[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

HEALTHCARE.GOV: CONSEQUENCES OF STOLEN IDENTITY

HEARING BEFORE THE COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION

JANUARY 16, 2014

Serial No. 113-62

Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov

U.S. GOVERNMENT PRINTING OFFICE
86-900    WASHINGTON : 2014

For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104
Mail: Stop IDCC, Washington, DC 20402-0001

COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

HON. LAMAR S. SMITH, Texas, Chair

DANA ROHRABACHER, California
RALPH M. HALL, Texas
F. JAMES SENSENBRENNER, JR., Wisconsin
FRANK D. LUCAS, Oklahoma
RANDY NEUGEBAUER, Texas
MICHAEL T. McCAUL, Texas
PAUL C. BROUN, Georgia
STEVEN M. PALAZZO, Mississippi
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
LARRY BUCSHON, Indiana
STEVE STOCKMAN, Texas
BILL POSEY, Florida
CYNTHIA LUMMIS, Wyoming
DAVID SCHWEIKERT, Arizona
THOMAS MASSIE, Kentucky
KEVIN CRAMER, North Dakota
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS COLLINS, New York

EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
DONNA F. EDWARDS, Maryland
FREDERICA S. WILSON, Florida
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
DAN MAFFEI, New York
ALAN GRAYSON, Florida
JOSEPH KENNEDY III, Massachusetts
SCOTT PETERS, California
DEREK KILMER, Washington
AMI BERA, California
ELIZABETH ESTY, Connecticut
MARC VEASEY, Texas
JULIA BROWNLEY, California
MARK TAKANO, California
ROBIN KELLY, Illinois

VACANCY

C O N T E N T S

January 16, 2014

Witness List
Hearing Charter

Opening Statements

Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Witnesses:

Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC
    Oral Statement
    Written Statement
Mr. Waylon Krush, Co-Founder and CEO, Lunarline, Inc.
    Oral Statement
    Written Statement
Mr. Michael Gregg, Chief Executive Officer, Superior Solutions, Inc.
    Oral Statement
    Written Statement
Dr. Lawrence Ponemon, Chairman and Founder, Ponemon Institute
    Oral Statement
    Written Statement

Discussion

Appendix I: Answers to Post-Hearing Questions

Mr. David Kennedy, Chief Executive Officer, TrustedSEC, LLC
Mr. Waylon Krush, Co-Founder and CEO, Lunarline, Inc.
Mr. Michael Gregg, Chief Executive Officer, Superior Solutions, Inc.
Dr. Lawrence Ponemon, Chairman and Founder, Ponemon Institute

HEALTHCARE.GOV: CONSEQUENCES OF STOLEN IDENTITY

THURSDAY, JANUARY 16, 2014

House of Representatives,
Committee on Science, Space, and Technology,
Washington, D.C.

The Committee met, pursuant to call, at 9:13 a.m., in Room 2318 of the Rayburn House Office Building, Hon. Lamar Smith [Chairman of the Committee] presiding.

[Graphic pages omitted from this text.]

Chairman Smith. The Committee on Science, Space, and Technology will come to order. Welcome to today's hearing titled ``HealthCare.gov: Consequences of Stolen Identity.'' I will recognize myself for an opening statement and then the Ranking Member.

When the Obama Administration launched HealthCare.gov, Americans were led to believe that the website was safe and secure. As the Science, Space, and Technology Committee learned at our hearing last November, this was simply not the case. We heard troubling testimony from online security experts who highlighted the many vulnerabilities of the Obama website. These flaws pose significant risks to Americans' privacy and the security of their personal information.

One witness, Mr. David Kennedy, who has been re-invited for today's hearing, testified that there are ``clear indicators that even basic security was not built into the HealthCare.gov website.'' In addition, all four experts testified that the website is not secure and should not have been launched. Mr.
Kennedy will update the Committee on the security of the website since November 30, 2013, which was the Administration's self-imposed deadline for when it would be fixed.

Since the November hearing, other events have emerged that prompted the need for today's hearing. In December, a former senior security expert at the Centers for Medicare and Medicaid Services stated that she recommended against launching the HealthCare.gov website on October 1st because of ``high-risk security concerns.''

A letter addressed to the Committee from Mr. Kennedy and independently signed by seven other security researchers who reviewed his analysis of vulnerabilities presents some very troubling information. To paraphrase one of the experts, Mr. Kevin Mitnick, who was once the world's most wanted hacker, breaking into HealthCare.gov and potentially gaining access to the information stored in these databases would be a hacker's dream. According to Mr. Mitnick, a breach may result in massive identity theft never seen before. Without objection, Mr. Kennedy's letter will be made a part of the record.

Chairman Smith. Further, a recent report by the credit bureau and consumer data tracking service Experian forecasts an increase in data breaches in 2014, particularly in the healthcare industry. Specifically, the report states: ``The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. Add to that the Health Care Insurance Exchanges, which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches.'' Experian provides the identity verification component of the Health Insurance Marketplace enrollment process.

Because of increased accessibility to HealthCare.gov, concerns continue to grow about the security of personal information.
The work of this Committee will help Congress make decisions about what actions may be necessary to further inform and safeguard the American people. We are here today to discuss whether the Americans who signed up for healthcare plans have put their personal information at risk. If Americans' information is not secure, then the theft of their identities is inevitable and dangerous.

[The prepared statement of Mr. Smith follows:]

Prepared Statement of Chairman Lamar S. Smith

When the Obama Administration launched Healthcare.gov, Americans were led to believe that the website was safe and secure. As the Science, Space, and Technology Committee learned at our hearing in November, this was not the case. We heard troubling testimony from online security experts who highlighted the many vulnerabilities of the Obamacare website. These flaws pose significant risks to Americans' privacy and the security of their personal information.

One witness, Mr. David Kennedy, who has been re-invited for today's hearing, testified that there are ``clear indicators that even basic security was not built into the Healthcare.gov website.'' In addition, all four experts testified that the website is not secure and should not have been launched. Mr. Kennedy will update the Committee on the security of the website since November 30, 2013, which was the Administration's self-imposed deadline for when it would be fixed.

Since the November hearing, other events have emerged that prompted the need for today's hearing. In December, a former senior security expert at the Centers for Medicare and Medicaid Services stated that she recommended against launching the Healthcare.gov website on October 1st because of ``high risk security concerns.''

A letter addressed to the Committee from Mr. Kennedy and independently signed by seven other security researchers who reviewed his analysis of vulnerabilities presents some very troubling information. To paraphrase one of the experts, Mr.
Kevin Mitnick, who was once the world's most wanted hacker, breaking into Healthcare.gov and potentially gaining access to the information stored in these databases would be a hacker's dream. According to Mr. Mitnick, ``A breach may result in massive identity theft never seen before.''

Further, a recent report by the credit bureau and consumer data tracking service Experian forecasts an increase in data breaches in 2014, particularly in the healthcare industry. Specifically, the report states: ``The healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. Add to that the Healthcare Insurance Exchanges, which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provide an expanded attack surface for breaches.'' Experian provides the identity verification component of the Health Insurance Marketplace enrollment process.

Despite increased accessibility to Healthcare.gov, concerns continue to grow about the security of personal information. The work of this Committee will help Congress make decisions about what actions may be necessary to further inform and safeguard the American people. We are here today to discuss whether the Americans who have signed up for health plans have put their personal information at risk. If Americans' information is not secure, then the theft of their identities is inevitable and dangerous.

Chairman Smith. That concludes my opening statement, and the gentlewoman from Texas, Ms. Johnson, is recognized for hers.

Ms. Johnson. Thank you very much, Mr. Chairman. Since we held our November 19th hearing highlighting security issues at HealthCare.gov, up to 110 million people have had their debit card or credit card information compromised by a hack of Target store records.
But Target was not alone in being successfully hacked: The Washington Post, Facebook, Gmail, LinkedIn, Twitter, YouTube, Yahoo, JP MorganChase, SnapChat, and my friends at the Dallas-based Neiman Marcus stores have all announced security breaches. However, do you know one system that has not been successfully hacked since the last hearing? HealthCare.gov.

Also since the last hearing the Centers for Medicare and Medicaid Services (CMS) staff and contractors have been working around the clock to improve the performance and security of HealthCare.gov. There have been numerous fixes to the website that have improved the site's responsiveness compared to its first 60 days. Millions of Americans have been able to access the site and obtain medical coverage. During that entire time top security contractors, including Blue Canopy, Frontier Security and the Mitre Corporation have been working to test the system and identify weaknesses that need to be addressed. The Chief Information Security Officer has also been running weekly penetration tests to support security mitigation steps for CMS. Further, CMS says that none of the Majority's witnesses' concerns voiced in that November hearing have turned into any actual breach of security.

The last hearing did not feature a single witness who had any actual information about the security architecture of HealthCare.gov, nor what is being done to maintain the integrity of the website. Today, we have the same kind of hearing. As smart and experienced as these witnesses are, not one of them has actual knowledge of the security structure at HealthCare.gov. The best that they can do is speculate about vulnerabilities. I think it would be good for Members to remember that.

I am concerned that the intentions in this hearing appear to be to scare Americans away from the HealthCare.gov site. This appears to present a continuation of a cynical campaign to make the Affordable Care Act fail through lack of participation.
While we are holding this hearing, both the House Oversight and Government Reform Committee and the Energy and Commerce Committee are holding similar events, all with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis. It is my hope that all of our witnesses can agree that it is important to make HealthCare.gov work for the American people to help give all our citizens access to affordable healthcare. I do not want to believe that any of the witnesses testifying today want the site to be hacked or shut down, or even see the program fail, or see Americans go without healthcare insurance. This country faces a lot of real issues and real policy challenges. If we are truly interested in hacking and identity theft, we should have representatives of the largest retail institutions in the country here to discuss the challenges they face in protecting people's information. Instead, it appears that the Majority has allowed the Committee to become a tool of political messaging to a degree that I have never witnessed any time in my time in Congress, and I am in my 22nd year. Thank you. I hope that the Committee hearing will be the last of this topic, absent some actual allegations of wrongdoing, so that we can focus on legitimate oversight issues facing the country and this Committee. Mr. Chairman, before I yield, I would also like to comment on the letter you want to put in the record. I was hoping after reading it that you would have some testimony or give the people opportunity other than a 24-hour showing of this letter, but you don't have to take my word on this. Mr. Kennedy's own document reads, this report is for public use. The report is not appended to his testimony, and I imagine it was not added because it would violate our 48-hour rule. 
He did not give us testimony in time but late yesterday afternoon presented this report out of the blue, and I am guessing your counsel told him to make it a letter because we routinely accept outside letters from groups and experts all the time with minimal notice. So the report now pretends to be a letter addressed to you and to me. However, I cannot remember another time that a witness for the Committee also felt they had to write us a letter. I think it is an elaborate way to try to get testimony before the Committee in violation of the 48-hour rule.

As to the substance of the report, it includes what amounts to testimony from experts who are not appearing before this Committee and is against the practice of the Committee to accept testimony from people who are not personally available to answer our questions. The one thing I do know is that none of the individuals who signed these statements in the packet have worked on HealthCare.gov or the security protocols behind the website. In other words, they know no more about the actual security of the site than does Mr. Kennedy.

In deference to the Chairman, I will withdraw my objection but I would point out that this report includes language that I consider vulgar and beneath the dignity of the Committee. That alone should be reason to keep it out. Even if the Chairman is comfortable with the way our rules are being stretched, if you insist, I will withdraw, but I want the record to reflect that we have gone beyond professional behavior of this Committee. Thank you.

[The prepared statement of Ms. Johnson follows:]

Prepared Statement of Ranking Member Eddie Bernice Johnson

Since we held our November 19th hearing highlighting security issues at healthcare.gov, up to 110 million people have had their debit card or credit card information compromised by a hack of Target store records.
But Target was not alone in being successfully hacked: The Washington Post, Facebook, Gmail, LinkedIn, Twitter, YouTube, Yahoo, JP MorganChase, SnapChat, and my friends at the Dallas-based Neiman Marcus stores have all announced security breaches. However, do you know one system that has not been successfully hacked since that last hearing? Healthcare.gov.

Also since the last hearing the Centers for Medicare and Medicaid Services (CMS) staff and contractors have been working around the clock to improve the performance and security of healthcare.gov. There have been numerous fixes to the website that have improved the site's responsiveness compared to its first 60 days. Millions of Americans have been able to access the site and obtain medical coverage. During that entire time top security contractors, including Blue Canopy, Frontier Security and the Mitre Corporation, have been working to test the system and identify weaknesses that need to be addressed. The Chief Information Security Officer has also been running weekly penetration tests to support security mitigation steps for CMS. Furthermore, CMS says that none of the Majority's witnesses' concerns voiced in that November hearing have turned into any actual breach of security.

The last hearing did not feature a single witness who had any actual information about the security architecture of healthcare.gov, nor what is being done to maintain the integrity of the website. Today, we have the same kind of hearing. As smart and experienced as these witnesses are, not one of them has actual knowledge of the security structure at healthcare.gov. The best that they can do is speculate about vulnerabilities. I think it would be good for Members to remember that.

I am concerned that the intention of this hearing appears to be to scare Americans away from the healthcare.gov site. This represents a continuation of a cynical campaign to make the Affordable Care Act fail through lack of participation.
While we are holding this hearing, both the House Oversight and Government Reform Committee and the Energy and Commerce Committee are holding similar events, all with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis.

