Transcripts For CSPAN2 Key Capitol Hill Hearings 20140117

>> Even under the currently contrived arrangements. Not as a satellite, but nonetheless, the EU should encourage whatever additional arrangements are feasible. And we should be exploring ways, if there are any, by which the WTO could help to expose economic intimidation which is not in keeping with its rules, and communicate its sense of concern to the party responsible for generating it. Perhaps there could be some steps taken to facilitate preferential access for Ukrainians seeking to study and work in Europe. Fourth, we should keep in mind that the longer-run issue is what will Russia become, as China increases its influence in the former Soviet Central Asia. We should keep reminding the Russian people and their leaders that we respect Russia's European identity and culture, and that Russia's true destiny is also to be a major European state in a larger democratic West. We should make it clear that we seek neither Russia's isolation nor fragmentation, but Russia's evolution towards a genuine democracy. One way or another, that day will come. Putin stands in the way today with this nostalgic dream of a new empire called the Eurasian Union. But the fact is that such a prospect is not realistic. None of the would-be members of the Eurasian Union truly desire to limit their sovereignty, to cede it to Russia, to participate in the creation of a new union which evokes memories of the recently disappeared union, not to mention the older still Russian empire. In brief, and I will conclude on this, we need to construct an open-ended, long-term policy for Ukraine as well as a long-term option for Russia that may follow. Thank you, Mr. Chairman.

>> Thank you very much, Dr. Brzezinski, for those insights. I think you alluded to this in your book; you suggest that Russia cannot be a democracy if it's an empire, it cannot be fully and in part if it lacks control of the Ukraine.
Is that what you think is driving Moscow's behavior towards Ukraine now?

>> Yes, I think the leadership feels convinced that without Ukraine the re-creation of some form of supranational union, call it simply an empire, is impossible. This is why it's such a strategic stake for Putin. What he underestimates, however, in my view, are the consequences of 20 years of independence. These consequences we saw so dramatically and so admirably where that younger generation of Ukrainians who have grown up in an independent state stood up and said no matter how cold or hot, difficult or how dangerous, we stand for independence because we treasure our independence. What is less visible but is also true, is that that kind of sentiment pervades increasingly, I believe, such significant entities as Kazakhstan and Uzbekistan, but also many other smaller former Soviet states. To put it simply in very human terms, who doesn't prefer to be a president of his own country or a general in his own army or a foreign minister in his own government, or an ambassador in Washington representing his sovereignty rather than to be officials of an entity in which they are subordinate? This is a normal human reaction. Nationalism is a deeply contagious social force. And once awakened it is almost impossible to sweep it back into the box. What we are now seeing in Ukraine is a long-delayed awakening that was coming. One could see it during the 20th century. One could see it during the days when there was the starving to death of millions of Ukrainians by deliberate decisions in Moscow. But now it's a pervasive reality, and particularly among the younger Ukrainians. They feel themselves to be Ukrainians. And this is why Putin betrays such a historical ignorance when he says, as he did just a few weeks ago, that Ukraine and Russia are just but one nation. And, of course, Russians are the older brother in the nation, according to him.
>> The flip side of that, and I share your views, but the flip side of that so we understand the totality, the importance of this, is that could we ever see or perceive a democratization of Russia if it would be able to achieve their goals of having Ukraine join with them in this sphere?

>> Well, I have no doubt that if the Ukraine is subordinated, it marks a turning point and Russia becomes in effect an empire. My own personal view is, that first of all I don't think that's going to happen in total, even if there's a progression today. Secondly, and, obviously, this is speculative and it is a question of judgment, my gut feeling is that Putin's nostalgia for the past, which drives this aspiration for a supranational union, is simply divorced from political and social economic realities. Russia today is no longer an ideologically motivated entity, mindlessly seeking imperial status the way the Nazis did in order to compensate for their defeat in the First World War. It is no longer driven by an ideology which demands supranationality as the basis for superpower status. There is a nationalist element in Russia to which he is appealing that is retrogressive. But there's also a new manifestation in Russia which is gradually becoming in my view more significant. The emergence of an increasingly internationally connected, internationally educated in many cases, middle class, particularly in major cities in Russia, Moscow, St. Petersburg, others. A middle class which increasingly identifies itself with more common Western values, including democracy, freedom of travel, freedom to read what one wishes, freedom to say what one desires, and freedom eventually to express one's political preferences. That is a new reality. And it is becoming stronger. So my gut feeling, and I've been a student of Soviet and Russian affairs now almost all of my life, is that this quest for a supranational union is directly linked to the longevity of the president of Russia.
And if he fades from the scene for one reason or another, politically or physically, I think there's going to be an accelerated turn towards a redefinition of Russia's place in the world, for two reasons. One, which I've already mentioned, an impulse of the middle class that sees itself part of the West and is increasingly educated in the West, in addition to traveling to it. And secondly, the extraordinarily significant rise in the power and significance of China, and particularly now increasingly so in Central Asia. The Russians are building columba her bike along her new roads spanning the former Russian Central Asia, roads, railroads, investments, increasingly matching and outstripping the Russians. Investments in the real estate and the natural resources of these newly independent states. These states are ambivalent because -- they are so huge and powerful. But at the same time they know that they create leverage, which gives them room for self-assertion. I know the presidents of the two most important Central Asian countries, Kazakhstan, extraordinarily rich in natural resources, and Uzbekistan, the center of Islamic self-awareness that's mixed with nationalism. Neither of these two leaders wants to be a satellite. In fact, for that reason, he is very carefully maneuvering between China and Russia, proposed to Putin, and Putin was smart enough to accept it, that Putin's original name of the Eurasian Union be changed to Eurasian Economic Union. Which was an attempt, of course, to limit what the union really means. In other words, don't limit our sovereignty. Now, of course, if you have economic domination, the other one may be adversely affected. But my point simply is this. There is some support for arrangements for a customs union and so forth because this can be beneficial in two ways.
But there is above all else in the newly independent states, including Belarus, which doesn't have a notably good democratic record, there is a commitment in all of them, there was self-independence.

>> Senator Corker?

>> Thank you, Mr. Chairman. Doctor, it was impressive to listen to you, to get your insights on issues that are happening throughout the world, and certainly in this part of the world you are quite an expert, so I thank you for your comments. I know you listed a number of things, steps that should be taken to reinforce the Ukrainian people, and you've talked about the values that they share with the West, the values that middle-income people in Russia share with the West. And just a natural alliance that should be there. Many of us have watched the administration since August, and watched as we deal with Russia in ways that we do, and understand that the Russian people in many ways should be oriented towards us and that there are issues of commonality that we should be pursuing. At the same time as we watch what's happening, we also -- it seems a deference to Russia in so many cases, and almost beginning with Syria, you know, stepping into their arms. I know you were just talking about how we need to fertilize and we need to, you know, encourage the Ukrainian people to continue to move ahead. We hope there are going to be free elections. I know the standard there is for opponents to be arrested and not be available for election, which makes it more difficult. But what would be your guidance to U.S. outward comments and policy relative to Ukraine right now and pushback? And what effect does that actually have, if you will, on the Ukrainian people and an outcome there?

