing. mr. krush, you were cut off earlier when you were going to make a comment on mr. kennedy's testimony. would you like to make that now? >> i actually have a few here. so just across the board. earlier mr. gregg talked to the fact that, you know, the healthcare.gov didn't implement what we call fips 199 and 200.
10:50 am
just to clarify what that is for everyone here. federal information processing standard 199 requires you to categorize an information system in accordance with the confidentiality and availability of an information system. we know that was completed because there was a letter from miss tavenner out from the authorization process. fips 200 is baseline controls for all federal information systems. we know that was completed because they had an ato letter that specified some of the vulnerabilities and what the actual process dealing with healthcare.gov was. so i just wanted to talk to that point. and you know, talking about, also, waiting from target's perspective, waiting until, you know, a certain time to act, i don't think any of us here have also worked on the target.com website or back end database. i would tell you that with a lot of advanced attackers, you know, unless you've done forensic sampling and actually picked up the crumbs, you don't know when
10:51 am
they actually attacked. i think that is under investigation right now. healthcare.gov, it seems that mr. kennedy brought up the point there was no security operations center. some of that 1-point-whatever million dollars allocated to my company was actually related to those early on. there are actually two security operations centers within hhs, you might want to know. they have a centralized one which does monitoring of the entire enterprise. on top of that cms has its own security operations center and i can tell you from a technology perspective, some of the technologies they have implemented are, you know, top-notch. it is what you would expect in a top tier security operations center in the u.s. federal government. >> thank you. according to mr. gregg's testimony, this site is a major target, but the attacks won't be accurate or of interest or of value until after march,
10:52 am
what do you anticipate that march will bring? >> nothing. you know, the truth is when it comes to march, if an attacker wants something off of a site they will continuously do whatever they can to gain access. i think one of the things that was also said is that, you know, there are a certain number of incidents and those numbers do sound low, but once again, everybody here, none of us have worked in the security operations center which does exist within cms, and so we don't necessarily know what the escalation requirements are. so for example, most government websites literally are enumerated passively, meaning, and this is still considered an incident through cms, if you do scans on a website, looking for open ports, protocols and services, that is considered an incident. now does every organization report those?
10:53 am
no, because you would have hundreds of thousands of reports a day. however, some of the, i got a call last night from actually a news reporter and he called me up to talk about mr. kennedy's analysis he had done on the website. and i just want to be clear that, you know, if he and his security researchers actually did go to a dot-gov, did passively enumerate and pull data in an unauthorized manner, that is a very significant issue. i was also, i went to the course while i was in the military for the fbi and i can tell you that is a grave, a great concern to us when anybody goes out to a federal government website without permission, and is actually passively enumerating and executing something to pull data off that website. >> thank you very much. dr. ponemon, for my last question. you indicated your mother had this incident happen with her identity. what about that stolen
10:54 am
information affected her health care? >> you know, in the case of my mom, she would fall into the category of an identity theft victim but not a medical identity theft victim. really her medical records were not exposed. and so that would be a different crime. thank goodness she is not a medical identity theft victim because that's bad news. it is really hard. >> thank you. >> thank you. >> my time has expired but i hope someone would ask the value of someone having hacked healthcare.gov. >> okay. thank you, miss johnson. mr. hall has said that because mr. broun has a time commitment that is almost immediate he is going to allow mr. broun to go ahead of him in the questioning. so the gentleman, mr. broun, is recognized. >> thank you, mr. chairman. thank you, mr. hall, for giving me this opportunity. it has come to the oversight
10:55 am
committee, subcommittee of this committee's attention that there is, or at least was, an affordable care act information technology exchanges steering committee chaired by senior white house officials, established back in may 2012, almost a year and a half before the rollout of healthcare.gov. the white house steering committee's charter explicitly directed the formulation of working groups, including one on security. it also turns out that the chairman of this obamacare website steering committee is the u.s. chief technology officer in the white house science office, who also happens to be the immediate past cto of the department of health and human services. upon learning this, i, as chairman of the oversight subcommittee, along with the full committee chairman, mr. smith, and research and technology subcommittee
10:56 am
chairman, dr. bucshon, sent a letter to the white house requesting that mr. todd park, the u.s. cto and healthcare.gov steering committee chairman, make himself available to the committee to answer questions regarding the security issues with healthcare.gov by january 10th, last friday. the white house has ignored that letter, the committee's request, until just yesterday when it provided a last-minute response that rebuffed this committee. let me repeat, rebuffed this committee. that letter did not come from the senate-confirmed president's science advisor, to whom the letter was addressed, but from the politically-appointed ostp legislative affairs director. my question for the panel, simply, is this. don't the american people deserve answers from those who are in charge of overseeing
10:57 am
implementation of the obamacare website's security protocol? after all, mr. park is the assistant to the president, as chief technology officer of the united states, and the chair of healthcare.gov's steering committee. wouldn't mr. park, or shouldn't he, know and be involved in the security details of the website? start with mr. kennedy. >> thank you, sir. when you look at a website and its security there are multiple people who need to be involved to understand the progress of it. i would agree with your assessment there should be some involvement in that case. in addition i would also like to clarify the amount of information getting around the security posture of the website has been vast. you have the chief information security officer from hhs who didn't say it followed best practices. a number of other individuals saying the security operations center hadn't been started yet. healthcare.gov was completely
10:58 am
independent and started completely independent of hhs being part of them. this is a mismanaged issue. i don't understand how we're still discussing whether or not the website is insecure or not. it is. there is no doubt about that. >> it is insecure? >> it is insecure, absolutely, 100%. there is no questioning that. people from hhs have said that it is not a question of whether or not it is insecure. what we need to do is fix it. just to point to mr. krush's point, he said to reuters, which is the article he mentioned earlier, krush said he had not reviewed kennedy's findings or done any work on the healthcare.gov site itself; this is purely speculation. it's a bunch of hogwash. personally it seems to be politically biased, unfortunately. >> thank you, mr. kennedy. i appreciate your long answer but this is actually a yes or no answer. mr. krush, do the american people deserve to know? >> yes. >> okay. mr. gregg? >> yes they do. however i'd like to add, i understand the nist process and
10:59 am
others quite well. i coauthored a book on it. also developed a course for villanova university on accreditation. statement as to a scan. a scan is not passive. a scan is active. yes, they do deserve an answer on this. >> doctor? >> ditto, yes. >> well, i agree. the answer is yes. i'm very disappointed with the administration. we've asked for information. the american people deserve to have that information. and i will do everything that we can to try to get mr. park to give us that information, or the administration. mr. chairman, my time's run out. so i yield back. >> thank you, dr. broun. the gentlewoman from maryland is recognized for her questions. >> thank you, mr. chairman, and thank you to your witnesses today. thank you. mr. kennedy, do you have any federal contracts for security? any? >> as of right now, no. >> have you had? >> yes, i have. >> and what were they? >> working for the federal government?