It is my hope that all of our witnesses can agree that it is important to make healthcare.gov work for the American people to help give all our citizens access to affordable health care. I do not want to believe that any of the witnesses testifying today want the site to be hacked or shut down, or see the program fail, or see Americans go without medical insurance.

The country faces a lot of real issues and real policy challenges. If we are truly interested in hacking and identity theft, we should have representatives of the largest retail institutions in the country here to discuss the challenges they face in protecting people's information. Instead, it appears that the Majority has allowed the Committee to become a tool of political messaging to a degree I have never witnessed in my time in Congress.

Thank you. I hope that today's hearing will be the last on this topic, absent some actual allegations of wrongdoing, so that we can focus on all the legitimate oversight issues facing the country and this Committee.

Chairman Smith. I will recognize myself to respond to the Ranking Member's comments. All Committees, including this one, have a longstanding practice of affording Members the courtesy of entering items that they believe are relevant to the topic at hand into the record. I am sure the Ranking Member knows this. Members on both sides have generally approached the development of the record in the spirit of bipartisanship and comity. I am disappointed if the gentlewoman from Texas would now seek to question a letter I have asked to place in the record.
We frequently place items in the record that express the opinion of various groups or make statements regarding an issue at the request of Members on both sides of the aisle. Often, those who have written those letters are not testifying before the Committee and have not been asked to do so, yet their opinions are still made part of the record.

One such example is a 54-page submission that Mr. Maffei requested be placed in the record at a hearing last August. This document, which was not even addressed to the Committee, but instead to the Administrator of the EPA, was entered into the record without comments. It includes a letter from six different tribes signed by eight different people, none of whom testified before this Committee. It includes a letter from a lawyer who represented the tribes. He also did not testify before the Committee, yet we made his letter a part of the record. Finally, it includes another letter to the Administrator of the EPA that purports to be from 15 different national organizations, 17 international organizations, 75 Alaskan organizations, and numerous other organizations from other states. None of these organizations testified before this Committee.

I placed Mr. Kennedy's letter in the record here today. He is testifying before us shortly----

Ms. Edwards. Mr. Chairman.

Chairman Smith. --and Members will have the opportunity to question him on its contents.

Ms. Edwards. Mr. Chairman.

Chairman Smith. I am still in the middle of my statement. I regret the Ranking Member has questioned the longstanding prerogative of a Member to enter a relevant document into the record, especially when Members on her side of the aisle have done so many times without objection from the Majority. I hope this is not indicative of her desire to make this Committee's business more partisan. That concludes my statement, and I will now introduce the witnesses.

Ms. Edwards. Mr. Chairman.

Chairman Smith. I am going to introduce the witnesses, and----

Ms. Edwards. Mr. Chairman, I object to the entry of the letter into the record.

Chairman Smith. The letter has already been entered into the record and the objection is not timely.

Ms. Edwards. Mr. Chairman, I would ask for a vote on whether we enter the letter into the record.

Chairman Smith. That is no longer a proper motion because it is not timely.

Ms. Edwards. Well, Mr. Chairman, I think you have deeply politicized this hearing.

Chairman Smith. Well, I am sorry for the Ranking Member's comments that caused it, and now I will recognize and introduce our first witness.

Mr. David Kennedy is the President and CEO of TrustedSEC LLC. Mr. Kennedy is considered a leader in the security field. He has spoken at many conferences worldwide including Black Hat, DefCon, Infosec World and Information Security Summit, among others. Prior to moving to the private sector, Mr. Kennedy worked for the National Security Agency and the United States Marines in cyber warfare and forensics analysis. Mr. Kennedy received his Bachelor's degree from Malone University.

Our second witness, Mr. Waylon Krush, is the Co-Founder and CEO of Lunarline. He is also a founding member of the Warrior to Cyber Warrior program, a free six month cyber security boot camp for returning veterans. A veteran of the U.S. Army, Mr. Krush is a recipient of the Knowlton Award, one of the highest honors in the field of intelligence. Mr. Krush holds a Bachelor's degree in computer information science from the University of Maryland University College. He is also a certified information systems security professional, certification and accreditation professional, certified information systems auditor, and has more than 3,000 hours of training with the National Cryptologic School.

Our third witness, Mr. Michael Gregg, is the CEO of Superior Solutions Inc., an IT security consulting firm. Mr. Gregg's organization performs security assessments and penetration testing for Fortune 1000 firms. He has published over a dozen books on IT security and is a well-known security trainer and speaker. Mr. Gregg is frequently cited by print publications as a cyber security expert and as an expert commentator for network broadcast outlets such as Fox, CBS, NBC, ABC and CNBC. Mr. Gregg holds two Associate's degrees, a Bachelor's degree and a Master's degree.

Our final witness, Dr. Larry Ponemon, is the Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy, data protection and information security practices. Dr. Ponemon is considered a pioneer in privacy auditing and was named by Security magazine as one of the most influential people for security. Dr. Ponemon consults with leading multinational organizations on global privacy management programs. He has extensive knowledge of regulatory frameworks for managing privacy, data protection and cyber security including financial services, healthcare, pharmaceutical, telecom and Internet. Dr. Ponemon earned his Master's degree from Harvard University and his Ph.D. at Union College in Schenectady, New York. He also attended the doctoral program in system sciences at Carnegie Mellon University.

We welcome you all and look forward to your expert testimony, and Mr. Kennedy, will you lead us off?

TESTIMONY OF MR. DAVID KENNEDY, CHIEF EXECUTIVE OFFICER, TRUSTEDSEC, LLC

Mr. Kennedy. Thank you, Mr. Chairman. Good morning to everybody in the House Science and Technology Committee, to the Honorable Mr. Smith as well as the Ranking Member of the House Science and Technology Committee, the Honorable Ms. Johnson. It is great to see you two folks again as well as all of the other Ranking Members here today. I appreciate your time to hear us discuss the issues with the HealthCare.gov security concerns as well as the consequences around stolen identities.

What I want to first start off with is that to me, this is not a political issue.
I take no political-party stance and I have no party affiliation. For me personally, this is a security issue. Working in the security industry for over 14 years including working for the National Security Agency as well as spending a number of years in Iraq and Afghanistan, my testimony here today is to talk about the issues with security, and that is it.

So when I talk about the issues that we see here today, it is based on my expertise of working in the security industry, doing these assessments on a regular basis, being a chief security officer for a Fortune 1000 company for a number of years as well as running my own company. And I am not alone. The mention of the document that was released yesterday had seven independent security researchers that are well known in the security industry including a number of folks that have worked for the United States government, do training for the United States as well as work closely with the United States government. Today is not to talk about the political-party problems with it but also discuss just the security issues alone, and that is what I am here to talk about today.

So I would like to give thanks to Kevin Mitnick, Ed Skoudis, Chris Nickerson, Chris Gates, Eric Smith, John Strand and Kevin Johnson for providing their comments on the issues that we see today. We are pretty unified in our approach. Everybody that I shared with, I put them under non-disclosure agreements and worked with them, and the consistent feedback that we got was that HealthCare.gov is not secure today, and nothing has really changed since the November 19th testimony. In fact, from our November 19th testimony, it is even worse. Additional security researchers have come into play, providing additional research, additional findings that we can definitely tell that the website is not getting any better.

In fact, since the November 19, 2013, testimony, there has only been one-half of a vulnerability that we discovered that has been addressed or even close to being mitigated. When I say one-half, I mean that basically they did a little bit of work on it and it is still vulnerable today.

I want to throw a disclaimer out there that in no way, shape or form did we perform any type of hacking on the websites. That is a misnomer. The type of techniques that we used is looking at the site from a health perspective, doing what we call passive reconnaissance, not attacking the site in any way, shape or form, not sending data to the site but really looking at the health of it.

I would like to put in another analogy. Say my expertise wasn't being in the security industry, it wasn't anywhere near doing anything security related and I was a person that was a mechanic. I had 14 years of being a mechanic. And a car drove past me that was puffing blue smoke out of the muffler, it was leaking oil, the engine was making clinking sounds, and basically a lot of symptomatic problems: the doors are open, the windows are open and everything else. As a mechanic, I can probably say with a reasonable level of assurance that the engine probably has some issues. Same thing with technology and Web applications. Web applications are no different than a car with an engine problem. There are a lot of pieces that make the car work. There are a lot of pieces that make a website work. From our testimony here today as well as what we have discovered in the past, there are a number of security issues that are still there today with the website.

To put it in perspective, I would like to put for the record that there weren't 70 to 110 million credit cards taken from Target. That is not accurate. The correct statistic is that there were 70 to 110 million personal pieces of information taken about individual people that shopped at Target. There were 40 million credit cards that were taken.
The issue with Target isn't specifically around credit cards. Credit cards can be reissued. Your credit that gets taken from the credit cards can be debited back into your account. You are not liable as a consumer. But what you can't fix is your personal identity. If you look at Target, for example, the 70 to 110 million personal pieces of information, that includes address, email addresses, phone numbers, additional information. That is what you can't replace, and we have already seen a number of individuals that are selectively being targeted from a personal information perspective because of that. That doesn't even include Social Security numbers. In fact, I just had another independent security person get targeted yesterday from an email claiming to be Target. As soon as they clicked the link, it hacked their computer and took full control of it. So this issue here doesn't relate specifically to just credit card data because that is obviously not in the HealthCare.gov website. The personal information around Social Security numbers, first name, last name, email addresses, home of record, those are all a recipe for disaster when it comes to what we see from personal information being stolen and theft. So it is not just that. As an attacker, if I had access to the HealthCare.gov infrastructure, it has direct integration into the IRS, DHS as well as third-party providers as well for credit checks. If I have access to those government agencies, I now can complete an entire online profile of an individual, everything that they do and their entire online presence. And this isn't just HealthCare.gov alone. I am not trying to single out HealthCare.gov alone. I am really focusing on a much larger issue, which is security in the federal government alone is at a really bad state. We need to really work together to fix it and work on more sweeping changes. Thank you. [The prepared statement of Mr. 
Kennedy follows:]

Chairman Smith. Thank you, Mr. Kennedy. Mr. Krush.

TESTIMONY OF MR. WAYLON KRUSH, CO-FOUNDER AND CEO, LUNARLINE, INC.

Mr. Krush. Chairman Smith, Ranking Member Johnson and Members of the Committee, thank you for this opportunity to testify on the important topic of cyber security. I am Waylon Krush, Founder and CEO of Lunarline. We are one of the fastest-growing cyber security companies. I am also a founder of the Warrior to Cyber Warrior program, as stated earlier. I have been asked to speak on cyber security today as it relates to HealthCare.gov, and just listening to Mr. Kennedy, I actually have some very simple points I want to make right away. First of all, if none of us here built HealthCare.gov, if we are not actively doing not a passive vulnerability assessment but an active vulnerability assessment and doing penetrations and running that exploitable code on HealthCare.gov, we can only speculate whether or not those hacks will work. So anything that has been said thus far, if we are talking about any type of dot gov or dot mil site just identifying passively a vulnerability and not actually working on the site, knowing how the protocols work in the back end, what type of defense in depth, how each one of the assets are locked down, nobody here at this table can tell you that they know that there are vulnerabilities.
Another thing I would like to talk about today is in the federal government, something a little bit different than we have in the commercial organizations is, we use something called the risk management framework, and you know, this Committee has actually helped develop that as part of NIST, and I will tell you, that is one of the most rigorous processes as it relates to cyber security and privacy in the entire world, and when I say the entire world, most security standards are just a subset of the risk management framework. It is one of those areas from a security control perspective that has been taken to build other security standards or it is basically copy, cut, pasted to create new security standards. This is a six-step process. It includes categorization, selection, implementation, validation, authorization and, most importantly, continuous monitoring of all the controls. You know, just looking at it, you might think well, there are about 360 controls in NIST Special Publication 800-53, revision 4. When you dig a little bit deeper, there are actually several thousand information security controls that our federal information systems must undergo from a security architecture perspective including they must be continuously testing. Another point I would like to make is that if anybody here actually went out to these websites, and I am not talking about passive, but if we have extracted addresses, if you went to the website and done anything outside the bounds of what is allowed in the federal government, you are basically breaking the law. You can't just go out and say I found this vulnerability and then exploit it to try to get, you know, media attention or anything like that. If you do that, you are breaking the law. It is pretty simple. And last but not least, you know, HealthCare.gov is one of many hundreds or even thousands of federal information systems out there in websites, and you know, I have worked in the threat area.
I can tell you, my background is not only a soldier but was on the U.S. Army's Information Operations Red Team, Blue Teams, information system security monitoring teams, protocol analysis, signals analysis, and including working in critical infrastructure protection for AT&T for a few years all across the world. If you go out and tell someone--and this is just the truth when we are out actively taking down websites--I can sit here all day and speculate about a vulnerability but until I have actually exploited that vulnerability, there is no way to tell whether that attack will actually work. There is a lot more going on in the background that everybody needs to understand. Another note, and last but not least, about HealthCare.gov that everyone needs to understand is that with all of the media attention it is currently getting, you would think it is the most high-payoff target in the entire federal government. You would think that HealthCare.gov is something that everybody would want to go after. That is truly--that is media spin, if anything. HealthCare.gov is one of many websites that have personal information in it. It is connected to other systems but saying it is interconnected directly to all these systems and that leaves them vulnerable also shows kind of a lack of knowledge of the backend system capabilities, meaning that those connections are very secure and they are authorized on both sides. And you know, I have actually been lucky enough to work within CMS and HHS on cyber security deployments and configurations so out of everybody here at least at this table, I probably have the most hands-on knowledge but I can't come here and just speculate about what is actually vulnerable to the system and what is not. And the truth is, once again, on the threat side, as we have seen in media, you can probably tell that, you know, HealthCare.gov is not the one getting attacked.
Most cyber criminals, especially those with advanced capabilities, they go where the money is, right? They are going to go after the Targets, they are going to go after the Neiman Marcus, they are going to go after these places that contain lots of data related to intellectual property because it just makes fiscal sense, right? If the U.S. government spends billions of dollars on our research and development and we don't protect it and some other country takes that, you just saved them billions of dollars. Thank you.

