[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
IS MY DATA ON
HEALTHCARE.GOV SECURE?
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 19, 2013
__________
Serial No. 113-55
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
_____
U.S. GOVERNMENT PRINTING OFFICE
86-893PDF WASHINGTON : 2013
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California
RALPH M. HALL, Texas
F. JAMES SENSENBRENNER, JR., Wisconsin
FRANK D. LUCAS, Oklahoma
RANDY NEUGEBAUER, Texas
MICHAEL T. McCAUL, Texas
PAUL C. BROUN, Georgia
STEVEN M. PALAZZO, Mississippi
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
LARRY BUCSHON, Indiana
STEVE STOCKMAN, Texas
BILL POSEY, Florida
CYNTHIA LUMMIS, Wyoming
DAVID SCHWEIKERT, Arizona
THOMAS MASSIE, Kentucky
KEVIN CRAMER, North Dakota
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS STEWART, Utah
CHRIS COLLINS, New York

EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
DONNA F. EDWARDS, Maryland
FREDERICA S. WILSON, Florida
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
DAN MAFFEI, New York
ALAN GRAYSON, Florida
JOSEPH KENNEDY III, Massachusetts
SCOTT PETERS, California
DEREK KILMER, Washington
AMI BERA, California
ELIZABETH ESTY, Connecticut
MARC VEASEY, Texas
JULIA BROWNLEY, California
MARK TAKANO, California
ROBIN KELLY, Illinois
CONTENTS
November 19, 2013
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 6
Written Statement............................................ 7
Statement by Representative Eddie Bernice Johnson, Ranking
Minority Member, Committee on Science, Space, and Technology,
U.S. House of Representatives.................................. 8
Written Statement............................................ 9
Witnesses:
Mr. Morgan Wright, Chief Executive Officer, Crowd Sourced
Investigations, LLC
Oral Statement............................................... 11
Written Statement............................................ 14
Dr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in
Cyber Security, Southern Methodist University
Oral Statement............................................... 25
Written Statement............................................ 27
Dr. Avi Rubin, Director, Health and Medical Security Laboratory
Technical Director, Information Security Institute, Johns
Hopkins University (JHU)
Oral Statement............................................... 35
Written Statement............................................ 37
Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC
Oral Statement............................................... 41
Written Statement............................................ 44
Discussion....................................................... 65
Appendix I: Answers to Post-Hearing Questions
Mr. Morgan Wright, Chief Executive Officer, Crowd Sourced
Investigations, LLC............................................ 104
Dr. Fred Chang, Bobby B. Lyle Centennial Distinguished Chair in
Cyber Security, Southern Methodist University.................. 112
Dr. Avi Rubin, Director, Health and Medical Security Laboratory
Technical Director, Information Security Institute, Johns
Hopkins University (JHU)....................................... 120
Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC...... 124
Appendix II: Additional Material for the Record
Letter from the Identity Theft Resource Center submitted for the
record by Representative Lamar S. Smith, Chairman, Committee on
Science, Space, and Technology................................. 132
Centers for Medicare & Medicaid Services memorandum submitted for
the record by Representative Larry Bucshon, Committee on
Science, Space, and Technology................................. 135
IS MY DATA ON HEALTHCARE.GOV SECURE?
----------
TUESDAY, NOVEMBER 19, 2013
House of Representatives,
Committee on Science, Space, and Technology,
Washington, D.C.
The Committee met, pursuant to call, at 10:04 a.m., in Room
2318 of the Rayburn House Office Building, Hon. Lamar Smith
[Chairman of the Committee] presiding.
Chairman Smith. The Committee on Science, Space, and
Technology will come to order. Good morning to everyone. Our
hearing today is on the subject of the security of data on the
HealthCare.gov website. I am going to recognize myself for an
opening statement and then the Ranking Member.
Many Americans are beginning to experience the ill effects
of Obamacare. That is because the President's broken promises
are piling up. He promised that if you like your health care
plan you can keep it. But for millions of Americans, that is
not true. He said that the law would make health insurance more
affordable. But across the country, Americans are seeing their
premiums go up, not down. And when launching HealthCare.gov,
the Obama Administration said that the website was safe, secure
and open for business. We now know that isn't true either.
The data obtained by HealthCare.gov is one of the largest
collections of personal information ever assembled. It links
information between seven different Federal agencies and state
agencies and government contractors. The website requires users
to provide personal information like birth dates, Social
Security numbers and household incomes in order to obtain
information about potential health coverage. But security
experts have expressed concern about flaws in the site that put
this personal data at risk and subject users to the threat of
identity theft.
The Science Committee oversees the agencies responsible for
setting privacy and security policies and standards for the
rest of the federal government, the White House Office of
Science and Technology Policy and the National Institute for
Standards and Technology. The Obama Administration has a
responsibility to ensure that the personal and financial data
collected by the government is secure. Unfortunately, in their
haste to launch the HealthCare.gov website, it appears the
Administration cut corners that leaves the site open to hackers
and other online criminals. So the question for today's hearing
is: Can Americans trust the federal government with their
personal information on the HealthCare.gov website?
Today, we are going to hear from witnesses from outside the
government who are experts in cybersecurity and hacking
websites. Our witnesses will provide their professional
assessment of the vulnerabilities that underlie HealthCare.gov.
Several vulnerabilities have already been identified, and we
know of at least 16 attempts to hack into the system. And I
heard this morning that there were another 50. But we can
assume that many more security breaches have not been reported.
Here are some real-life examples. Mr. Thomas Dougall of
South Carolina received a surprise phone call from a stranger
one Friday evening explaining that he had just downloaded a
letter off the HealthCare.gov website containing Dougall's
personal information. And when Lisa Martinson of Missouri
called HealthCare.gov's customer service after forgetting her
password, she was told three different people were given access
to her account, address and Social Security number.
Also, it turns out that Federal employees called navigators
who help users apply for insurance on the HealthCare.gov
website have not received background checks yet they are able
to access the personal information of thousands of people.
Many Americans have been the victims of identity theft by
computer hackers. Identity theft jeopardizes credit ratings and
personal finances. The massive amount of personal information
collected by the HealthCare.gov website creates a tempting
target for scam artists. These threats to Americans' well-being
and financial security should make us question the future of
Obamacare. Perhaps it is time to take Obamacare off of life
support.
Americans deserve a healthcare system that works and that
they can trust. Obamacare is no cure.
[The prepared statement of Mr. Smith follows:]
Prepared Statement of Chairman Lamar S. Smith
Many Americans are beginning to experience the ill effects of
Obamacare. That's because the President's broken promises are piling
up. He promised that if you like your health care plan you can keep it.
But for millions of Americans, that's not true.
He said that the law would make health insurance more affordable.
But across the country, Americans are seeing their premiums go up, not
down. And when launching HealthCare.gov, the Obama administration said
that the website was safe, secure and open for business. We now know
that isn't true either.
The data obtained by HealthCare.gov is one of the largest
collections of personal information ever assembled. It links
information between seven different federal agencies and state agencies
and government contractors.
The website requires users to provide personal information like
birth dates, social security numbers and household incomes in order to
obtain information about potential health coverage. But security
experts have expressed concern about flaws in the site that put this
personal data at risk and subject users to the threat of identity
theft.
The Science Committee oversees the agencies responsible for setting
privacy and security policies and standards for the rest of the federal
government--the White House Office of Science and Technology Policy and
the National Institute for Standards and Technology.
The Obama administration has a responsibility to ensure that the
personal and financial data collected by the government is secure.
Unfortunately, in their haste to launch the HealthCare.gov website, it
appears the administration cut corners that leaves the site open to
hackers and other online criminals.
So the question for today's hearing is: Can Americans trust the
federal government with their personal information on the
HealthCare.gov website?
Today, we're going to hear from witnesses from outside the
government who are experts in cybersecurity and hacking websites. Our
witnesses will provide their professional assessment of the
vulnerabilities that underlie HealthCare.gov.
Several vulnerabilities have already been identified, and we know
of at least 16 attempts to hack into the system. And I heard this
morning that there were another 50. But we can assume that many more
security breaches have not been reported.
Here are some real-life examples. Mr. Thomas Dougall of South
Carolina received a surprise phone call from a stranger one Friday
evening explaining that he had just downloaded a letter off the
HealthCare.gov website containing Dougall's personal information.
And when Lisa Martinson of Missouri called HealthCare.gov's
customer service after forgetting her password, she was told three
different people were given access to her account, address and social
security number.
Also, it turns out that federal employees--called navigators--who
help users apply for insurance on the HealthCare.gov website have not
received background checks. Yet they are able to access the personal
information of thousands of people.
Many Americans have been the victims of identity theft by computer
hackers. Identity theft jeopardizes credit ratings and personal
finances. The massive amount of personal information collected by the
HealthCare.gov website creates a tempting target for scam artists.
These threats to Americans' well-being and financial security
should make us question the future of Obamacare. Perhaps it is time to
take Obamacare off of life-support.
Americans deserve a healthcare system that works and that they can
trust. Obamacare is no cure.
Chairman Smith. I now recognize the Ranking Member, the
gentlewoman from Texas, Ms. Johnson, for her opening statement.
Ms. Johnson. Good morning, and thank you very much, Mr.
Chairman. Let me welcome our witnesses. I look forward to your
testimony today.
In light of the startup problems that have been reported
with the HealthCare.gov website, problems that need to get
fixed as quickly as possible, some Americans may be concerned
about the security of their personal information on the
website. I can understand such concerns, because anytime any of
us go to the internet, we are vulnerable to those who would
attack public and private databases to get access to our
information. That said, we have not heard much about security
failures at HealthCare.gov. There is one recorded instance
where an individual was mistakenly given access to the records
of another person. There were initially security issues with
the password reset function. The site has also been attacked by
hackers in a denial-of-service attack. However, my
understanding is that these issues were quickly fixed and the
cyber attack was successfully prevented.
The reality is that HealthCare.gov is subject to the same
attacks as every other website and every other internet-
accessible database. Every Member of this Committee knows that
computer vulnerabilities are exploited every day at companies
and government offices across the world, leading to the
compromise of a wide range of personally sensitive information.
I would like to draw your attention to a graphic that tries
to illustrate major security failures of computer systems
resulting in personal information being compromised. It is on
the screens. As you can see, some of the biggest and most
experienced internet firms have suffered attacks, and often the
personal information that is accessed goes well beyond
identifying information to include credit card and sensitive
financial information. Governmental institutions have also seen
materials stolen.
Last year, Symantec's annual 2012 Cybercrime Report found
that 556 million individuals in 24 countries, including the
United States, were victims of one sort of consumer cyber crime
or another. This equates to 1.5 million victims every day.
One might conclude that the only way to avoid being
vulnerable to such attacks is to not be connected to the
internet at all. However, in the 21st century, that is not a
reasonable option for most government agencies, businesses or
individuals. So, I think we have to be realistic about the
ability of any internet-connected database to be completely
invulnerable to being compromised. I also think we have to be
honest about what information actually will be available to a
cyber attacker through HealthCare.gov. In my work as a
psychiatric nurse, I saw how patients' medical records were
routinely accessed by large numbers of people every day.
Several years ago my own electronic medical records were
breached, and I received a letter from the UT Southwestern
Medical School Hospital in Dallas telling me that.
So how vulnerable are medical records on HealthCare.gov?
Some including two of the witnesses invited to testify today
have made public claims that the website will have all kinds of
sensitive personal medical records in its database. That is
simply not true. HealthCare.gov will not have patient or health
care case information about anyone. HealthCare.gov will have
the name, date of birth, Social Security number and address of
participants, but that information is also potentially
available through every insurance company, bank, credit card
company and government agency that anyone deals with, and I
have already pointed out the data breaches that have occurred
and are occurring in these sectors of our economy.
So while there can be legitimate concerns about the privacy
in the health care field, HealthCare.gov should not be the cause
of any exceptional fears in that regard. By saying that, I am
not excusing the startup failures to implement the Affordable
Care Act website in an effective way nor am I saying security
failures are acceptable; they are not. I expect HHS will take
every measure available to them to make the site secure and to
maintain a high level of security going forward. However, I
want everyone to keep the issues of security in perspective,
and I hope that none of us will use this hearing to engage in
fear-mongering in an effort to destroy participation in the
Affordable Care Act. That would be irresponsible and, frankly,
cruel. The Americans who most need the Affordable Care Act to
work are those that are among the most vulnerable members of
our society. Their personal medical data is not at risk on
HealthCare.gov. In fact, it can be argued that this Committee's
efforts to force sensitive information out of the EPA and
Harvard and the American Cancer Society are a bigger threat to
patients' privacy than HealthCare.gov.
In closing, I hope that today's hearing will not become a
soapbox for growing fear and confusion. Let us stay focused on
the facts.
With that, I again want to thank our witnesses and yield
back the balance of my time. Thank you.
[The prepared statement of Ms. Johnson follows:]
Prepared Statement of Ranking Member Eddie Bernice Johnson
Good morning, and welcome to our witnesses. I look forward to your
testimony.
In light of the startup problems that have been reported with the
HealthCare.gov website--problems that need to get fixed as quickly as
possible--some Americans may be concerned about the security of their
personal information on the website. I can understand such concerns,
because anytime any of us go on the internet, we are vulnerable to
those who would attack public and private databases to get access to
our information.
That said, we have not heard much about security failures at
HealthCare.gov. There is one recorded instance where an individual was
mistakenly given access to the records of another person. There were
initially security issues with the password reset function. The site
has also been attacked by hackers in a "denial of service" attack.
However, my understanding is that these issues were quickly fixed and
the cyber-attack was successfully prevented.
The reality is that HealthCare.gov is subject to the same attacks
as every other website and every other internet-accessible data base.
Every Member of this Committee knows that computer vulnerabilities are
exploited every day at companies and government offices across the
world, leading to the compromise of a wide range of personally
sensitive information.
I would like to draw your attention to a graphic that tries to
illustrate major security failures of computer systems resulting in
personal information being compromised.
As you can see, some of the biggest and most experienced internet
firms have suffered attacks--and often the personal information that is
accessed goes well beyond identifying information to include credit
card and sensitive financial information. Governmental institutions
have also seen materials stolen.
Last year, Symantec's annual 2012 Cybercrime Report, found that 556
million individuals in 24 countries, including the United States, were
victims of one sort of consumer cybercrime or another. This equates to
1.5 million victims every day.
One might conclude that the only way to avoid being vulnerable to
such attacks is to not be connected to the internet at all. However, in
the 21st century that is not a reasonable option for most government
agencies, businesses or individuals. So, I think we have to be
realistic about the ability of any internet-connected database to be
completely invulnerable to being compromised.
I also think we have to be honest about what information actually
will be available to a cyber-attacker through HealthCare.gov. In my
work as a psychiatric nurse I saw how patients' medical records were
routinely accessed by large numbers of people every day. Several years
ago my own electronic medical records were breached and I received a
letter informing me about this from the hospital in Dallas.
So how vulnerable are our medical records on HealthCare.gov? Some,
including two of the witnesses invited to testify today, have made
public claims that the website will have all kinds of sensitive
personal medical records in its database. That is simply not true.
HealthCare.gov will not have patient or healthcare case information
about anyone. HealthCare.gov will have the name, date of birth, social
security number and address of participants, but that information is
also potentially available through every insurance company, bank,
credit card company and government agency that anyone deals with, and
I've already pointed out the data breaches that have occurred and are
occurring in those sectors of our economy.
So while there can be legitimate concerns about privacy in the
health care field, HealthCare.gov should not be the cause of any
exceptional fears in that regard. By saying that, I am not excusing the
startup failures to implement the ACA website in an effective way, nor
am I saying security failures are acceptable. They are not. I expect
HHS will take every measure available to them to make the site secure
and to maintain a high level of security going forward. However, I want
everyone to keep the issues of security in perspective, and I hope that
none of us will use this hearing to engage in fear-mongering in an
effort to destroy participation in the ACA. That would be irresponsible
and, frankly, cruel. The Americans who most need the ACA to work are
those that are among the most vulnerable members of our society.
Their personal medical data is not at risk on HealthCare.gov. In
fact, it can be argued that this Committee's efforts to force sensitive
information out of EPA, Harvard, and the American Cancer Society are a
bigger threat to patient privacy than is HealthCare.gov.
In closing, I hope that today's hearing will not become a soap box
for sowing fear and confusion. Let's stay focused on the facts.