11:00 am
>> yes. >> federal security contracts. >> yes. >> what were they? >> i would be happy to disclose those -- >> i would appreciate it in writing if you would. >> sure. >> tell us the federal contracts you've had dealing with information security in the areas that you claim to be -- >> i would be happy to write you that. >> and mr. krush, i just want to ask you really briefly if you could tell us the security standards, compare those that are used for the federal government as to the private sector? you have alluded to that a bit. if you could, very quickly. >> sure. so one thing to understand, and just to go back to mr. gregg. i've also written, coauthored a book on, we've taken over 10,000 pages of information from the national institute of standards and technology, the department of defense instructions, intelligence community directives and also, you know, some of the sap programs, and consolidated that, and that book is used in places such as syracuse university to teach people that actually want to understand this very rigorous
11:01 am
federal process. . . a lot of these organizations that had kind of the best tactics out there, they were integrated into that revision. by revision four we've integrated the department of defense standards, the and and tells me standards, also a lot of standards that are kind of outside the realm or threat-based. as you will find, most
11:02 am
musicians don't look for those. >> the depth and rigor compared to a commercial organization to what you'll get in the government, and i have worked on both sides, 50% of my contracts are with fortune 50 and 100 companies. i can tell you the depth and rigor you implement on a federal information system, as it should be, is much more intense than what you see in the commercial markets. >> is healthcare.gov, or the rigor attached to healthcare.gov, any different than any of these federal systems you've indicated? >> no. it's the same. >> i wonder if the standards you describe are above, and i think you said this, are above those that you would find in the commercial sector? >> i would say yes. >> thank you. >> mr. gregg, you mentioned some information, speculation about medical records, through healthcare.gov. are you aware of any medical record that is maintained on healthcare.gov?
11:03 am
>> no. the information is simply passed through. >> exactly. is there any medical record, personal medical record, contained on healthcare.gov? >> no. >> thank you. and then dr. ponemon, just out of curiosity, you talked about your mother's experience, which is essentially horrible, but she can experience identity theft through healthcare.gov, isn't that correct? >> absolutely not. >> right, thank you. i just wonder, mr. krush, if you could help me, if you will, with the experience you had in developing and working on federal information systems, is it your conclusion that you would feel safe in putting your personal information through healthcare.gov? >> i put that in my testimony. i would put my personal information on healthcare.gov. i said this more than once. i continue to stand by that.
11:04 am
>> mr. kennedy, lastly i want to go back to your federal work, that i can find disclosed. i know you got a small business loan from the small business administration, for, quote, businesses that do not qualify for credit in the open market. again, what is the other federal security work that you do? >> i'd be happy to disclose that in written testimony. >> can you give me an example right here on the record? >> i would need to get permission from a customer. >> what i would like you to do, i will write you a letter. your financial disclosures made in this record require that. did you put that in your financial disclosure? >> no. no. listen, my experience -- no, the question you asked me was did i have federal experience -- >> it's my time, mr. kennedy. did you put the financial disclosure information in the record as required by our
11:05 am
committee's rules? because we are not required to put that in there. >> thank you. >> it's not on the up of trustedsec. >> the gentleman from texas is recognized for his questions. >> thank you, mr. chairman. so, mr. gregg, could a security breach of healthcare.gov result in people's medical files being accessed? >> yes. it could. the information could be accessed. the real damage would come afterwards. that information could be used, potentially, to gain financial data. it could be used for identity theft. it could be misused many different ways. that damage, as mr. kennedy alluded to earlier, is not just something as simple as replacing a credit card. this can be long-term, very damaging to an individual. >> there was the recent gao report that documented there was
11:06 am
a 111% increase in federal agency data breaches in the past three years. specifically, the gao report noted that there were 22,156 incidents revealing personal information since 2012, up from 10,000 in 2009. interestingly enough, the centers for medicare and medicaid services, the healthcare.gov operator, had the second most breaches in the report, fy 2012. mr. krush said the hackers are going where the money is, and are not necessarily interested in these government sites, but yet we see a substantial increase in the number of incidents that are happening. mr. kennedy, do you agree with mr. krush that people really are not interested in these government sites? what's your opinion on that? >> thank you, sir. i do not agree with mr. krush
11:07 am
and his testimony. i believe the hackers know where the money is and there is a lot of money to be made on the personal information side. as most other agencies look to do, having direct access into hhs, irs is a treasure trove for additional hackers out there. there's a lot of money for the organized crime, a lot of money for what we call state-sponsored attacks. i would not agree with his assessment. there's plenty of money to be made. there are breaches happening all the time there. >> if i go to a government site and i'm a hacker, what are the treasures out there that i'm going to glean that's going to help me do whatever i think i have been mulling? >> i think it's a fair question. it depends on the motivation of the hacker. there are three criteria. your average black hat that may be politically motivated. you have the organized crime which is looking for monetary value. there's also a huge black market
11:08 am