>> I think we should learn from the experience of Poland's emancipation from Soviet control in the late 1980s, early 1990s. What emerged in Poland was a national movement for independence.
Somewhat like the mike dunn -- with a dramatic leader who may not have been the most senior leader originally and perhaps not always the most intelligent leader but the most effective political leader. And it was under his leadership that eventually that movement forced the ruling regime to negotiate, to negotiate an arrangement of accommodation which then was transformed into eventually a democracy, a Western-type democracy of Poland today in the EU and in NATO. Ukraine needs a clear-cut national narrative. I know there are a number of outstanding Ukrainian leaders who participated in what has been transplanting, and some with great personal courage and sacrifice. But the biggest sacrifice that needs to be made is that all of them but one have to agree on one that will be increasingly the symbol or alternative. Because you are dealing with an entrenched regime which can use force and bribery to stay in power and has Russia's support. You need to have a figure who articulates your aspirations, symbolizes you and becomes a focus of global attention. The second part of your question pertained to what you described as our deference to the Russians. I would take some exception to the word deference. I don't think we have really deferred to them. I know what I'm about to say is controversial but, frankly, I think that Russia's interference in Syria, to some extent, made it easier for us to avoid sliding into direct participation in a war which would've been very damaging to our interests and probably would have spread more widely and more quickly than was the case. That's a question of judgment and we may disagree on that. But I think in any case what it illustrates is something more basic than that. Our relationship with Russia during the Cold War was one of hostility. It was a non-zero-sum game. We win, they lose. They win, we lose. Today, in many parts of the world the relationship is much more mixed.
We don't like what they're doing in Ukraine, but in the long run I would like them to become like Ukraine and pursue the same path. There are many things they're doing elsewhere that we don't like, but we need them and we do need them in the Middle East. In fact, I think the chances of stabilizing the Middle East, including in the forthcoming conference, are greater even in the process we have with us not only the Europeans, some of whom are very disliked in the Middle East as former colonial powers, we also have with us the Russians who in some cases are not so disliked. And the Chinese who are increasingly being an influence in the Middle East and they have a growing stake in a stable Middle East. That kind of a coalition I think gives us a greater opportunity to pursue arrangements that mitigate and minimize the danger of conflict starting out, and certainly reduces the necessity of us being involved in these conflicts directly. Because the fact remains if we become involved directly, some people may applaud us, some people may rub their hands with glee that we are getting stuck, but none of them are going to help us. I don't think the United States is in any position now to duplicate the wars in Iraq or Afghanistan with a direct military engagement in the Middle East. So we do need some recommendations even with the Russians on some issues just as we disagree with them on other issues.

>> You know, I appreciate your point of view, but as it relates to Ukraine, which was just outward economic extortion, obviously that's not something that we in any way condone regardless of the complexities of any situation and, therefore, and yet we really didn't speak to that. I think some of the reasons is because of the elements that you just alluded to. I understand that relationships are complex and there are many other things that are occurring in regards to how you do those.
I understand they come into this, but when it comes to an issue like Ukraine where there's no question it was black and white extortion, what should the U.S. do in those cases, because it appears to me that we did not do much, if you will. And --

>> I tend to agree with you on that aspect. This is what I mentioned in my testimony, that we should take a hard look at WTO rules. There are some countries in the WTO that have behaved in that fashion. We should look at the rules and see what is not acceptable in terms of formal behavior of WTO members who benefit from the fact that such organizations contribute to more fluid trade flows and greater access, and we could have opportunities for limited boycotts, limited bans and so forth. I agree with you it's not either black or white. You can have different combinations, but we have to have a sense of balance about it. I don't look in favor, at the same time, of reigniting the Cold War, for example, with Russia, of the kind we had with the Soviet Union. In part because we do need Russia in some other parts of the world. I also know today in Moscow you can read criticisms of the government. You can read newspapers that blast official policies. You can watch skits on television that ridicule the rulers and so forth. We are dealing with a more complicated Russia today than the Soviet Union of the past.

>> Well, thank you. Appreciate your service to our country and your continued involvement in helping us think through these complex issues. Thank you.

>> Senator Murphy.

>> Thank you, Mr. Chairman. Welcome, Dr. Brzezinski. For all his faults, and five is a pretty savvy politician. He seems -- Yanukovych is a pretty savvy politician. He seems to be under the impression he can somehow manage a short-term transition to economic aid in Russia with an eventual long-term association with the EU. And he seems to be under the belief that he can manage that transition without severe repercussions from Russia.
Keeps them happy for her to time, maybe they won't notice if he eventually enters into a roadmap to join Europe. When we were there I tried to translate the phrase "rip the band-aid off," which apparently does not translate very well in the Ukraine. My point was at some point my impression is that you will have to deliver a very tough message to the Russians that you are going to join the EU and you'll have to potentially, as long as Putin is there, accept some of the very bad economic behavior that Senator Corker talks about, coming along with it unless we can stop it, as the United States and Europe together. Do you think he is right that there is a way, without our intervention, for the Ukraine to make the turn to Europe in an overt way without raising the ire of Russia in a way that will do great damage to the economy? Or perhaps you think that Senator Corker is right, that maybe with some intervention with the United States you might be able to help manage that situation?

>> We should try and resort should try, should certainly encourage the Ukrainians to try themselves because ultimately it is not an issue which can be resolved by compulsion or pressure entirely from the outside. We can influence events but we cannot really dictate them. My guess is, and I emphasize the word guess, is that Yanukovych in his gut feels that if he moves towards the West and part of it is also free elections, that he will lose. That's part of the difficulty. Now, it's not easy, or maybe not even productive, to speculate publicly about how to manage that. But I will just draw you an analogy again to Poland because it's relevant. I mentioned the polling can use the movement that produced a popular leader that eventually sat down with a communist regime which knew it was losing because the Soviet Union was disintegrating. They knew they had to somehow accommodate the new reality, and contrived elections which were free. And Solidarity won.
And then Solidarity agreed to the erstwhile dictator in one went bowling with some approval -- in Poland with some approval, the first president. In other words, what the Ukraine has to have is a viable source of political influence but also political dialogue, and some degree of elasticity in dealing with Yanukovych to see that it's possible. But it may not be possible. It may not be possible. He may be too careful. Look how stupidly rigid he is on the case. He could have solved it just like that. Without giving too much fanfare, simply expelling her, not necessarily even just sending her to Germany for medical treatment but simply saying I'm getting rid of her. So she would be outside the country. Part of the problem would be solved, or perhaps the West would demand she should be permitted to return and campaign, but that would be a bit of a stretch. But he didn't have the guts or the imagination to do that. So he is, I think, a little bit frozen in his anxiety that he might lose. But I think it's worth a try because a lot of it depends on the maturity and flexibility, organizational skill and charismatic appeal of the opposition, including its willingness to play the game depending how it unfolds.

>> What speed is one more sense. Putin's money is going to run out. So this is a lousy economy. It's an economy from which funds are fleeing to the West. The new middle class is enriching itself but look where it is depositing its money. There could be a crisis in terms of what Putin can do for Yanukovych. He has to be careful not to use force on the Ukrainians. If he uses force on the Ukrainians, he will discover very quickly he has bitten off more than he can chew. These are tough people. They are not going to give up their independence.

>> I wanted to ask you about the opposition.
I know you won't necessarily want to comment on individual political leaders in the Ukraine, but it struck me when you're there, there's a huge portrait, and yet when you're actually talking to individuals there, there's not a lot of talk of individual political leaders. They are there for a variety of reasons, most of which, as was mentioned earlier, are not connected to an individual political party, and there seems to be a disconnect between what those who were there in the left want and what the political opposition is able to deliver. And the worry is if we are really counting on political change in 2015 to ultimately deliver on a potential ultimate salvation of the Ukraine, folks out there may have expectations that the political opposition ultimately can't make good on. Regardless of who ends up being the standard bearer, how does the political opposition capitalize on a fairly non-political sentiment so that they are captured?