[The prepared statement of Mr. Krush follows:]

Chairman Smith. Thank you, Mr. Krush. Mr. Gregg.

TESTIMONY OF MR. MICHAEL GREGG, CHIEF EXECUTIVE OFFICER, SUPERIOR SOLUTIONS, INC.

Mr. Gregg. Thank you, Chairman Smith, thank you, Ranking Member Johnson, Members of the Committee, for having me here today. My name is Michael Gregg. I am really going to break down my speech into three pieces and my presentation: first, how HealthCare.gov could potentially be hacked, why HealthCare.gov needs independent review by third parties, and also, what would be the result of this, what could be the potential impact. My concern is that HealthCare.gov is a major target potentially for hackers looking to steal not only personal identities but also information that could be used to steal their identity. Although I understand HealthCare.gov does not store that information, it passes that information back and forth between third-party government sites and other organizations. While there are many different ways that the site could be hacked, there are some prominent ones, and these are the same ones listed by prominent websites like OWASP. It could be things like cross-site scripting, SQL injection.
It could be LDAP injection, it could be buffer overflow. There are many different ways that this could be done. Now, while that sounds foreign to many of you, the fact is, these are known attacks that are used against known sites every day from Target to Neiman Marcus to Google to many others. Some of the things that concern me are in the past we have seen, for example, the 834 data. That is data that is passed to the back end of the insurance companies. We have seen and we have heard reports of this information being corrupted and not being correct when it is being received. That indicates at some point the data is not being handled correctly, and all input data, all process data, all output data has to be correct. If not, there is some type of problem, meaning that data is not being properly parsed. That same kind of situation could lead to an attacker putting in some type of data and misusing that in some way or launching an attack. Also, as I said, HealthCare.gov is a very large attack surface. This is a very large program or application. It was built very quickly. A large attack surface makes it very hard to secure. So I find it hard to believe that during the release and also the update of the site that all the items that our previous speaker spoke of as far as FISMA, FIPS 199, FIPS 200, were actually taken care of and it actually passed all those requirements that they are required to by law, and that those were properly completed. Microsoft, think of those folks, for example. They have spent almost 30 years trying to secure their operating systems and still we see Microsoft products or operating systems being brought under attack. To think that HealthCare.gov could be built so quickly and then be secured to me is very hard to believe. When we have a large application or website to be reviewed, typically we do it a couple of different ways. We start at the very beginning before the site is actually developed. We do things as far as audits.
We do vulnerability assessments. We also do pen testing. All three of these things are required to actually look at and examine the site. Pen testing is a very important part of this process because pen testing means we are looking at the site the same way the attacker would. We are saying what would the attacker see, what could they use, what could they do with this and how could they leverage this potentially for attack. I don't believe those types of assessments have been done to this day and have been properly completed. So what has been reported currently is that when we see with HealthCare.gov that they are running weekly assessments, that they are potentially patching the site, but a lot of that activity we are talking about is reactive in nature. That means when we are finding a problem, we are actually fixing it. That doesn't mean we have already gone out and we have found all possible problems or all potential ways that an attacker may leverage that and get access to the site. Some might argue that if HealthCare.gov is actually vulnerable, why hasn't it already been attacked? Well, if you think about it from an attacker's standpoint, we have seen that attackers have the fortitude and also the patience to wait until the right time. Look at Target. Did they attack immediately? No, they waited until the right time and the right moment to actually do this. This could be the same thing. They are going to wait until after March. They are going to wait until the deadline. They are going to wait until there is a trove of information for them to go after. Then they are going to target it. So what could be the impact on consumers? Potentially reduced credit ratings. It could be increased difficulty getting loans, could be criminal issues. It could be emotional impact. It also could be very damaging as far as medical information that could be lost. It could be potentially people don't get hired for a job.
It could be they get the wrong treatment because someone else has obtained treatment under their name for some other type of disease or some other type of problem that they didn't have. It could be potentially them being denied an application or job for some reason. And in closing, I would just like to say this. When our organization builds applications, we bring everybody together. We bring the end users, the developers. We bring everyone together, the security professionals, to make sure the site is secure and that security can be built in from the very beginning. I do not believe that has been done in this case. Hacking today is big business. It is no longer the lone hacker, the individual in their basement. Today is organized crime. It is very large groups potentially out of places like Russia and Eastern Europe. We can fix these problems, but for these problems to be fixed means that we need an external assessment of this site by independent third parties. Thank you very much for your time.

[The prepared statement of Mr. Gregg follows:]

Chairman Smith. Thank you, Mr. Gregg. And Dr. Ponemon.

TESTIMONY OF DR. LAWRENCE PONEMON, CHAIRMAN AND FOUNDER, PONEMON INSTITUTE

Dr. Ponemon. Thank you, Mr. Chairman, and thank you for inviting me. Well, first, let me just start off by saying that I am the research wonk to this panel. These people are absolutely brilliant and they understand the technical aspects and the security issues. What I would like to do is talk a little bit about the consequences of identity theft and medical identity theft. That is really my focus, and the basis of my comments is research, research that my institute conducts. And sometimes, by the way, they call my institute the Pokemon Institute.
It is actually Ponemon Institute, which is my last name. So I understand the purpose of my testimony today is to provide assistance in understanding the potentially devastating consequences of a data breach to individuals, to households and society as a whole. For more than a decade, we have studied the cost and consequences of data breach through extensive consumer studies as well as benchmark research on the privacy and data protection practices of companies in the private and public sectors. In the area of healthcare, we have conducted four annual studies on medical identity theft and patient privacy and security protections within hospitals and clinics. We also survey consumers on their perceptions about the organizations they trust the most to protect their privacy. Among the U.S. federal government sector, for example, we are pleased to report some good news, that the USPS, the Postal Service, gets very high marks for trust. Another, and this might be a little surprising, the IRS actually is trusted for privacy, not for anything else--no, just joking--but definitely for privacy practices, as well as the Veterans Administration, and they were a bad guy, right? You might remember, they lost a lot of data. I am a veteran and I was on that list of 26 million. But they turned things around and they are trusted for privacy. So today I have been asked to testify about the possibility of like identity theft on the HealthCare.gov website and the potential consequences to the American public. Identity theft and medical identity theft are not victimless crimes and affect those who are most vulnerable in our society such as the ill, the elderly and the poor. So beyond doing these numerous research studies that I just mentioned, this is an issue that really struck home for me. Last year, my mother, she is 88 years old, she lives alone in Tucson, Arizona, and she suffered from a stroke.
She was rushed to a hospital and admitted immediately, and unbeknownst to her, an identity thief was on the premises and made photocopies of her driver's license, debit cards and credit cards that were in her purse. And by the way, she also has all the passwords to everything in a little Post-It note in her purse as well. She doesn't listen to me. That is the problem. The thief was able to wipe out her bank account and there were charges on her credit card and debit card amounting to thousands and thousands of dollars. In addition to dealing with her serious health issues, she also had to cope with the stress of recovering her losses and worrying about more threats to her finances and medical records. The situation with my mom in the hospital and those who are sharing personal information on HealthCare.gov are not dissimilar, and let me explain. My mother had a reasonable expectation that the personal information she had in her wallet would not be stolen, especially by a hospital employee, and those who visit and enroll in HealthCare.gov have an expectation that people who are helping them purchase health insurance will not steal their identity. They also have a reasonable expectation that all necessary security safeguards are in place to prevent cyber attackers or malicious insiders from seizing their personal data. Now, in my opinion, the controversy regarding security of the HealthCare.gov website is both a technical issue, as we heard from these gentlemen, but it is also an emotional issue. In short, security controls alone will not ease the public's concerns about the safety and privacy of their personal information. Based on our research, regaining the public's trust will be essential to the ultimate acceptance and success of this initiative. So following are some key facts that we learned from our consumer research over the more than a decade of doing these kinds of studies.
First, the public has actually a higher expectation that their data will be protected when they are dealing with government sites than commercial sites. In other words, when I am going to the Veterans Administration, I have a higher expectation of privacy. Whether it is rational or not, that is basically what we see. Second, the loss of one's identity can destroy a person's wealth and reputation and in some cases their health. Further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for Americans to procure goods and services. Third, medical identity theft negatively impacts the most vulnerable people in our Nation. Beyond financial consequences, the contamination of health records caused by imposters can result in health misdiagnosis and in extreme cases could be fatal. Because there are no credit reports to track medical identity theft, it is nearly impossible to know if you have become a victim. So what is the solution? Let me just give you three ideas. First, on the trust issue, let us think about accountability. It is important to demonstrate accountability, and the best way to do that, in my mind, is rigorous adherence to high standards, and I think we mentioned NIST. NIST is a great standard but very high standards above the bar and showing the American people that this particular website or any website that collects sensitive personal information is meeting or exceeding that standard. Number two is ownership. What I would like to see is the chief information security officer is your chief executive officer. That is good news when the CEO steps up to the plate and does what needs to be done, and in this case, I would love to see our President take ownership of the website and ensure that good security and privacy practices are met as a priority, not just by HealthCare.gov, but across the board. And third is verification. Now, I am an auditor. 
I have to admit this, so I am a little bit biased, or I used to be an auditor at PriceWaterhouseCoopers. You know, we can say that we are doing all of these good things, but having a third-party expert telling us that we are meeting and exceeding the standards is a very good idea and a noble idea. And with that being said, I think I am actually the first person concluding giving you some time back on the clock.

[The prepared statement of Dr. Ponemon follows:]

Chairman Smith. Well----

Dr. Ponemon. Oh, no.

Chairman Smith. --not exactly.

Dr. Ponemon. I wasn't watching the time. I am sorry.

Chairman Smith. Thank you, Dr. Ponemon. I appreciate your testimony. I will recognize myself for questions. Let me direct my first one to Mr. Kennedy. Mr. Kennedy, the Administration maintains that there has not been a successful security attack on HealthCare.gov. Is that an accurate statement?

Mr. Kennedy. Thank you, Mr. Chairman. Basically what we know for the monitoring and detection capabilities within the HealthCare.gov infrastructure is as of November 17th, they had not stood up a security operation center or had the capabilities to even detect an actual attack. So it also stated that they detected 32 attacks overall. However, if you have no monitoring detection capabilities, period, how are you detecting all the different attacks that are happening? So I would say that the statement is accurate because they don't necessarily know the actual attacks that are occurring in there. In addition, I would like to also mention that the Chief Information Security Officer from HHS, Kevin Charest, also said that, ``I would say that the HealthCare.gov website did not follow best practices.'' So as a testament to Mr.
Krush's testimony, the 800-53 and best practices were not followed and did not meet best practices when it was implemented.

Chairman Smith. And Mr. Gregg----

Mr. Krush. Let me talk to----

Chairman Smith. I am sorry, Mr. Krush. You can get time from someone else. I would like to ask a question to Mr. Gregg. Do you agree generally with the assessment by Mr. Kennedy that they don't have the capability? And furthermore, let me say that you did have Administration officials say in November that there were 16, I think, security breaches or incidents and then 32 in December. Are those figures plausible, and where do they get them?

Mr. Gregg. Well, they are potentially plausible if they either weren't monitoring or they didn't pick up the attacks. For most of the sites we look at, and companies we work with, we see anywhere from hundreds potentially, a thousand or more hits a day. Now, a lot of that stuff is scripted but for a number to be that low, I would either think, one, they are not detecting it, or two, their detection capability is not correct.

Chairman Smith. Okay. Thank you, Mr. Gregg. Dr. Ponemon, do the security standards, protections and breach notification standards for Obamacare even meet the minimal standards put in place for the private sector?

Dr. Ponemon. I think the private sector for the most part has--and it does vary quite a bit. There are industry standards, for example, that actually are much higher than the standards we see in the government. But NIST, for example, and the need to comply with certain standards, for example, around cloud computing and FedRAMP, and there are standards that exist that are actually fairly reasonable. For the most part, though, I think if you are looking for best practices, you probably would be looking at industry versus the government.

Chairman Smith. Thank you, Dr. Ponemon. Mr. Kennedy, another question for you. Is Mr.
Krush right in what he said in his oral testimony that passive reconnaissance of HealthCare.gov is not sufficient to raise concerns about the website's security?

Mr. Kennedy. Thank you, Mr. Chairman. I would like to address that direct on, which would be, passive reconnaissance, you have the ability to enumerate exposures and vulnerabilities. Any security researcher or tester that has been in the industry for a number of years, especially in the technical side, will be able to collaborate that. In fact, all seven of the security researchers also said the same exact thing, that the website itself is vulnerable. This isn't speculation. These are actual exposures that are on the website today that could lead to personal information being exposed as well as other critical flaws of actually attacking individual people just by visiting the website. To answer your question, by doing passive reconnaissance, you can absolutely identify exposures. There are absolutely techniques out there without actually attacking the site for doing it, and I would question that the other seven security researchers that also testified that looked at the same type of research, came to the same exact conclusion as myself.