With that, I again want to welcome our witnesses, and I yield back
the balance of my time.
Chairman Smith. Thank you.
Our first witness, Mr. Morgan Wright, is the Chief
Executive Officer of Crowd Sourced Investigations, LLC. Mr.
Wright is a former Kansas State Trooper, officer and detective
with almost 18 years of service. He has also worked for the
Department of Justice, the intelligence community, the
Department of Homeland Security, and State Department. Mr.
Wright has taught behavioral analysis interviewing at the
National Security Agency. He holds degrees in human resource
management and computer information systems from Friends
University and is a 2011 graduate of the Executive Leadership
and Management program at the University of Notre Dame.
Our second witness, Dr. Fred Chang, is the Bobby B. Lyle
Endowed Centennial Distinguished Chair in Cybersecurity and
Professor in the Department of Computer Science and Engineering
at Southern Methodist University in Dallas, Texas. Dr. Chang
brings us today over 30 years of public and private sector
cybersecurity knowledge, serving as the Director of Research at
the National Security Agency and then in an executive role at
the SBC Communications. Dr. Chang is also a member of the Texas
Cybersecurity Education and Economic Development Council, and
he has taught at both the University of Texas in San Antonio
and the University of Texas in Austin. Dr. Chang received his
Bachelor's degree from the University of California-San Diego
and his Master's and Ph.D. degrees from the University of
Oregon.
Our third witness, Dr. Avi Rubin, is a Professor of
Computer Science at Johns Hopkins University and is the
Technical Director of their Information Security Institute. He
is also President and Co-founder of Independent Security
Evaluators, a computer security consulting company. Prior to
joining the faculty at Johns Hopkins, Dr. Rubin worked in the
Secure Systems Research Department at AT&T Labs Research. Dr.
Rubin received his bachelor's, Master's and Ph.D. degrees from
the University of Michigan.
Our final witness, Mr. David Kennedy, is the President and
CEO of TrustedSEC, LLC. Previously Mr. Kennedy was a Chief
Security Officer for a Fortune 1000 company located in over 77
countries with over 18,000 employees. Mr. Kennedy is considered
a leader in the security field. He has spoken at many
conferences worldwide including Blackhat, Defcon, INFOSEC
World, and the Information Security Summit, among others. Mr.
Kennedy is the creator of several widely popular open source
tools and has coauthored a book on internet security that was
number one on Amazon.gov for over six months. Prior to moving
to the private sector, Mr. Kennedy worked for the National
Security Agency and the United States Marines in cyber warfare
and forensics analysis. Mr. Kennedy received his Bachelor's
degree from Malone University.
We welcome you all, and Mr. Wright, if you will begin?
TESTIMONY OF MR. MORGAN WRIGHT,
CHIEF EXECUTIVE OFFICER,
CROWD SOURCED INVESTIGATIONS, LLC
Mr. Wright. Thank you, Chairman Smith, Ranking Member
Johnson and Members of the Committee, I am pleased to be here
today. Thank you for allowing me to testify. Again, I am Morgan
Wright.
During my testimony, I just want to cover four major areas
that we want to provide a high-level overview to: end-to-end
security testing, user account creation and registration, cyber
squatting and domain name confusion, and the insider threat.
Just to set the stage, because we were talking about the
size and scope of HealthCare.gov, it has been reported to have
over 500 million lines of code. At the same time, Facebook, who
has addressed similar privacy threats and issues, has less than
20 million lines of code running, 772 million daily active
users, and 1.2 billion monthly users. So, when we start looking
at this, we start looking at the complexities and
interdependencies of the current government sites and the
potential for disruption, compromise of security of
identifiable information, frauds and scams, and I think one of
the larger issues is the insider threat. This vast amount of
code also means that it becomes very challenging from an
industry standpoint and best practices standpoint to give a
certification and assurance that the site is secure, especially
as it relates to FISMA.
So, in the end-to-end security testing, I think one of the
first major issues is the lack and the inability to conduct a
complete end-to-end security assessment. Even when the
contractors were here and testifying, they said it would take
two months to complete this. It is essential when you are
dealing with information that you have a top-down view, and in
a system this complex, and having worked on major intelligence
systems and the number of places we have to go out and touch
data, you have to have that top-down view of security. It has
to be something that is embedded in everything you do. There
are five major types of data: voice, video, data, mobility, and
then you apply security around that. That has to be put into it
at the beginning.
A recent news article, in fact, on October 30th in the
Washington Post stated that--and Ranking Member Johnson, I
believe, brought this out--the security flaw with user name and
password. The issue that it was not identified and rectified
until three weeks after the site was launched is an indication
of the lack of comprehensive security controls and awareness of
one of the basic functions HealthCare.gov is designed to
create, which is that experience, that user account, and the
way you secure that is with your password.
There is a document here I would like to have put into the
record a little bit later, but it came from Troy Trenkle, who
was the CIO at that time of CMS. In the authorization to
operate, one of the things he highlighted is that the Federal
Facilitated Marketplace has an open high finding in terms of a
security issue, but in the finding description, it says the
threat and risk potential is limitless. These were the words
from the authorization to operate, and the fix date, it is due
May 31, 2014, is when this is required to be fixed. And then on
the next page, on page 3, there is another finding, and it says
it is a high finding but there is no finding description, it
has all been redacted out, with a fix date of February 26,
2015. So just from an industry perspective, being on both the
public side and the private sector side, there has to be some
accountability from a security standpoint, if you go out and
you say that the threat and risk potential is limitless. There
is a lot of accountability in the private sector from
shareholder lawsuits, civil litigation if information like that
is found out. And from an industry perspective, it is
contravention of what would be considered best practices from a
security standpoint.
So the user account creation and registration, this was the
second major issue because this is how people access the
marketplace. I think one of the issues that caused some of the
security concerns was the decision to move the submission of
personally identifiable information before you could access the
health care information, which meant that a user had to give,
as was stated, name, date of birth, Social Security number,
address and some other information in order to be able to see
the plans. That creates an issue to where now--and I know David
will talk about this a little bit later--is that when you start
telling people the norm is to give your personally identifiable
information, things that identify you before you are allowed to
see the marketplace, it would be the equivalent of saying you
can't go in and see a car on the car lot and kick the tires
until you fill out a credit app and you are approved. This is
not the way consumers do business but it creates the potential
for fraud because now you have established a norm for
fraudulent sites and deceptive sites to say it is a norm that
you give us your personally identifiable information first
before we give you access to the rest of the information.
The third issue is about cyber squatting and domain name
confusion, and why would this be an issue? As a former law
enforcement officer, I can tell you it was tough enough as we
started getting into technology to defend one site or do an
investigation into one site. One of the articles that came out
from the Washington Examiner quoted another cybersecurity
expert who said that HealthCare.gov had 221 sites that were
attempting to exploit it, and on the state exchanges, there
were 499 sites. So from a purely law enforcement standpoint,
you have given a lot of ground for people to use and establish
the norm that you have to give your personally identifiable
information first before you can access it.
And then the very last thing is the insider threat. If you
were to assume that HealthCare.gov had reasonable security, it
ran reasonably well and it was within acceptable limits, the
fact that people who access this information and access the
information from the consumers do not undergo at least a
background check from a position of public trust, which is
already established by OMB standard form 85-P--it is a limited
background check to identify people with felonies or certain
convictions that would prohibit you from having positions
within the government. At least a similar background check like
that would expose deficiencies and then you apply rigorous
auditing and accounting to that to make sure that you learn
from those lessons and prevent future issues. So when dealing
with the insider threat, you have to remember, trust is not a
control and hope is not a strategy. If anything, Edward Snowden
has taught us that no matter how much trust you give somebody,
things can still happen.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Wright follows:]
Chairman Smith. Thank you, Mr. Wright. You got a lot into
five minutes there.
Dr. Chang.
TESTIMONY OF DR. FRED CHANG,
BOBBY B. LYLE CENTENNIAL
DISTINGUISHED CHAIR IN CYBER SECURITY,
SOUTHERN METHODIST UNIVERSITY
Dr. Chang. Chairman Smith, Ranking Member Johnson and
Members of the Committee, thank you for the opportunity to
testify before you today. As Chairman Smith mentioned, my name
is Frederick R. Chang. I am the Bobby B. Lyle Centennial
Distinguished Chair in Cybersecurity, Professor in the Computer
Science and Engineering Department, and Senior Fellow in the
Tower Center for Political Studies at SMU in Dallas, Texas.
On the backdrop of the 25th anniversary of the internet
worm of 1988, which caused a major disruption on the internet
in its day, let me start by saying that when considering the
volume and sensitive data associated with HealthCare.gov, it
would be unwise to underestimate the motivation, patience and
creativity of today's cyber adversaries. They will find seams
in the system. They will change the rules. They will attack you
in ways that you won't expect, and I will return to this theme
at the end of my oral comments.
In my written testimony, I pointed out three types of risk
that I see, and I will describe these briefly now. In the near
term, I think there is a large risk from bogus websites because
there is not one single website for people to use, there will
be confusion, and adversaries will take advantage of this
confusion. I believe there will be people who will launch a
search from a search engine and they will see many choices. I
would invite you to try that, by the way. It is pretty
instructive. Additionally, people will make typos when entering
a web address, and this will lead them to the wrong site or
they will receive spam emails taking advantage of the launch of
the new Affordable Care Act. I read one report indicating that
over 700 fake websites had been set up within the first few weeks
of the October 1st launch. If you combine that volume with the
fact that people may be more likely than normal to enter
sensitive information over the web because it has to do with
health insurance coverage, you get especially concerned about
the potential for loss of sensitive information. It is
difficult to know how much traffic these bogus websites will
siphon off from authentic websites, but I saw one estimate that
was disturbingly high.
The second risk concerns the inherent risk in delivering
applications over the web. There are a plethora of security
risks facing any organization, public or private, as they
contemplate delivery of an application over the web. The web
was originally designed for the delivery of static read-only
pages. Today, of course, we perform a wide array of interactive
services over the web from buying books, videos and pet food to
checking in for our airline flights and so much more. The
convenience and business benefits are clear. It is really hard
to imagine not using the web this way. Unfortunately, the
convenience and benefits come at a price, and that price is
security. The security risks constantly change and the top
risks have been well chronicled in the field. I did not do any
form of security analysis myself personally on HealthCare.gov
but I did read some posts where people had done some
unobtrusive passive analysis, and concerns were raised, and I
think David is going to have some more to say about that
shortly.
The final risk that I mention in my written testimony was
the risk from complexity. Many in the security field have noted
that complexity is the enemy of security. As we ask for more
and more functionality and capability from our software
applications, the technologists and software developers are
only happy to oblige. The result is more complexity including
more defects and seams, and the attackers will try to exploit
these. I am not an expert in health insurance exchanges but as
I looked at the many sensitive back-end databases that are
being accessed as a result of HealthCare.gov and thought about
the many interactions, increased traffic load, the increased
accesses, I believe that one can rightfully be concerned about
the possibility of increased malevolent activity.
My wife asked me this weekend why haven't the hackers
already launched the big one on HealthCare.gov. She thought
that now might be the perfect time as the website was in
startup mode. There was a hearing by the Homeland Security
Committee chaired by Congressman McCaul in which it was
reported that about 16 cyber attacks had been detected against
HealthCare.gov. I don't have any detail on those attacks, but
regarding my wife's question about the big one, I answered it
the same way I mentioned in my opening remarks. It would be
unwise to underestimate our adversaries in cyberspace. They are
smart, they are creative. They will look for seams to exploit.
They will change the rules, and importantly, they will be
patient.
Thank you for your attention, and I look forward to your
questions.
[The prepared statement of Dr. Chang follows:]
Chairman Smith. Thank you, Dr. Chang.
Dr. Rubin.
TESTIMONY OF DR. AVI RUBIN,
DIRECTOR, HEALTH AND MEDICAL SECURITY
LABORATORY TECHNICAL DIRECTOR,
INFORMATION SECURITY INSTITUTE,
JOHNS HOPKINS UNIVERSITY (JHU)
Dr. Rubin. Chairman Smith, Ranking Member Johnson and
Members of the Committee, good morning, and thank you for the
opportunity to speak to you today. My name is Avi Rubin, and I
am a Computer Science Professor at Johns Hopkins University. I
am the Technical Director of the Johns Hopkins Information
Security Institute, and I direct the Health and Medical
Security Lab at Johns Hopkins.
I was asked to comment to you today on general security
issues for large web installations and specifically about
security issues that could affect a site such as
HealthCare.gov. As we all know from reading the press,
HealthCare.gov got off to a rocky start, and as a software
engineer, it is not surprising to me that this happened. When
we think about large systems and rolling out a large software
system, the way this is typically done by companies such as
Google and Amazon and other companies that roll out large
software services, they roll it out in a small way to some
controlled number of users. They identify bugs and problems
with the system. They fix those. They get the system stable,
and then they scale it up to a larger number of users. Once
again they discover that now there are all kinds of new
problems based on the bigger scale. Why would that be? Because
of increased communication requirements, storage and what we
might call race conditions that happen when you have a lot more
users than you had before. And so then someone rolling out a
large software package will roll it out to more users, get it
stable and keep rolling it out. It is not very common to roll
out a huge system with a ton of users on one day, and so it
wasn't surprising to me that there were a lot of problems when
this was initially rolled out.
Another thing is that when a project gets--a software
project gets behind schedule, it is not very easy to recover
from that. You might think well, just add more developers to
it, but in software engineering, it is well understood that
when you add additional programmers to a late software project,
you often make it later. In HealthCare.gov, there are many
interoperating components and links to many different systems
including the IRS, the Social Security Administration,
Department of Homeland Security, Experian, state exchanges and
many more, and we know, as was stated earlier, that the more
complex a system, the more vulnerabilities there will be, the
more interfaces there are the greater likelihood of problems.
We also know, and it has been stated, that there are great
risks to high-profile websites. We hear breaches reported in
the major media all the time, and the attackers are growing in
their creativity, sophistication, talent and resources. In
fact, just last week there was a report of a denial-of-service
attack against HealthCare.gov.
Maintaining a secure website is not easy, especially if it
manages sensitive information, if it requires ongoing
maintenance, keeping up with vendor patches, requiring highly
skilled administrators, reporting mechanisms for reporting
incidents, contingency plans, and the list goes on. I provided
a list, a longer list in my written testimony. And all of that
said, the industry--the computer industry has many success
stores. There are large, complex websites that have no major
breaches that I know of. Examples of these are the airline
reservation system, which manages a very complex array of
interdependencies, and even other sites like Orbitz and
Travelocity, which have to tap into those airline reservation
systems. Large social sites--Facebook and LinkedIn--they got
attacked all of the time and yet there hasn't been, to my
knowledge, a major compromise of these top sites that in a
wholesale manner exposed all the private information of the
users. We have Amazon.com, a shopping site. And while no system
is perfect, there are best practices in the industry that work
well for the most part. In my written testimony, I provided a
list of best practices and recommendations for the
HealthCare.gov website. I don't have time in my oral testimony
to go into them but to summarize what they are about, I suggest
a review of the security annually by outside experts, focusing on
the interfaces among the components and across systems,
reviewing authentication mechanisms, checking for known
standard vulnerabilities such as SQL injection attacks,
sanitization of user inputs, cross-site scripting, and we have
a long list of technical things to look for.
Data at rest should be encrypted, and the keys should be
managed carefully just like all of those sites that I mentioned
do. There should be mandatory incident reporting and
contingency plans in place for every possible conceivable
scenario. The list of recommendations that I have submitted is
partial, but I believe that with the proper administration and
the proper expertise, a website such as HealthCare.gov can be
deployed in a practical manner.
Thank you for the opportunity to speak with you today, and
I look forward to addressing your questions in the Q&A.
[The prepared statement of Dr. Rubin follows:]
Chairman Smith. Thank you, Dr. Rubin.
Mr. Kennedy.
TESTIMONY OF MR. DAVID KENNEDY,
CHIEF EXECUTIVE OFFICER,
TRUSTEDSEC, LLC
Mr. Kennedy. Thank you, Mr. Chairman and Members of the
Committee. I appreciate your time today.