that surpasses the credit card industry for what we call partners. selling compromised infrastructure -- it is a huge market. i can sell that to an attacker for thousands of dollars to make the big bucks off of it. there's a portion of identity theft, fraud, other areas, and the state-sponsored element, which is other governments, entities, in order to infiltrate intelligence. that's a huge business right now. we see it happening off a number of government entities as well as eastern european countries. >> would you be comfortable putting your personal information on healthcare.gov? >> absolutely not. >> mr. gregg? >> no, sir, i would not. >> dr. ponemon, would you? >> i'm not sure. >> i want to go back to you, dr. ponemon. one of the things you talked about was you wanted to talk about the consequences of stolen identity. one of the things that might be helpful is, these people that
11:09 am
are forced to go to access their health care through healthcare.gov, what would you advise them to do, you know, to access that, as they're filling out that information? are there some preventative things they can do that would minimize some of the potential consequences if the system is breached? >> if the site is secure, that's a good step, right? but as an individual, whether you do it on healthcare.gov or whether it's a website like amazon.com, we need to be smart. we need to understand that our data could be at risk. the bad guys are really smart. for example, we should not be using the same password over and over again. our computer should have the most current version of antivirus or anti-malware technology. these commonsensical approaches do make a difference. that should be across the board. if you have data that is
11:10 am
extremely sensitive and confidential, then basically your guard, your level of concern, should go up. a lot of people don't think about these issues well enough. they don't think that they will become a victim. with 110 million records here, and 90 million records there, everyone, every single person in this room, is a victim of some data loss, and probably at least had one data breach notification in the last five years. it's a big problem. >> thank you, mr. chairman. i yield back. >> thank you, mr. neugebauer. the gentlewoman from oregon is recognized for her questions. >> thank you very much, mr. chairman, and thank your witnesses for being here today. this hearing is about healthcare.gov, but i just want to make a big picture point, that this is certainly about more than a website. it's about an issue of great importance, which is about the
11:11 am
availability of health care to all americans. when i saw the title of this hearing, i was pretty -- with my background, i've worked on identity theft issues. i was a little baffled about why we're doing this in the context of healthcare.gov and in the science committee. that being said, we all acknowledge that there have been some serious technological problems rolling out the affordable care act. but i'm really concerned that some people listening, our constituents, might really be concerned that there are risks involved in enrolling through the website that aren't really there. so i want to clarify a couple of things. first of all i want to make it clear to our constituents that identity theft is already a federal crime. that if someone knowingly commits identity theft, that's a federal crime. if they do it, aggravated identity theft, there are enhanced
11:12 am
penalties. so i want to make clear that if there is identity theft, that is already against the law. the department of justice prosecutes that. there are several -- civil laws. identity theft is an issue we should be concerned about but i'm baffled about why we're talking about it in the terms of healthcare.gov. mr. krush, i want to ask a couple of questions. first i want to acknowledge and thank you for your service to this country. i understand dr. poneman, you're a veteran as well. thank you for your service. mr. krush, you talked about how some people are suggesting that healthcare.gov is a major target for hackers. based on your background, your military and cybersecurity background, could you discuss the range of hackers and different motives and talk about where healthcare.gov is on the scale of high payoff targets. you mentioned this in your testimony. but could we talk about that range just a bit? >> yes. actually it's very interesting in that we are here on the committee of science, space and
11:13 am
technology. i will tell you something, from a high payoff targets perspective, especially when you're dealing with advanced attackers, the more nation sponsored attackers and those even in the criminal organizations, they are after some very specific targets. i'm not going to go into those but i will tell you, from a government perspective, in all reality if you're looking at the dot mil and the dot gov kind of domains, healthcare.gov is not really a huge high payoff target. space systems, technology related to weapons systems, intellectual property, source code, information related to clinton's. information related to quite possibly not only personal information on a person but maybe weaknesses such as relationship issues, where they can be played on or blackmailed. there's websites that include
11:14 am
information on criminals that are actually part of support systems. literally, we keep all of this information online. if you can imagine from an attacker's perspective, you could literally, you know, not to leave the paper, but there's ways you can get into the system and change an outcome of quite possibly cases or what actually you have done in the past. >> thank you. thanks much. i want to follow up a little bit. it's my understanding that we've already established, there aren't medical records on healthcare.gov. mr. gregg confirmed that in response to representative edwards' question. do you agree with that? >> correct. those are at the provider. >> would you agree there is more personal information in a federal tax return than there is in a healthcare.gov insurance application? >> i agree. >> mr. kennedy? >> i do agree.
11:15 am
>> mr. gregg? >> i do agree. >> dr. poneman? >> i agree. >> about 80% of the people in this country file tax returns online. mr. krush, do you file yours online? >> i didn't. >> mr. gregg? >> no. >> dr. poneman? >> i'm old-fashioned, no. >> mr. kennedy? >> i'm old-fashioned as well. >> we understand about 80% of the people in this country file their tax returns online, and we are talking of security with healthcare.gov when there's more personal information on a federal tax return. i want to highlight that we are talking about security with healthcare.gov when the majority of people file their tax returns online. all of you call for third parties to conduct security testing. the mitre corporation, blue canopy and frontier security have all been doing that for months. in your opinion are those companies competent to do the work, yes or no? >> yes.