>> First of all, by trying to create a broader national dialogue. It may be the prime minister, may not want to talk to them. But there are a lot of other people in Kiev who are not committed to the regime nor are entirely against it who can talk to them. I can give you, but I won't give it to you now publicly, some names who I'm sure would engage in discussion with the opposition, in part because they are uneasy about the way things are shaping up. They resent the fact that this territory is not theirs exclusively but Moscow has prioritized in what they claim to be their exclusive area. They know that greater opportunities shine in the West. They may be interested in alternative deals. A map access and sources. They may be able to contrive, I'm talking literally from the top of my head right now, some arrangement whereby the election is delayed for a while, but with an understanding of the process in the meantime takes root and leads to a transition, which is exactly what happened in Poland.
They elected a president from the regime who lasted one year. And yet he went peacefully in the end. There are many ways you can skin the cat, but the political leadership in Ukraine has to be manifested and mature, but also symbolic. I'm not going to mention names but they can't all be running for president. One of them has to be and have to make the cat collection will will be most effective. Don't forget, this movement is driven by the passions of the younger people who relish the fact that they are independent. That's a whole new psychological reality. The leader has to be in a sense somewhere other in tune with the mood, has to symbolize it most effectively. If that manifests itself and creates a new ballgame, okay, they can perhaps arrest him, Yanukovych can be under pressure from Putin. But it might not work. And don't forget, Russia is changing, too. I'm not sure that everybody in Russia is crazy about trying to create some sort of a union in which there's going to be internally more opposition and China in the meantime gains influence.

>> Dr. Brzezinski, thank you very much for very insightful views and getting a sense of the entire field, as I like to call it. I grew up sitting in the cheap seats, but it gave you a view of the entire field. And it gave you a sense of what impact is in front of you in terms of choices to be made. So I think you've done this for the committee extraordinarily well. There is a reason that I called this hearing as the second hearing of this new session of the Congress, after South Sudan. Because I believe in the importance of the Ukraine, in the urgency of protecting civil society that Senator Murphy saw himself when he was there, and in the possibilities of what a sovereign Ukraine, free, I should say, from economic coercion, can ultimately achieve. And I think it is in the national interests of the United States, as well as the Ukrainian people, to be able to try to achieve those goals. So we thank you for your testimony.
This will not be -- we'll be continuing to monitor the events in the Ukraine with both the full committee and with our distinguished colleagues. This record will remain open to the close of -- to the close of business tomorrow, and with that, this hearing is adjourned.

[inaudible conversations]

>> Up next, a House Science and Technology Committee investigates cybersecurity concerns with the healthcare.gov website. Secretary of State John Kerry is meeting with his counterparts from Canada and Mexico to discuss revisions to the North American Free Trade Agreement. He will talk with reporters after the meeting and we will have live coverage here on C-SPAN2. President Obama will announce changes to government surveillance programs and data collection. The president is expected to focus on steps to increase oversight and transparency. We will have live coverage from the Justice Department at 11 a.m. Eastern on C-SPAN. In the afternoon, also on C-SPAN, we will get reaction to the president's speech and proposed changes to federal surveillance programs. A former CIA analyst and a British defense official will be at the Brookings Institution. Live coverage begins at 2 p.m. Eastern. Next, cybersecurity and I.T. officials testified about whether people's personal information is secure at the healthcare.gov website. This House Science and Technology Committee hearing is chaired by Congressman Lamar Smith.

>> The Committee on Science, Space and Technology will come to order. Welcome to today's hearing entitled "Healthcare.gov: Consequences of Stolen Identity." I recognize myself for an opening statement and then the ranking member. When the Obama administration launched healthcare.gov, Americans were led to believe that the website was safe and secure. As the Science, Space, and Technology Committee learned at our hearing in November, this was not the case. We heard troubling testimony from online security experts who highlighted the many vulnerabilities of the Obamacare website.
These flaws pose significant risks to Americans' privacy and the security of their personal information. One witness, Mr. David Kennedy, who has been re-invited for today's hearing, testified that there are clear indicators that even basic security was not built into the healthcare.gov website. In addition, all four experts testified that the website is not secure and should not have been launched. Mr. Kennedy will update the committee on the security of the website since November 30, 2013, which was the administration's self-imposed deadline for when it would be fixed. Since the November hearing, other events have emerged that prompted the need for today's hearing. In December, a former senior security expert at the Centers for Medicare and Medicaid Services stated that she recommended against launching the healthcare.gov website on October 1st because of high-risk security concerns. A letter addressed to the committee from Mr. Kennedy and independently signed by seven other security researchers who reviewed his analysis of vulnerabilities presents some very troubling information. To paraphrase one of the experts, Mr. Kevin Mitnick, who was once the world's most wanted hacker, breaking into healthcare.gov and potentially gaining access to the information stored in these databases would be a hacker's dream. According to Mr. Mitnick, a breach may result in massive identity theft never seen before. Without objection, Mr. Kennedy's letter will be made a part of the record. Further, a recent report by the credit bureau and consumer data tracking service Experian forecasts an increase in data breaches in 2014, particularly in the healthcare industry. Specifically, the report states, the healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.
Add to that the healthcare insurance exchanges, which are slated to add seven million people into the healthcare system, and it becomes clear that the industry, from local physicians to large hospital networks, provides an expanded attack surface for breaches. Experian provides the identity verification component of the health insurance marketplace enrollment process. Despite increased accessibility to healthcare.gov, concerns continue to grow about the security of personal information. The work of this committee will help Congress make decisions about what actions may be necessary to further inform and safeguard the American people. We are here today to discuss whether the Americans who have signed up for health plans have put their personal information at risk. If Americans' information is not secure, then the theft of their identities is inevitable and dangerous. That concludes my opening statement. The gentleman from Texas is recognized.