Chairman Smith. Okay. Thank you, Mr. Kennedy. Mr. Krush, I do have a question for you. Apparently you have contracts with a company that does work for CMS. Is that accurate?

Mr. Krush. That is accurate.

Chairman Smith. And what is the amount of those contracts, both past and present?

Mr. Krush. I actually don't know that off the top of my head but I have----

Chairman Smith. Okay. I think----

Mr. Krush. --tens of millions of dollars of contracts in the federal government right now.

Chairman Smith. All right. Okay. So you have tens of millions of dollars of business with CMS directly or indirectly?

Mr. Krush. Not CMS.

Chairman Smith. With a company that does work for CMS?

Mr. Krush. No, that--those amounts are very high. I am talking across the government.
I am not--I just don't know specifically with CMS. That is why I can actually talk from a technical perspective and not speculate on some of the----

Chairman Smith. With CMS, according to your Truth in Testimony that you filed, I think it is $1.5 million that you do have in those contracts.

Mr. Krush. Okay. That sounds good.

Chairman Smith. If you will take my word for it?

Mr. Krush. Yes.

Chairman Smith. In that case, isn't it natural that we might suspect that your testimony is a result of your being paid by--directly or indirectly by CMS and here you are not going to actually testify against them if you have $1.5 million worth of contracts with them? Isn't that a reasonable assumption?

Mr. Krush. Well, Chairman Smith, actually as it relates to CMS, if you look at the GAO docket, I actually have been protesting with them. You know, on the contracting side, me and CMS are not necessarily best of friends. I am here to talk about the cyber security in what----

Chairman Smith. I know what you would rather be talking about but it still seems to me $1.5 million in contracts does perhaps influence your testimony. That is all I have to say on that. My time is up, and the gentlewoman from Texas is recognized for her questions.

Ms. Johnson. Thank you very much. Very interesting hearing. Mr. Krush, you were cut off earlier when you were going to make a comment on Mr. Kennedy's testimony. Would you like to make that now?

Mr. Krush. I actually have a few here, so just across the board. Earlier Mr. Gregg talked to the fact that, you know, the HealthCare.gov didn't implement what we call FIPS 199 and FIPS 200. Just to clarify what that is for everyone here, FIPS 199 is Federal Information Processing Standard 199. It requires you to categorize an information system in accordance with the confidentiality, integrity and availability of an information system. We know that that was completed because there was a letter from Ms.
Tavener out as part of the authorization process that 200 is the baseline controls for all federal information systems. We also know that that was completed because they had an ATO letter that specified some of the vulnerabilities and what the actual process dealing with the healthcare.gov was. So I just wanted to talk to that point. And, you know, talking about also waiting, from Target's perspective, waiting until, you know, a certain time to act. I don't think any of us here have also worked on the Target.com website or the backend database, and I would tell you that a lot of the advanced attackers, you know, unless you have done the forensic sampling and you have actually picked up the crumbs, you don't know when they actually attacked, and I think that that is under investigation right now. HealthCare.gov, Mr. Kennedy brought up the point that there was no security operation centers. Some of those one point whatever million dollars that have been allocated to my company was actually related to those early on. There are actually two security operation centers within HHS you might want to know. They have a centralized one which does monitoring of the entire enterprise, and on top of that, CMS has its own security operation center, and I can tell you from a technology perspective, some of the technologies they have implemented is, you know, top notch. It is what you would expect in a top-tier security operations in the U.S. federal government.

Ms. Johnson. Thank you. According to Mr. Gregg's testimony that this site is a major target, but the attacks won't be accurate or of interest or of value until after March, what do you anticipate that March will bring?

Mr. Krush. Nothing. You know, the truth is, when it comes to March, if an attacker wants something off the site, they are going to continuously do whatever they can to gain access.
I think one of the things that was also said is that, you know, there is a certain number of incidents, and those numbers do sound low, but once again, everybody here, none of us have worked in the security operations center, which does exist within CMS, and so we don't necessarily know what the escalation requirements are. So, for example, most government websites literally are enumerated passively, meaning--and this is still considered an incident via DHS. If you go through and you do scans on a website, meaning that you are looking for open protocols and services, that is considered an incident. Now, does every organization report those? No, because you would have hundreds of thousands of reports a day. However, some of the--I got a call last night from actually a news reporter and they called me up to talk about Mr. Kennedy's, you know, analysis he had done on the website, and I just want to be clear that, you know, if him and his security researchers actually did go to a dot gov, they did passively enumerate and actually pulled data in an unauthorized manner, then that is a very significant issue. I went to the course while I was in the military for the FBI, and I can tell you that that is of grave--it is great concern to us when anybody goes out to federal government website without permission and is actually passively enumerating then executing something to pull data off that website.

Ms. Johnson. Thank you very much. Dr. Ponemon, you indicated that your mother had this incident happen with her identity. What about that stolen information affected her healthcare?

Dr. Ponemon. You know, in the case of my mom, she would fall into the category of an identity--she is an identity theft victim but not a medical identity theft victim because really, her medical records were not exposed, and so that would be a different crime, and thank goodness she is a medical identity theft victim because that is bad news. It is really hard.

Ms. Johnson. Thank you.

Dr. Ponemon.
Thank you.

Ms. Johnson. My time has expired but I hope someone will ask the value of someone having hacked the HealthCare.gov.

Chairman Smith. Thank you, Ms. Johnson. Mr. Hall has said that because Mr. Broun has a time commitment that is almost immediate, he is going to allow Mr. Broun to go ahead of him in the questioning, so Mr. Broun is recognized.