11:16 am
>> mr. kennedy? >> yes. >> mr. gregg? >> dr. poneman? >> i only have knowledge of mitre and the answer is yes. >> thank you. mr. krush, to be clear, there have been no cases of a person's identity being stolen through healthcare.gov at this point, is that correct? >> correct. >> i want to put that up because the title of this hearing suggests one of the consequences of signing up through healthcare.gov is going to be identity theft. so i wanted to clarify that. so my time has expired. thank you, mr. chairman. >> the gentleman from texas, the chairman emeritus, mr. holcomb is recognized. >> thank you, mr. chairman. thank you for the hearing and the witnesses. i like old-fashioned people. i don't know why. but i ask my fellow texan, mr. gregg, there's been talk about march 31 and i think you mentioned since the deadline for open enrollment is not until march 31, would hackers be kind
11:17 am
of foolish to exploit the website now because they potentially have the opportunity to retrieve a heckuva lot more information after that day? do they think like that? >> no, sir. they do in many ways look at the big payoff. as was mentioned earlier, really cybercrime can be broken into two areas. one is the individuals looking for military, looking for that type of information. but a big portion of it is monetarily driven. we see a lot of that in places like eastern europe, we see it in places like russia. those individuals are looking for personal information. they are looking for things they can make financial payoff from, and to wait until a time was right would be to their advantage. while it is true information is not held on healthcare.gov, information is passed through that site that they could potentially manipulate or take advantage of. >> i've heard of a lot of problems but given the problems of the website to date, would
11:18 am
you say it's highly likely that there will be breaches to the health care website? >> yes, sir, i do believe it's very possible or it is probable that could happen. >> once it has occurred how quickly can experts find out about the breach? >> that all depends. we've seen in previous cases with things like ghostnet, a trojan, we've seen cases like with google and aurora and others. in some instances those organizations didn't know until weeks or months later. >> how quickly should the american people be notified in the event of a breach? >> immediately. >> within hours? days? right now? >> right now. >> that's pretty clear. once a breach has occurred and people have been notified, what actions should people take? >> immediately start to do things like dr. poneman mentioned as far as change passwords, change ids,
11:19 am
especially notify and talk to your credit card companies. look at your credit card statements, also check your credit rating and look at the credit rating organizations. because many times, just like about a week ago, i got an e-mail from amazon that someone had opened up an account under my name. i called my credit card provider and found that someone had charged about $5000 worth of merchandise under my name because someone stole my credit card. you need to take action to put a stop to it if the credit card company doesn't catch it. >> this is not like target. we can check with your bank or credit card company, any suspicious activity or something you think might be happening. i think that's what you're telling us? >> that is correct. >> how do you find out -- how did you find out? your social security number -- is that the way they got it? >> no, sir. they got my credit card number. >> if medical information had been compromised, what would you
11:20 am
do? >> very tough with medical information. what some do is potentially obtain medical services in your name. you may not find out until you actually get the bill, or if they sent that to another address you may not find out until maybe you get turned down for a job because they said you have a preexisting condition you didn't know about. >> what are the steps involved in repairing the breach? >> it's very tough -- >> should a website be shut down while these remedies are being considered? >> i would suggest it should. it's very tough because first you've got to contest the charge. if it's related to medical, as soon as you contest it, under hipaa and other laws, you have no access to the records or information because it's not your information anymore. it can be very difficult. >> my time's almost gone. i believe that all of you would agree that while no website can be 100% safe, every precaution needs to be taken to ensure the security of the site. mr. chairman, the unfortunate questions surrounding the launch of the health care website, and
11:21 am
until these are resolved, the security of americans' personal information is going to remain at risk. is that your understanding? is that why we're having this hearing? >> that is exactly correct. >> i thank you for the work on this issue and i thank each of you and thank you, mr. chairman, for a good hearing. >> would you yield me the balance of your time? >> i yield you some time today, tomorrow, next week, anytime. >> mr. kennedy, i would like to re-emphasize the point you made about why the government doesn't know whether it's been hacked or not. that is healthcare.gov. why the government really can't say or state credibly that there have been no successful security attacks. >> if you look at the healthcare.gov infrastructure, it was built independent of hhs including the security operations center piece. there's testimony in front of congress that also states that as well. the security operations center as of the 17th had not been built or implemented which means they
11:22 am
didn't have the security monitoring capabilities. to reemphasize, they don't know. >> they don't know, that's why they can say there hasn't been any, they are not in a position to know one way or the other? >> that's correct. >> the gentleman from california is recognized for his questioning. >> thank you, mr. chairman. mr. krush, would you like to respond to that? >> i'd love to. actually we've been talking about all of the proposals, breaches that have been going on related to healthcare.gov. if they could monitor those, how and what, do you have a number? the number would be zero if there was no capability to actually look at what kind of attacks are coming through the ether. >> thank you very much. mr. gregg, i want to focus on a couple of areas of your testimony. first you argue that the site, healthcare.gov, really needs a third party working to probe the system for weaknesses. and second you assert that medical records are at risk on
11:23 am
healthcare.gov and you outline the kind of damage that can be done with medical records. you stated previously in a post, a "huffington post" post, that, quote, however, the u.s. has some of the very best minds in the world when it comes to cybersecurity and there's no doubt that healthcare.gov can be fixed if the right people are given the chance to test it. do you still feel that way? >> yes. that's one of the reasons why i'm here today because i believe with independent third party assessment and the right assessment done we can get to the bottom of this. >> thank you. were you aware prior to your testimony today that mitre, blue canopy and frontier security were all working on a third party certification? >> mitre, yes. the others, no. >> you were aware that mitre was working on it. so i don't understand how, in your testimony, you still
11:24 am
assert that third party work needs to be done, but you acknowledge that a third party audit was actually being conducted by mitre? >> yes. one of the articles written for that was written for the time. i don't know if mitre has finished the research or not or what the findings of those are. >> you did raise this question of the third party certification -- >> you alleged that third party work wasn't being done but, in fact, you acknowledge it was being done? >> not at the time of the article. >> in your testimony you led us to believe, you raised it as a concern, but -- >> you quoted a statement directly from the article that i said that needed to be done. at that time nothing had been done. >> but the testimony submitted for this committee doesn't acknowledge it. but yet you're telling me here you had knowledge of it, that it was being done, so your testimony leads us to believe it was not being done. >> as of this hearing i do have knowledge.