Just to give you a brief background of my history, because
I think it will parlay into the security issues that we
identified with HealthCare.gov. We work with customers, large
and small, everything from Fortune 10 to Fortune 500 or Fortune
1000 companies all the time, and we do security assessments
where we basically break into computer sites all the time as
hackers. So I am a hacker on the good side, a white-hat hacker,
in those terms. So we break into websites all the time to
identify risks and exposure. We do it for government sites, we
do it for private sector sites all the time. And if you look at
the security industry, it has evolved significantly over the
past ten years. We didn't have dedicated security conferences,
folks that are dedicated to protecting infrastructure and
security. Technology has advanced so far and so fast that we
are really trying to still grasp our hands around how to
actually do it the right way, but there are things in place to
do it the right way and to make it right, and so there are
companies that have successfully deployed websites without any
major security exposures. There are websites out there that
aren't necessarily unhackable but they are very difficult to
break into, and we are hackers who break into them all the time
and it becomes very difficult for us. And the purpose of
security isn't to say hey, we are 100 percent unpenetrable all
the time but can we detect the hackers in the very early stages
of their lifecycle of the attack, monitor that and prevent the
attacks from happening, and none of those are clearly being
done on the HealthCare.gov websites and all of its sub-websites
themselves.
What we did--and again, this is purely from a
reconnaissance perspective. We did not hack into the site in
any way, shape or form. We are not authorized to hack into the
website in any way, shape or form. But just by looking at the
website, we can see that there is just fundamental security
principles that are not being followed, things that are basic
in nature that any security tester like myself or anybody
that we hire to test these sites would actually test for prior
to it being released, and these are things that could actually
compromise sensitive information for people that have
registered for the website and actually compromise the entire
site itself and everything around it.
One thing to also mention is that not only is there Social
Security numbers and information in there that was mentioned
but also there is tight integration into state exchanges, the
IRS, DHS and third parties like Experian. So the infrastructure
itself has trust factors to multiple different areas that it
pulls and feeds information from, so not only is HealthCare.gov
at risk but you also have the infrastructure that it was built
off of that is at risk as well, which happens to be a lot of
those different areas.
And so if you read the written testimony that I placed into
there, I think we identified around 17 different direct
exposures. A lot of those have been addressed. We reported
them, and they have been addressed. Some of them have not been,
and they have not been included in the report. We are very keen
on what is called responsible disclosure and not putting
anything at harm when we do these type of things, but there are
critical flaws, there are critical exposures right now that are
currently on the website that hackers could use to extract
sensitive information. I am actually going to demonstrate one
that has already been addressed and fixed and one that I cannot
demonstrate because it would release sensitive information for
U.S. citizens.
So I would like to flip to the actual screen here, and you
can actually see the actual attack itself, and this attack and
this actual demonstration I am going to show was actually shown
from an independent researcher named Gillis Jones, who
identified this exposure on finder.HealthCare.gov. I want to
show you different things. There is multiple sites that support
the infrastructure. You have chat.HealthCare.gov,
data.HealthCare.gov, finder.HealthCare.gov. These are all
components that make up everything that is HealthCare.gov. It
pulls from different areas, different functionality, different
features. They all make up what we consider HealthCare.gov. In
this case here, if you notice on the right-hand side, and it is
a little hard to see, but what we do here is, if we can send an
email to anybody that is registered for the website and we can
actually extract a lot of that information. As soon as they
click this link, and you will see here, as soon as they click
this link, it will automatically redirect them back to a
malicious website where they actually hack the computer, and
this website itself is legitimate. It is finder.HealthCare.gov.
It is the website that folks go to. It looks legitimate. It is
registered by the government. It is a federal government site.
And as soon as somebody goes to this website and clicks on it,
you notice here, we are going to go to that website and we are
going to log in to it, and as soon as you log in to it, a
banner pops up that looks just like HealthCare.gov. We get a
little warning here that says HealthCare.gov enrollment. Now,
for folks that have actually been on the website, you know that
this isn't legitimate. This doesn't necessarily happen when it
pops up like this. The individuals going to the website
wouldn't know this. And as soon as they click ``run,'' it
actually hacks their entire computer. It escapes antivirus
preventative technologies. It doesn't get detected by anything.
And from there we can actually enable their web cam, monitor
their web cam, listen to their microphone, steal passwords.
Anything that they do on their computer, we now have full
access to. And here I am on the hacker computer, and you can
actually see--I can see the person's display here. You can see
everything that is on it. You can actually monitor everything
that person is doing, all the communications, and you can do
this on a large scale because the information is readily
available and the direct exposures that are actually on the
website.
And one other thing I want to show you, and this is a
sanitized version of this, which is, there was an exposure that
we identified at TrustedSEC, and I am not going to say which
website is involved in it, but basically allows us to extract
personal information of over 100,000 individuals including
first name, last name, email addresses, their user account
information as well as a lot of other additional information
that we can fully extract from the website itself. I just want
to show you an example, and this information has been sanitized
as to not actually show individual people that have been
exposed to this, but you notice here, you can see it up here.
What we are going to do is we are going to track one record for
someone that has actually registered for the site. Notice here,
the first record that we pull back is actually an administrator
for the website itself, so notice here, permission or
administrator. Now I am going to extract the next 10 records in
there. Now we have three admins, and then sanitized information
of individuals that have registered for the website. So we can
see here that we can extract over 100,000 individuals'
information from the website itself.
And one last thing--I know I am running low on time here--
is the talk that this attack has only happened 16 times and
that the website has only been attacked 16 times is not
possible. The attacks that happen on the internet are so
frequently used and so frequently done that that means that
there is not much detection capabilities on HealthCare.gov. And
just as an example, this was recently posted yesterday. If I
throw a semicolon into the search field, you can actually see
the top results for the websites for semicolons, and those are
all what we call SQL injection attacks, which means that
hackers are continuously trying to find vulnerabilities in
this, and the training program results on the website are
actual attacks happening on the website itself. So the attacks
that are happening are much larger scale right now. They are
trying to infiltrate the website. They are trying to break into
it, and there is definitely data on the website itself that is
indicative of that.
I appreciate your time. Thank you very much.
[The prepared statement of Mr. Kennedy follows:]
Chairman Smith. Thank you, Mr. Kennedy. I will recognize
myself for five minutes to ask questions, and Mr. Wright, let
me direct my first couple of questions to you.
Mr. Wright. Yes, sir.
Chairman Smith. The first is this. Does any other
government website collect so much personal information as does
HealthCare.gov?
Mr. Wright. When you look at all the interdependencies like
David laid out, when we looked around and obviously we are
limited to what is in the open source, but there doesn't appear
to be anything else that collects information and then uses
that information then to check associated records in multiple
other databases. So this becomes a central point of attack that
if you can compromise one area, you can get into others.
Chairman Smith. Okay. Next question is this. Is the fact
that other websites can be hacked any justification for the
lack of security with HealthCare.gov?
Mr. Wright. What we would hope is that by learning from the
known vulnerabilities out there and the other attacks that
happen is that you would have guarded against this in the
initial design to say we know this is going to happen, we know
this is going to happen. The password issues and the issues
David just showed are things that are so common, they should
have been prevented against before the site was even launched.
Chairman Smith. Okay. And on HealthCare.gov, do you think
as a practical measure it can be fixed, or should we start over
again?
Mr. Wright. You know one of my examples, my neighbor helped
build the Russian Embassy. I told him shame on you, the one
that had all the bugs in it. It was easier and much safer to
tear down the Embassy and start over again than it was to spend
untold number of years and man-hours to remediate the problem,
and that is just one issue. I mean, that is--you know, I am not
a political person, we are not here to talk politics, but if
you are asking from a technology standpoint, it would be easier
to start over again, lay a foundation of security and start
from the beginning because security has to be the foundation of
this site, period.
Chairman Smith. Thank you, Mr. Wright.
Mr. Kennedy, let me go to your last point, and I know you
cannot confess to having hacked HealthCare.gov yourself, that
would be illegal, so let me just ask you if you are confident
that HealthCare.gov has been hacked and can be hacked?
Mr. Kennedy. Mr. Chairman, I am very confident on the
security ramifications that we can see, basic attacks that you
could do at the website, that it is very susceptible to attack
and that hackers could break into it. And just as an example, I
got an email, a random email from somebody that I have never
met before that had about 14 to 30 different exposures on the
HealthCare.gov website that they were posting to me personally
on my email saying that they had contacted individuals and that
they hadn't had any responses back for these security
exposures, and some of them are very critical in nature. So
these are definitely happening. Hackers are definitely after
it. If I had to guess based on what I can see, and again, this
is purely from a reconnaissance perspective, I don't have any
understanding of the back-end infrastructure, but I would say
that the website is either hacked already or will be soon.
Chairman Smith. Okay. Thank you, Mr. Kennedy.
Let me address my last question to Mr. Kennedy, Dr. Chang
and Mr. Wright, and it is this: what dangers do Americans face
if there is a security breach with HealthCare.gov? In other
words, if HealthCare.gov is hacked, what are the real-life
threats, dangers to the American people who have provided that
personal information? Mr. Kennedy?
Mr. Kennedy. Well, if you look at the type of information
that is stored, it is not only, you know, Social Security
numbers and data, it is everything that integrates into the
state exchanges, the IRS, DHS, multiple other areas. There are
some large exposures for personal information being done,
fraudulent-type activities being performed, but I think, you
know, if you look at what this actually is, it is one of the
largest collections of U.S.-based data, Social Security numbers
and everything else, that we have ever seen in history. So for
attackers, I would go after that personally if I was a bad guy
to try to get that information for fraudulent activity, or if
you have ever heard the term state-sponsored or other
government agencies going after information based on U.S.-based
citizens, and while there is no medical records specifically in
the website itself, the integration into all the other sites
that they have access to, you know, we use that as a trusted
connection in term of hacking so getting access to that trusted
infrastructure, that the sites trust themselves, allows us to
access into that type of information.
Chairman Smith. Okay. Thank you, Mr. Kennedy.
Dr. Chang?
Dr. Chang. It is the general risk from identity theft. I
don't know if you have talked to people who have had identity
theft, it ends up being a major pain in the rear end to kind of
get yourself out of that. So, extreme inconvenience and
difficulty.
I would also mention that from the perspective of the U.S.
government, once identity theft happens, a bunch of other bad
things can happen. So if you look--I mention in my testimony
about the loss from fraudulent tax returns so as people end up
stealing identities, they start--they end up, you know, kind of
doing fraudulent tax returns. In 2012, I think the number was
something like in excess of $3 billion loss in fraudulent tax
returns, so it is just sort of an implication of identity
theft.
Chairman Smith. Okay. Thank you, Dr. Chang.
And Mr. Wright.
Mr. Wright. This becomes the largest collection of
personally identifiable information, and as a taxpayer and a
consumer, I don't want my government becoming the unwitting
accomplice in the largest disclosure of personally identifiable
information. David's point is right, and Ranking Member
Johnson, you expressed concerns about some of the medical
records. It is not so much the medical records, it is the fact
that once I can obtain your identity and I can now--medical
insurance fraud is actually a very large growing area. I can
actually go in and receive services. My issue as a consumer is
that if my medical records get conflated with somebody else's
and that I am now given a diagnosis or information that says I
have something I don't have or I don't have something I do
have, that is one of my biggest concerns, and I think the
threat--it is the threat of the unknown.
Chairman Smith. Thank you, Mr. Wright, and thank you all,
and the gentlewoman from Texas is recognized for her questions.
Ms. Johnson. Thank you very much, Mr. Chairman, and thank
all of you for being here.
Mr. Kennedy, you mentioned that you were able to get
100,000 user names from a website but you did not mention which
site that was. Was this the HealthCare.gov?
Mr. Kennedy. It is part of the same infrastructure. Without
disclosing----
Ms. Johnson. Excuse me. Was it a part of the
HealthCare.gov?
Mr. Kennedy. Yes.
Ms. Johnson. So you were able to get that information from
HealthCare.gov?
Mr. Kennedy. It is from the infrastructure from
HealthCare.gov. It is from--if you look at what makes up
HealthCare.gov, if you go to www.HealthCare.gov, that is one
site and server. But what makes up HealthCare.gov is
chat.HealthCare.gov, finder.HealthCare.gov,
data.HealthCare.gov. There are multiple things that feed
information into the main website. So you have all of these
different working parts that feed into what makes up
HealthCare.gov and that entire infrastructure, and that is what
we found the exposure on.
Ms. Johnson. HealthCare.gov?
Mr. Kennedy. On the infrastructure, on one of the sub-sites
for HealthCare.gov.
Ms. Johnson. But not the site of HealthCare.gov?
Mr. Kennedy. That is correct.
Ms. Johnson. Thank you.
Dr. Rubin, before--I mentioned earlier before I came to
Congress I was a nurse, and in fact, I graduated from St.
Mary's at the University of Notre Dame over 50 years ago, and
my master's from SMU over 30 years ago. I went there because
there was no school of first class in Texas that I could attend
in nursing at that time. So that tells you how old I am, which
I am very proud of.
But Dr. Rubin, what is your impression of the security in
the health care industry? I have worked in the health care
industry, and I have not found anybody seeking health care
information to make a profit. Most of the time it is some
scheme for people seeking information that they want to do
that. In the Affordable Care Act, the preexisting conditions is
no longer a factor, and so while I am not trying to make a
judgment on the information, I am trying to understand why is
there such an outcry at this point when medical records have
been so available in any institution that I have worked in.
Anyone who has any kind of hospital identification, whether it
is a janitor or the nutritionist, a physician, a nurse can
access a patient's chart that has everything on there that is
going to happen or is happening to that patient while they are
in the hospital, and that is something I know from personal
experience. So I am trying to understand, is the health care
industry lagging in these security measures or why--what is it
about this non-security in the past is going to impact where we
are now?
Dr. Rubin. So to answer your question about where the
health care industry stands with respect to security, I have
done consulting in many different vertical industries--
financial, all commercial--and in the last few years I have
been working in the health care industry doing tours of
hospitals and doctors' offices to assess their security, and I
have found it is actually perhaps the most far behind in terms
of the security at hospitals, even things in the emergency room
that surprised me and the operating room. And so to your
question, I think that the health care IT industry needs to
learn a lot from some of the other industries in order to bring
its security up to par.
Ms. Johnson. Thank you. Thank you, Mr. Chairman.
Chairman Smith. Thank you, Ms. Johnson.
I would like to ask unanimous consent to put into the
record a letter from the Identify Theft Resource Center, and
they make the point, medical identity theft is one of the worst
forms of identity theft for many reasons. For one, it is
extremely attractive for identity thieves and hackers because
the sale of medical identities is so lucrative. Second, medical
identity theft is extremely difficult to mitigate, and lastly,
medical identity theft is extremely dangerous. Without
objection.
[The information appears in Appendix II]
Chairman Smith. And then the gentleman from California, Mr.
Rohrabacher, is recognized for his----
Ms. Johnson. Mr. Chairman, before you go to the gentleman----
Chairman Smith. Before the gentleman from California is
recognized, the gentleman from Texas, Ms. Johnson.
Ms. Johnson. Woman. I just wanted some clarification. Do
they talk about the profitability sources in that letter?
Chairman Smith. If you are asking about the letter that we
just put in the record, I will give you a copy right there.
Ms. Johnson. Okay, because I am trying to figure out the
value to anyone to access medical records, and I think this--
did you say it spoke to it?
Chairman Smith. Yes. The gentleman from California.
Mr. Rohrabacher. Thank you very much, Mr. Chairman.
This has been a little bit overwhelming. Are you gentlemen
saying that basically the American people are being put at risk
by this incredible effort that our government is making in
order to set up a health care system that will serve the
people, that instead we are ending up putting them at risk?
Mr. Wright. Let me take the first pass at that, sir. Back
in February 7th of 2000, I was leading the computer emergency
response team for SCIC, and we had financial services client,
government clients. That date is significant because that was
the first distributed denial-of-service attack ever launched
nationwide. It took down Amazon, Yahoo, CNN. And one of the
things we saw is, things don't happen on the first day. You
have to build up the critical mass. The issue with
HealthCare.gov is, you will not see the attacks in the first
day as a detective. Nobody ever robbed a bank while it was
being built. They wait until it was built, it had the money in
there. What I am saying here is that yes, I mean, you are
looking at the first 30, 45 days. That is not the issue. I am
more concerned six months out as this information comes----
Mr. Rohrabacher. We are predicting that the American
people, unless there is a dramatic change in the way things are
being put together, that families throughout this country will
face huge problems, their bank accounts will be hacked into or
maybe there will be false information put into their health
care so if they go to the hospital, they won't get the right
kind of medicine. Is this what we are talking about?