>> Thank you very much, Mr. Chairman. Since we held our November 19 hearing highlighting security issues at healthcare.gov, up to 110 million people have had their debit card or credit card information compromised or hacked up Target's for records. But Target was not alone in being successfully hacked. The Washington Post, Facebook, Gmail, LinkedIn, Twitter, YouTube, Yahoo!, JPMorgan Chase, Snapchat, and my friends at Dallas-based Neiman Marcus stores have announced security breaches. However, do you know one system that has not been successfully hacked since the last hearing? Healthcare.gov. Also since the last hearing the Center for Medicare and Medicaid Services, CMS, contractors have been working around the clock to improve the performance and security of healthcare.gov. There have been numerous fixes to the website that improve the site's responsiveness, compared to its first 60 days. Millions of Americans have been able to access the site and obtain medical coverage.
During that entire time, top security contractors, including Blue Canopy, Frontier Security, have been working to test the system and identify weaknesses that need to be addressed. The chief information security officer has also been running weekly penetration tests to support security mitigation for CMS. Further, CMS says that none of the majority witnesses' concerns voiced in the November hearing have turned into any actual breach of security. The last hearing did not see a single witness with any information about the security of the pictures of healthcare.gov. Nor with intent to maintain the integrity of the website. Today is the same kind of hearing. As smart and as experienced as these witnesses are, not one of them has actual knowledge of the security structure at healthcare.gov. The best that they can do is speculate about vulnerabilities. I think it would be good for members to remember that. I am concerned that the intention in this hearing appears to be to scare Americans away from the healthcare.gov site. This appears to present a continuation of a cynical campaign to make the Affordable Care Act fail through lack of participation. While we're holding this hearing, both the House Oversight and Government Reform Committee and Energy and Commerce Committee are holding similar events. All with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis. It is my hope that all of our witnesses can agree that it is important to make healthcare.gov work for the American people, to give all of our citizens access to affordable health care. I do not want to believe that any of the witnesses testifying today want the site to be hacked or shut down. Or even see the program fail. Or see Americans go without health care insurance. This country faces a lot of real issues and real policy talent.
If we are truly interested in hacking and identity theft, we should have representatives of the largest retail ended stations in the country are -- in the country here. Instead it appears that the majority has allowed the committee to become political messaging to agree. Hanky. I hope the committee hearing will be the last on this topic, absent some actual allegations of wrongdoing, and so we can focus on the oversight issues facing the country and this committee. Mr. Chairman, before I yield I would also like to comment on the letter you want to put in the record. I was hoping after reading it that you would have some testimony or give the people opportunity other than a 24-hour showing of this letter. But you don't have to take my word on this. Mr. Kennedy's own document reads this report is for public use; the report is not a scientist has one and -- he did not give us testimony in time when late yesterday afternoon he presented his report out of the blue. And I'm guessing your counsel told him to make it a letter because we routinely accept outside letters from groups and experts all the time with minimal notice. So the -- addressed to you and me. However, I cannot remember another time when a witness for the committee also felt they had to write us a letter. I think it is an elaborate way to try to get testimony before the committee in violation of the 48-hour rule. And the substance of the report includes what amounts to testimony from experts who are not appearing before us. It is against the practice of the committee to accept testimony from people who are not personally available to answer our questions. The one thing I do know is that none of the individuals who signed these statements in the packet have worked on healthcare.gov or the security protocol behind the website. In other words, they know no more about the actual security of the site than does Mr. Kennedy.
in deference to the chairman i will withdraw my exception -- objection -- but i will point out that this report includes language which i consider bold and beneath the dignity of the committee. that alone should be reason to keep it out. even if the chairman is comfortable with the way our rules are being stretched, if you insist i will withdraw, but i want the record to reflect that we have gone beyond acceptable behavior of this committee. thank you. >> i would recognize myself to respond. all committees including this one have a long-standing practice of affording members the courtesy of entering items that they believe are relevant to the topic at hand into the record. i'm sure the ranking member knows this. members on both sides generally approach the development of the record in the spirit of bipartisanship and comity. i am disappointed that the gentleman from texas would now seek to question a letter i asked be placed in the record. we frequently place items in the record that express the opinion of their groups or make statements regarding an issue at the request of members on both sides of the aisle. often those who have written those letters are not testifying before the committee and have not been asked to do so. yet their opinions are still made part of the record. one such example is a 54 page submission that was requested to be placed in the record at a hearing last august. this document, which was not even addressed to the committee but instead to the administrator of epa, was entered into the record without comment. it includes a letter from six different indian tribes signed by eight different people, none of whom testified before this committee. it includes a letter from the lawyer who represented the tribes. he also did not testify before the committee, yet we made his letter a part of the record. 
finally, it includes another letter to the administrator of epa that purports to be from 15 different national organizations, 17 international organizations, 75 alaska organizations and numerous other organizations from other states. none of these organizations testified before this committee. i have placed mr. kennedy's letter in the record today. he is testifying shortly and members have the option to question him on his comments. >> mr. chairman? >> i'm still in the middle of my statement. i regret the ranking member has questioned the long-standing prerogative of a member to enter a relevant document into the record, especially when members on her side of the aisle have done so many times without objection from the majority. i hope this is not indicative of her desire to make this committee's business more partisan. that concludes my statement and i will now introduce the witnesses. >> mr. chairman? >> i'm going to introduce the witnesses. >> mr. chairman, i object to the entry of the letter into the record. >> the letter has already been entered into the record. the objection is not timely. >> then i would ask for a vote on whether we enter the letter into the record. >> that is no longer a proper motion because it is not timely. >> i think it deeply politicizes the hearing. >> i'm sorry for the ranking member's comments. the cost of your own that it is the first witness. mr. david kennedy is ceo of trustedsec. he is considered a leader in the security field. he has spoken at conferences worldwide. prior to moving to the private sector, mr. kennedy worked for the national security agency and the niceties bring in cyber warfare and forensics analysis. mr. kennedy received his bachelor's degree from the university of our second witness, mr. waylon krush is a cofounder and ceo of lunarline. he is also a founding member of the warrior to cyberwar program, a free six-month cybersecurity camp for returning veterans. a veteran of the u.s. 
army, mr. krush is a recipient of the military a working with highest honors in the field of intelligence. he holds a bachelor's degree in computer information science from university of maryland university college. he's also a certified information systems security professional, certification and accreditation professional, and certified information systems auditor. he has more than 3000 hours of training at the national cryptologic school. our third witness, mr. michael gregg, is ceo of superior solutions inc., an i.t. security consulting firm. mr. gregg's organization performs security assessments and penetration testing for fortune 1000 firms. he's published over one dozen books on i.t. security and is a well known security trainer and speaker. mr. gregg is regularly cited in print publications as a cybersecurity expert and serves as an expert commentator on network broadcast outlets such as fox, cbs, nbc, abc, and cnbc. mr. gregg holds two associate degrees, a bachelor's degree and a master's degree. our final witness, dr. lawrence ponemon, is the chairman and founder of the ponemon institute, a research think tank dedicated to advancing privacy, data protection and information security practices. dr. ponemon is considered a pioneer in privacy auditing and is named as one of the most influential people for security. dr. ponemon consults with leading multinational organizations on global privacy management programs. he has extensive knowledge of regulatory frameworks and cybersecurity including financial services, health care, pharmaceutical, telecom and internet. dr. ponemon earned his master's degree from harvard and ph.d. at union college in schenectady, new york. he also attended the doctoral program at carnegie mellon university. we welcome you all and look forward to your expert testimony. mr. kennedy, will you lead us off? >> thank you, mr. chairman. good morning to everybody in the house science and technology committee, to the honorable mr. smith as well as ranking member, ms. 