11:25 am
>> okay. >> at the time of the article, no. >> very well. you know, dr. poneman, you talked about -- you talked about the medical records and identity theft, and a lot of your work, 95% of the people who commit these sort of deeds are motivated by robin hood motivations. would you explain? >> it's about 90% but it's a large percentage, but i think it's 29 or 30%, but it's still pretty significant. a robin hood crime as we define it in the research is where someone, for example, has a family member or friend who basically has an illness and they are not insured, and basically they will sort of look the other way, if you will, and allow the person to use their insurance credentials so that when they show up at a hospital or a clinic they're getting better treatment than just right off the street. >> common sense would tell me if that's a big motivation, what
11:26 am
motivates someone to go and steal someone's identity, expanding health care coverage, providing quality coverage for more and more people would reduce this, the likelihood of this. >> you have to understand, i'll be biased in that because i think we all deserve good health care. so basically if you could get health care, the value of a credential would be meaningless because we all have that credential. there's no value if you will in stealing someone's credential because everyone is going to have a credential that will give them reasonable health care. >> if we made this health care website very successful, and more and more people got enrolled, we would reduce the risk of the misuse of medical records. >> it could work one way or another. it's really hard to determine that. in theory you're right. you could basically say that 29
11:27 am
or 30%, the robin hood portion of the crime, the medical identity theft might actually be nonexistent. >> so we could possibly remove a huge motive for people to try to hack into this system? >> well, yeah, but remember, the value of the medical record is more than just getting the insurance. that's only a very small part of it. there's a lot of information, rich information. we've done studies in the russian federation and other parts of the world. if you do look at the most valuable piece of information right now on an individual basis, it would be a medical record. just yesterday fox news, business news, did an article on the value of different types of information. and medical information in the black market is much, much more valuable than say credit or debit card information or authentication data. >> thank you very much. thank you. >> the gentleman from indiana is recognized for his questions. >> thank you all for being here. it's a fascinating hearing.
11:28 am
we had a previous hearing which was also very fascinating. we were four for four for no, we wouldn't put it on the website last time, but we are three for four this time. in my view this is about the confidence the american people have in their government. whether or not the government is doing everything they can to protect their privacy. it's not about health care. at all. we could be talking about any other website that the federal government has and we know the gao came out and reported thousands of breaches across the federal government. so to argue that this website is going to be secure and nothing is going to happen, i think is a false argument. it is going to be breached. there is going to be information stolen. i think from my perspective, i was a medical doctor before, i think when you throw in the health care part of it, it becomes very personal to people.
11:29 am
i understand people out there in my district are concerned about the department of defense being hacked. maybe a few people. but when you start talking about the potential for information that they perceive, whether it's real or whether it's perceived, is personal information, i think all of us in hearings like this and across government, in the administration, in both political parties need to recognize that we need to do whatever we can to regain the confidence of the american people that we are protecting their personal information as best we can, even though i do recognize the website itself doesn't have that information, it does have portals and people who are smart can potentially access that. this is one of the biggest problems in electronic medical records that we have. my medical practice established an electronic medical record in 2005. i love electronic medical records but there are two issues, security issues and compatibility issues about
11:30 am
getting medical information across different types of electronic medical records. i think it's unfortunate that all of you are somewhat subjected to the national discussion about health care and i appreciate all of you trying to confine your comments to the security aspect and not the larger national debate about how we provide quality, affordable health care to all our citizens, which i think is the goal we all have, certainly as a medical doctor i have. so it really doesn't matter if healthcare.gov is a low propensity target for some hackers out there. in the minds of the american people when you're making their health care this is the biggest target the federal government has in their minds, whether that's real or perceived it doesn't really make a difference. so mr. krush, i mean, the gao came out with this report as you know, in 2012 saying there were 22,156 data breaches, 4,000 in cms
11:31 am
alone. you have a relationship with cms. you have to recognize that we can't make the case that any website is going to be secure to try to make a political argument to prove that the way we are managing health care is the right way to go. that's not the discussion. the discussion is how do we protect information. you would have to agree with that? >> i agree with that. i would just say i agree with that, with the idea that the process that we use, you know, to secure the data on federal information systems is very rigorous. that's my complete argument. >> i would agree with it. when it comes to confidence i know we discussed third party people out there looking at this, and i'll be honest with you, i'm a member of congress and i have no idea whether there's a third party person out there, there obviously is, looking at this. so our charge is to get that to
11:32 am
the american people. if the american people don't know it, and i can tell you as a political person trying to get a message across to 700,000 people, it's difficult. that's just 700,000 people. we need to do better getting the information out that there are people in government looking at this to preserve people's personal records. that's my view. mr. kennedy, how do we do that? >> i think if you look at the broader picture here and not just healthcare.gov but just in the federal space, end-to-end testing, proactive security measures, things that are outlined as being best security practices need to be performed. i'm not saying nist doesn't have that. to comply with fisma isn't a rigorous process. what i would have to say to that is we have to focus on putting security at the very forefront in the very beginning stages when we hire a contractor or we go after
11:33 am
another organization. through the entire process of that, healthcare.gov is a prime example of the failures of being able to implement security in a rigorous manner or in a process that includes security throughout the entire lifecycle. if you do that you have a better product, something that people can stand by and say we are doing our reasonable amount of assurance and we're protecting your information, not just kind of a sloppy get-together, throwing it out there. >> i would like to say let's all of us work together to regain the confidence of the american people. thank you. >> parliamentary inquiry. >> thank you, doctor. >> i had a parliamentary inquiry. >> the gentlewoman is recognized. >> mr. chairman, isn't it true that the committee and house rules require witnesses to submit factually correct financial forms? >> there are certain limitations of that but within those limitations i think that's the case and i think all of our witnesses have done so today.