Mr. Kennedy. I can kind of speak to that. From a security
perspective, there are things that we can see that are patterns
of inconsistencies around security, and if you could see those
patterns and you look at those patterns, you can see that there
is not a lot of security built into this site, at least from
what we can see from a 10,000-foot view, again, without
actually attacking the site itself. And there are things that
we can do to prevent those, and if you look at how a website is
supposed to be developed, it is supposed to be developed from
the ground up with security integrated and being an integral
part of that portion so you can protect sensitive data, U.S.
citizen-based data, and it does not appear to be done, from
what we can see and what we are finding as far as independent
researchers and the information that is readily available out
there.
Mr. Rohrabacher. So when we are talking about hackers and
you say you are a hacker, and we are talking about the American
people being vulnerable, are we making the American people
vulnerable to people, hackers from Russia or China or overseas?
Mr. Kennedy. Absolutely. There is, you know, really
different types of criteria of hackers. You have your hacker
that you picture, you know, probably me 20 years ago in my
basement, right, you know, hacking away or whatever. Then you
have the criteria of more of organized crime, which is more on
the monetary fraud perspective of just purely financial-type
gain. And then you have obviously the state-sponsored element,
which is more of like the folks that you see from governments
of other areas, and they are looking for things like high-
impact vulnerabilities so they can actually exploit a system,
get access to the data behind it and use that information
against us.
Mr. Rohrabacher. But we are facilitating some of the worst
scum in the world, not even in our own country, which we have
enough problems of criminals in our own country, but the worst
type of elements throughout the world to actually now get at
our citizens?
Mr. Kennedy. Objectively, we should have had a lot of
defensive capabilities put into this site well ahead of it
being released. There is technologies, there is detection
capabilities, there is coding that we can do to make the site
secure.
Mr. Rohrabacher. And it should have happened before we----
Mr. Wright. It should have happened well before it was ever
released, and that is what you see in commercial areas.
Mr. Rohrabacher. Let me--I only have one minute left.
Someone said, one of you testified, it would be better right
now, considering there is so much vulnerability that we now are
putting our people in that it would be better to start all over
again and just restructure the system from zero rather than
trying to correct the problems that are in the system now
because it was done wrong. Do you all agree with that? Is that
something that we have come to agreement here? Is there someone
who disagrees with that?
Dr. Rubin. Well, I can personally say that I haven't looked
at the system carefully enough to make that judgment. I do
think that we know as a computer industry how to build websites
like this that can be more secure and meet the best practices,
and I think that what would be necessary would be a security
review of the system to establish whether there is a deep
infrastructural problem with it or whether it is just----
Mr. Rohrabacher. Okay. So you are not sure about that. The
other witnesses would suggest that it would be better for us to
start over with security in mind rather than trying to correct
the problems in the current system. Is that correct?
Mr. Kennedy. If you build a house, a foundation off of
something that is flawed from the beginning, the foundation
doesn't work, you know, the foundation sinks, it is crumbling,
you can put a metal door on, you can bolt different things to
make the house better but the foundation is still bad.
Mr. Rohrabacher. So if we don't, Mr. Chairman, we are
putting average American citizens, we are making them
vulnerable to the worst godawful people in the whole world who
are malevolent human beings who now don't have that access to
our people. This is mind-boggling. Thank you very much, Mr.
Chairman, for holding this hearing.
Chairman Smith. Thank you, Mr. Rohrabacher.
The gentlewoman from Oregon, Ms. Bonamici.
Ms. Bonamici. Thank you very much, Mr. Chairman and Ranking
Member, for holding this hearing, and thank you so much to our
witnesses for participating in the hearing.
Certainly since HealthCare.gov came on line, many of us
have spoken with constituents who have had trouble navigating
the site and some have expressed concerns of course about
privacy on the site and further, I don't think there is a
single Member who isn't somewhat frustrated about the problems
that have plagued the rollout of the website and also the
websites in some of our states. But frankly, the Affordable
Care Act isn't about a website. I know I am not the only one
who has spoken with just as many constituents whose biggest
concern isn't the functioning of the website, it is the fact
that they haven't been able to get health insurance or access
health insurance or access health care, and in fact, right now
they can go to get health insurance by calling or applying in
person or by mail. The Affordable Care Act is designed to help
these people who haven't had access to health care, and we
should make that process as simple as possible, especially with
regard to the website and make sure their personal information
is protected.
I want to point out that right now in the United States,
about 83-1/2 percent of Americans e-file their taxes. Do you
all e-file your taxes? Yes, do you e-file your taxes? So you
all e-file your taxes? You are among the 83-1/2 percent?
Mr. Wright. I am sorry. That is--no offense, but what we do
and how we do it only gives information to let people--we can
neither confirm nor deny, and there is a reason the
intelligence community says that because they don't want to
tell people----
Ms. Bonamici. Understood.
Mr. Wright. --the threat vector that you can attack me on.
Ms. Bonamici. Well, I understand, but I just want to
clarify that a lot of people e-file their taxes.
So I want to also talk about the sort of conflation of
electronic health records, which has been discussed here this
morning, and certain detractors are suggesting that
HealthCare.gov is sort of a clearinghouse that includes access
to electronic medical records. So I want to get this from--let
us start with Dr. Rubin. Does HealthCare.gov collect or store
electronic medical records?
Dr. Rubin. It is my understanding that it does not.
Ms. Bonamici. Okay. And so let us talk a little bit about
the Data Hub, because we have been talking about how through
HealthCare.gov there is certain enrollment information that
gets verified through Data Hub, so it is my understanding, and
I would like, Dr. Rubin, confirmation of this, the Data Hub is
not a database, it does not store information. Is that your
understanding?
Dr. Rubin. My understanding of what the Data Hub is, is
that it is a queue of requests that are supposed to go out to
different entities for information and so once a request gets
processed, it is taken off of the queue and it is not stored.
Ms. Bonamici. So the data is not stored. I just want to
clarify that. It is used to verify information but not stored,
it is not a database. It is also my understanding that it is
not necessary to actually--consumers can still shop on the
website without creating an account. It is my understanding
that that was originally the case but now consumers can shop
and look for plans and compare plans without creating an
account first. Can somebody clarify that for me? Is that--has
that been changed so that you do not have to--consumers do not
have to set up an account?
Mr. Wright. In my written testimony, one of the security
issues was, is that they required you to give your personally
identifiable information upfront and go through the
registration process before you were given access to that
information. However, a website called healthsherpa.com created
by three gentlemen in two weeks did exactly what you were
talking about, which should have been done is just puts in your
age, your zip code and your sex and then you would be able to
shop for plans based upon a range of options. But when I went
through and started going through the process, it required you
to, and to this day it requires you to give your information
upfront.
Ms. Bonamici. Okay. Well, we will clarify that.
I wanted to ask Dr. Chang a question and also because I
want to give you an opportunity to say ``Go ducks'' like your
colleague said. In the lead-up to this hearing, we have heard
the reports about the attacks on the website, the distributed
denial-of-service attacks. So how would you describe those
attacks, and how might they compromise the functionality of
HealthCare.gov?
Dr. Chang. Go Ducks.
Ms. Bonamici. Thank you.
Dr. Chang. In the case of denial-of-service attacks, what
that would amount to is that it would essentially be an attack
on availability; people couldn't access the site, they couldn't
gain access to it and do the business they want to perform. I
guess I would mention sort of more generally as we talk about
the fact that the web is sort of this extremely powerful place,
it is also sort of a dangerous place. I got some statistics out
of 2012, and it basically talks about how 86 percent of
websites have at least one serious vulnerability. The average
website had 56 serious flaws. The organization only fixed 61
percent of these, and it took an average of 193 days. I mean,
so basically we have this powerful capability in which we can
launch all these sort of wonderful things but the downside is
that this power results in some danger.
Ms. Bonamici. And my time is expired, but I want to thank
you for your expertise, all of you for being here today. It
seems like there is a lot of places where people put in their
Social Security number and it doesn't--yes, we need to fix
things but that happens in a lot of places now. I yield back.
Thank you, Mr. Chairman.
Chairman Smith. Thank you, and the former Chairman of the
Committee, the gentleman from Texas, Mr. Hall, is recognized.
Mr. Hall. I thank you, Mr. Chairman. I thank you for having
such a capable Committee here, a group here, and I am really
amazed as I read your backgrounds here, and I might ask Mr.
Wright, when you were doing security work in Kansas, were you
working under Governor Sebelius at that time?
Mr. Wright. No, I was working under Governor John Carlin
and then Governor Mike Hayden, who became, I think, a secretary
of one of the agencies out here.
Mr. Hall. And Dr. Chang, I am going to have some questions
to ask you in just a minute because I am a little closer to
you. I am in Rockwall there, not too far from--come and get
more information from you if you don't tell me what I want to
hear from you. I graduated from there in law school years ago.
Both my sons graduated from law school there, and I am amazed
at SMU now, and I can't believe that Dave Kennedy being the CEO
of all those places is a hacker light, I would call him
something pretty capable. And might as well touch on Dr. Rubin
too. When you say Johns Hopkins University, you are going to
expect some class testimony. So Mr. Chairman, you and Eddie
Bernice got together a good group for us here, and I think
there is a lot of information there that we can look to. You
have already talked pretty much about the house with no
foundation, and I think you doubt that it can be patched up,
and I thank you all for your testimony.
As we examine the security of the website, HealthCare.gov,
or as we are finding out, the lack of security of this website
is in its current form, would you agree that if a system is not
only functioning--and that is my understanding from you. I
think that was your testimony, was it not, that you have a bad
basic for it. You have to go out and come in again, and that it
is not functioning, and that is another thing wrong with the
thrust of the health care that has been offered to the people.
So Dr. Chang, would you agree that if a system is not only
not functioning properly, that it is also not secure from
possible breaches and other cyber attacks, does that give you
some anxiety?
Dr. Chang. Yeah, it would. You know, in medical ethics,
they use this term ``do no harm.''
Mr. Hall. Right.
Dr. Chang. The exploit that David talked about is quite
literally the website attacking the user. I mean, that is sort
of the way to think about it. And you know, as others have
mentioned, it is really critical that security get built in
from the very beginning. If you are trying to add lines of code
to a software program on a sort of fundamentally unsound base,
that is not good. So I think you are hearing some agreement
among the folks around the table that security needs to be
built in from the very beginning, and to the extent it is not,
then that is----
Mr. Hall. Okay. How long do you think it would take to fix
these problems and assure public confidence in the website?
Dr. Chang. Pretty difficult to speculate. Maybe some of the
other panelists--I would say it is maybe sort of a matter of
months. I would be happy to----
Mr. Wright. I think Donald Rumsfeld said it best when he
talked about the levels of knowns. This is an unknown unknown.
I mean, we don't know because there is no transparency. We have
no information on the extent of the flaws. The information that
is documented on the FISMA requirements in the authorization to
operate have redacted information, so as practitioners, we
actually are hamstrung to be able to give you our best advice
because we don't have enough information to tell you we can
give you a best guess but a best guess can't translate into a
project plan in exact dollars.
Mr. Hall. And when you can't believe the information a
President of the United States gives you, you don't want to say
which time was he lying. I would rather say which time was he
not telling the truth, and I think that is where we are going
to come up with all these things that are breaking down now,
and I regret that we are trying to give them opportunities to
correct a bad bill, a bad health bill, with additional
information. Ought to kill it and start all over again and fix
the foundation.
Administrative officials have indicated that testing was
performed on pieces of the website, just on pieces of it, but
the entire website was not tested, and then how important, Dr.
Chang, is testing prior to launching a website of this
magnitude?
Dr. Chang. Extremely important. As you heard from the
others, this is what, you know, a professional website would
do. They would do testing before, during and after. In fact, I
am aware of one company in the private sector that conducts
quarterly unscheduled penetration tests after the site has gone
operational.
Mr. Hall. Do you think three years provides sufficient
time? Just yes or no.
Dr. Chang. What, for testing?
Mr. Hall. Yes.
Dr. Chang. It seems reasonable.
Mr. Kennedy. Sir, on the actual testing piece, you know, it
is not a matter of testing it, you know, stopping the code,
testing it, stopping the code, testing it. It should be built
into the process. So the process itself continuously tests the
security throughout the entire what we call the software
development lifecycle, and then through there you have the
security issues that are remediated prior to it. It doesn't
hinder or stop any type of production, and a three year time
period definitely should have been adequate enough to do the
security testing to make sure that prior to any type of
release, all those issues were vetted, and then from there you
do what is called penetration testing or hacking into the site
to make sure that you didn't miss anything important.
Mr. Hall. I thank you. My time is up. I may want to inquire
by mail to the four of you on some of these things. Thank you,
Mr. Chairman.
Chairman Smith. Thank you, Mr. Hall. The gentleman from
Massachusetts, Mr. Kennedy, is recognized for his questions.
Mr. Kennedy of Massachusetts. Thank you, Mr. Chairman. I
want to thank the Ranking Member as well for holding the
hearing, and thank each of our witnesses for your testimony.
Just want to echo my colleague's comments and say from
somebody from Massachusetts, obviously where we--coming from a
state that has gone through some of these challenges but a
state that now has nearly 100 percent of all adults covered--or
excuse me, 100 percent of all children covered, 98 percent of
all adults covered, where our rate of cost increase for the
overall health care system is right in line with our gross
state product, that for the risk pools for individuals and for
small businesses is about 1.8 percent, at least current data
for the year upcoming. Contrast that to about ten percent what
it was a decade ago. I think that Massachusetts has proudly
evidenced that if there is a collective will to get health
care, meaningful health care reform bill passed and to continue
to work on it, to continue to tweak it to make sure it works
together, it can be successful. And to the extent that I am
hearing from my colleagues today a new refrain of rather than
just repeal but actually repeal and replace, I think we are
finally actually getting somewhere. So thank you.
With regards to the actual website itself, and
unquestionably needs for improvement, and I want to thank the
witnesses for highlighting some of them, I did have a couple of
basic questions. First off, is it--Mr. Wright, is it clear that
you can actually get estimates about how much you are going to
pay for health insurance without having to put in any sort of
personal identifying information?
Mr. Wright. On the healthsherpa.com site, which has taken
it directly from the government site, yes, but when I went
through and tried it myself to get to the point to see how much
information it would require, I couldn't get to that point
without disclosing all of my information first.
Mr. Kennedy of Massachusetts. So would it surprise you to
know that in the past 5 minutes, I could log on to the
HealthCare.gov website, put in an exchange, put in a county,
put in no other identifying information other than age bracket
for me and whether I wanted coverage for myself or my spouse
and click through and get an estimate of various costs?
Mr. Wright. No, it wouldn't surprise me. In fact, I am glad
that they did it because it means that they learned from the
gentleman who created healthsherpa.com.
Mr. Kennedy of Massachusetts. Do you actually know who they
learned from?
Mr. Wright. No. That is the ones who originally did it,
that showed that model how it should be done.
Mr. Kennedy of Massachusetts. Okay. So----
Mr. Wright. But I am glad that they did it.
Mr. Kennedy of Massachusetts. Well, me too. Now, sir, your
testimony--and I take it from the chairman that the focus of
the testimony today in the hearing was, can Americans trust
government with the information on the HealthCare.gov website,
and Mr. Wright, the testimony that you offered basically broke
it down into four categories: the end-to-end security testing,
the user account creation and registration, the cyber squatting
domain name confusion, and insider threat. Is that right, those
four broad categories?
Mr. Wright. Yes.
Mr. Kennedy of Massachusetts. And so the end-to-end
security testing, those were the overall basic security issues
that we have--that many of the people on the panel and you
yourself talked about today, that every major website or most
major websites come under attack for cybersecurity threats. Is
that right?
Mr. Wright. Well, the need for end-to-end testing, yes, and
every site is--you must assume every site is under attack.
Mr. Kennedy of Massachusetts. Yes. Fair enough. That user
account creation and registration, if my understanding of your
testimony is correct is that your concern there is that it
creates a new norm that could be exploited by other websites
not pertaining to HealthCare.gov.
Mr. Wright. When it was originally done and they required
you to give your personally identifiable information upfront,
that created a new norm that people would use then to exploit
to say you must--this is the way we do it.
Mr. Kennedy of Massachusetts. Because so many people are
accessing health care and have signed up for HealthCare.gov
that that many people has now created a new norm?