johnson, but it's great to see you folks again as well as all of the other ranking members here today. i appreciate your time to hear us discuss the issues with the healthcare.gov security concerns as well as the consequences around the stolen identities. what i want to start off with is, to me this is not a political issue. i take no political party stance. i have no particular. for me personally this is a security issue. working in the security industry for over 14 years as well as spending a number of years in iraq and afghanistan, my testimony today is to talk about the issues with security, and that's it. when i talk about the issues we see today it's based on expertise from working in the industry doing assessments on a regular basis, being a chief security officer for a number of years as well as running my own company. i'm not alone. i mentioned the document that was released yesterday with seven independent security researchers that are well known, including a number of folks that have worked for the chinese government, trained with the chinese government as well as worked closely with the united states. today is not to talk about political party problems but also to discuss just security issues alone. i'd like to give thanks to kevin mitnick, chris gates, eric smith, kevin johnson for providing their testimony, or their comments on the issues we see today. we are pretty unified in our approach. everybody that i shared with, i put under nondisclosure agreements and worked with them, and the consistent feedback we got was that healthcare.gov is not secure today. nothing has changed since the november 19 testimony. it's even worse. additional security researchers have come into play providing additional research, additional findings that we can tell that the website is not getting any better. since the november 19 testimony, there's only been one half of a vulnerability that we discovered that has been addressed or close to being mitigated. 
basically they get a lucrative work on and it's still vulnerable today. i want to add a disclaimer: in no way, shape, or form do we perform any hacking on the website. that's a misnomer. we look at the site from a health perspective, not attacking the reform, not sending data to the cyber, really looking at the health of the site. another analogy, same expertise was being investigated industry, it wasn't anywhere near doing anything security related and i was the person that was a mechanic. 14 years of being a mechanic, if a car drove past me that was leaking oil, the engine was making sounds, basically a lot of problems, the doors are open, windows are open and everything else, as a mechanic i could probably say the engine probably has some issues. same thing with technology and web applications. web applications are no different than a car with an engine problem. there's a lot of pieces that make the car work, that make a website work. from our testimony here today as well as what we discovered in the previous past there's a number of issues that are still there today with the website. to put it in perspective i would like to put for the record there weren't 70-110 million cards taken from target. that's not accurate. there were 70-110 million personal pieces of information taken about individual people that shop at target. there were 40 million credit cards taken, so the issue with target isn't specifically around credit cards. personal -- the information can be debited. i.t. architect you are not liable as a consumer. what you can't fix is your personal identity. look at target for example, that includes addresses, e-mail addresses, phone, e-mails. that doesn't include social setting of his. just admit independent security person get targeted yesterday. this is the click the link get hacked the computer and took full control of the. 
the personal information about social security numbers, first name, last name, home of record, those are all a recipe for disaster when it comes to what we see from personal information being stolen. it's not just that. as an attacker, if i have access to the united states infrastructure, it has integration through the irs, dhs, third party providers as well for credit checks. i have access to those agencies inevitably in and klier online profile, immediate and all online presence. this isn't just healthcare.gov alone. i'm not trying to single out tonight a little bit i'm focusing on a much larger issue which is security in the federal government alone is added that state. we need to work together to fix it and work on more changes. thank you. >> thank you, mr. kennedy. mr. krush. >> chairman smith, ranking member johnson, and members of the committee, thank you for this opportunity to testify on the important topic of cybersecurity. i am waylon krush, founder and ceo of lunarline, one of the fastest-growing cybersecurity companies. also i'm the founder of the cyber warrior program, as stated earlier. i've been asked to speak on cybersecurity as it relates to healthcare.gov and just listening to music in the eye has some very simple points i want to make right away. first of all, none of us here built healthcare.gov. if we are not actively doing, not a path to vote early, but an active assessment and doing penetrations and running that exploitable code on healthcare.gov, we can only speculate whether or not those will work. so anything that's been said thus far, if we're talking about any type of site, just identifying a vulnerability and not actually working on the site, no nanoparticles work in the background, what -- how each one is on lockdown, nobody here at this table can tell you that they know there is a vulnerability. 
another thing i would like to talk about today is, in the federal government, something different we have is something called the risk management framework. this committee has helped develop that and i will tell you that it is one of the most rigorous processes as relates to cybersecurity and privacy in the entire world. when i say the entire world, most security standards are just a subset of the risk management framework. it's one of this area some security into a perspective that has been taken to build other security standards or basically copy, cut and paste to create new security standards. this is a six step process but it includes categorization, selection, implementation, validation, authorization and most importantly continuous monitoring of all of the controls. just looking at it you might think there's about 360 controls, 853 provisions, but when you dig deeper there's several thousand information controls that federal information systems must undergo, including they must be continuously tested. another point i would like to make is that if anybody here is actually going out to these websites, and i'm not talking about hacking, but if we extract addresses configured in anything outside the bounds of what's allowed in the federal government, you're basically breaking the law. you can't just go out and say i found a vulnerability and then exploit it to try to get media attention or anything like that, but if you do that you are breaking the law. it's pretty simple. last but not least, healthcare.gov is one of many hundreds or thousands of federal information systems out there and websites. and you know, i've worked in the threat area. i can tell you my background is not only a soldier that was on the u.s. 
army information operations raid team complete teams, information security monitoring team, protocol analysis, signals analysis and including working in critical infrastructure protection for a few years, all across the world. if you go out and tell someone, and this is just the truth, when we're out actively taking down websites, i can sit all day and speculate about a vulnerability. but until i've actually exploited the vulnerability, there's no way to tell whether the attack will actually work. there's a lot more going on in the background that everybody needs to understand. another note, and last but not least, about healthcare.gov that everyone needs to understand, is that with all of the media attention it is only giving you think the most high payoff target in the federal government. you would think that healthcare.gov is something that everybody would want to go after. that is truly not; that is media spin if anything. healthcare.gov is one of many websites with personal information in it. it's connected to other systems, but to think it is in a connected record all the systems and that leaves them vulnerable also shows kind of a lack of knowledge of the backend system capability, meaning those connections are very secure and they're authorized on both sides. i've been lucky enough to work with cms and hhs on cybersecurity configuration. out of everybody here at least at this table i probably have the most hands-on knowledge, but i can't come here and just speculate about what is actually vulnerable in the system and what is not. the truth is, once on the threat side, as we've seen in the eu you can probably tell that healthcare.gov is not the one getting attacked. most cybercriminals, especially those with advanced capabilities, they go where the money is, right? they will go after the target, and median market, then go after the places that contain lots of data related to intellectual property. because it just makes sense, right? if the u.s. 
government spends billions on our research and development, and we don't protect it, and some other country takes that, you just saved them billions of dollars. thank you. >> thank you, mr. krush. mr. gregg. >> thank you, chairman smith, and thank you, ranking member johnson, members of the committee for having me here today. my name is michael gregg. i'm going to break down my speech, my presentation, into three parts. first, how healthcare.gov could potentially be hacked. why healthcare.gov needs independent review by third parties. and also what would be the result of this, what could be the potential impact. my concern is that healthcare.gov is a major target potentially for hackers looking to steal not only personal identities but also information that could be used to steal their identity. although i understand healthcare.gov does not store the information, it passes that information back and forth between third parties, government and other organizations. there are many different ways that that site could be hacked. there are some prominent ones, these are the same ones listed by prominent websites, could be things like cross site scripting, injection, could be buffer overflow. there are many different ways this could be done. while that sounds foreign to many of you, the fact is these are known attacks that are used against known sites every day, from target to neiman marcus to google, to many others. some of the things that concern me, in the past we've seen the 834 data, data that is passed on the backend to the insurance companies. we've seen and we've heard reports of this information being corrupted and not being correct when it is being received. that indicates at some point the data is not being handled correctly. all input data, all process data, all output data has to be correct. if not, there is some type of problem meaning that it is not being properly parsed. 
that same type of situation could lead to an attacker putting in some type of data and misusing that in some way or launching an attack.