Mr. Broun. Thank you, Mr. Chairman, and thank you, Mr. Hall, for giving me this opportunity. It has come to the Oversight Subcommittee of this Committee's attention that there is or at least was an Affordable Care Act Information Technology Exchanges Steering Committee chaired by senior White House officials, established back in May 2012, almost a year and a half before the rollout of HealthCare.gov. The White House steering committee's charter explicitly directed the formulation of working groups, including one on security. It also turns out that a chairman of this Obamacare website steering committee is the U.S. Chief Technology Officer in the White House Science Office, who also happens to be the immediate past CTO of the Department of Health and Human Services. Upon learning this, I, as Chairman of the Oversight Subcommittee, along with the full Committee Chairman, Mr. Smith, and Research and Technology Subcommittee Chairman, Dr. Bucshon, sent a letter to the White House requesting that Mr. Todd Park, the U.S. CTO and HealthCare.gov's steering committee chairman, make himself available to the Committee to answer questions regarding the security issues with HealthCare.gov by January 10th, last Friday. The White House has ignored that letter and the Committee's request until just yesterday when it provided a last-minute response that rebuffed this Committee--let me repeat: rebuffed this Committee. And that letter did not come from the Senate-confirmed President's Science Advisor, to whom the letter was addressed, but from the politically appointed OSTP Legislative Affairs Director.
My question for the panel simply is this: don't the American people deserve answers from those who are in charge of overseeing implementation of the Obamacare website's security protocol? After all, Mr. Park is an Assistant to the President. As the Chief Technology Officer of the United States and the chair of HealthCare.gov's steering committee, wouldn't Mr. Park, or shouldn't he, know and be involved in the security details of the website? Starting with Mr. Kennedy.
Mr. Kennedy. Thank you, sir. When we look at a website and its security, there are multiple people that need to be involved to understand the progress of it. I would agree with your assessment that there should be some involvement in that case. In addition, I also would like to clarify that a lot of information that we are getting around these security exposures has actually been vast. The Chief Information Security Officer from HHS saying it didn't follow best practices. You have a number of other individuals saying the security operations center hadn't been started yet. You have the HealthCare.gov infrastructure, which is completely independent and was started completely independent of HHS being part of that. So this is a mismanaged issue. I don't understand how we are still discussing whether or not the website is insecure or not. It is. There is no question about that.
Mr. Broun. It is insecure?
Mr. Kennedy. It is insecure, absolutely 100 percent. There is no questioning that. People from HHS have said that. You know, it is not a question of whether or not it is insecure. It is what we need to do to fix it. And just to point to Mr. Krush's point, he also said to Reuters, which is the article that he also mentioned earlier, Krush said he has not reviewed Kennedy's findings or done any work on HealthCare.gov's site itself. So, you know, this is all purely speculation. It is a bunch of hogwash, and personally, it seemed to be politically biased, unfortunately.
Mr. Broun. Thank you, Mr. Kennedy.
I appreciate your long answer but this is actually a yes or no answer. Mr. Krush, do the American people deserve to know?
Mr. Krush. Yes.
Mr. Broun. Okay. Mr. Gregg?
Mr. Gregg. Yes, they do. However, I would like to add, I understand the NIST process and others quite well. I co-authored a book on it, also developed a course for Villanova University on certification and accreditation. Finally, his statement ends to a scan. A scan is not passive. A scan is active. But yes, they do deserve an answer on this.
Mr. Broun. Doctor?
Dr. Ponemon. Ditto, yes.
Mr. Broun. And I agree, the answer is yes. I am very disappointed with the Administration. We have asked for information. The American people deserve to have that information, and I will do everything that we can to try to get Mr. Park to give us that information or the Administration. Mr. Chairman, my time has run out so I yield back.
Chairman Smith. Okay. Thank you, Dr. Broun. The gentlewoman from Maryland, Ms. Edwards, is recognized for her questions.
Ms. Edwards. Thank you, Mr. Chairman, and thank you to our witnesses today. Just very quickly, Mr. Kennedy, do you have any federal contracts for security? Any?
Mr. Kennedy. As of right now, no.
Ms. Edwards. Have you had?
Mr. Kennedy. Yes, I have.
Ms. Edwards. And what were they?
Mr. Kennedy. Working for the federal government?
Ms. Edwards. Yes, federal security contracts.
Mr. Kennedy. Yes.
Ms. Edwards. What were they?
Mr. Kennedy. I would be happy to disclose those.
Ms. Edwards. I would appreciate it in writing, if you would.
Mr. Kennedy. Sure.
Ms. Edwards. If you would tell us the federal contracts that you have had in dealing with information security in the areas that you claim to be an expert in.
Mr. Kennedy. I would be happy to write that.
Ms. Edwards. And Mr. Krush, I just want to ask you really briefly if you could tell us security standards, compare those that are used for the federal government as to the private sector.
You have alluded to that a bit, if you could just very quickly?
Mr. Krush. Sure. So one thing to understand, and just to go back to Mr. Gregg, you know, I have also co-authored a book on, we have taken over 10,000 pages of information from the National Institute of Standards and Technology, the Department of Defense instructions, the intelligence community directives and also, you know, some of the SAP programs and consolidated that, and that book is actually used in places such as Syracuse University to teach people that actually want to understand this very rigorous federal process. I am also co-author of NIST Special Publication 800-53 alpha. That is the process where we actually do the assessments per se. So----
Ms. Edwards. I trust your expertise. I just want to know the rigor of the standards for the federal government compared to the private sector.
Mr. Krush. Sure. So that is a great question, Ms. Edwards. One of the things to understand is that NIST Special Publication 800-53 starting at revision 2, and we are now up to revision 4, integrated all of the commercial standards. At rev 3, so meaning, you know, the most ISO, Carnegie Mellon, a lot of these organizations that had kind of best practices out there, they were integrated into that revision. By revision 4, we have actually integrated the Department of Defense standards, the intelligence community standards, also a lot of standards that are kind of outside the realms, they are threat-based. As you will find, most auditing organizations don't look for those.
Ms. Edwards. So are the----
Mr. Krush. There is definitely rigor compared from a commercial organization to what you will get in the government, and I have worked on both sides. Fifty percent of my contracts are with Fortune 50 and 100 companies, so I can tell you the depth and rigor that you implement on a federal information system, as it should be, is just more much intense than what you see in the commercial markets.
Ms. Edwards.
And is HealthCare.gov, is the rigor attached to HealthCare.gov any different from any of these other federal systems that you have indicated?
Mr. Krush. No, this process is the same across the U.S. government.
Ms. Edwards. Thank you. So I wonder if the standards that you described are above--and I think you said this--are above those that you would find in the commercial sector?
Mr. Krush. I would say yes.
Ms. Edwards. Thank you. Mr. Gregg, you mentioned some information or speculation about medical records vis-a-vis HealthCare.gov. Are you aware of any medical record that is maintained on HealthCare.gov?
Mr. Gregg. No, the information is simply passed through.
Ms. Edwards. Exactly. Is there any medical record, personal medical record, contained on HealthCare.gov?
Mr. Gregg. No.
Ms. Edwards. Thank you. And then Dr. Ponemon, just out of curiosity, you talked about your mother's experience, which just sounds really horrible, but she didn't experience identity theft through HealthCare.gov. Isn't that correct?
Dr. Ponemon. Absolutely not.
Ms. Edwards. Right. Thank you. And I just wonder, Mr. Krush, if you could help me, if you will. Of the experience that you have had in developing and working on federal information systems, is it your conclusion that you would feel safe in putting your personal information through HealthCare.gov?
Mr. Krush. Ms. Edwards, I actually put that in my testimony. I would put my personal information on HealthCare.gov. I said this more than once, and you know, I continue to stand by that.
Ms. Edwards. Thank you. And Mr. Kennedy, lastly, I want to go back to your federal work I mean that I can find disclosed. I know that you got a small business loan from the Small Business Administration for ``businesses that do not qualify for credit in the open market.'' Again, what is the other federal security work that you have done?
Mr. Kennedy. I would be happy to disclose that in written testimony.
Ms. Edwards.
Can you just give me an example right here on the record?
Mr. Kennedy. I would need to get permission from my customer. I work on non-disclosure agreements and confidentiality of information.
Ms. Edwards. Okay. What I would like to do, I will write you a letter. Your financial disclosure that you have submitted in this record requires that. Did you put that in your financial disclosure?
Mr. Kennedy. No. No, I--listen to me. My experience----
Ms. Edwards. Did you----
Mr. Kennedy. The question you asked me was, did I have federal experience in the----
Ms. Edwards. It is my time, Mr. Kennedy.
Mr. Kennedy. Yes, ma'am.
Ms. Edwards. Did you put that financial disclosure information in the record as required by our Committee?
Mr. Kennedy. I am not required to put that in there.
Ms. Edwards. Thank you very much.
Mr. Kennedy. Thank you. It is not on behalf of TrustedSEC. Thank you.
Chairman Smith. Thank you, Ms. Edwards. The gentleman from Texas, Mr. Neugebauer, is recognized for his question.
Mr. Neugebauer. Thank you, Mr. Chairman. So, Mr. Gregg, I ask you this question: could a security breach of HealthCare.gov result in people's medical files being accessed?
Mr. Gregg. Yes, sir, it could. The information could be accessed, and then the real damage would come afterwards, how that information could be used. It could be used potentially to gain information of financial data. It could be used for identity theft. It could be misused many different ways. And that damage, as Mr. Kennedy alluded to earlier, is not just something as simple as replacing a credit card. This can be long-term. It can be very damaging to an individual.
Mr. Neugebauer. Now, there was a recent GAO report that documented that there was a 111 percent increase in federal agency data breaches in the past three years. Specifically, the GAO report noted that there were 22,156 incidents revealing sensitive personal information since 2012, up from 10,000 in 2009.
Interestingly enough, the Centers for Medicare and Medicaid Services, the HealthCare.gov operator, had the second-most breaches in the report for Fiscal Year 2012. Mr. Krush said that the hackers are going where the money is and not necessarily interested in these government sites, but yet we see a substantial increase in the number of incidents that are happening. Mr. Kennedy, do you agree with Mr. Krush that people really aren't interested in these government sites or what is your opinion on that?
Mr. Kennedy. Thank you, sir. I do not agree with Mr. Krush's testimony there. I believe that the hackers move where the money is and there is a lot of money to still be made in the personal information side as well as other government agencies that look to do demise to us, especially on our information technology-related issues. Having direct access into DHS, IRS is a treasure trove for additional attackers out there. There is a lot of money for the organized crime, there is a lot of money for what we call state-sponsored attacks, so I would not agree with his assessment. There is plenty of money to be made in the government space and there are breaches happening all the time there.
Mr. Neugebauer. If I go to a government site and I am a hacker, what are the treasures out there that I am going to glean that are going to help me do whatever bad thing I have in mind?
Mr. Kennedy. Sure. I think that is in the question. It depends purely on the motivation of the attacker. So you have really three criteria of the attackers. You have your average black hat that may be politically motivated to prove a specific point or street credibility. You have your organized crime, which is specifically looking for monetary value or persistent access into organizations. There is also a huge black market right now that surpassed the credit card industry for what we call carders. Selling compromised infrastructures and organizations is a huge market right now.
If I can say, hey, I compromised Government X or HealthCare.gov, I can sell that to an attacker for thousands of dollars to make a big buck off of it. Additionally--so you have that portion of it, the identity theft, the fraud, other areas there. Then you have the state-sponsored element, which is other government entities attacking infrastructure in order to infiltrate, gain access and intelligence on us, and that is a huge business right now. We see it obviously happening off of different, multiple other government entities, as well as Eastern European countries.
Mr. Neugebauer. Would you feel comfortable putting your personal information in HealthCare.gov?
Mr. Kennedy. Absolutely not.
Mr. Neugebauer. Yes. Mr. Gregg?
Mr. Gregg. No, sir, I would not.
Mr. Neugebauer. Dr. Ponemon, would you?
Dr. Ponemon. I am not sure.
Mr. Neugebauer. You know, I want to go back to you, Dr. Ponemon. One of the things that, you know, you talked about was that you wanted to talk about the consequences of stolen identity.
Dr. Ponemon. Sure.
Mr. Neugebauer. Yes. So one of the things I think might be helpful is people that are forced to go to access their healthcare through government--HealthCare.gov, what would you advise them to do? You know, they are going to have to access that. As they are filling out that information, are there some preventative things that they can do that would minimize some of the potential consequences if the system is breached?
Dr. Ponemon. Well, obviously, if the site is secure, that is a good step, right, but as an individual, whether we are doing it on HealthCare.gov or whether it is a website like Amazon.com, we need to be smart. We need to understand that our data could be at risk. The bad guys are really smart. For example, we should not be using the same password over and over again. Our computer should have the most current version of antivirus or anti-malware technology.
These commonsensical approaches do make a difference and that should be across the board. But again, if you have data that is extremely sensitive and confidential, then basically your guard, your level of concern should go up. And a lot of people don't think about these issues well enough or they don't think that they will become a victim. But as we know, with 110 million records here and 90 million records there, everyone, every single person in this room is a victim of some data loss and probably at least had one data breach notification in the last five years. So it is a big problem.
Mr. Neugebauer. Thank you, Mr. Chairman. I yield back.
Chairman Smith. Thank you, Mr. Neugebauer. The gentlewoman from Oregon, Ms. Bonamici, is recognized for her questions.
Ms. Bonamici. Thank you very much, Mr. Chairman, and thank you to our witnesses for being here today. This hearing is ostensibly about HealthCare.gov but I just want to make a big picture comment that the Affordable Care Act is certainly about more than a website; it is about an issue of great importance, which is about the availability of healthcare to all Americans. Now, when I saw the title of this hearing, I was pretty interested. I actually have a background in consumer protection. I used to work at the Federal Trade Commission, have worked on identity theft issues. I was a little baffled frankly about why we are doing this in the context of HealthCare.gov and in the Science Committee. That being said, we all acknowledge that there have been some serious technological problems rolling out the Affordable Care Act, but I am really concerned that some people listening, our constituents, might really be concerned that there are risks involved in enrolling through the website that aren't really there. So I want to clarify a couple of things.
First of all, I want to make it clear to our constituents that identity theft is already a federal crime, that if someone knowingly commits identity theft, that is a federal crime. If they do it--aggravated identity theft, there are enhanced penalties. So I want to make clear that if there is identity theft, that is already against the law. The Department of Justice prosecutes that. The Federal Trade Commission has several laws dealing with it. So identity theft is an issue we should be concerned about but I am baffled about why we are talking about it in the terms of HealthCare.gov. So, Mr. Krush, I want to ask you a couple of questions. First, I want to acknowledge and thank you for your service to this country. I understand, Dr. Ponemon, you are a veteran as well. Thank you for your service. Mr. Krush, you talked about how some people are suggesting that HealthCare.gov is a major target for hackers. Based on your background, your military and cyber security background, could you discuss the range of hackers and their different motives and talk about where HealthCare.gov is on the scale of high payoff targets. And you mentioned this in your testimony, but will you talk about that range just a bit, please.
Mr. Krush. Yes. Actually, it is very interesting in that, you know, we are here on the Committee of Science, Space, and Technology, and I will tell you something from a high payoff target perspective, especially when you are dealing with advanced attackers, the more a nation--nation-sponsored attackers and those even on the criminal organizations, they are after some very specific targets. And, you know, I am not going to go into those but I will tell you from a government perspective in all reality if you are looking at the .mil and the .gov kind of domains, you know, HealthCare.gov is not really a huge high payoff target.
Space systems, technology related to weapons systems, intellectual property stores, information related to clearances, information related to quite possibly not only personal information on a person that may be weaknesses such as relationship issues where they can be played on or through blackmail. There is--websites that include information on criminals that are actually part of the court systems, literally we keep all of this information online now. As you can imagine from an attacker's perspective, you could literally, you know, not delete the paper but there are ways that you can get into a system and change an outcome of quite possibly, you know, cases or what actually you have done in the past. So there is lots of high-profile targets.
Ms. Bonamici. Thank you. Thank you so much. I want to follow up a little bit. It is my understanding that we have already established that there aren't medical records on HealthCare.gov, and Mr. Gregg confirmed that in response to Representative Edwards' question. Do you agree with that, there are no medical records on HealthCare.gov?
Mr. Krush. Correct. Those would be at the providers.
Ms. Bonamici. And would you agree that there is more personal information in a federal tax return than there is in a HealthCare.gov insurance application?
Mr. Krush. I agree.
Ms. Bonamici. Mr. Kennedy, do you agree with that?
Mr. Kennedy. I do agree.
Ms. Bonamici. Mr. Gregg?
Mr. Gregg. I do agree.
Ms. Bonamici. Dr. Ponemon?
Dr. Ponemon. I agree.
Ms. Bonamici. Terrific. Okay. So about 80 percent of the people in this country file their tax returns online. Mr. Krush, do you file your tax returns online?
Mr. Krush. I do.
Ms. Bonamici. Mr. Gregg, do you file your tax returns online?
Mr. Gregg. No.
Ms. Bonamici. Dr. Ponemon, do you file your tax returns online?
Dr. Ponemon. I am old-fashioned. No.
Ms. Bonamici. Mr. Kennedy?
Mr. Kennedy. I am old-fashioned as well.
Ms. Bonamici.