Mr. Wright. I am not sure exactly your point.
Mr. Kennedy of Massachusetts. Well, how do you create the
new norm by----
Mr. Wright. You establish the new normal by saying this is
the way we do it. I mean, it could be one people that have
registered or 50 but at some point if the government says the
speed limit is now 65, that doesn't mean everybody starts
traveling 65, but that starts becoming the new norm that you
start enforcing against.
Mr. Kennedy of Massachusetts. Okay. And we have seen that
proliferate across--you have seen that now proliferate across
other websites and other domains, other user forums? If it is a
new norm, that norm is something that now spreads, right?
Mr. Wright. Well, if it is a new norm, what you do is,
people who create deceptive websites, or what David was
showing, is because you are used to doing that because it has
been said that you do that on HealthCare.gov----
Mr. Kennedy of Massachusetts. Have you seen that yet, sir?
Mr. Wright. Yeah, actually what David just showed.
Mr. Kennedy of Massachusetts. Now, have you seen that
spread across--if it is a norm, that becomes the norm, right?
Have we seen that?
Mr. Wright. I think we are probably getting into semantics,
and I apologize, sir. I didn't mean to do that. When I said it
starts becoming the new norm is, you start setting a standard
and people start doing it. Everything starts out with a low
level of adoption, then you get critical mass, and if they
change it and they do that, you can actually prevent the fraud,
which is a good thing, because you reestablish what the norm
should be, not that you should give personally identifiable
information upfront.
Mr. Kennedy of Massachusetts. And I am just going to--I
know I am running close over time. Thank you for clarifying,
sir.
The last piece that I just want to touch on, I don't know
if any of you--and I don't want to put anybody on the spot here
but applications for a passport where you have to submit--or it
asks for information including identifying information, proof
of citizenship, proof of identity off a website. We haven't had
any hearings based on the confidentiality or security of those
issues. Is that--have any of you investigated other government
websites about the use of and the safety of classified--or of
confidential material?
Mr. Kennedy. And I can talk to that. One of the examples
earlier was around the e-filing system. I have actually done
security testing around the e-filing application part, and they
have had security embedded into that at a very different type
of level. There is actually state laws around the protection
around what you have to do around Social Security numbers, and
in the private sector there is what is called HIPAA around
protecting against, you know, patient health care information.
So there are laws and regulations around the protections of
those, and I have done actual security testing on those in the
past and they have done pretty well.
Mr. Kennedy of Massachusetts. And you think HIPAA--but we
heard a lot of concerns about confidential patient information
and the mix-up of electronical medical records--or electronic
medical records, HIPAA.
Mr. Kennedy. So there is a difference between compliance
and what we call proactive security. Compliance doesn't mean
security in any way shape or form but what HIPAA was designed
to do was to put protections in place around patient health
care information, or PHI, and while that is not necessarily
successful across 100 percent of the board, I have run into
some outstanding medical institutions that have very good
security to protect patient health care information and take it
very seriously, just a matter of negligence versus folks that
go on the proactive side to actually fix the issues that they
identify.
Chairman Smith. Thank you, Mr. Kennedy.
Mr. Kennedy. Mr. Chairman, thank you for the extra time.
Chairman Smith. The gentleman from Texas, Mr. Neugebauer.
Mr. Neugebauer. Thank you, Mr. Chairman.
I think we need to make sure we are clear here because even
when people call in to HealthCare.gov, they are talking to
individuals, but they are putting that data into the very same
system that the web page is putting that and so basically all
of that data is going into a central repository, and a number
of these people that are helping put this data into the system
are referred to as, I believe, navigators, and I think Ms.
Sebelius stated in a recent hearing that these people do not
undergo a federal background check, and Dr. Chang, as someone
that was once the Director of Research at NSA, what are some of
the risks of allowing people that have not had background
checks run on them to have access to this kind of data?
Dr. Chang. Yeah, so you would basically be worried about
the issues of identity theft. I once went to a restaurant and
gave the server my credit card. They wrote down my credit card
and racked up some charges. So the worry would be to the extent
that these folks that haven't had background checks--and
honestly, I don't know how severe the backgrounds might be but
if they haven't had background checks, who knows what they
could do with the information. It is valuable information,
there is a lot of it, and, you know, maybe they could do
malevolent things.
Mr. Neugebauer. Mr. Wright, do you want to comment on that?
Mr. Wright. Yes, sir. I actually conducted behavior
analysis training at the National Security Agency. We had the
damage assessments agents in from significant espionage cases
like Earl Edwin Pitts from the FBI, Aldrich Ames and Nicholson
from the CIA, and one thing over and over again was, you can do
a background check, you can give a high level of trust, and it
still doesn't mean, as we know from Robert Hanssen, for example,
people still don't turn bad, but from my experience and
training and when we have gone and looked at the fact that you
don't do at least a cursory background check and eliminate the
obvious threats from the beginning means that convicted felons,
people with other--you would no more want a convicted felon
than somebody with a conviction for child pornography having
access to certain government systems. There is the SF-85-P from
OMB establishes at least a baseline of information you can use
to weed out candidates who should be disqualified from holding
a position of public trust. The question is, would you define a
navigator from a policy standpoint as a position of public
trust, and if you do, the procedures are already in place to
assess those backgrounds.
Mr. Neugebauer. Mr. Wright, when I was reading your
testimony, and I think you alluded to in your oral testimony,
about the fact that the HealthCare.gov has over five million
lines of code----
Mr. Wright. Five hundred million.
Mr. Neugebauer. Five hundred million? Yeah, it's even worse
than stated. And that the Windows has 50 or 80 million lines of
code, I think one of the questions that I have is also about
security, but the American taxpayers, I think are going to pay
like $680 million for the system, or that is what is reported.
So the question is, you know, we have got a lot of e-commerce
sites out there that have been in place for a very long period
of time, why would the government choose to try to build
something from scratch that already is pretty readily available
out there? Is there something about the way that HealthCare.gov
operates that is different from the rest of the world operates
or should be different from the rest of the world?
Mr. Wright. Yes, there is, and it is the issue of
accountability. If you are in the private sector and you have
shareholders and you screw up, you are gone. I mean, there is
accountability. There is also exposure to civil litigation. I
can tell you, I worked at Cisco for six years, great company.
We worked with a lot of countries and places. But the legal
ramifications of doing something wrong went up and down the
chain of command. Here you don't have the same. The government
has a lot of immunity from liability. It should have gone out
to the private sector to do this because what you have done--
my example was, can you imagine if the government put out a
request for proposal to build Facebook, what that would look
like. Facebook was built with 20 million lines of code and
serves 1.2 billion people. This has 500 million lines of code
and it has been challenged to provide the security and the
functionality that you need. So yes, looking from the private
sector, this actually would require a reinvention in terms of
how you go out for proposals as opposed to an IDIQ contract,
which this was done under. It is actually to go out and say,
give us your best shot, we have a statement of objectives, here
is what we would like to achieve, now innovate and build
towards that. Your costs would have gone down. The complexity
of the code would have gone down, that Dr. Chang talked about.
Mr. Neugebauer. Thank you.
Mr. Kennedy, so the complexity of this program means that
some of the proven techniques that have been used out there in
the private sector that have run through these security checks
might not have been incorporated into this code and so
basically when you have this much new code, does that increase
the vulnerability of the system?
Mr. Kennedy. It does significantly and if you look at
Microsoft, everybody here has heard of Microsoft before,
Windows, Microsoft Windows. You know, you hit the 50- to 80-
million mark for lines of code. Microsoft still continues to
this day to have security flaws and exposures, albeit
significantly less because they have done formal testing. They
have a great security program that actually looks at a lot of
these. But in its very early stages, it was definitely one of
the most hacked operating systems that there was out there with
hackers basically breaching with what we call zero days or
exploits every single day. And so when you have 500 million
lines of code, which is six times greater than the code of
Microsoft, you have significant problems with manageability of
code, the complexity of the code and the introduction of
exposures that are out there as far as exploits and attackers.
So it is very difficult to manage something like that. It is
very difficult to fix something like that as well as even be
able to address some of the security concerns you have in a
short period of time.
Mr. Neugebauer. Thank you, Mr. Chairman.
Chairman Smith. Thank you, Mr. Neugebauer. The gentleman
from California, Dr. Bera, is recognized.
Mr. Bera. Thank you, Mr. Chairman. Thank you, witnesses,
for being here.
We never let politics get in the way of addressing health
care, addressing getting access to care. This body never would
let that happen. So since we are going to work together as
Democrats and Republicans to make sure we are able to get a
system up and running, my goal is not to defend the
HealthCare.gov website. Obviously this was a botched rollout.
It is to take advantage of the fact that we have some security
experts here, to take advantage of the fact that we have got to
fix and make this better. My colleague from Massachusetts, Mr.
Kennedy, already identified one way that we have made this fix
and made it better in terms of the sequencing, right? So when I
have gone to my home state exchange, Covered California, it
doesn't ask for any personal information. It allows me to just
put basic information in, zip code, basic income level and then
it gives me an estimate. It sounds like HealthCare.gov fixed
that. That is a good thing. It makes it more secure, right?
Everyone would agree with that?
Dr. Chang, you mentioned that 86 percent of all websites
have at least one vulnerability. We are not here suggesting
that we shut down 86 percent of the internet. What we are
suggesting is we should be vigilant and address those
vulnerabilities and we should do everything we can to the
extent possible to make things secure. Again, I think we all
agree on that.
Mr. Wright has mentioned four things. We just talked about
sequencing. So this change in sequencing makes us better. Cyber
squatting, domain name threats. I know in my state last week,
the Attorney General shut down, I believe, 10 websites that
were posing as Covered California look-alikes. We should be
able to address that as well if we are vigilant about that. I
would say we should just have someone looking at websites every
day saying hey, these are fake websites, let us go after them,
let us shut them down. That is something we should be able to
address, wouldn't you agree?
Mr. Kennedy. I think you can definitely address a lot of
those issues from identifying what sites are trying to
impersonate as the website itself. There is definitely
proactive steps you can take to minimize the risk to the
website itself, absolutely.
Mr. Bera. So all of you would recommend that that is
something worth doing?
Mr. Kennedy. Absolutely.
Mr. Bera. So we should make that recommendation and get on
that right away and make sure that no one is going to a fake
website that looks like HealthCare.gov and putting information
in. So that is a recommendation I think we can make as a
Committee to immediately get on and it is something that should
be done today, if in fact it is not being done.
Mr. Wright. Dr. Bera, in fact, on the front page of the
site, one of the things I suggest is exactly that. It would be
nice for people to know what is an authentic account. Like when
you get your banks, they say we will not ask for your password,
we will not do this, just getting information like that from
the government itself saying these are things we do and these
are things we do not do and these are not authorized sites, or
here are the only sites that count would actually go a long way
to preventing that fraud.
Mr. Bera. So we could certainly make that recommendation.
In my State of California, it is my understanding that all
the navigators have to go through a background check, so I
would ask the Committee to verify which states are making
navigators go through background checks and which ones aren't.
It is my understanding that because of the government shutdown,
part of our challenge in California is that there is a backlog
of navigators at the Justice Department going through the
background checks. So that is an easy recommendation that we
could make broadly as well, that at a minimum, the navigators
should go through at least a basic background check. I would
ask the Committee to verify which states are not doing
navigator background checks versus which ones are. I don't
think we can make a blanket statement that says navigators
aren't going through background checks because, again, my
understanding is that my home State of California, they are
going through background checks. So again, easy recommendation,
easy fix, an easy way for us to make sure that we are not
compromising security.
And then the more complicated one--I am not a computer
programmer, I did hear Dr. Rubin suggest that writing more
lines of code doesn't always make a system more secure, in
fact, it may make a system less secure. So, what I would
encourage all of you, as well as all of the folks in the
security industry, is to get out there as patriotic Americans,
we want to make sure our country is secure. I would start
making those recommendations to the federal government and I
would ask the Administration to be open to inviting folks in to
come in and make those suggestions because there is a lot of
knowledge out there. You know, again, Dr. Chang suggested there
are lots of vulnerabilities out there, so my message to the
Administration would be, instead of being insular, let us
actually invite folks in, Democrats and Republicans, to look at
this website and make sure it is secure, and with that, I will
yield back.
Chairman Smith. Okay. Thank you, Dr. Bera. The gentleman
from Alabama, Mr. Brooks, is recognized.
Mr. Brooks. Thank you, Mr. Chairman.
I am not a computer security expert but I can read the
words of those who are. The Science, Space, and Technology
Committee staff prepared for Members' use a document called
Hearing Charter, and according to our hearing charter, in order
to use HealthCare.gov, American citizens will be asked to input
or verify this type of information: birth and Social Security
numbers for all family members, household salary, debt
information, home mortgage information, credit card
information, place of employment, previous addresses and the
like. So when I see that, that causes me to pause. It causes me
to have concern because that is a lot of personal information.
I am sure that some criminal identity theft type of individual
would consider that a dream, a wealth of information to get
their hands on. Which brings me to the benefit of some of your
written testimony, which of course is more extensive than your
oral testimony, and if the Committee will bear with me, I am
going to read from some of the written testimony that we
received before we heard the oral testimony. ``The vast amount
of code also means applying industry standard security
practices is a task that can have no real chance of success at
present.'' No real chance of success at present. ``The first
major issue is the lack of an inability to conduct an end-to-
end security test on the production system.'' Obamacare ``also
creates massive opportunity for fraud, scams, deceptive trade
practices, identity theft and more.'' Another one: ``The lack
of effective security controls has created the conditions for
massive fraud and hacking.'' Yet another one: ``The most
troubling insider threat aspect would be the lack of a
personnel policy that requires background checks for
individuals with access to PII''--personal information--``or
sensitive information systems.''
During testimony November 6, 2013, Secretary Sebelius
admitted that convicted felons could be hired as navigators and
that no federal policy existed to require background checks. So
we have got the insider threat. Another one: ``There are clear
indicators that even basic security was not built into the
HealthCare.gov website.'' Another one: ``There are systemic and
serious concerns with the HealthCare.gov website. Based on our
experience in large web applications such as this, there are a
few options available in order to address the security concerns
with the website,'' and the list just goes on and on and on.
It seems to me that the Obamacare website is the mother
lode for identity theft, internet fraud and other criminal
activity. It is quite frankly frightening and outrageous that
the White House so callously and cavalierly exposes so many
Americans to risk of debilitating financial damage, and all of
this brings me to my questions. If HealthCare.gov identity
theft occurs, an American citizen is financially damaged. What
recourse does that citizen have under Obamacare against the
federal government for compensation for financial losses
occurred because we American citizens use the website we were
told to use under Obamacare? Can any of you all describe to me
what remedies, what recourse, what compensation can a citizen
receive from the federal government for use of the website we
are mandated to use that results in identity theft or other
adverse effects?
Mr. Wright. My very quick answer is, what form do I fill
out to get my identity back because there is no way to do that.
You can give me a credit card, you can fix my card, but once my
identity is taken how do I get that back. That is probably one
of the key things that has concerned me just from a technology
standpoint is the protection from an identity theft standpoint.
We can fix a lot of other stuff but your identity is what makes
you who you are.
Mr. Brooks. Dr. Chang, do you have any compensation that a
citizen who has been wronged can get from the government for
use of Obamacare's website?
Dr. Chang. I think I would just maybe respond sort of
generally. There is this notion kind of in credit card fraud
that you basically hold the consumers harmless. This is very
complex. They talk about 500 million lines of code, all this
kind of scripting and stuff. It is very complex, and to expect
users to have any sort of deep understanding of it, you might
say gee, it is sort of like a credit card. You kind of hold
them harmless.
Mr. Brooks. I have only got 30 seconds left, so I am going
to conclude with one quick question. Given HealthCare.gov's
security issues and assuming for the moment that you would be
personally responsible for all damages incurred, if any, from
your advice, would any of you advise an American citizen to use
this website as the security issues now exist? Yes or no.
Mr. Kennedy. No, sir, not at this time.
Mr. Wright. Same answer.
Dr. Chang. Same answer.
Dr. Rubin. Yeah, I wouldn't yet.
Mr. Brooks. So it is a unanimous no, don't use the website
because of the security risks?
Dr. Rubin. I would say that the security would have to be
studied a lot more carefully before I would agree to that.
Mr. Kennedy. And disclosed.
Mr. Brooks. Thank you for your insight. I hope the American
people are listening. With that, Mr. Chairman, thank you for
the time.