Transcripts For FBC Varney Company 20140117

in china. 200 more expensive than they are here. let's multiply that by 1.14 million. and president obama addressing the nsa scandal, saying he's going to overhaul the whole program. what exactly does that mean? hold on tight, here we come. "varney & company." ♪ [ male announcer ] this man has an accomplished research and analytical group at his disposal. ♪ but even more impressive is how he puts it to work for his clients. ♪ morning. morning. thanks for meeting so early. oh, it's not a big deal at all. come on in. [ male announcer ] it's how edward jones makes sense of investing. ♪ there's nothing like being your own boss! and my customers are really liking your flat rate shipping. fedex one rate. really makes my life easier. maybe a promotion is in order. good news. i got a new title. and a raise? management couldn't make that happen. [ male announcer ] introducing fedex one rate. simple, flat rate shipping with the reliability of fedex. >> we've got big obamacare headlines to deal with. we know just over 2 million americans have signed up for the plan. but how many who have signed up have paid for a plan? according to the centers for medicare and medicaid who testified before congress yesterday, no one knows. listen to this. >> the most important number as has been reported by many news outlets is whether individuals have paid. does the administration collect this information? i'm just asking, do you collect this information? >> right now we're not, but we will be. >> so we don't know at this point how many people have actually paid for coverage? >> that's right. charles: one of the reasons why we're still unclear how many people have actually paid, well, you see, that part of the website is still not functioning properly. and we're starting to see more and more democrats distance themselves from the president over this disastrous obamacare rollout. 
the latest is democratic congressman from arizona ann kirkpatrick teaming up with the democrat supercommittee and releasing an ad to distance herself from obamacare. check this out. >> ann kirkpatrick listens and learns and why she blew the whistle on the disastrous health care website calling it stunning ineptitude. charles: that's a stunning ad and security experts are telling congress, exchange website, all are not safe from hacking attack. and we're going to get the latest from a hacker who testified before congress yesterday. right now the futures higher? well, they're kind of mixed. yesterday was a down day in the market. listen, we're at a pivotal point earlier in the year and we need to finish higher. is this rally going to go higher or a major pullback? we're looking for signals of a correction. we'll kick it off with the opening bell next. ♪ [ bell ringing, applause ] five tech stocks with more than a 10%... change in after-market trading. ♪ all the tech stocks with a market cap... of at least 50 billion... are up on the day. 12 low-volume stocks... breaking into 52-week highs. six upcoming earnings plays... that recently gapped up. [ male announcer ] now the world is your trading floor. get real-time market scanning wherever you are with the mobile trader app. from td ameritrade. over the pizza place on chestnut street the modest first floor bedroom in tallinn, estonia and the southbound bus barreling down i-95. ♪ this magic moment it is the story of where every great idea begins. and of those who believed they had the power to do more. dell is honored to be part of some of the world's great stories. that began much the same way ours did in a little dorm room -- 2713. ♪ this magic moment ♪ is your tv powered by coal? natural gas? nuclear? or renewables like solar... and wind? let's find out. this is where america's electricity comes from. a diversity of energy sources helps ensure the electricity we need is reliable. take the energy quiz. energy lives here. 
♪ you, my brown-eyed girl >> we're not sure if it's a breakthrough, but this new contact lens that manages diabetes is further proof that google is the new conglomerate of the 21st century. more on that throughout the show this morning. let's head to chicago. tres knippa, this has been a rocky start to the year. today we might be actually down for the year. are we consolidating or is this the beginning of the long-awaited correction? >> it's pretty hard to talk about a correction when you're this close to the highs. it's a little unconvincing right now. i'm going to wait. granted, some of the earnings stumbles that you've seen i guess give me a little bit of cause for concern. i don't think what's driving this market is earnings. if you want to see a correction, check out the action in the japanese stock market or the nikkei. you want to see a market that's corrected, there it is and the reason that's important is that we should be learning. isn't this whole idea here, if you increase monetary policy, that's what they're doing, they're doubling the money supply in two years and everything will be okay and growth will follow and guess what? they just made a new record for a current account deficit. whoops, something is wrong with that model. we need to learn from it. charles: a lot of things this week we need to learn from. sharp decline in some of the stocks, a yellow if not a red flag. thank you. and steve forbes and sandra smith are here for the whole hour. steve, i'll begin with you. to me i feel like it's been 835 days since we've had, say, a 10% correction. it feels like this is as vulnerable as the market has been. >> if you had a double nasdaq up 38%, a pause that refreshes, i don't mind. i think barring a foreign policy crisis, which is a very real possibility this year, this market should do just fine. the fact is-- >> where do the policy crises come from? 
it feels like that -- we've got some issues and hot spots, where could we get a black swan event in foreign policy? >> it's not a black swan, it's in the middle east. israel, hezbollah as never before. israel has to make a decision soon what if anything to do about iran and the shiite civil war going on over there. bad stuff. so you can get a real blowup there. charles: sandra, you're more in line with tres knippa in the sense that fed policy, a shift in fed policy, makes the market more vulnerable than in the past couple of years. >> we didn't see the selling until the fed said taper. i think that the stock market rally is closely tied to the fed's policies and at the end of the day, goldman sachs is asking, are stocks too expensive after rallying 30% in 2013? however, i'm going to point back to history. anytime we've had a stock market rally like we had in 2013, the next year typically saw another rally, a small rally, but typically did have an up year and i always consider history. charles: so do i. we also have to say that the common sense aspect we all know, you can't just go straight up forever. you have to have a hiccup or two. >> and the fact that people are so cautious i think is a bullish sign. charles: i'm a contrarian as well. what we call an economic indicator, ups said the large surge in holiday shopping squeezed its bottom line. nicole, where are the shares this morning? >> they weren't able to deliver some packages on time. they're cutting their guidance for 2013. the stock is down 3.1%, 97.37. as you noted the holiday season sort of took them by surprise. of course, they set records with the amount of packages they did set. it was a shortened holiday season, six days fewer between thanksgiving and christmas, and the last minute on-line surge of shopping really took them by surprise. charles: yeah, well, it's reflected in the stock. hold on there, nicole. right now i want to go to the market watcher tom layfield, who joins us from bermuda. let's start with best buy. 
a huge drop yesterday. what does this mean for best buy? a lot of investors thinking maybe it's oversold. >> it could be. best buy is a good company. they've had a problem with the turnaround, a slow december sales which a lot of people did. you look at companies like j.c. penney, like sears, which are probably not good comparisons to best buy. best buy is a much better company. and retail is a hard business and they've fallen behind the curve. charles: and brick and mortar is a harder business? >> people are going to brick and mortar, you feel it, touch it and end up ordering on amazon. people are using these like show rooms. and you used to use the sears catalog to order, but they order on-line if they're getting the best deal. charles: let's talk about on-line and move to yahoo!. second in command gets fired and overnight the editor in chief quits. john, i know you're a fan of marissa mayer, it feels like it's on her reputation and alibaba and nothing she's actually done. and now another exec out and it's not necessarily a good sign. >> it may be a house cleaning. we don't know what's happened with the editor in chief. i think that marissa mayer has done a good job. it's up 130% since she took over yahoo!. i would not buy yahoo! right now, but i still think she has a chance of turning around what most people never have a chance of turning around and that's a dinosaur that was headed to the tar pit. getting katie couric to come on-line. i don't know a woman past-- not a woman, any person past what the internet age is is going to draw a lot of viewers to the internet. i like what she's done and the fact they're going to on-line content. charles: they say we're an on-line content company, not a search company anymore. last but not least, twitter. it's teaming up with amazon with an on-line payment company and using products directly from the twitter feed. does this change the dynamic and make the stock a buy for you? >> absolutely not. i like twitter, like the company. 
the ceo did a wonderful job, but it's trading at a ridiculous multiple to revenue. 40 times the revenue or whatever it is right now. that to me, i just can't justify that. i love what twitter is doing. nielsen ratings are a terrible antiquated system. they're becoming the player in live media and a player in the payment system. this is an awesome company, i think a game changer, i just don't like the valuation here. charles: take a look at the google stock. they've got a device that could change the lives of 20 million people, that's just in the united states, that suffer from diabetes. it's a microchip in a contact lens that detects blood sugar levels. john, do you think this could be a game-changer for google? >> not a game changer, but you have to do so much to move the needle when you have as much revenue as google has. diabetes is the biggest problem the united states has as far as health. it's huge what they're getting into and the fact that google is using their money to become the private version of skunkworks. when you have a company like apple and the only thing they can do with money is give it back to shareholders, it shows the management is not very creative. google management is creative. charles: i love that point and investors love to see companies put money to work. the buybacks and other. i'm jealous because you're from bermuda, but it's 50 degrees here and not as jealous. the wall street forecast reveals that 57% of economists do not support extending jobless benefits and do not raise the minimum wage either. steve forbes, this is a central issue in the mid term elections and even the presidential elections. economists aren't necessarily known for being passionate. they're just numbers guys. so does this translate to the real world? 
>> i think what republicans, they should have known this was coming, the white house signaled this several months ago, they're going to wage a fight on the minimum wage and equate it with prosperity and republicans need to make the point most of those go to teenagers, part-time workers and the like and it's going to hurt the very people that need it the most, those who get it starting out. this thing is a job killer. 85% of the research comes to that conclusion and they've got to fight it on this is a job killer, we want job creation and come up with our own-- >> sandra, to steve's point, less than 3% of people make minimum wage, but the way they've framed it not to have a livable wage that people try to feed kids on this and that's a heartless problem. >> that's not the point to be able to live on minimum wage. this would be a jobs killer for a college student or anybody who needs a part-time job or a full-time job that makes minimum wage. businesses have already spoken out on this, not willing to hire in an environment where they're willing to hike minimum wage. economists are the numbers guys, we're looking at this, we can't afford the jobless benefits to extend, and when it comes to the minimum wage, this is not the environment you raise minimum wage. >> although the democrats think it might be the central issue for winning votes, a lot of times, two different things. go back to nicole, two stocks are hitting highs, first, american express. >> right, both hit highs, let's start with american express, 3.7%, upgraded over at susquehanna, 107 target. $104 target and obviously came out with numbers that topped wall street's estimates. >> i think you've got another name for us, too, hitting a high for us today. >> morgan stanley looking good. 3% today. a new high, 32.95. had a fall in quarterly profits and legal bills, but the earnings did beat the estimates and that's $33 right now. and a new high for american express and new high for morgan stanley. thanks a lot. 
nicole, john layfield. are you with us? quickly, 30 seconds, oil services, the drillers, you happen to like those, which are you buying now? >> sea drill based out of bermuda. and 9% yield. one of the youngest. and ensco, and i own both of these and mixing privatizing and opening up the energy sector i think is going to be here quite a while in a bull market. charles: you're playing the idea that we've got to drill for more oil around the world and these guys are sort of a picks and shovels kind of thing? >> absolutely, yeah, i'm playing on a couple of themes and one of the main themes is people are going to start drilling for oil everywhere, you look at the renaissance in north america. the privatization in mexico is really a big deal and i think these are two great ways to play it. charles: i hope mexico's new president lives up to the pre-election hype. a little waffly here. and we're up 10 points all over this morning, and we're just about flat or even for the year, it's been a volatile year and we're just two weeks into it. exchange.com. you want to talk about volatile. far from secure, tens of thousands of people's personal data vulnerable to hackers and it appears the administration is doing so little to stop them. more from this man after the break. >> healthcare.gov is a major target potentially for hackers looking to steal not only personal identities used to steal their identity. my dad has atrial fibrillation, or afib. he has the most common kind... ...it's not caused by a heart valve problem. dad, it says your afib puts you at 5 times greater risk of a stroke. that's why i take my warfarin every day. but it looks like maybe we should ask your doctor about pradaxa. in a clinical trial, pradaxa® (dabigatran etexilate mesylate)... ...was proven superior to warfarin at reducing the risk of stroke. and unlike warfarin, with no regular blood tests or dietary restrictions. hey thanks for calling my doctor. sure. pradaxa is not for people with artificial heart valves. 
>> think of an organization like microsoft. microsoft spent 30 years trying to secure their operating system, so to think that you could stand something up this quickly and secure overnight, well, that's very hard or almost impossible to believe.