So when you understand that about 80 percent of the people in this country file their tax returns online, we are talking about security with HealthCare.gov when there is more personal information on a federal tax return. I just want to highlight that, that we are talking about security with HealthCare.gov when the majority of people file their tax returns online. All of you call for third-party--third parties to conduct security testing, and the MITRE Corporation, Blue Canopy, and Frontier Security have all been doing that for months. In your opinion, are those companies competent to do the work, yes or no? Dr.--or Mr. Krush?
Mr. Krush. Yes.
Ms. Bonamici. Mr. Kennedy?
Mr. Kennedy. Yes.
Ms. Bonamici. Mr. Gregg?
Mr. Gregg. Yes.
Ms. Bonamici. Dr. Ponemon?
Dr. Ponemon. I only have knowledge of MITRE and the answer is yes.
Ms. Bonamici. Thank you. Mr. Krush, to be clear, there have been no cases of a person's identity being stolen through HealthCare.gov at this point, is that correct?
Mr. Krush. That is correct.
Ms. Bonamici. Okay. I just want to clear that up because the title of the hearing suggests that one of the consequences of signing up through HealthCare.gov is going to be identity theft. So I wanted to clarify that. So I--my time is expired. Thank you, Mr. Chairman. I yield.
Chairman Smith. Thank you, Ms. Bonamici. The gentleman from Texas, the Chairman Emeritus Mr. Hall, is recognized for questions.
Mr. Hall. Thank you, Mr. Chairman, and thank you for the hearing and the witnesses. I like old-fashioned people. I don't know why. But I will ask my fellow Texan there, Mr. Gregg. There has been talk about March the 31st, and I think you mentioned that since the deadline for open enrollment is not until March the 31st, wouldn't hackers be kind of foolish to exploit the website now because they potentially would have the opportunity to retrieve a heck of a lot more information after that date?
Mr. Gregg. Well----
Mr. Hall.
Do they think like that or is that too----
Mr. Gregg. No, sir. They do in many ways look for the big payoff, and as was mentioned earlier, cybercrime can be broken down into two areas. One is the individuals looking for military, looking for that type of information, but a big other portion of it today is monetarily driven. We see a lot of that out of places like Eastern Europe. We see it out of places like Russia. And those individuals are looking for personal information. They are looking for things that they can make a financial payoff from. And to wait until the time was right would very much be to their advantage. While it is true information is not held on HealthCare.gov, information is passed through that site that they could potentially manipulate or take advantage of.
Mr. Hall. Thank you. And I have heard of a lot of problems, but given the problems of the website to date, would you say it is highly likely that there will be breaches to the healthcare website?
Mr. Gregg. Yes, sir. I do believe it is very possible or it is probable at this current state of the site that that could happen.
Mr. Hall. And once one has occurred, how quickly can experts find out about the breach?
Mr. Gregg. That all depends. We have seen in previous cases with things like Gh0st RAT, GhostNet Trojan. We have seen in cases like with Google and Aurora and others, in some instances those organizations didn't know until weeks or months later.
Mr. Hall. How quickly should the American people be notified in the event of a breach?
Mr. Gregg. Immediately.
Mr. Hall. Within hours, days, weeks, or just right now?
Mr. Gregg. Right now.
Mr. Hall. That is pretty clear. Once a breach has occurred and people have been notified, what actions should people take?
Mr. Gregg. Immediately start to do things like Dr. Ponemon mentioned as far as change passwords, change IDs, especially notify and talk to your credit card companies----
Mr. Hall. Now is----
Mr. Gregg.
--look at your credit card statements, also check your credit rating and look at the credit rating organizations because many times, just like a period of about a week ago I got an email from Amazon that someone tried to open up an account under my name and I immediately called my credit card provider and found out someone had charged about $5,000 worth of merchandise under my name because someone had stolen my credit card. So you immediately need to take action for that stuff to put a stop to it if the credit card company doesn't catch it.
Mr. Hall. This is not like Target where you can check with your bank or your credit card company for even suspicious activity or something you think might be happening and that----
Mr. Gregg. That----
Mr. Hall. I think that is what you are telling me.
Mr. Gregg. Yes, sir, that is correct.
Mr. Hall. And how do you find out if--how did you find out if your Social Security number--is that the way they got to you?
Mr. Gregg. No, sir, they got a credit card number from me.
Mr. Hall. Credit card?
Mr. Gregg. Yes, credit card.
Mr. Hall. And if medical information had been compromised, what would you do about it?
Mr. Gregg. It would be very tough. With medical information or someone has intentionally obtained medical services under your name, you may not find out until you actually get the bill, or if they have sent that to another address, you may not find out until you maybe get denied for a job because they said you had a preexisting condition they didn't know of.
Mr. Hall. Well, just briefly, what are the steps involved in repairing a breach?
Mr. Gregg. It is very tough.
Mr. Hall. And should a website be shut down while these remedies are being considered?
Mr. Gregg. I would say yes, it should, and I mean it is very tough because, first, you have to contest those charges.
And if it is related to medical, as soon as you contest it under HIPAA and other laws, then you have no access to the records or information because it is not your information anymore. So it can be very difficult.
Mr. Hall. Well, my time is almost gone. I believe that all of you would agree that while no website can be 100 percent safe, every precaution needs to be taken to ensure the security of the site. Now, Mr. Chairman, there are far too many questions surrounding the launch of the healthcare website, and until these are resolved, the security of Americans' personal information is going to remain at risk. That is your understanding. Is that why we are having this hearing?
Chairman Smith. That is exactly correct, Mr. Chairman.
Mr. Hall. And I thank you for the work on this issue and I thank each of you. And thank you, Mr. Chairman, for a good hearing.
Chairman Smith. Thank you, Mr. Hall. Would you yield me the balance of your time?
Mr. Hall. I yield my balance of my time today, tomorrow, or next week or any time.
Chairman Smith. Mr. Kennedy, I would like for you to reemphasize the point you made in response to my initial question about why the government doesn't even know whether it has been hacked or not--that is HealthCare.gov. Why the government really can't say or state credibly that there had been no successful security attacks.
Mr. Kennedy. Yes, sir. So if you look at the HealthCare.gov infrastructure, it was built independently of HHS, including the Security Operations Center piece. There is contractual language on that. There is testimony from the Congress that also states that as well. So the Security Operations Center, as of November 17, had not been built or implemented, which means that they didn't have the security monitoring or detection capabilities to detect the attacks that are being mentioned here today. So to reemphasize, they don't know.
Chairman Smith. And they don't know. That is why they can say there hasn't been any.
They are not in a position to know one way or the other.
Mr. Kennedy. That is correct.
Chairman Smith. Okay. Thank you, Mr. Kennedy.
Mr. Kennedy. Yes, sir.
Chairman Smith. The gentleman from California, Mr. Takano, is recognized for his questions.
Mr. Takano. Thank you, Mr. Chairman. Mr. Krush, would you like to respond to that?
Mr. Krush. Sure, I would love to. Actually, we have been talking about all of these supposed breaches that have been going on related to HealthCare.gov. If they couldn't monitor those, how in the world do you have a number? The number would be zero if there was no capability to actually look at what kind of attacks are coming through the ether.
Mr. Takano. Okay. Thank you very much. Mr. Gregg, I would like to focus on a couple of areas of your testimony. First, you argue that the site HealthCare.gov really needs a third party working to probe the system for weaknesses; and second, you assert that medical records are at risk on HealthCare.gov and you list the kind of damage that can be done with stolen medical records. And you state previously in a post--Huffington Post post that ``however, the United States has some of the very best minds in the world when it comes to cyber security and there is no doubt that HealthCare.gov can be fixed if the right people are given the chance to test it.'' Do you still feel that way?
Mr. Gregg. Yes, sir. That is one of the reasons why I am here today----
Mr. Takano. Okay.
Mr. Gregg. --is because I believe with independent third-party assessment and the right assessment done, we can get to the bottom of this.
Mr. Takano. Okay. Well, thank you. I just want to know were you aware prior to your testimony today that MITRE, Blue Canopy, and Frontier Security were all working on third-party verification?
Mr. Gregg. MITRE, yes; the others, no.
Mr. Takano. Okay.
You were aware that MITRE was aware, so I don't understand how, you know, in your testimony you still assert that third-party work needs to be done but you had knowledge that a third-party audit was actually being conducted by MITRE?
Mr. Gregg. Yes. One, the article was written before that. It was written before that time. And two, I do not know if MITRE has finished their research or not or what the findings of those are.
Mr. Takano. Okay. But you did raise this question as if third-party verification--I was led to the impression that third-party verification wasn't being done, but in fact, you had knowledge it was being done?
Mr. Gregg. Not at the time of the article.
Mr. Takano. Okay. But in your testimony you lead us to believe that you raise it as a concern but it has----
Mr. Gregg. You quoted the article and you quoted a statement directly from the article that I said that needed to be done. At that time nothing had been done.
Mr. Takano. But it is not in your----
Mr. Gregg. Is that the question?
Mr. Takano. The testimony that you submitted for this Committee doesn't acknowledge it but yet you are telling me here you had knowledge of it that it was being done.
Mr. Gregg. I----
Mr. Takano. Your testimony leads us to believe that it was not being done.
Mr. Gregg. As of this hearing, I do have knowledge.
Mr. Takano. Okay. But your--but you----
Mr. Gregg. At the time of the article, no.
Mr. Takano. Okay. Okay. Very well. You know, Dr. Ponemon, you talk about the medical records, you know, and identity theft, and a lot of your work has shown that 95 percent of the people who commit these sort of deeds are motivated by Robin Hood motivations. Would you explain about that a little bit?
Dr. Ponemon. It is not 90 percent but it is a large percentage. I think it is 29 or 30 percent, but it is still pretty significant.
A Robin Hood crime, as we define it in the research, is where someone, for example, has a family member or friend who basically has an illness and they are not insured and basically they will kind of look the other way if you will and allow that person to use their insurance credentials so that when they show up at a hospital or clinic, they are getting better treatment than just right off the street.
Mr. Takano. Well, common sense would sort of tell me if that is sort of the big motivation, what would motivate someone to go and----
Dr. Ponemon. Sure.
Mr. Takano. --try to steal someone's identity, that expanding healthcare coverage, providing quality coverage for more and more people would reduce this--the likelihood of this sort of crime.
Dr. Ponemon. You have to understand I will be biased in that because I think we all deserve good healthcare. So if basically you had good healthcare, the value of a credential would be meaningless, right, because we all have that credential. So there is no value if you will in stealing someone's credential because everyone is going to have a credential that will give them reasonable healthcare.
Mr. Takano. So actually, if we made this healthcare website--you know, if it was very successful and more and more people got enrolled, the actual--we would reduce the risk of the misuse of medical records?
Dr. Ponemon. It could work one way or another. It is really hard to determine that. In theory, you are right. I mean you could basically say that 29 or 30 percent, the Robin Hood portion of the crime, the medical identity theft might actually be nonexistent.
Mr. Takano. So we would remove--we could possibly remove a huge motive for people to try to hack into this system if they were trying.
Dr. Ponemon. Well, yes, but remember, the value of a medical record is more than just getting the insurance. You see, that is only a very small part of it.
There is a lot of information, rich information, and you--we have done studies and the Russian Federation, other parts of the world, and if you had a look at the most valuable piece of information right now on an individual basis, it would be a medical record. And in fact, just yesterday in Fox News, business news, they did an article on the value of different types of information, and medical information in the black market is much, much more valuable than, say, credit or debit card information or authentication data. Mr. Takano. Okay. Well, thank you very much, Dr. Ponemon. Dr. Ponemon. And thank you. Mr. Takano. Thank you. Chairman Smith. Thank you, Mr. Takano. The gentleman from Indiana, Mr. Bucshon, is recognized for his questions. Mr. Bucshon. Well, thank you all for being here. It is a fascinating hearing. We had a previous hearing, which was also very fascinating. And we were four for four no one would get on the website last time, but we are three for four this time. In my view, this is about confidence the American people have in their government and whether or not their government is doing everything they can to protect their privacy. It is not about healthcare at all. We could be talking about any other website that the federal government has. And we know the GAO came out and reported thousands of breaches across the federal government, so to argue that this website is going to be secure and that nothing is going to happen I think is a false argument because it is going to be breached. There is going to be information stolen. I think from my perspective--I was a medical doctor before. I think when you throw in the healthcare part of it, it becomes very personal for people. I understand people out there in my district are concerned about the Department of Defense being hacked, maybe a few people, but when you start talking about the potential for information that they perceive, whether it is real or whether it is perceived, is personal information. 
I think all of us in hearings like this and across government and the Administration, in both political parties, need to recognize the fact we need to do whatever we can to regain the confidence of the American people that we are protecting their personal information as best we can. Even though I do recognize the website itself doesn't have that on there, it does have portals that people that are smart can potentially access that. And this is actually one of the biggest problems in electronic medical records, that we have. My medical practice established an electronic medical record in 2005. I love electronic medical records but there are two issues. There is of course security issues and then there is compatibility issues about getting medical information across different types of electronic medical records. So, I think it is unfortunate that all of you are somewhat subjected to a national discussion about healthcare, and I appreciate all of you trying to confine your comments to the security aspects and not the larger national debate about how we provide quality affordable healthcare to all our citizens, which I think is a goal we all have and certainly as a medical doctor I have. So it really doesn't matter if HealthCare.gov is a low-propensity target by some hackers out there. In the minds of the American people when you mention their healthcare, this is the biggest target in the federal government in their minds. Whether that is real or perceived doesn't really make a difference. So Mr. Krush, the GAO came out with this report, as you know, in 2012, saying there were 22,156 data breaches, 4,000 at CMS alone. And you have a relationship with CMS so you have to recognize that we can't make the case that any website is going to be secure to try to make a political argument to prove that the way we are managing healthcare is the right way to go. I mean that is not the discussion, is it? The discussion is how do we protect information? 
You would have to agree with that, wouldn't you? Mr. Krush. I absolutely agree with that. I will just say that I agree with that and with the idea that the process that we use, you know, to secure the data on federal information systems is just very rigorous, and that is my complete argument here. Mr. Bucshon. Yes. And I would agree with that. I think when it comes to the confidence, I know we have discussed third- party people out there looking at this. And I will be honest with you. I am a Member of Congress and I have no idea whether there is a third-party person out there--and there obviously is--looking at this. So our charge is to get that to the American people, because if the American people don't know--and I can tell you as a political person trying to get a message across to 700,000 people is difficult and that is just 700,000 people. We need to do better getting the information out that there are actually people that are in government that are looking at this to preserve people's personal records. That is my view. Mr. Kennedy, how do we do that? Mr. Kennedy. Well, I think if you look at the broader picture here and not just HealthCare.gov but just in the federal space, end-to-end testing, proactive security measures, things that are definitely outlined as being best-of-breed security practices need to be performed. And I am not saying that NIST doesn't have those. It is just that they are loosely followed. And, to comply with FISMA is not necessarily a rigorous process. So what I have to say to that is, we have to focus on putting security in the very forefront, in the very beginning stages of what we hire a contractor or we go after an organization, throughout the entire process of that. HealthCare.gov is a prime example of the failures of being able to implement security in a rigorous manner or in a process that includes security throughout the entire life cycle. And if you do that, you have a better product. 
You have something that people can stand by and say, listen, we are doing our reasonable amount of assurance here and we are protecting your information, not just, kind of slapping it together and throwing it out there. Mr. Bucshon. My time is expired. I would like to say let's all of us work together to regain the confidence of the American people. Thank you. Ms. Edwards. Parliamentary inquiry---- Chairman Smith. Thank you. Ms. Edwards. --Mr. Chairman. Chairman Smith. Thank you, Dr. Bucshon. I am sorry? Ms. Edwards. Mr. Chairman, I have a parliamentary inquiry. Chairman Smith. The gentlewoman is recognized for her parliamentary inquiry. Ms. Edwards. Thank you. Mr. Chairman, isn't it true that the Committee and House rules require witnesses to submit factually correct financial disclosure forms? Chairman Smith. There are certain limitations to that, but within those limitations, I think that is the case and I think all of our witnesses have done so today. The gentleman from-- Ms. Edwards. Mr. Chairman? Chairman Smith. Yes. The gentlewoman continues to be recognized. Ms. Edwards. Mr. Chairman---- Ms. Johnson. Point of order---- Ms. Edwards. --I yield to---- Ms. Johnson. Point of order, Mr. Chairman. Chairman Smith. The gentlewoman is recognized. Ms. Johnson. I make a point of order that the witness testifying today has not complied with the House Committee's rules regarding financial disclosure. And under those circumstances, I request that the testimony be stricken from the record. I am very---- Chairman Smith. Obviously, I object to that and---- Ms. Johnson. I expected that. Chairman Smith. --I am afraid that the gentlewoman is not the one to make that determination. Ms. Johnson. I am not finished. Chairman Smith. Well, does the gentlewoman have---- Ms. Johnson. I am recognized, Mr. Chairman, and I have---- Chairman Smith. Does the gentlewoman have something to say that is pertinent to her inquiry? Ms. Johnson. --not finished my statement.