Chairman Smith. Thank you, Mr. Brooks. You elicited a
unanimous response on that question.
The gentleman from California, Mr. Takano, is recognized.
Mr. Takano. Thank you, Mr. Chairman. I am disappointed that
the Committee is spending its time this morning adding to the
political drama around the Affordable Care Act. There have
already been over 40 hearings this year on the Affordable Care
Act by House committees, 15 of those since open enrollment
began on October 1. And now we can add the Science Committee to
that list.
While there certainly have been issues with the rollout of
the website, the stories of how the Affordable Care Act is
already helping millions of people are drowned out by the scare
tactics used by my colleagues on the other side of the aisle. I
have here the Republican playbook for undermining the ACA. It
is filled with examples of how to scare constituents away from
Obamacare. It is in the American people's best interest to
encourage participation in the exchanges to help bring down
premiums for everyone. But for my colleagues, it seems it is
not about the American people winning, it is about them
winning.
This hearing is just another attempt to undermine the
President's signature law and follow their playbook.
Mr. Rohrabacher. Mr. Speaker, Mr. Chairman----
Mr. Takano. Well, I would like to----
Mr. Rohrabacher. Mr. Chairman, I----
Mr. Takano. While I would like to balance the record and
share----
Mr. Rohrabacher. Mr. Chairman, might I ask----
Mr. Takano. Mr. Chairman, I do not yield. I reclaim my
time.
Mr. Rohrabacher. I am not asking you to yield. I am asking
the Chairman to make a decision as to whether or not what you
just did was impugning the integrity of those who are
disagreeing with you on this side of the aisle which is----
Chairman Smith. Yeah, I would say the gentleman from
California----
Mr. Rohrabacher. --inconsistent with the rules of this
Committee.
Chairman Smith. I appreciate the gentleman from California
bringing that issue up, but in the Chair's judgment, the
accusation was general enough and not specifically addressed
towards any individual. So I am sure the gentleman will not
repeat it. But I would not say at this point it was out of
order.
Mr. Rohrabacher. Thank you very much.
Mr. Takano. Thank you, Mr. Chairman. I would like to
balance the record and share a bit about how the ACA is helping
my constituents. Twenty-four percent of my constituents are
uninsured. That is 175,000 people in my district alone. The
Affordable Care Act will get them covered so they don't have to
worry about going bankrupt or being unable to get care if they
become sick. Just yesterday I heard from a constituent who lost
her insurance when her husband became sick with Parkinson's
disease at the age of 50. Now through Covered California, she
and her sons are able to get robust coverage, and they are
saving more than $600 a year.
Yes, the federal rollout has been complicated, and yes, we
should be sure the website is protected from attack and
Americans' personal information is secure. The law is about
more than the website. It is about peace of mind for millions
of Americans who need and deserve affordable coverage.
Now, I have seen a lot of--I am an English teacher, and I
have seen a lot of rhetorical, a lot of red herring, rhetorical
confusion sort of statements and testimony being made, and I
just want to clarify something with you, Mr. Kennedy. I have--
you were asking, responding to--excuse me. Before the hearing,
you met with staff to discuss the vulnerability you found on
the Data.HealthCare.gov site. In that meeting you said that you
could not know what the architecture of Data.HealthCare.gov,
what it was or how it was connected at the systemic level with
HealthCare.gov. These are two separate websites.
Now you are saying that they share an infrastructure. I am
not sure what you mean by that, but it implies that they are
one in the same site. Now, let me ask you a simple question.
You could see the account information for Data.HealthCare.gov,
a site that is not designed for consumers but for researchers
who look at national aggregations of data on health plans. Is
an account at Data.HealthCare.gov also an account at
HealthCare.gov? Are they the same?
Mr. Kennedy. There are two questions there. The first is,
is the account the same.
Mr. Takano. Are they the same? That is my question.
Mr. Kennedy. They are not the same.
Mr. Takano. Okay. Thank you. Dr. Rubin, based on what you
were able to learn preparing for this hearing, what are the
vulnerabilities at HealthCare.gov implicit in Mr. Kennedy's
discovery about the data website managed by CMS?
Dr. Rubin. It is really not clear to me. The
Data.HealthCare.gov, I went to it and looked at it, and it is a
different kind of a site. And I am not sure. I would need to
study the linkage between, if there is any, the accounts on
HealthCare.gov and the accounts on Data.HealthCare.gov.
Mr. Takano. Okay. So Mr. Kennedy, do you believe there is
any connection?
Mr. Kennedy. I do. I do believe that there is significant
connection. If you think HealthCare.gov, it is not just
www.HealthCare.gov. Think of a house where you have a door
which may be the entryway into it. There are things that
support that website that pull data feeds in, and there are
direct data feeds that get pulled in from Data.HealthCare.gov
that are directly represented on HealthCare.gov. Information
consists----
Mr. Takano. But are consumers going to be going to that
site?
Mr. Kennedy. Not necessarily. I don't know enough about the
infrastructure to say whether or not consumers----
Mr. Takano. So you don't know anything about the
infrastructure?
Mr. Kennedy. I don't know enough about the infrastructure----
Mr. Takano. Yet, in your testimony there is an implication
that people could draw that there is one.
Mr. Kennedy. Well, there are over 100,000 individuals
registered for that website. It would be indicative that it is.
Mr. Takano. Well, I think this is kind of an example of the
confusionous sort of testimony, a red herring to make the
American people--to scare the American people.
Mr. Kennedy. I would say that extracting 100,000
individuals' email addresses----
Mr. Takano. Again, you don't know the infrastructure.
Chairman Smith. Mr. Takano, would you mind letting the
witness answer one of those questions?
Mr. Takano. Thank you. My time is up, Mr. Chairman.
Chairman Smith. Okay.
Mr. Wright. Mr. Chairman, could I actually add something? I
wanted to clarify something. I just talked with your staff.
I just went through to create an account because the
implication was made is that they have changed it. I am
actually here right now with an account asking me to verify my
home mortgage, Social Security number and stuff. So in terms of
my testimony, I just wanted to make sure to be factual is that
it still requires me to verify and provide personally
identifiable information, Social Security number, credit
information before I can create an account.
Chairman Smith. Thank you for that clarification. The
gentleman from Utah, Mr. Stewart, is recognized for his
questions.
Mr. Stewart. Mr. Chairman, could I beg to defer my question
for several and come back?
Chairman Smith. Absolutely. We will return to you in just a
minute. We will go to the gentleman from New York, Mr. Collins.
Mr. Collins. Thank you, Mr. Chairman. I think it is
probably appropriate after that give and take, I am just going
to ask six yes/no questions. How is that? We will start with
Mr. Wright, go down the line, and there are six of them.
Number one, would any of you have launched HealthCare.gov,
recommended the launch, given the factual, known status of the
website on October 1?
Mr. Wright. No.
Dr. Chang. No.
Dr. Rubin. No.
Mr. Kennedy. No.
Mr. Collins. Number two, would any of you have signed off
as experts on the front-end requirement to enter personal data
to be able to go get pricing and other information?
Mr. Wright. No.
Dr. Chang. No.
Dr. Rubin. No.
Mr. Kennedy. No.
Mr. Collins. Do any of you today think today that the site
is secure?
Mr. Wright. No.
Dr. Chang. No.
Dr. Rubin. No.
Mr. Kennedy. No.
Mr. Collins. While this is a hypothetical, in your opinion
do any of you think the site will be secure on November 30?
Mr. Wright. No.
Dr. Chang. No.
Dr. Rubin. No.
Mr. Kennedy. No.
Mr. Collins. In your opinion, how long do you think it will
be before the site could be secure? Just give me an estimate of
months.
Mr. Wright. Unknown.
Dr. Chang. Hard to estimate.
Dr. Rubin. I don't have enough information.
Mr. Kennedy. A long time.
Mr. Collins. And finally, last question. This will be a
record, Mr. Chairman, in a five minute questioning session.
Would you recommend today that this site be shut down until it
is verified to be secure?
Mr. Wright. Yes.
Dr. Chang. Yes.
Dr. Rubin. I would need more information.
Mr. Kennedy. Yes.
Mr. Collins. Thank you, gentlemen.
Chairman Smith. Thank you, Mr. Collins. You would be a
dangerous lawyer. The gentleman from Texas, Mr. Veasey, is
recognized for his questions.
Mr. Veasey. Thank you, Mr. Chairman. I wanted to
specifically ask you about a couple of events that have been in
the press here lately. One was a large bank, financial
institution that had their information compromised. CitiGroup
had an attack of about 146,000 people that had their Social
Security numbers, their date of births and other information
that was compromised, and there was also a large defense
contractor that also had over 70,000 individuals that had their
names, Social Security numbers, date of birth, blood type,
other contact info. Can you explain how individuals are at
greater risk of identity theft under HealthCare.gov than any of
these other sites that I have just named?
Mr. Kennedy. I can take that, and I appreciate your
question there. There is no doubt that the hacking community
and what is going on right now with technology is a great
threat. I mean, it is happening all the time. There are attacks
happening all over the world from different locations on
different companies as well as government agencies.
And so what we need to do and what we need to bring
awareness to, and this is why we are here as experts on the
security side, is bring awareness to what you can do to prevent
these type of attacks from happening because they are
preventable. You can do secure coding. You can do things that
prevent hackers from breaking in. You can stop them in the very
early stages of an actual attack. And these companies that
experience these type of breaches fundamentally had flaws in
their security program that allowed these type of exposures to
happen. There is a lot of success stories that have happened, a
lot of companies that haven't experienced breaches. And those
are the companies that I think hold true to proper secure
coding practices, proper testing and ensuring that they have
security injected into their software development lifecycle to
prevent these type of exposures in the meantime.
Mr. Veasey. Dr. Rubin, I would be interested to hear what
you have to say.
Dr. Rubin. I mean, he was echoing my thoughts exactly----
Mr. Veasey. Okay.
Dr. Rubin. --that there are known practices that if they
are followed with proper personnel and proper training and
proper security practices and encryption and the right software
and the right software life cycle. You can't ever make a system
that any security professional would claim is entirely secure,
but you can make something that should stand up to the attacks
that we are seeing today.
And so the sites that have been compromised, if you dig
deep, and I have had experience and opportunity to dig deep in
some of the sites that have been compromised, you often find
that they either weren't vigilant enough, were running the
wrong software or weren't following some well-known best
practice that would have prevented the problem.
Mr. Veasey. Have any of you, particularly because of the
question that you just answered from the previous
Congressperson on the dais on the Republican side, have any of
you done a security assessment of HealthCare.gov? Because I
mean, for you to be able to say that, no, you think that it
should be shut down, I am assuming that you have done a
security assessment.
Mr. Kennedy. To answer that question, what we can see is
indicators of security flaws, things that would be basic for an
attacker to go after that should be addressed, even by the most
simplistic scans or ways of detecting exposures. So to answer
your question, I have not performed a security assessment on
HealthCare.gov because I am not authorized to. However, based
on using public information and information that is readily
available, there are clear indicators that there are major
security concerns on the website based off of what we can
identify without actually attacking the site itself.
Mr. Veasey. I would like for everybody to answer that one.
Mr. Wright. Yeah, and what he is getting at, too, it is
just the example I was talking about when the original denial
of service attacks happened. They didn't happen right away.
They built up until they got critical mass over a period of six
months. The Chinese People's Liberation Army, the Mandiant
report, advance persistent threat one did this for years. You
will not see the massive attack in the first 30 to 60 days, but
what you have are the precursors and the indicators and in a
sense warnings is that all the conditions are there, the
vulnerabilities are there, the lack of an end-to-end security
test is there which will create the condition in the future,
just like a forest fire. It is a recipe for disaster at some
point in the future if it is not remediated.
Dr. Chang. Yeah, I guess I would echo what some of the
others have based on information that seems to be publicly
available, based on the testimony of David, and just this
general idea that I mentioned before that the web is basically
a pretty dangerous place, and some of these precautions haven't
been inserted is cause for concern.
Dr. Rubin. I think that the attacks that have been
published so far and that I have seen have all been ones that
are easily fixable, and the ones that have been around for a
little while have been fixed. And before I would recommend
shutting something down, I would have to know that there was
some inherent security problem or architectural flaw that
necessitated that as opposed to some small superficial type
risks that can be easily fixed. I don't want to minimize them,
but if they can be fixed, that is better than shutting it down.
Mr. Veasey. And to clarify the exchange that you had with
Mr. Kennedy a little bit earlier, you talked about the HIPAA
protocols, I just want to clarify something for everybody that
may be watching this. HIPAA applies to medical records which
are not stored in HealthCare.gov, is that correct?
Dr. Rubin. That is my understanding.
Mr. Veasey. Okay. All right. Mr. Chairman, thank you.
Chairman Smith. Thank you, Mr. Veasey. The gentleman from
Arizona, Mr. Schweikert is recognized for his questions.
Mr. Schweikert. And thank you, Mr. Chairman, and to a
couple of my fellow Members, thank you for letting me skip
ahead. I have another appointment in a moment. I need to
disclose, I am sort of a junior-level SQL programmer which
makes me just dangerous enough to think I know what is going
on. Not that I wouldn't know about any of these blogs, but
while sitting here I went on a couple of the hacker blogs that
I have some familiarity with. Some of them, you all know,
because I am sure when you are hunting for public information--
that is why I have been a little surprised at some of the
dialogue back and forth here saying let's have sort of a
technical discussion instead of a political one that seems to
be coming from the other side.
Outside of the, what is it, a DDoS type attacks, which are
easy conceptually, mechanically, I found one whole discussion
group talking about SQL injections. I would think that would
have been just a junior-level thing to have avoided and tested
for. So Mr. Wright, should I have a level of concern that just
in sitting here in 40 minutes I was able to find a number of
blogs talking about here is a script you might try?
Mr. Wright. I am shocked it took you that long because it
is out there. You look at the common vulnerability expressions,
basically a common vulnerability database. One of the things
you can do that is a very easy check is to check your site
against the top 20 things that are out there and see how you
rank against that. That is public information. The FBI does
that. I think it is the San Francisco Field Office in concert
with the security administrator networks. It is called SANS, I
think, and then MITRE has that. There is stuff out there you
can already test it against.
Mr. Schweikert. It is an automated script. You can just
load it in and test your----
Mr. Wright. And you can do--there is a lot of automated
testing. But again, to David's point, there is no authorization
from our side to conduct that and nobody wants to run afoul of
the law. So you can only do things that are passive or
reconnaissance. You can't do anything active against the site.
Mr. Schweikert. Dr. Chang?
Dr. Chang. So I guess I would relate back to this idea that
hackers will be patient. So David talked about, you know, kind
of probes and scans. They are basically going to sort of check
things out, try to understand if they will reconnaissance. They
will, you know, press and probe. They will be patient.
Mr. Schweikert. Dr. Rubin?
Dr. Rubin. Yeah. I mean, I think that the SQL injection
attacks are one of the better-known types of attacks, and they
can easily be prevented up front. From the demonstration that
Mr. Kennedy did, it shows that people are actively trying out
to see if there are SQL injection vulnerabilities.
Mr. Schweikert. Mr. Kennedy, I was going to actually go to
something else because it is come up now I think two or three
times in the discussion. HealthCare.gov, we should think of it
as a portal that is reaching out and touching a number of
different databases, and those different databases all, you
know, most likely have also entries into those. So it is a
connected web. And there has been some of the absurdity of some
of the argument coming here is, well, you know, is it
HealthCare.gov? If there is lots of ways to get into the hub,
you will have lots of different paths of vulnerability. And I
mean, I am trying to describe it as simply as possible. Am I
doing okay?
Mr. Kennedy. You are perfect. It is entirely accurate. If
you look at what was mentioned, the data hub and the different
sites that make up HealthCare.gov, HealthCare.gov is what we
call the end-user experience, the user interface, the UI. That
is when people browse and kind of view and things like that.
But data that comes in from there comes from different areas.
It comes from state exchanges, it comes from
Data.HealthCare.gov. If you want to click on the live chat
button on the bottom right, it takes you to
Chat.HealthCare.gov. So there are different sites that make up
what you see in your browser.
Mr. Schweikert. And that is often the vulnerability. It
could be over here just a discussion group that actually has
access in and that is my path in the line of code.