charles: so, essentially what we're talking about is a problem that was created in the very beginning, there was a rush to get this thing out and a lot of protocol wasn't used, the vetting system wasn't correct. we had to have it at a certain time and driven maybe by some sort of ego or public relations, rather than actually doing it the right way. having said that, a lot of people say the only way to really fix this thing is to scrap it, completely scrap it, start from scratch.
is that the right alternative here?

>> well, that's one approach, but the other approach is that at bare minimum, let's bring in some independent outsiders, totally independent. let's let them look at the site and see what kind of problems they find and put some type of mitigation in place to try to fix those problems, at least to start with, and see how bad this really is. you know, normally when we do assessments, we try to do this in such a way as where we look at it the same way the attacker would and see what the attacker would find. at least to begin with, let's do it that way. facebook and others do this, they bring in individuals and they also welcome input from outsiders as far as to help with problems. we need to do that, also, with healthcare.gov.

>> do you think that the department of health and human services is up to it in the sense that they're against the law from congress requiring them to state publicly if there have been security breaches. target had to do it, that's the law, but they're fighting that law. have they even got the mentality to do this thing?

>> i don't know. that's one of the reasons why we need to bring in outsiders to look at this, and the other real issue that you're bringing up is the fact that the actual number of attacks or probes against this site that they've reported are actually quite low. one of them was like 16, i believe the other one was in the 30's. that's a very, very, very low number. normally in sites we look at, we see anywhere from hundreds to potentially thousands of hits a day.

>> so you think there's a coverup here?

>> i don't know if there's a coverup-- yeah, i don't know if there's a coverup. it may actually be that they're not detecting the stuff and not picking it up to begin with so they don't actually see it's there, or the attacks are actually there and they, you know, are covering this stuff up. it's got to be one of the two.

charles: michael gregg, coverup, ineptitude, whatever it is, we're all vulnerable.
thank you for your expertise.

>> thank you.

charles: steve forbes on reinventing america, the next industrial revolution here at home and he's going to kick it off in chicago. talk about odd bedfellows, it's a big topic next.

>> great day for apple, they start selling iphones in china. and it can be yours for only $874. disappointing profits at capital one financial and down she goes. there is the stock coming up soon. down almost 5%. and we've got steve forbes with us and he and chicago mayor rahm emanuel announced the reinauguration of the chicago summit. they'll bring in entrepreneurs, academics, elected officials, all in one pot together. what's the goal with all of this, steve?

>> to brainstorm and discuss and to move ahead, true reindustrialization of america. you mentioned earlier, the energy revolution we're having in this country, cheap energy, a lot of firms that went overseas are coming back home and with the constant good supply of cheap energy you'll see it applied in ways you haven't before. chicago seemed a good place to do it, center part of the country and east coast, west coast and mid america is surging ahead.

charles: for the last three or four years i said we should have something akin to the chicago world's fair. that, a lot of people argue, kicked off the second industrial revolution and consumerism, which there's a big backlash against. are we even set up in this country to even embrace another industrial revolution?

>> the nice thing about this country, there's still enough freedom for the entrepreneurs to do it even if the rest of the country is oblivious to it. google, 15 years ago, google was a number, not the great search engine and doing everything else in the world. yes, it's going to be done and bringing people together, brainstorming, as they make things happen.
>> i was looking at the cast of characters, sam zell in the picture. a big chicago guy, a huge success story. these are a lot of great guys.

>> harold hamm, another great guy, dave cody, good things with honeywell and rahm emanuel, a mayor having to get real things done to focus on how to get things moving.

charles: steve, i'm getting a wrap signal, why aren't we in an industrial revolution, with technology and--

>> it's happening, and it's part and parcel bringing that he thinks to something underway.

>> you're always ahead of the curve. thank you for joining us. and another hour of varney, we're going to talk about the google diabetic contact lenses and some are calling it revolutionary, has the possibility of changing the lives of millions of americans, billions around the world, maybe. it's important to see how this thing develops.

>> oh, it's my contact. oh, now i've got two in one eye.

charles: well, the markets trying to scratch out the first positive week of the year, and while we have this, google getting into the medical technology business. a contact lens can help manage diabetes. jeremy kaplan loves this and dr. segal, he's here too, and we also have dr. ablow on the cancer blogger who's getting criticism for sharing her battle online. is there anything wrong with that?
and there are a lot of things wrong with obamacare, so says one lawyer who uses the term poison pill. china's going to keep buying u.s., and, well, we have ourselves to blame, monica crowley here on that. and i am so sick and tired of hearing people say the only reason the market's up is because of the fed. we've got a man who's got three stocks overbought to prove his point. hey, this is going to be a lot of fun.

charles: all right. google already dominates the internet, and they've made a move into military technology, robotics, they purchased a robotics firm, they're pioneering wearable technology with their google glass, and not to mention that they dominate the mobile phone space with the android operating system. and, oh, by the way, google is a search engine too. but now they're making inroads into medical technology, announcing a contact lens embedded with a tiny microchip that will let you monitor blood sugar levels for diabetics. jeremy kaplan says this is going to be a game changer.