I am very concerned about the testimony we heard from Mr. Kennedy a moment ago. He testified on the record that he did not disclose government contracts in his truth-and-testimony form that he and his company have received, and our Committee Rules require---- Chairman Smith. He also said he was not---- Ms. Johnson. --a witness disclosure---- Chairman Smith. --required under the---- Ms. Johnson. --requirement to be filed out by each--filled out by each witness. On that form Mr. Kennedy answered the question saying ``not applicable.'' This means that he did not comply with the rules of our committee, and as such, I ask that he be removed---- Chairman Smith. That is not necessarily---- Ms. Johnson. --from--the testimony from the Committee---- Chairman Smith. --a legitimate---- Ms. Johnson. --until he accurately and fully discloses the federal grants and contracts that the entity he represents have received on or after October 1, 2011---- Chairman Smith. Mr. Kennedy, do you want to respond whether you were required to disclose that or not? Mr. Kennedy. Thank you, sir. The question was have I done work in the federal space prior in the past or currently. The answer to that is on behalf of TrustedSEC, we do not work in the public sector or government, which is what I disclosed in the statement there. In addition, I have worked for NASA as well as other federal government agencies in my capacity as a Chief Security Officer for a Fortune 1000 company, as well as my prior roles as a security consultant for former entities. So to answer the question there on what was submitted, I do not do work for the public sector. I am plenty busy in the private sector keeping everybody else protected. Thank you. Chairman Smith. Thank you, Mr. Kennedy. I think you have answered the question. And I would like to continue our questions. And the gentleman from Massachusetts, Mr. Kennedy, is recognized for his. Mr. Kennedy of Massachusetts. Thank you, Mr. 
Chairman, and thank you to the witnesses for being here today. I want to start out by saying I know--I think Teresa Fryer was mentioned earlier in this hearing, and I know that she is actually testifying I think at this moment or just moments ago in front of the Committee on Oversight and Government Reform. And her testimony before was referenced about--some of the--her remarks on HealthCare.gov and she just recently said today that the HealthCare.gov website is secure based on a December 18 security assessment. She stated that the system exceeds the best practices to ensure security and that the risk mitigation policies are being implemented and executed as planned. As a result, attacks have been successfully prevented. She recommends that a new ATO should be given when the current one expires just to make sure that we are all up to date on the current testimony. Now, a couple of, I think, points of clarification: Mr. Kennedy, I think one of us here supports the ACA, but I will leave that up for the gallery to decide. The--now, I noticed at the--I think in your initial testimony and the initial testimony of the witnesses, you were nodding your head when Mr. Krush said that unless you are actually able to dive into the inner workings of the website, which you have made clear that you did not hack into, you did not do anything illegal, but that you would not have any way of knowing in detail what part was vulnerable to attack unless you had done so. Is that accurate? Mr. Kennedy. We can't tell the inside of HealthCare.gov without actually testing it. That is 100 percent accurate. What we can see are symptoms of a much larger issue. And if you wouldn't mind for just--if I can read a--one of the things that I submitted from Ed Skoudis just as an example if you are okay with that, sir. Mr. Kennedy of Massachusetts. Yes, go ahead. Mr. Kennedy. Thank you. Mr. 
Skoudis said, ``I have worked on dozens of large-scale breach cases over the past 12 years looking at the root cause of vulnerabilities of attacker methods. Reviewing the security issues discovered in HealthCare.gov, I can tell you this is a breach waiting to happen. Or given the numerous vulnerabilities, perhaps a breach has already happened. These are exactly''--and he emphasized on that--``the kind of security flaws bad guys exploit on large- scale breaches.'' Mr. Kennedy of Massachusetts. So, Mr. Kennedy--and I appreciate that, but the point is--and I think we have heard it actually reiterated a number of times here--is that we don't know. You don't know. You testified before that HHS doesn't know. If HHS doesn't know, you don't know, so much of this is in fact--it is a concern but it is speculative, right? Mr. Kennedy. It is an underlying portion of HealthCare.gov, absolutely, yes. Mr. Kennedy of Massachusetts. Okay. So--now--thank you. And, Mr. Krush, do you--out of your expertise, can you just give me off the top of your head what you believe to be the biggest data breaches--recent data breaches? This is something that is fairly common. Obviously, Target and Neiman Marcus in the news today. How many--are you aware of others? Mr. Krush. Well, interestingly enough, you know, the thing--when it comes to data breaches, I think Target is a perfect example of someone that had the capability to identify a breach. The thing that is of most concern to me is that there are a lot of industry and even government organizations that don't have the capability to do that. Mr. Kennedy of Massachusetts. So, sir, Target, Neiman Marcus obviously in the news now. Do you recall Heartland Payment Systems data breach back in 2008? Does that ring a bell with you? Mr. Krush. It does. Mr. Kennedy of Massachusetts. At least from some estimates 134 million credit cards exposed. 
How about TJX Companies in 2006, 94 million credit cards exposed; Epsilon, which exposed the emails of millions of customers stored in over 108 different retail chains; RSA Security, top-notch security firm; Sony Playstation Network, over 77 million Playstation Network accounts exposed, all private sector, yes? Mr. Krush. Yes. Mr. Kennedy of Massachusetts. This is something the private sector invests billions of dollars a year in trying to protect, yes? Mr. Krush. Yes. Mr. Kennedy of Massachusetts. This is something that is very difficult and has to be on the cutting edge in order to defend against, yes? Mr. Krush. Yes. Mr. Kennedy of Massachusetts. Are you aware of how many times the House of Representatives has voted to cut funding or repeal the Affordable Care Act this Congress? Mr. Krush. I am not. Mr. Kennedy of Massachusetts. Would the number close to 50 seem accurate to you? Mr. Krush. Unfortunately, I just don't have that insight. Mr. Kennedy of Massachusetts. Okay. Mr. Krush. I can talk about risk assessment---- Mr. Kennedy of Massachusetts. Well, take my word for it. Mr. Krush. --if you like. Mr. Kennedy of Massachusetts. Take my word for it. I yield back the balance of my time. Chairman Smith. Thank you, Mr. Kennedy. The gentleman from Oklahoma, Mr. Bridenstine, is recognized for his questions. Mr. Bridenstine. Thank you, Mr. Chairman. I appreciate the time. I would like to start by asking our witnesses a question. Are you familiar with Tony Trenkle? He was the Chief Information Officer for the Centers for Medicare and Medicaid Services. And his job was to oversee the development of HealthCare.gov and his job was to,--as--you know, the last thing before launching the website he had a security waiver he was supposed to sign. Do you guys remember any of this by chance? And he didn't sign it. He refused to sign it and he resigned.
His boss, Marilyn Tavenner, CMS Administrator, who is not a Chief Information Officer, who arguably would not be qualified to sign off on a security waiver, she signed it. He didn't. He is qualified. She did, she is not qualified. She is an appointee of the President of the United States. Interestingly, her boss, Secretary of Health and Human Services Kathleen Sebelius, testified before Congress that she had no idea that a security waiver was supposed to be signed, that it didn't get signed, and that her subordinate, another Barack Obama appointee, signed it. She didn't know. It would seem to me you have a qualified person not signing it and then having to resign, and the Administration was not clear about why that person had to resign, namely Tony Trenkle. In fact, they didn't answer the question why. But it would appear--and this gives me concern--that people are making decisions for political reasons, not in the best interest of security of our citizens. And so some of you on this panel are CEOs, I think three of you. And then, one leads a research institution. Just a quick yes-or-no answer, in your institutions if this was going on, would you guys have an issue with it? Would somebody in your organization be fired? We will start with you, Mr. Kennedy, and just go down the row. Mr. Kennedy. Coming from being a Chief Security Officer for a Fortune 1000 company, I would say the answer to that would be yes. That would raise a major concern for me. Mr. Krush. I would just talk to the point that the authorizing official, if it was the CSO and he or she was the one authorized to sign for the system, you know, this is actually one of the breakdowns in the risk management framework right now. You have what is called--you usually have the CIO or the director that are in charge of maybe a program, an organization, and they are directed as the authorizing official. 
I would say if we are going to look at one of the weaknesses in the process government-wide is that that Chief Information Security Officer should be where the buck stops always. Right now, there is---- Mr. Bridenstine. So you are acknowledging that he should have signed it if it was secure, and his refusal is a big breach of trust here with the American people? Mr. Krush. I acknowledge that under the current process---- Mr. Bridenstine. And then he was forced to resign, arguably. Mr. Krush. The current process allows for the authorizing official to be whoever is directly in charge of the entire information system. So, that being said, I think that that is a weakness in the process. Right now, it should be the Chief Information Security Officer where it stops. They are supposed to know the system, the security capabilities, and they are supposed to be the ones that should be responsible, but that is not the process that we are currently using in the government. Mr. Bridenstine. Well, it was the process that was supposed to be used until he refused and then resigned. Going down the line? Mr. Gregg. I would also say yes and I would add to that that, as we talked about earlier, with external third parties looking at this, that is just a piece of it, them looking at it. The other part is those items are actually implemented and they are signed off on. Dr. Ponemon. It is my turn, I suppose. Yes, it is a big ethical issue in my opinion. I think the key variable is that the security of our country and the citizens of our country should be more than a political issue. Mr. Bridenstine. Agreed. Dr. Ponemon. But I don't think the solution is to have local CSOs, people who are middle-level management. It should be a major, major function of the government to have a CSO for the entire United States and then---- Mr. Bridenstine. I am going to bring back my time. I only have 30 more seconds but I appreciate your answer and you can submit it for the record. Dr. Ponemon.
Absolutely. Mr. Bridenstine. But I would like to just say that I am not going to put this in for the record, Mr. Chairman, because I don't want it to create any issues on the other side of the aisle, but this comes from an article from CBS News dated November 6, 2013. So people watching at home have access to it. It is on the internet. It has all been disclosed. And I would like to say, finally, in my last five seconds this is exactly why the American people have lost trust in their government. This is exactly why the American people have lost trust in their government. Mr. Chairman, I yield back. Chairman Smith. Thank you, Mr. Bridenstine. The gentleman from Illinois, Mr. Hultgren, is recognized for his questions. Mr. Hultgren. Thank you, Mr. Chairman. Thank you all for being here. This is such an important topic and something I am certainly hearing from my constituent as I travel around my District of great concern and wanting answers and so I appreciate you being here. I have got a couple of different questions. I am going to address the first one to Mr. Krush if I could. According to your written testimony, you say that based on what you have read publicly thus far, ``HealthCare.gov is most likely categorized as a moderate system referring to the National Institute of Standards and Technology or NIST's security levels of low, moderate, and high.'' I wonder, is that an appropriate categorization for this kind of personal data that we are talking about here being available and accessible through the HealthCare.gov website, including people's medical files? Mr. Krush. So usually we reserve high for, you know, grave danger to national security, to the confidentiality, integrity, and availability could, you know--for most of the high systems. So usually to me when something is categorized with that, it is usually life or death. 
And since HealthCare.gov is not that, it--there are some areas where, depending on the organization, there is something called organizationally defined parameters. That allows the organization to say if they process, store, transmit, manage, or review privacy data, it allows them to make the recommendation to go to high. But from what I have read thus far about the site, because of the interactions with the other websites, meaning the handing off through the controlled APIs and the way that it deals with interconnections, it still would be moderate. If one of those interconnections are high, then they--then what they have to do is actually--they do--well, we are going to do this anyway. They have to develop what is called an ISA, an Interconnection Security Agreement. And what that requires both sides to do is agree on the cyber security rules, including on how quickly they report any instance related to those. Mr. Hultgren. Let me jump in here real quick. I would say again for my constituents this is of high concern to them and I think for us as well. And I would agree with my colleagues of how important this is in people's lives. And, boy, talking about medical care, it sounds like life and death to me oftentimes is making sure that our medical records are protected. I am going to jump to Mr. Gregg. Is there any evidence that HealthCare.gov meets NIST's data security standards and who should certify that HealthCare.gov complies with the Federal Information Security Management Act? Mr. Gregg. I have not seen that evidence as far as whether or not they have been certified so I cannot say on that. Mr. Hultgren. Okay. Let me open this up to any others. Mr. Kennedy, Dr. Ponemon, let me open this up to you all, any thoughts you might have. National Institute of Standards and Technology, NIST again, provides agencies with the guidance they need to develop and launch networks and websites that are fully and properly secure. 
Should NIST's role be expanded or increased with any new authority and responsibility specifically in regards to HealthCare.gov? Would NIST be best qualified to verify and certify how well agencies meet their security standards' compliance? And in today's case, should NIST review HealthCare.gov? Start with Mr. Kennedy. Mr. Kennedy. I would agree with that. I think if you look at not just technology-specific areas. You have the CDC, the Centers for Disease Control and Prevention, which is really about getting information to the American people about diseases, things like that. The same oversight needs to be there and the expanse of NIST needs to be there for more of a governance structure over our security practices inside the government. Again, NIST is more of a guidance role right now to adhere to. I think the expansion on this is really to bring more security integration throughout the whole government, the whole federal government, to really build best practices in. Right now, it is kind of intermittent not whether they do it or not. So I agree that, yes. Mr. Hultgren. Okay. Any other comments or thoughts? Mr. Krush. They currently write the guidelines, the NIST-- National Institute of Standards and Technology special publications and also they write different guidance on different types of technologies. I think just understanding systems from a risk perspective, if you have one organization that is in charge of the information security for every single government organization, it is--you will never come to the same risk decision. The problem lies in the fact that somebody at HHS is going to know about HHS systems and the security and the requirements better than someone, you know, in an office somewhere up at NIST. Mr. Hultgren. I think that my fear is accountability, too. Sometimes I see it in bureaucracies, there is a desire to protect, hey, if we have a breach, don't let anybody know. I want to make sure that doesn't happen. Mr.
Gregg, do you have any thoughts on this? Mr. Gregg. No, but I would agree many times this stuff is covered up and it is not released immediately. We even see with Target that we are getting some information, but yet to see the full picture. Mr. Hultgren. Okay. Dr. Ponemon, real quick, what are some of the serious consequences that consumers face in the wake of medical identity theft? Are there financial consequences in addition to medical consequences? Dr. Ponemon. Yes, and our research we find that a fairly large percentage of our sample suffered some financial consequences, and sometimes it is just staggering. It could be thousands or tens of thousands of dollars. Keep in mind that the people who are at risk are not necessarily wealthy people, people who are low income. And so on a proportional level it could be their total yearly income just basically the costs associated with cleaning up your medical record. Mr. Hultgren. Doctor, you are right, and I think that is my fear is those who are most vulnerable are right on the edge---- Dr. Ponemon. Absolutely. Mr. Hultgren. --something happens there, they don't have anything to fall back on. People with significant resources do. Thank you again for being here. Chairman, I appreciate the opportunity and I yield back. Chairman Smith. Thank you, Mr. Hultgren. The gentleman from Texas, Mr. Weber, is recognized for his questions. Mr. Weber. Thank you. Mr.--is it Krush or Krush? I have heard it both ways. Mr. Krush. It is Krush but in the Army I used to say Krush. Mr. Weber. It is Krush, okay. All right. Well, just call you for dinner is the main thing, right? Mr. Krush, you said, I think, that you were lucky enough to have worked for the HHS or was it the CMS? Mr. Krush. So I was fortunate enough to work early on on the central office at HHS. Mr. Weber. Okay. Mr. Krush. I have also provided training actually related to the risk management framework and we develop online training for CMS. Mr. Weber. 
I want to draw attention to the word luck. You said you were lucky but then later you said you had contracts totaling around $10 million? $1 million? $10 million? Mr. Krush. $1 million. Mr. Weber. $1 million. Okay. Mr. Krush. But I would say when I was talking about luck, I was actually talking about the individuals that are at the central office are probably some of the most talented cyber security people I have met. And that is just the truth. I have worked with them when they were contractors and now they are-- -- Mr. Weber. Okay. And then you said I am working for the CMS--and I wrote it down--you weren't ``best of friends'' with---- Mr. Krush. That is correct, with CMS. Mr. Weber. --was the words you used. Mr. Krush. We actually had a recent protest with them. Mr. Weber. Okay. Mr. Weber. But you had government contracts so you might not have been best of friends, but you weren't enemies, right? Mr. Krush. Absolutely not. Mr. Weber. Yes, you weren't enemies. It wasn't maybe a marriage, but at that dollar rate, you might be interested in a long-term relationship? What do you think? Mr. Krush. At those dollar amounts---- Mr. Weber. Yes, sir. Mr. Krush. --a long-term relationship? If it was a little bit more probably. Mr. Weber. Okay. I see. You are going to play hard to get. So were you hired on experience and good performance? Mr. Krush. Absolutely. Mr. Weber. Okay. So you think performance is important? Mr. Krush. Absolutely. Mr. Weber. So would you say that the performance in rolling out HealthCare.gov was sterling or problematic? Mr. Krush. It was problematic. Mr. Weber. Very problematic. Can you understand how some Americans would question the ability of the company that put together HealthCare.gov? Mr. Krush. I can. Mr. Weber. Sure, makes sense. So it is no surprise to you that their credibility has been called into question. Mr. Krush. Um-hum. Mr. Weber. Do you fault us for doing our due diligence to try to protect the American public? Mr. Krush. I do not. 
Mr. Weber. So you think it is a good thing what we are doing here?