Mr. Kennedy. In fact, right before this all started, I got
an email from an individual that had sent me basically about 14
different exposures that they identified, and one of them was
basically how to manipulate data that could be directly
portrayed on the HealthCare.gov website because it pulls in
from these different areas.
So, to put this conceptually and easy, it hooks into IRS,
it hooks into DHS, it hooks into Experian which is a third
party. You have all these trusted connections. You have all
these things that make up the site itself. But the pieces that
actually make up www.HealthCare.gov are multiple areas.
Mr. Schweikert. Yeah, I just need everyone to sort of
understand that because there seems to be a misunderstanding of
thinking it was a siloed website, and it is just the opposite.
You know, think of it sort of as the spider web.
In my 20 remaining seconds, we have half-a-billion lines of
code. Market value or market pricing right now for really
beautiful, high-end code is what, 45 bucks a line? 50?
Mr. Kennedy. It averages and depends based on what type of
programming language and infrastructure, but sure.
Mr. Schweikert. And so that is where I have been trying to
get my head around saying if just half-a-billion lines of code,
particularly when you are reaching out and pulling in out of
other databases and then standardizing it, does something seem
almost absurd?
Mr. Wright. Well, there is also another paradigm, too, that
if it costs you $1 to fix it before you launch, it will cost
you up to $100 to fix it after you launch.
Mr. Schweikert. You beat me to the punch line.
Mr. Wright. Oh, sorry about that.
Mr. Schweikert. No, it is okay. Mr. Chairman, thank you for
your tolerance, and thank you everybody.
Chairman Smith. Thank you, Mr. Schweikert. The gentleman
from Illinois, Mr. Lipinski, is recognized for his questions.
Mr. Lipinski. Thank you, Mr. Chairman. As Mr. Veasey had
said and others have said, I think it is important enough to
make the point again for those watching as I have been in my
office up until now, HealthCare.gov does not store any
personal, medical information or other information. So a hacker
could get access to sensitive information, the hacker could not
simply access all a person's life and medical history. I think
it is important that we make clear that to the American people.
You know, it should be said that also cyber security
threats are not unique to HealthCare.gov, and I have some
concerns that we are just focusing on the security of
HealthCare.gov but not other potentially vulnerable systems.
Just yesterday, for example, the Treasury Inspector General for
Tax Administration issued a report which found the security
configuration settings on IRS servers were not set in
accordance with IRS policy. The report stressed that if these
servers were accessed by unauthorized persons, they might be
able to access large amounts of sensitive information.
So I think that there are other things we should be looking
at. It is easy right now to beat up on HealthCare.gov, but I
think we should make sure we are doing our job in looking at
all of the potential vulnerabilities in cyberspace, with cyber
security, with government systems. But everyone would have to
admit that the HealthCare.gov website rollout has been an
unmitigated disaster. My personal experience with DC Health
Link so far has not been very good, either, but I don't think--
we are not talking about that right now.
Apart from the obvious issues of the lack of usability of
the website, there have been security flaws present at the time
of the launch which would have compromised the data that people
entered into the site as has been mentioned. The fact the
information is not stored on the website would be cold comfort
to anyone who had their Social Security number and other
sensitive info stolen as it was submitted to the website. I
never want to downplay that importance.
In a memo on September 27, the CMS Administrator, Marilyn
Tavenner, revealed that a contractor had not had access to all
the security controls to test the system. The memo went on to
say that, ``From a security perspective, the aspects of the
systems that were not tested expose a level of uncertainty that
can be deemed a high risk.''
So we certainly have examples of problems with
HealthCare.gov. We have talked about those. I have long been
concerned about cyber security issues in general, which is why
in the last three Congresses I have cosponsored the Cyber
Security Enhancement Act with Congressman McCaul. This
legislation would improve federal research and workforce
development in the field of cyber security. I am glad that we
have moved that here in this Congress.
I have also sponsored several bills which would make
necessary changes to the Affordable Care Act including one to
delay the individual mandate unless HHS's IG was able to
certify that the website was working by November 30. I did not
vote for the Affordable Care Act, but I think that we owe it to
the American people to put partisanship aside and make
necessary changes to the Affordable Care Act when they are
required. I have certainly stepped forward to try to do that.
So with that long introduction, my question for the panel--
hope you had some time to rest there--is whether a similar
approach in some ways is needed for HealthCare.gov. So I want
to ask, would it be helpful to have the--and this is for
everybody. Would it be helpful to have HHS's IG certify that
all known security issues have been dealt with and that a
process was in place to proactively identify and address major
security issues as they arise? Do you feel that an adequate
process is currently in place? That is, we talked a lot about
issues here. Do we need to have a system maybe, like I said,
HHS's IG or someone else who is looking at this and making sure
that the processes are in place as these things are found? We
never know for certain every single possible weakness. But
would you think that would be helpful to help moving security
along on this system?
Dr. Chang. I wrote down some questions that are kind of
along those lines. Maybe I will read them now. They might be
useful. I think I would ask questions like how resilient is
HealthCare.gov to a hacking attempt? What is your evidence?
When there is a breach, how will we respond? What is our
process for monitoring the security of HealthCare.gov? When a
vulnerability is found, how quickly is it remediated? Are we
taking all reasonable steps to protect the sensitive data on
HealthCare.gov? What is the evidence?
Mr. Wright. And to your point, it would be helpful because
then we are dealing with a known. Now we have a report, and it
may be that the report would ameliorate a lot of the
uncertainty that is out there. But on the other hand, you have
to be prepared for the fact that the report would identify
the structural deficiencies that cannot go on and still allow
the site to operate. But at any point, a knowledge base as Dr.
Rubin was talking about would be helpful to make the proper
assessment by experts and trusted people in the field to give
you an idea, they, yeah, this can be fixed or no, it can't be
fixed.
Dr. Rubin. I think it is important to do what you are
suggesting and to have reviews both at the high level because
the questions that Dr. Chang was asking were high-level
questions but as well as the low-level questions, a technical
checklist of particularly known problems and making sure that
all of those are addressed.
Mr. Kennedy. I think the fundamental differences that we
have here is there's no question that there are no security
vulnerabilities with the website or that there are security
issues that we know about right now with the website itself. So
we know that there are vulnerabilities. We know that there are
security concerns.
So having a process in place to actually address those in a
very quick manner is a very good process to have and ensuring
that they get remediated in a very timely, effective manner.
Now, the question I would pose back is it is so complex that
introducing changes to what we call a production site or
something that is live and running becomes extremely critical
and very hard to do because of the working code that is behind
it.
So meeting those timeframes and meeting the ability to
actually fix those issues may become more difficult to do in
the current working environment that you have right now.
Mr. Lipinski. Thank you.
Chairman Smith. Thank you, Mr. Lipinski. The gentleman from
Utah, Mr. Stewart, is recognized.
Mr. Stewart. Thank you, Mr. Chairman. Thanks for holding
the hearing, and to the witnesses, thanks for your service.
Thanks for being here today.
You know, I am just a guy. I am not a genius, but I got to
tell you, you don't have to be a genius to listen to your
testimony today and to be scared to death. If I were in my
living room or home doing dishes, listening to you as you have
testified today, I would be scared to death. Americans should
be scared to death.
I would like to come back to my friend, Mr. Collins, and
his series of questions. I am not going to ask you to repeat or
answer these questions again but just to review them for you
and your response. Would any of you have launched
HealthCare.gov? Unanimously, the answer was no. Would any of
you have signed off on the front-end personal data requirement?
Again, unanimously the answer was no. Is the site secure now?
Once again, no. Will the site be secure on December 1? Once
again, the answer is no, that you provided.
I would add one more, and I would ask your response on
that. Is it possible to know how many attacks have occurred
against HealthCare.gov and its associated sites? Are you aware
of any? And let me kind of frame it in this question. If you
were a Chinese cyber terrorist, wouldn't you consider this just
a target-rich environment?
Mr. Wright. So sir, to that point, you can only manage what
you can measure, and if you are incapable of measuring the
attacks and you don't have the capacity, you won't even be
aware that those attacks have occurred.
So the point where they say they have only had so many
attacks, that is based on what they know. Again, I go back to
what Donald Rumsfeld said, you know what you know, you know
what you don't know. What we are dealing with----
Mr. Stewart. Sure.
Mr. Wright. --here is we don't know what we don't know, and
until you have a comprehensive review of the site and you
really understand your security posture and then put the
defense in-depth strategies in place you have absolutely no
idea about how many attacks.
Mr. Stewart. But there is no reason for us to be optimistic
about the number of attacks or the vulnerabilities of this
site, wouldn't you agree?
Mr. Wright. I would say the number of attacks vastly
understates the actual threat.
Mr. Stewart. Yeah, absolutely.
Dr. Chang. Yes, I would happen to agree. We are very early
on in the start-up of this website. My concern would be that
they are spending now time basically kind of, you know,
investigating, analyzing, kind of preparing. So this is the
prep phase.
Mr. Stewart. Okay. Anyone else, if you have something to
add? Okay. Let me kind of make this point then. If you were a
federal official who had the authority and this was a private
company and you were examining this company and saw the issues
that you do with HealthCare.gov, and again, if you had the
authority, would you shut that site down?
Mr. Wright. Yes, and I will tell you what we suffered from.
If you think of the Challenger disaster and the Apollo
missions, people had go fever. This was going to happen on
October 1 no matter what. No matter what risk finding you had
and regardless of how serious it was, go fever said that we
were going to launch on October 1. That is not the way to run a
business.
Mr. Stewart. Okay. Anyone else want to----
Dr. Rubin. Sure. I agree that it is pretty bad to have a
particular date in mind that you are going to go no matter
what. I think that the shutting down again will require a
review to ascertain whether there are fundamental security
problems or kind of scratching the surface security problems
that can be easily fixed.
Mr. Stewart. Yeah. You know, I just think the irony isn't
lost on people when they say the government, one of the
responsibilities they have is to help set up processes to
protect my personal information. And yet we have exactly the
opposite here where not only are they not protecting them but
they are requiring them and allowing the government to move
forward with the program that is going to do exactly the
opposite which then, if I could make my final point and
question to you, what would you say to your constituents if you
were me? What should I tell the people that I represent, the
American people? I mean, how could I in good conscience go back
and encourage them to participate in this program when we know
that they are exposing themselves if they do? Can you help me
with that? I mean, I would appreciate any advice you got on
that.
Mr. Wright. That is the advantage on being on this side of
the table is I don't have to.
Mr. Stewart. Okay.
Mr. Wright. No, you are in a very tough--and it is very
tough. But at some point, people intuitively know. You have to
tell them the truth. They have to make their own decisions.
Still, the consumer needs to be aware. Educate them, tell them
what the risks are, and if they choose to do it, it is still a
consumer issue. But what we are dealing with here is a lack of
awareness, education and people really understanding what the
risk is. If they choose to take the risk, that is their issue
at that point. But without knowing it, it is very hard to make
that decision.
Mr. Stewart. Anyone else want to counsel us on that? Thank
you. Mr. Wright, I think you hit on the key to that is all we
can do is tell the truth, and I think that is the purpose of
this hearing here is to help people understand what is the
truth, what is actually happening here. And that is why I think
this has been valuable.
So Mr. Chairman, with that I yield back my remaining two
seconds.
Chairman Smith. Thank you, Mr. Stewart. Dr. Chang, I know
you have to leave at noon. We are now a couple minutes past
that in order to catch your flight. So thank you for being here
today and thank you for your testimony.
Dr. Chang. Okay. Thank you.
Chairman Smith. Thank you. And we'll go to the gentleman
from Oklahoma, Mr. Bridenstine, for his questions.
Mr. Bridenstine. Thank you, Mr. Chairman. I just wanted to
ask the panel--first of all, thank you so much for being here,
and thank you for your service. There has been a lot of
accusations from the other side of the room. I just wanted to
ask the panel, did any of you guys come here because you wanted
to scare the American people in an effort to bring down this
law? Was that the intention of anybody on the panel?
Mr. Kennedy. The purpose for us coming here is to explain
what issues we identify. We are agnostic when it comes to the
politics side. We are security researchers. We are folks that
understand security, and our whole purpose here is to educate
around what security concerns that we can see. I mean, I don't
understand how you do your day-to-day jobs and how you work the
government in every single side of the House. But I understand
security. I understand how security works, and these things can
definitely be fixed ahead of time. And it is not to instill
fear at all. It is just to get the awareness out there, to get
the information out there to help better educate and fix the
issues that are apparent with the site.
Mr. Bridenstine. Thank you.
Mr. Wright. I think it was Harry Truman who said it best.
We don't give them hell, we just tell the truth. They think it
is hell. No, there is no R or D or I in computer codes. It is
ones and zeros. The computer is agnostic about what it does. We
had discussions--everybody here, we are not here to talk about
the political issue, should it be up or down. We are saying if
you are asking us, based on our background and experience and
put our reputation on the line to say should we do this, it is
about the technology. That is why, Congressman Stewart, I am
glad we are on this side because you deal with the politics, we
deal with the technology which sometimes is far easier than
what you deal with. But no, the purpose coming here today is
educate, awareness, give you our opinions. But we don't control
those levers of power. What we do, as David said and Dr. Rubin
says, we are here to give you our unbiased opinion what we
think.
Mr. Bridenstine. Dr. Rubin?
Dr. Rubin. Yes, I agree with both of them.
Mr. Bridenstine. Okay. Speaking of it, you mentioned the
code, the code is non-partisan, there are 500 million lines of
code. What is the risk? When you talk about 500 million lines,
can you give me some comparisons and share with me what does
that mean as far as risk?
Mr. Kennedy. Whenever you introduce this amount of
complexity, you introduce a significant amount of risk,
especially from what we are understanding around the security
testing, which was rushed out the door and not all components
actually tested. So it is very much a critical risk from the
lines of code that were developed, and to be honest with you, I
have not seen--and I have worked for Fortune 10, Fortune 50,
Fortune 100, Fortune 1000 companies as well as on the
government side, I have not seen an application that pales in
comparison to 500 million lines of code, including some of the
largest applications you would ever see in the history of man.
Mr. Wright. Just to put it in perspective, the website
should be similar to a game of checkers. It should be that easy
to understand. Instead, we are trying to find a chess master
who can play 20 games of 3-D chess at the same time. That is
the difference in the complexity of code because when you have
two pieces of data, there's just not one possibility. There are
actually four possibilities. There is no data, one piece, the
other piece and then both pieces together. So when you add 500
million lines, then you are talking do the old checkerboard
thing, put a penny and keep doubling it until you get to the 64
square, that is the complexity we are talking about.
Mr. Bridenstine. So when you talk about this complexity,
Mr. Wright, I think you are hitting on a critical component
that it is hard for people who aren't computer programmers to
wrap our brains around which is if you fix one piece of that
500 million lines of code, what are the--I mean, there's got to
be some side-effects that result from that, is that correct?
And how does that work?
Mr. Wright. Side-effects is a good term. Yeah, you create
an unintended series of cascading events that you have no
control over because you don't have a grasp of what the code is
actually doing. And to David's point, and he can actually show
you these vulnerabilities, you think you have changed one
thing, by doing that you have opened up a Pandora's box of
vulnerabilities on the other side because you could not account
for the path, the 72 places it had to go to before it finally
got there. It is so complex, you can't manage that.
Mr. Kennedy. And just taking it from the functionality
side, when you introduce a piece of code that fixes a flaw, you
could break the functionality piece that users see on a regular
basis, too, because again it is so complex. So you fix one, you
break another. It doesn't necessarily mean you fixed the
security issue. You may not be able to actually browse a site
or visit what you intended to actually use.
Mr. Bridenstine. Just out of curiosity, if you had to
assess the length of time it would take even to assess the
security risk, how long of a period of time are we talking?
Mr. Kennedy. To look at 500 million lines of code, there is
a process we call source code analysis where you actually look
at the code itself. And that is going to be your most
comprehensive way of looking at the actual exposures.
And then you have what is called dynamic testing which is
on top of it to look at the live running sites. So you marry
those two together to perform kind of a holistic approach to
looking at the overall security around the site itself. Five
hundred million lines of code? I would say to do it properly
would probably take about six months or so just to do the
review cycle of it.
Mr. Bridenstine. And then after that you would have to do
the fixes to secure it. How much longer would that take?
Mr. Kennedy. And that is the problem. So in my written
testimony, I gave three different options for recommendations
on how to actually address the concerns with this because if
you look at it then, let's just say that 20 percent of the code
needs to be rewritten based on the exposures that are
identified. If you introduce 20 percent new code into a running
website that is up there right now, you are absolutely going to
have some major systemic issues with the stability of the site
as well as introducing new exposures to it.