11:34 am
>> mr. chairman? >> yes. the gentlewoman continues to be recognized. >> why don't i get -- >> point of order. >> the gentlewoman is recognized. >> i make a point of order that the witness testifying today has not complied with the house committee rules regarding financial disclosure, and under those circumstances i request that the testimony be stricken from the record. i am very -- >> i object to that. and -- >> i expected that. >> the gentlewoman is not the one to make that decision. >> i am not finished. i am recognized, mr. chairman. >> if the gentlewoman has something pertinent to say to her inquiry. >> i am very concerned about the testimony we heard from mr. kennedy a moment ago. he testified on the record he did not disclose government contracts in his testimony form, that he and his company have received. our committee rules require -- >> he also said he was not required [talking over each other]
11:35 am
>> filled out by each witness. on that form, mr. kennedy answered the question saying not applicable. this means he did not comply with the rules of our committee and as such i ask that he be removed -- >> that is not necessary and legitimate -- >> and to accurately and fully disclose the federal grants and contracts that he or the entity he represents have received on or after october 1. >> do you want to respond whether you disclosed that or not? >> the question was have i done work in the federal space either in the past or currently. the answer is on behalf of trustedsec we did not do work in the public sector or government, which is what i disclosed in the statement. i have worked for nasa as well as other federal agencies in my capacity as a chief security officer, as well as my prior role as a security consultant for former entities. so to answer the question the way it was asked, i did not do work for the public sector.
11:36 am
i'm busy in the private sector keeping everybody else protected. >> thank you, mr. kennedy, but i'd like to continue our questions. the gentleman from massachusetts is recognized. >> thank you, mr. chairman, and thank you to the witnesses for being here today. i wanted to start out by saying, teresa fryer -- teresa fryer was mentioned earlier in this hearing. her testimony from before was referenced about some of her remarks on healthcare.gov and she just recently said today that the healthcare.gov website is secure based on a december 18 security assessment. she stated the system exceeds the best practices to ensure security and risk mitigation policies are being implemented and executed as planned. as a result hacks have been successfully prevented.
11:37 am
i just want to make sure we're all up-to-date on the current testimony. now, a couple of points of clarification. mr. kennedy, i think none of you here supports the aca, but i will leave it up for the gallery to decide. i noticed, i think in your initial testimony, you were nodding your head when mr. krush said, unless you are actually able to dive into the inner workings of the website, which you have declared you did not do, anything illegal, you would not have any way of knowing in detail what part was vulnerable to attack unless you have done so. is that accurate? >> we can't tell the inside of healthcare.gov without testing, that is 100% accurate. what we can see are symptoms of a much larger issue. if i can read one of the things i submitted just as an example.
11:38 am
mr. skoudis said, i've worked on dozens of large-scale cases. i've investigated issues discovered in healthcare.gov. i consider this a breach waiting to happen. given the form of those, perhaps a breach has already happened. these are emphasized in that. >> mr. kennedy, i appreciate that, but the point is, and it's been reiterated a number of times here, that we don't know but you don't know. you testified before that hhs doesn't know, you don't know. much of this is a concern. >> the underlying portion of healthcare.gov, absolutely. >> mr. krush, out of your expertise could you give me off the top of your head what you believe to be the biggest data breaches? target and neiman marcus, how many others are you aware of? >> interestingly enough, when it
11:39 am
comes to the breach, i think target is a perfect example of someone that has the capability to identify a breach. the thing that is of most concern to me is that there are lots of industry and government organizations that don't have the capability to do that. >> target, neiman marcus are always in the news now. do you recall the heartland payment systems data breach back in 2008? >> yes. >> at least from some estimates 100 million credit cards exposed. how about tjx companies in 2006, 94 million credit cards exposed? epsilon which exposed e-mails of millions of customers, over 186 retail chains. sony playstation network, over 77 million playstation network accounts exposed. all private sector, yes? >> yes. >> the private sector invests
11:40 am
billions of dollars a year trying to protect? >> yes. >> has to be on the cutting edge in order to defend against? >> yes. >> are you aware of how many times the house of representatives has voted to cut funding or repeal the affordable care act? >> i am not. >> does a number close to 50 seem accurate to you? >> unfortunately i just don't have that. i can talk about risk assessment if you like. >> take my word for it. i yield back the balance of my time. >> the gentleman from oklahoma is recognized for his questions. >> thank you, mr. chairman. i appreciate the time. i would like to start by asking our witnesses a question. are you familiar with troy trenkle? he was the chief information officer for the centers for medicaid and medicare services. his job was to oversee the development of healthcare.gov and his job was, the last thing before launching the website he had a security waiver he was supposed to sign. do you guys remember any of this
11:41 am
by chance? and he didn't sign. he refused to sign it and he resigned. his boss, marilyn tavenner, cms administrator, who is not a chief information officer, who arguably would not be qualified to sign on a security waiver, she signed it. he didn't. he is qualified. she did. she is not qualified. she's an appointee of the president of the united states. interestingly, her boss, secretary of health and human services kathleen sebelius, testified before congress that she had no idea that the security waiver was supposed to be signed, that it didn't get signed, and that her subordinate, another barack obama appointee, signed it. she didn't know. it would seem to me, having a qualified person not signing it and then having to resign, and
11:42 am
the administration was not clear about why that person had to resign, namely troy trenkle. in fact, they didn't answer the question why. it would appear, and this gives me concern, that the people who are making decisions are making them for political reasons not in the best interest of the security of our citizens. and so some of you on this panel are ceos, i think three of you, and one leads a research institution, just a quick yes or no answer. in your institution, if this was going on would you guys have an issue with it? would someone be fired? go down the row. >> coming from being a chief security officer for a fortune 1000 company i would suggest so. that would raise a major concern for me. >> i would just talk to the point that the authorizing
11:43 am