Mr. Krush. I think that every time--unfortunately, we are as a nation fairly reactive, just like, you know, industry. We wait until something big happens before we talk about it. You know, cyber security----

Mr. Weber. That is a yes or no. It is a good thing we are doing here because I am running out of time.

Mr. Krush. Oh, absolutely it is a good thing--

Mr. Weber. Yes, good. Well, I am glad----

Mr. Krush. --to talk about it.

Mr. Weber. Good. I am glad to hear you say that. Mr. Kennedy, you also think it is a good thing?

Mr. Kennedy. Absolutely I do.

Mr. Weber. How about--Mr. Gregg?

Mr. Gregg. Yes, I do.

Mr. Weber. Doctor?

Dr. Ponemon. Yes, I do.

Mr. Weber. Okay. Well, I am glad to hear that we are finally doing something that is advantageous. You know, that is kind of rare for Congress. Mr. Krush, on February the 19th, 2013, you tweeted ``don't just worry about China breaking into systems.'' And then you went on Fox News and talked about it. Do you recall that?

Mr. Krush. I don't remember that tweet but, yes, I am very--actually, I don't tweet that much at all but I did go on Fox News related to the APT, correct.

Mr. Weber. Yes, I know. You don't do a lot of tweeting. I looked at them.

Mr. Krush. Yes.

Mr. Weber. When you tweeted out ``don't just worry about China breaking into systems,'' what did you mean by that?

Mr. Krush. Actually, I think, sir, that was probably--when I was tweeting, I just reposted a news article and that was probably just the title.

Mr. Weber. But you recognize that we have a lot of cyber security attacks hitting our government, like a million a year.

Mr. Krush. Oh, absolutely. I have helped to develop many security operation centers in the government and industry, and there are organizations constantly knocking at our door and trying to knock it down.

Mr. Weber. But China would only attack those military websites. They would never go for HealthCare.gov, would they?

Mr. Krush. Interestingly enough, most organizations, you know, state-sponsored organizations--and I put this in my testimony--they are always looking for jump points, .gov, .mil, period.

Mr. Weber. So the people in China that are attacking us, is their level of proficiency low, medium, high?

Mr. Krush. Very high.

Mr. Weber. So we are well advised to warn the American people that they are going to have information on HealthCare.gov that may be spread across the globe?

Mr. Krush. You are well advised to warn everybody in the federal government and even in industry that cyber security and privacy absolutely needs to be one of your top priorities.

Mr. Weber. Okay. Well, I appreciate you understanding that. Mr. Chairman, I yield back.

Chairman Smith. Thank you, Mr. Weber. The gentleman from New York, Mr. Collins, is recognized for his questions.

Mr. Collins. Thank you, Mr. Chairman. And I find that it has been about two months since our last meeting. Mr. Kennedy, welcome back. As one of the last witnesses, I tend to see that there are times people will try to defend the indefensible, and the best way to defend the indefensible is to confuse the issue and muck it up and raise other things. I have heard and seen some of that today. So I would like to come back here at the end and remind everyone that all four witnesses last time, including the Democrat witness, testified absolutely the website was not secure on October 1. They testified that absolutely the website was not secure on November 19. We couldn't get agreement as to whether we should shut it down immediately or not, but the testimony indicated that October 1 was a date certain set by the Obama Administration to launch HealthCare.gov irrespective of whether it was ready, and I think the American public know it was not ready. So I think it brings into question if it was a date certain, it wasn't let's launch the website when it is ready. Let's launch it when it will do the job and handle the traffic. Let's launch it when it was secure. No. It was let's launch it on October 1 because we promised it would be October 1 whether it is ready, whether it is secure, doesn't matter. Launch it. And we did. And the American public in watching this hearing can see for themselves that that was the overriding concern, certainly not security. So now, here we are today, and yes, we have a different witness, but I guess I would ask our witness, Mr. Krush, whether you think the website was ready to be launched on October 1 or not? That is a yes or no.

Mr. Krush. That is a no.

Mr. Collins. And do you think it was secure then on October 1?

Mr. Krush. So if you have read my testimony and my previous testimony, you will see that I said the process was followed and a risk-based decision was made. That is why it is called risk management framework and not the no-risk process.

Mr. Collins. So I guess what I come back to here is that there are those today that tried to say this was a politicized hearing and so forth, which I don't think it is. I think we are just back to talking to the American public who are being told that, to sign up, they must share this delicate information, including Social Security numbers. I think the fact that Target or Neiman Marcus happened to have had their issues doesn't defend this. Two wrongs don't make a right by any stretch of the imagination. But I am trying to point out and remind folks this website was launched on October 1 for only one reason: political reasons. It was not ready. The Administration knew it was not ready. If it is not ready, it is not secure. It wasn't secure. We know it wasn't secure. Now, we are being told today to trust the Administration and, Mr. Krush, to trust some of your judgment. Something happened in the last week or two or month. It is now secure. Well, I guess I am not quite ready to accept that just because you say it is so. That doesn't necessarily make it so. So, I am just trying to bring us back to where we were October 1, where we were on November 19, where we are today. And certainly, I am confident three of our witnesses today, Mr. Kennedy, do you think it is secure today?

Mr. Kennedy. Absolutely not.

Mr. Collins. Mr. Gregg?

Mr. Gregg. No, I do not. And usually when sites are rolled out, they are rolled out in a beta first----

Mr. Collins. Right.

Mr. Gregg. --very small group, and then to a large group.

Mr. Collins. Mr. Ponemon, do you believe it is secure today?

Dr. Ponemon. You know, it is hard to tell. I am not--these people are the experts, but they simply--based on what I am hearing, again as a citizen of this country, I am concerned. I am not happy with what I am hearing here today.

Mr. Collins. Okay. And, Mr. Krush, I will let you answer that as well, please.

Mr. Krush. I think my testimony and everything I have been saying here is none of us worked on HealthCare.gov, so speculating that it is either secure or not is just not something I am willing to say.

Mr. Collins. So you would say today you would not state affirmatively to the American public that it is secure?

Mr. Krush. Based on the information that I have read, a risk-based decision was made. There was a mitigation strategy that was very clear. They are doing weekly scans. They are doing daily scans. They are doing mitigation and remediation.

Mr. Collins. Okay. I was kind of hoping for a yes or no.

Mr. Krush. I would say that is pretty secure.

Mr. Collins. So you are stating, yes, it is secure?

Mr. Krush. I am stating based on the information I have right now I would say it is secure.

Mr. Collins. Okay. Well, we can have that difference of opinion and I guess I will leave it at that for the American public to make their own decisions. Mr. Chairman, I yield back.

Chairman Smith. Thank you, Mr. Collins. The gentlewoman from Illinois, Ms. Kelly, is recognized for her questions.

Ms. Kelly. Thank you, Mr. Chair. Mr. Krush, unlike some of the other witnesses, you have extensive experience working on federal government websites from the inside developing countermeasures against potential attacks and ensuring that websites are as secure as possible. Is it true that what might appear like a security vulnerability or even a successful exploit from the outside does not actually always result in a security threat?

Mr. Krush. That is correct, Ms. Kelly. Actually, we like to set up things called honey pots meaning that we will set up--we want to know what the attackers are actually doing to our websites and our systems, so we set up ports, protocols, and services that may not have anything to do with the website to kind of find out who is coming in, what they are doing, and so that we can then build countermeasures internally to deal with those type of things.

Ms. Kelly. I have also been told that a site security team will leave the appearance of a weakness in place so that hackers will waste their time. There are other times, as I understand it, seeming weaknesses are purposely put in place and what IT professionals--like you just said, honey pots, where a genuine hack or even a white hacker gets caught trying to penetrate a system. And you just said that that was true. Do you imagine with HealthCare.gov that is--honey pots are in place or----

Mr. Krush. So, Ms. Kelly, because I didn't set up the honey pot, I can't speculate on that either, but it is a very normal practice and best practice in the government to set up honey pots so that we can understand what our adversaries or external organizations are trying to gain access to and what type of things they are actually doing to our websites.

Ms. Kelly. Okay. And lastly, the HealthCare.gov website uses remote authentication to help verify that the users are who they claim they are in order to help cut down on medical fraud. These sorts of security practices can sometimes make websites clunky and the user interface problematic.
Can you address this issue for us? Is it possible that these sorts of kinks and glitches experienced on HealthCare.gov were due to its enhanced security measures by any chance?

Mr. Krush. The great thing about security is if it is done right, it won't work. No, I am joking. So a lot of times when we lock down systems in the federal government, if we followed every single security control that is put forward for us, we would turn that box or that system into a completely unusable, you know, locked-down box meaning I couldn't log into it as an administrator but neither could you. So what we do is we look at the controls from a security engineering perspective and decide what are the best, you know, security controls to implement and how that is going to affect our operational user base. And so to answer your question that is a possibility but I didn't actually do the identity management system so, once again, I can't really talk to that fact.

Ms. Kelly. Thank you so much. I yield the rest of my time.

Chairman Smith. Okay. Thank you, Ms. Kelly. I don't see any other Members here to ask questions so this concludes our hearing today. Thank you all again for your contributions to the subject at hand. We heard a lot of good testimony and we will continue to be in touch. We stand adjourned.

[Whereupon, at 11:12 a.m., the Committee was adjourned.]

Appendix I
----------

Answers to Post-Hearing Questions

Responses by Mr. David Kennedy
[GRAPHIC] [TIFF OMITTED]

Responses by Mr. Waylon Krush
[GRAPHIC] [TIFF OMITTED]

Responses by Mr. Michael Gregg
[GRAPHIC] [TIFF OMITTED]

Responses by Dr. Lawrence Ponemon
[GRAPHIC] [TIFF OMITTED]