So the first recommendation was to rebuild it in a sense of
kind of like a version 2.0 which incorporates all of these
changes or is rewritten from scratch to really kind of address
it.
The second option was shutting down the site itself, making
the changes and putting it back up after you've addressed
those.
The third option was basically letting the website run and
introducing new code into that environment which would
obviously create stability concerns.
Each one of those has different links and times. If you do
a version 2.0, based on the knowledge you already have with how
to integrate into the already-running state exchanges, that
would probably take six months to develop a new site that would
be operational. The three folks that built it in two weeks are
definitely a testament, but to do a fully production instance I
think would take about six months. To shut it down, to actually
shut it down and recode would probably take four to six months
to get the critical concerns out of the way to at least get it
back up and running and stable.
The portion around keeping it stable or keeping it up and
running while introducing it could take years.
Mr. Bridenstine. Mr. Chairman, I yield back.
Chairman Smith. Thank you, Mr. Bridenstine. The gentleman
from Texas, Mr. Weber, is recognized.
Mr. Weber. Thank you, Mr. Chairman. Have any of you all
assessed on a scale of one to ten the cost of this website with
the volume of stores, the interaction, the cost per
participant? In other words, you are going to have--I forget. I
think they have said 100-something thousand had been on there,
whatever it is, but versus private industry. From your
knowledge about those websites and how they have been created
and produced, on a scale of one to ten, ten being the most
efficient bang for the buck, what would you give this? We will
start with Mr. Wright.
Mr. Wright. Back-of-a-napkin calculation, I mean, it has got
to be somewhere around a two. Your average cost per user is
significantly high because you have got few users and you have
got a lot of money in it.
Mr. Weber. Right. Got you.
Dr. Rubin. I haven't had that data to perform a cost
analysis.
Mr. Weber. Okay.
Mr. Kennedy. When you look at the website the
infrastructure supported, I believe there was a statistic that
came out that they could handle 600 users per second on the
site during registration process. So if you look at that
infrastructure, you look at the amount of money that was spent
on this, and it was in excess of I believe $600 million? Is
that correct?
Mr. Weber. That is huge. Yes.
Mr. Kennedy. I would give this a one as far as operational
efficiency and the type of money that was spent on it.
Mr. Weber. All right. Thank you. And my second--we are
going to talk projected costs going forward because if it is so
expensive to maintain this thing and they can't hire the right
people, then Americans' security is going to be at risk.
So going forward, if there was going to be a maintenance
contract on maintaining this thing, which I am assuming there
is, you are going to have to have personnel that are doing
that. Now, my colleague from Utah said this would be a great
vulnerability for Chinese cyber terrorists was the word he
used. But I would submit that there might be some Edward
Snowdens. They don't have to be in China.
From what you know, is that system available to disallow
something like that happening where somebody inside could walk
out with just tons of information? Yes or no.
Mr. Wright. Based on what we know, no. Or at least what I
know.
Mr. Weber. Right.
Dr. Rubin. I don't have enough information again about how
the system is architected to answer that.
Mr. Weber. Okay.
Mr. Kennedy. And I don't have enough information on the
back-end process for that, but it is my understanding no.
Mr. Weber. I got you. What I wanted to do is guarantee a
platform, but that couldn't happen. So let's go back now. We
ranked the efficiency on the dollar, but how about on a
security scale? I think I am going to know this answer, one to
ten, ten being the most secure, you have got to give this
abysmal ratings, right?
Mr. Wright. Based on what we previously said that we would
not allow it to go. It would have to be a zero.
Mr. Weber. Absolutely, has to be--okay. Go ahead.
Dr. Rubin. So I think we have seen a bunch of security
problems that were easily fixed, and a deeper dive is necessary
in order to determine where we are on that scale of one to ten.
Mr. Weber. But versus what you know about the private
industry----
Dr. Rubin. There is no doubt that compared to a private
system that goes live, this system has more problems than you
would expect to see.
Mr. Weber. Well, I don't know that that is accurate because
this is the federal government. We expect a lot of problems.
And then finally, Mr. Henry Chao I guess is how you say
that, the Chief Information Officer for the CMS, said that the
site was no problem. He would recommend it to his sister. I
don't know, you all probably didn't read that. It is in our
notes. So I guess this question is for Mr. Kennedy. You are the
hacker. How long do you think it would take you to get his
sister's information or do you already have it?
Mr. Kennedy. I am not going to confirm that second one, but
no.
Mr. Weber. Okay.
Mr. Kennedy. No, I do not have any type of public
information. But you know, confidently I would say, and this is
being very generous, I would say within a day to two days.
Mr. Weber. One to two days you could go in and hack the
site based on the platform that is there now, which is not
guaranteeing zero or one level of security, if that is even----
Mr. Kennedy. Yes, sir, and that is just understanding the
amount of time it takes to understand an application is where
the bulk of the one to two days comes in. It is just
understanding how the infrastructure works, being able to start
to kind of probe it a bit. It would take about a day or so. I
could probably, you know--to be honest with you, it would
probably take a few hours, but I am giving myself two days.
Mr. Weber. All right. That is great. I mean, that is good
news and bad news. It is bad news what you are saying it could
be done, but the good news is the American public is going to
know this. So once you learn that system and get into it, then
you can hack anybody's information really quickly.
Mr. Kennedy. That is correct. Yes, sir.
Mr. Weber. Makes me feel more secure.
Mr. Wright. And sir, I think the biggest danger, too, is
everybody keeps talking about the data hub. But what concerns
me about the data hub is it operates as a trusted broker. In
other words, all these other systems trust the data hub to say
the transaction is authenticated, it is trustworthy. If that is
not the case, you have just unintentionally done it similar to
a Donnie Brasco, introduce somebody in that everybody trusts
because of the introduction, not because it is actually
trustworthy.
Mr. Weber. So not only do we have politicians saying trust
me, I am from the federal government, now we have computers
saying it.
Mr. Wright. Essentially yes. I mean, there's a certain
level of trust that comes from the data hub.
Mr. Weber. Mr. Chairman, I yield back.
Chairman Smith. Thank you, Mr. Weber. The gentleman from
Indiana, Mr. Bucshon, is recognized.
Mr. Bucshon. Thank you, Mr. Chairman. First of all, I am a
medical doctor, I was, before coming to Congress, and I want to
briefly comment on some of the comments that were made about
personal health information and whether that is profitable or
not profitable, and I would ask the question would anyone in
this room want to let everyone in this room know all their
personal medical information? And I would say that the answer
to that is no because it is personal. This is about people.
This is not about profit on medical information.
Let me give you an example. When you ask people to direct
donate blood, for example. Say someone is having surgery and
their family members want to donate blood. Actually
statistically, the blood from the regular pool is safer than
having your family donate blood for you. Why is that? The
reason is because you don't know what all kinds of health
problems that your family members have had because they haven't
told you. And so I would argue this is a personal privacy
issue, and if there's any chance that people's medical
information can get out there based on a government website, it
is not correct.
The other thing I would like to say is quickly, and then I
will have a question, is just because other websites of the
federal government or in the private sector have problems
doesn't justify this website having problems. I have heard that
here today, too. Well, this website has been breached and this
private sector has given up information. That doesn't matter.
We are not talking about that. We are talking about this
website, and it doesn't justify failures of this website.
So with that said, on September 3, 2013, a memo signed by
the Chief Information Officer, there were at least two open
high findings for the federally facilitated marketplace, the
Federal exchanges. The first high finding, although
substantially redacted, indicates that the threat and risk
potential is limitless. It indicates corrective action must be
taken by May 31, 2014. And information on the second high
finding is completely redacted. It indicates that due date for
corrective action is February 26, 2015. I think we have
mentioned that before.
As cyber security experts, based on these findings, would
anyone recommend that the federally facilitated marketplace,
the Federal exchanges, be made publicly available?
Mr. Wright. Yes, sir. That is exactly the same memo I
referenced earlier, and when the phrase is said the threat and
risk potential is limitless, I don't know how you accept risk
based on the fact as you can't quantify the risk.
Mr. Kennedy. To also address that situation, in the private
sector, those type of exposures are what we call showstoppers,
things that would not allow the website to be put into
production until they actually were remediated, and that would
be especially ones that never heard the term limitless before
which would mean that basically access to everything and
everything that would be part of that infrastructure would be
my guess. You would not put that into any type of production
environment or go live with it in any way.
Mr. Bucshon. Mr. Chairman, if this hasn't been introduced
in the record--I can't remember if Mr. Wright did that--I would
like unanimous consent to introduce the memo from CMS into the
record.
Chairman Smith. Okay. Without objection, it'll be made a
part of the record.
[The information appears in Appendix II]
Mr. Wright. And if I could add one more point in
clarification, too, the difference in the private sector versus
the government is that, again, it goes back to liability,
shareholder lawsuits. If a memo like this came out in
litigation, you would find the firm facing financial ruin
basically because they knew, they knew they shouldn't have done
it and they did it anyway. And that is the basis for company
killing litigation.
Mr. Bucshon. Dr. Rubin, at this point, could you recommend,
based on the fact we don't know what the redacted information
is but that there was a high finding, would you recommend
opening these up to the public at this point? I think it is a
similar question that has been asked before about the website.
But this is specifically related to the exchanges.
Dr. Rubin. Yeah, I mean before I would answer that
question, I would want to see the details, the technical
details of what the problems really are.
Mr. Bucshon. It is my point these are redacted and not
publicly available, and that is an issue because outside
people can't assess what the threat is because we have redacted
information. And maybe since they have released this, they have
made it public, but I don't think that is the case.
Mr. Kennedy, is it common--would anyone out there launch a
website with these types of warnings before corrective action
is completed? I mean, anybody out there? I mean, would it be
prudent to do that?
Mr. Kennedy. I come from very much a programming
background, one that works with organizations on developing
software for life cycles and building applications that are
large like this.
So what I can say is that it depends on the risk of the
organization and what they are able to accept. Based off of
what we have seen and the information that has been publicly
available, I would not know of a company that would release a
site like this with the functionality and security concerns
that there were ahead of time.
Mr. Bucshon. So it would be important for the public to
know what the concerns were and then you could make a better
assessment?
Mr. Kennedy. Absolutely.
Mr. Bucshon. That is what you are saying? I think that is
what Dr. Rubin has said also.
Dr. Rubin. Yeah, I agree. I am sorry. I agree. I think that
the public should know what the concerns were.
Mr. Bucshon. Okay.
Mr. Wright. And just to add one point, sir, a final thing.
When they establish the advanced encryption standard which
became the basis for our encryption, that math, those
algorithms were in the public. They were in the public domain.
People got to view those, and to this day you can look at all
the people who submitted things. Bruce Schneier submitted I think
it was called ``Twofish.'' You have got the AES. The math is
public. It was subject to peer review, and if there were any
issues, it would have been exposed. And that is really--
sunlight is the best thing when you are looking at remediating
security problems. Expose it, let it be shown and let the
people weigh in on it who've got the expertise. You will find
people will crowd source and help you solve the problem.
Mr. Bucshon. Thank you, Mr. Chairman. I yield back.
Chairman Smith. Thank you, Dr. Bucshon. The gentlewoman
from Wyoming, Ms. Lummis, is recognized for her questions.
Mrs. Lummis. Thank you, Mr. Chairman. Mr. Kennedy, in a
recent article by Fox News you were quoted as saying, ``If I was
allowed to attack the website by myself and I had approval to
go and do it, it would be very simple for me to break into it,
steal all the information that is in the database, including
all of your personal information that you use to register for
those sites, Social Security numbers, everything like that.''
Basically that is what you were saying to one of the previous
Members who was talking about Mr. Chao's sister. You mentioned
that you'd like to have two days to get in to access her
information.
We have also learned today that these systems are
integrated, that they are talking back and forth, that there's
integration between HealthCare.gov and the IRS website and
Homeland Security and others. Would you be able to get into
HealthCare.gov and then use it to get into the IRS website?
Mr. Kennedy. Without knowing enough about the
infrastructure behind it, I can't say yes or no. However, what
I can say is that as attackers and as hackers break into
infrastructure, they usually use a conduit, a website, to use a
trusted connection back to other infrastructure to gain access
to that back end.
So without understanding infrastructure, I can't say yes,
100 percent. But based on the information that we know, you can
look at the privacy policy on the website itself, it shows who
it actually interacts with and the type of information it
sends. If you look at that, it is pretty indicative that you
could, you know, use that HealthCare.gov as a leaping point and
kind of a back door into the other agencies, other Federal
portions of government, like the IRS or DHS. And again, I can't
say without certainty but it is definitely a common technique
that a hacker would use to do it. It is called what we call,
you know, pivoting and further attacking into the
infrastructure.
Mrs. Lummis. And gentlemen, based on that information,
would you have recommended that HealthCare.gov be walled off
from other federal government databases that have very
sensitive information?
Dr. Rubin. Let me address your first question, and then
I'll address the second question. First, just one
clarification, that is it is not the IRS website. It is a back-
end database of the IRS that is being accessed. And the way the
data is being accessed is through this hub where requests are
being sent. And so if the site were designed with proper
security, with good security practices and principles, there
would be a very, very limited interface between HealthCare.gov
and the IRS where the IRS's database responses would be very
limited in their nature. They could only answer certain queries
to answer eligibility questions. If the site were designed very
poorly and the interface was designed poorly, then I think that
could be open. I don't know what kind of design they use, but
in my written testimony I talked about focusing on those
interfaces, keeping them very simple and very basic and using
the hub simply to query those back-end databases at these other
sites and get the responses back.
Mrs. Lummis. Mr. Wright?
Mr. Wright. I think one of the challenges--and this is why
I went back and confirmed after Congressman Kennedy said that--
is that you still have to provide this information up front. So
part of the issue you can get to make the site more secure and
make it function better is to not put all this overhead on the
initial transaction because the closer you are to the
presentation layer to where the user is actually interfacing
with it means it is easier to get that information to your
point, not necessarily walled off and playing off what Dr.
Rubin said, but I would like to push that kind of transaction
back farther to where I can maintain better security. My
security perimeter gets smaller. I can defend against things
better. As opposed to the Great Wall of China, we are trying to
secure the great fence of China, and instead what I want to do
is have a smaller, tighter core that I can defend against and
have that data hub, and those types of transactions happen in a
smaller, confined area. You can't wall it off because it still
has to interface, but you can reduce the risk and the threats
by reducing the amount of waste and the places that to David's
point an attacker can come in because they will do that. They
will come in and they will use the same methodologies, the same
seven-stage terrorism planning cycle that is in the traditional
world is also used in cyber terrorism.
Mrs. Lummis. Well, we do know that there are countries that
hire hackers, governments that hire hackers that attempt to
hack into information in the United States all the time, and we
know that some of those government-hired hackers hack for their
government by day and they hack for hire by night. And so there
are mercenary hackers out there that will hack for money.
Mr. Kennedy, are there vulnerabilities that you've not
identified publicly out of fear that the consequences are so
exploitable that it would be like telling a criminal where you
hide the spare key to your house?
Mr. Kennedy. Yes, there is. There are exposures that I have
identified that are not public.
Mrs. Lummis. Have you identified them to someone who can
use them to plug those holes?
Mr. Kennedy. Yes, I have. Any time that I discover an
exposure or criticality, it is sent to the appropriate people
to get addressed and fixed. That is where we come in from the
responsible disclosure side of doing the right thing.
Mrs. Lummis. Gentlemen, I really thank you for your
expertise and your presence here today. Mr. Chairman, I yield
back.
Chairman Smith. Thank you, Mrs. Lummis. I would like to
thank our witnesses today for being here and helping us better
understand the many privacy and security concerns that have
been voiced concerning HealthCare.gov. Unfortunately, the
personal information that has already been entered into
HealthCare.gov is vulnerable to online criminals and identity
thieves. This security flaw endangers a large number of
Americans who already have used the website. President Obama
has a responsibility to ensure that the personal and financial
data collected as part of Obamacare is secure. It is clear this
is not the case.
There is only one reasonable course of action. Mr.
President, take down this website.
That concludes our hearing, and thank you again for
testifying and we stand adjourned.
Mr. Wright. Thank you.
[Whereupon, at 12:35 p.m., the Committee was adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]