official, if he or she was the one authorizing the system, this is one of the breakdowns in the risk management framework right now. you have -- usually you have the cio or the director that are in charge of maybe a program, an organization, and they're designated as an authorizing official. i would say if we're going to look at one of the weaknesses in the process governmentwide, it is that the chief information security officer should be where the buck stops always. >> right. so to your notion that he should have signed it if it was secure, and his refusal, a big breach of trust with the american people? >> i acknowledge that's undisputed and he was forced to resign. >> our current process allows for the authorizing official to be whoever is designated in charge of the entire information system. so that being said, i think that's the weakness in the process. right now it should be the chief information security officer where it stops. they're supposed to know the system, the security capability and they're supposed to be the
11:44 am
ones that should be responsible but that's not the process we are currently using in the government. >> it was the possibility of those to be used until he refused and then resigned. going down the line. >> i would also suggest, i would add to that, that what we talked about earlier with external third parties looking at this, that's just a piece of it. the other part is those items are implemented and signed off on. >> it's my turn i suppose. yeah, it's a big ethical issue in my opinion. i think the key variable is that security of our country and the citizens of the country should be more than a political issue. >> agreed. >> but i don't think the solution is to have local cisos, people in middle level management. it should be a major, major function of this government to have a ciso for the entire united states and -- >> i'm going to bring back my
11:45 am
time. i only have 30 more seconds but i appreciate your answers, and you can submit for the record. i'd like to just say, i'm not going to put this into the record, because i don't want to create any issues on the other side of the aisle, but this comes from an article from cbs news dated november 26, 2013. the people at home watching can access it on the internet. it's all been disclosed but i'd like to say finally in my last five seconds, this is exactly why the american people lost trust in their government. this is exactly why the american people have lost trust in the government. i yield back. >> the gentleman from illinois is recognized for his questions. >> thank you, mr. chairman. thank you all for being here. this is such an important topic and something i'm hearing from my constituents as i travel around my district, the great concern and wanting answers. i appreciate you being here. i've got a couple of different questions. i will address the first one to mr. krush. according to your written testimony, you go on
11:46 am
to say, based on what you have read publicly, healthcare.gov, and i quote, healthcare.gov is most likely categorized as a moderate system, referring to the national institute of standards and technology security levels of low, moderate and high. is that an appropriate categorization for this kind of personal data that we're talking about being available and accessible through the healthcare.gov website, including people's medical files? >> so usually we reserve high, or you know, grave danger to national security to the confidentiality and integrity, for most of the high systems. usually when something is categorized with that, it's life or death. since healthcare.gov is not that, there are some areas where, depending on the organization, there's something called an organizationally defined parameter. that allows the organization to say if they process or store privacy data, it allows them to
11:47 am
make recommendations to go too high. what i've read thus far about the site, because the interactions with the other websites, handing off to these controlled ac eyes and the way they are dealt with interconnections it still would be monitored if one of those interconnections are high, then what they have to do is actually come to do, have to develop what's called interconnection security agreement. but that requires both sides do is agree on the cybersecurity rule including on how quickly they report in -- >> let me jump in real quick. i would say are my constituents this is a concern to them and i think for us as well. i would agree with my colleagues about how important this is. talk about medical care. sound like life-and-death to me oftentimes is make sure our medical records are protected. i'm going to jump to mr. gregg is there any evidence that healthcare.gov needs nist's security standards and you should certify that healthcare.gov complies with the federal information security management
11:48 am
act? >> i have not seen that evidence into force whether they have been certified so i cannot say. >> let me open this up to any others, i don't know if -- let me open this up to you all, any thoughts you might have. national institute of standards and technology, nist comprise agency with the guys they need to develop and launch networks and websites that are fully and properly secure. should nist's role be increased with any new authority and responsibility specific regard to healthcare.gov? would nist the best qualified to serve the hell agencies needed to get a standards, compliance and in today's case should nist review healthcare.gov? start with mr. kennedy. >> i would agree but if you look at not just technology specific area, cdc, which is -- same oversight needs to be there and expense of nist needs to be
11:49 am
there over our security practices inside the government. this is more of a guidance role right now. i think the expansion is really to bring more security, integration throughout the whole government, the whole federal government to build best practices in. >> any other comments or thoughts? >> they currently write the guidelines, the nist national institute standards and technology special publication and also they write a different guidance on different types of technology. i think just understanding, if you have one organization in charge of the information security for every single government organization, you will never come to the same risk decision. the problem lies in the fact that somebody at hhs is going to know about hhs systems and the security and the requirements better than someone in an office somewhere up at nist.
11:50 am
>> my fear is accountability making sure sometimes, i see it in bureaucracies there's a desire to protect if we have a breach, to let anybody know. mr. gregg, any thoughts? >> no. but i would agree many times this stuff is covered up and it's not released to the media. we see with target there was some information but have yet to see the full picture. >> dr. poneman, real quick, what are at this is consequences that consumers face in the wake of medical identity theft? are there financial consequences in addition to medical consequences? >> we find a fairly large percentage of our sample suffer some kind of financial consequences and sometimes it's staggering, it could be thousands, tens of thousands of dollars. keep in mind that people are at risk are not necessarily wealthy people, people who are low income. we wrote on a proportional level it could be a total yearly income. basically the cost associated to clean up your medical records.
11:51 am
>> that's my fear. those are most vulnerable are right on the edge. if someone happens, they don't have anything to fall back on. people with significant resources do. thank you for being here, mr. chairman. i yield back. >> the gentleman from texas is recognized. >> thank you. isn't crushed or krush? >> it is crushed by denny on the i uses a crush. >> just call you for dinner is the main thing, right? >> is that i think you are lucky enough to work for the hhs or was it the cms? >> i was fortunate enough to work early on on the central office at hhs. i've also provided training actually related to the risk management framework to develop online training for scene is spent i want to draw attention to the word looked. -- the word looked.
11:52 am
>> i would say when i was talking about like i was talking about the individuals that are at central office, probably some of the most talented cybersecurity people i've met. that's just the truth. i worked with them and their contractors and now they are in charge of -- >> you said working for the cms and i wrote down the words best of friends quote unquote. >> that's correct, at the cms. we had a recent protest with them. spin but you have to government contracts so you might not invest the french but you weren't enemies? >> absolutely not. >> it wasn't maybe a marriage but at that dollar but you mt be interested in a long-term relationship? what do you think? >> at those dollar amounts, it was a little bit more probably. >> i see. you're going to play hard to get. so were you hired on experience and good performance? >> absolutely. >> so you think performance is important?
11:53 am
>> absolutely. >> would you say that the performance in rolling out healthcare.gov was storming or problematic? >> it was problematic. >> very problematic. can you understand how some americans would question the ability of the companies that put together healthcare.gov? >> i can. >> sure, makes sense but it's no surprise do that their credibility has been called into question. do you fault us for doing our due diligence trying to protect the american public? >> i do not. >> you think it's a good thing what we are doing here? >> i think every time unfortunately we are as a nation very reactive, just like industry. we went into something big happens before we talk about it. cybersecurity -- >> yes or no, a good thing? i'm running out of time. >> absolutely stunning good, i'm glad you said that. mr. kennedy come also think it's a good thing? >> absolutely i do.
11:54 am
>> mr. gregg? >> i do. >> doctor? >> yes, i do. >> i'm glad to hear we are finally doing something that is advantageous. that's kind of rare for congress. mr. krush, on paper 19, 2013, you tweeted don't just worry about china breaking into systems, and then you went on fox news and talk about it. do you recall that? >> i don't remember that tweet, but i'm very passionate actual i don't tweet that much at all but it did go on fox news related to the abt spent you don't do a lot of tweeting. when you tweeted out don't just worry about china breaking -- what did you mean? >> i think is probably when i was waiting i just reposted a news article and that was probably just the title. >> but you recognize we have a lot of cybersecurity attacks hitting us, our government like a million a year? >> absolutely. i've helped to develop many secured operations in the
11:55 am
government and industry, and there are organizations constantly knocking at our door and trying to knock it down. >> but china would only attack the military websites. they would never go for healthcare.gov, with a? >> interestingly enough, most organizations, state-sponsored organizations, and i put this in my testimony, they are always looking for choke point. dot gov, dot mil, good spent the people in china, their level of proficiency low, medium, high? >> very high. >> we are well advised to warn the american people that they are going to have information on healthcare.gov that may be spread across the globe speak with you are well advised when everybody in the federal government and industry that cybersecurity needs to be one of your top priorities spent i appreciate you understand the. i yield back. >> the gentleman from new york is recognized for his questions. >> thank you, mr. chairman.
11:56 am
i find it's been two months since our last meeting. mr. kennedy, welcome back. as one of the last witnesses i tend to see, there are times people try to defend the indefensible. and the best way to defend the indefensible is to confuse the issue and muck it up and raise other things. i would like to come back here at the end and remind everyone that all four witnesses last time, including the democrats, testament also be the website was not secure on october 1. they testified that absolutely the website was not secure on the from a 19th. we couldn't get agreement as to whether we should shut it down immediately or not, but the testimony indicated that october 1 was a date certain set by the obama administration to launch healthcare.gov. irrespective of whether it was ready, and i think the american people -- public know, it was not ready.
11:57 am
so i think it brings into question if it was a date certain, it wasn't let's launch the website when it's ready. let's launch it when it will do the job and handle the traffic. let's launch it when it is secure. no. it was let's launch on october 1 because we promised it would be october 1. whether it's ready, whether it's secure, doesn't matter. launch it. we did. the american public can see for themselves that that was the overriding consensus. here we are today, and yes, we have a different witness, but i guess i would ask our witness, mr. krush, whether using the website was ready to be launched on october 1 or not? that's kind of a yes or no. >> that is a no. >> do you think it was secure on october 1? >> so if you've read my
11:58 am
testimony and my previous testimony will see that i said the process was followed, and a risk-based decision was made. that's what it's called risk management framework, and not the note nist risk process spent i guess what i come back to hear is, there are those today that try to say this was a politicized hearing and so forth to which i don't think it is. i think we are just back to talking to the american public who are being told to sign up, they must share this delicate information including social security numbers. i think the fact that target or neiman marcus happened to that other issues doesn't defend this. two wrongs don't make a right by any stretch of the imagination. but i'm going to point out and remind folks, this website was launched on october 1 for only one reason, political reason. it was not ready. the administration knew it was not ready. if it's not ready it's not secure. it wasn't secure. we know it wasn't secure.
11:59 am
we are being told that they could trust the administration, mr. krush, to trust some of your judgment. something happened in the last week or two or month. it's now secure. well, i guess i'm not quite ready to accept that just because you say it is so. that doesn't necessarily make it so. so i'm just trying to bring us back to where we were october 1, where we were on november 19, where we are today. and certainly i'm confident three of our witnesses today, mr. kennedy, do you think it is secure to a? >> absolutely not. >> mr. gregg? >> no, i did not. usually when such a role but they are rolled out in a beta first, small group. >> dr. poneman? >> it's hard to tell. these people are the experts. based on what i'm hearing, again as a citizen of this country i'm concerned. i'm not happy with what i'm hearing. >> mr. krush, i'll let you
12:00 pm
answer that as well. >> i think my testimony and everything i've been saying here is, none of us worked on healthcare.gov, so speculating that it is secure or not is not something i'm willing to say. >> so you would say today, you would not state affirmatively to the american public that it is secure? >> based on information that i have read, a risk-based decision was made. there was a mitigation strategy that was very clear. they are doing weekly scans, daily scans, mitigation and remediation. that's pretty secure. >> so you are stating yes, it is secure? >> i am stating based on information i have right now i would say it is secure. >> we can have that difference of opinion, and i guess i'll leave it at that for the american public to make their own decision. i yield back. >> the gentleman from illinois is recognized. >> thank you, mr. chair. mr. krush, some like -- unlike