>> this is a great application of technology, google doing what they do best, innovating.

charles: okay. now, there are some people in the tech world who kind of yawned at this. apparently, microsoft had the same announcement in 2011. in fact, google hired the guy at microsoft who was running the operation, saying that's really ho hum.

>> very true, but it's a great example of who is doing the innovation, because the guys in the labs came up with this concept, google says it's great, we'll pay you to keep working on it.

>> wait a second. what we're talking about is, basically, sensors in your eye in your contact lenses --

>> right.

>> -- with a chip in there and a wireless chip and sensors. i've got to say, do we really want electricity in our eye? what next, you going to try to fix cataracts with this contact lens? i'm kidding, but there is this concern about that, don't you think, having electricity so close to your eye?

>> absolutely.
it's sending the readings wirelessly somewhere, probably to your smartphone, so you've got a radio directly in your eye as well. the fda definitely needs to take a look at this, and it's years until this is going to happen.

>> can i just give you follow-up twitter feeds. one person said get out of my head, google. [laughter] and then they wrote will google next create a computer that's better than apple or ibm? the twitterverse is afire.

charles: they are using the internet to make the point. [laughter] it is, i guess it's advancement. and to your point, these old, lumbering giants, you know, it feels like whether it's the microsofts of the world, intel just had a bad earnings report, they're really losing steam to these upstarts who are willing to try almost anything to think out of the box.

>> google's got vast cash reserves, and they're throwing it at whatever happens. wearable technology in all of its forms, here it's in your eye. all of these concepts that they just keep throwing out, and some of them stick. that's how you innovate.

charles: hey, monica, you know, the privacy stuff, google so deep into our lives. they're going to know, you know, how we keep our room temperature, they're going to know so many things about us, and now this information -- yeah, right now you could detect glucose, but maybe you could detect my feelings, you know? maybe it's like a mood ring. how much do we want them to have into our lives?

>> and bill hemmer said this morning maybe you blink once, it turns the lights off, maybe you blink twice, it makes a cup of coffee.

charles: but you love it though. you have nothing to hide, so it doesn't matter to you.

>> i don't have anything to hide, all my stuff is out there. [laughter] look, i think we have to put a little bit of faith in these companies, and if they do wrong, we'll hold them to the fire.

>> yeah. but that requires a big element of trust, and literally google now is in your eye.
not only are they in your computing, business and every part of your life, now they're literally going to be in your eyeball and maybe other places where the sun don't shine. [laughter]

charles: you need help.

>> google was working with the government in terms of the nsa --

charles: right. that's the point i wanted to bring you in on, right.

>> how can you trust a company like google when they say, trust us, we're not sharing your most personal information with the government or anybody else.

>> i would argue the problem was not with google, but with the government. all the nsa spying stuff, if the government says you have to do something, you have to do it. when i talk to them --

charles: yeah. i guess another argument is just that any entity that has this much information on us, it's hard to control them.

>> by the way, what if you use visine? [laughter]

charles: that's why i think we need the next five years to get the kinks out. jeremy, thanks a lot. markets open 30 minutes, we're trying to scratch out a winning week here. it's been a rocky start to 2014. want to go to nicole with this specific stock, electronic arts. how's that working out?

>> reporter: right now it's up about 10.5%, 23.83. i have to say we were just reading a note from cowen this morning that talked positively and even alluded to the fact that the company's likely to beat their december numbers. so that's good news for electronic arts if that's to come to fruition, and we see a pop on that news.

charles: yeah. it's interesting because earlier in the week gamestop got hammered and electronic arts is up. it just shows you, video games going well, the brick and mortar version not. twitter is teaming up with an online payment company that's going to allow users to buy products directly on twitter. sounds exciting, how's the stock reacting?

>> a whole new concept for twitter. 5.3% to the upside, 63.86.
you talk about possible transactions with twitter, they're working reportedly with an e-commerce company called stripe. buy rating on the $75 target, so twitter early this year -- early this year, right? we're only on january 17th --

charles: it feels longer.

>> the beginning of january a lot of the analysts started to hit it and say it's a niche stock, and then this last week or so there's been a real turnaround, and the analysts are liking this one again.

charles: thanks a lot, nicole. want to get back to this google contact lens. nearly 26 million americans suffer from diabetes, and that's about 8.5% of the population, and it cost the country $245 billion back in 2012. we've got dr. segal with us too, fox news medical contributor. will this device change people's lives?

>> it's too early to tell, but i actually think it will. google went into the health market back in september and started a separate company, and they're trying to deal with diseases associated with aging, charles, and this is a big deal. i'll tell you why, because when we treat diabetes, we guess. in other words, we do a test in the morning, maybe if we're lucky, you get another one at night, but that's about it. you're guessing the rest of the time, and you approximate treatment. with this contact lens -- and google is talking to the fda about this -- if this contact lens measures the sugar inside your eyeball every second, we could have insulin adjusting to that the same way the body works and much better control, much less problems with diabetes, and health care costs will go down. it could be enormous.

>> sorry, charles. doc, what about having, you know, sensors in your eye and electricity in your eye, is that an issue, a concern?

>> it's not really -- great question, liz. it's not really electricity, it's --

>> it's a computer chip.

>> right, that then has an antenna and beams it to a computer somewhere.
a doctor could literally have it in their office online following somebody's sugar and adjust the amount of insulin that's delivered. i don't think there'll be any issue with shock or anything like that, it's a wireless situation. the real issue is how accurate is it going to be, but i like the idea of going to a part of the body. people don't realize this, but the eyes really give you an idea what's going on in the bloodstream without getting into the blood, so you don't have to get a finger stick, have something under your skin. it could be very, very easy to do this through a contact lens. i think they're heading in the right direction.

charles: on the one hand, doc, i've got to tell you, it feels like we've given up the preventive war. last week we had a pharmaceutical company that has this new drug because we let our livers get so fat and then we get cirrhosis of the liver. it feels like the easier we make it to live with these problems that we bring upon ourselves, the less likely it is we'll start changing our habits that are destructive.

>> i think, charles, first of all, that's a very important point, but i think we can do both at once. we're talking 380 people with diabetes right now, and the projections are in another decade it's going to be over 500 million. so -- in the world. so this isn't a huge problem. it's a huge problem in the united states. we have to do both. we have to increase our exercise, decrease our weight. but if you have diabetes, and a lot of people really are born with a tendency where it's not their fault, well, this'll be a great treatment, a great way to analyze it. so we need to do both. we shouldn't get lazier, we should get smarter, exercise more.

charles: dr. segal, have a great weekend. senator bernie sanders from vermont ripped walmart about income inequality yesterday. take a listen to what he had to say.
>> do you think the walton family, worth $100 billion, is in need of welfare from the middle class of this country, or do you think maybe we should raise the minimum wage so that those workers can earn a living wage and don't have to get medicaid or food stamps?

charles: we've got monica and liz here. liz, to you first. he's leaving a lot of stuff out there, being a little vague on the facts.

>> yeah. none of us, we're reporters and columnists. we're not talking in defense or, you know, against walmart, we're just reporting the facts. and, you're right, he is leaving out a lot here. and this is now a personal attack on the walton family that has taken off on the internet with the faces of the walton family, and that's dangerous for them. let me back up. walmart has repeatedly said and reports have indicated and journalists have reported they do have great benefits. walmart workers like to work at walmart for the benefits. the health benefits in some instances are better than health reform's own benefits. free preventive care, free vaccinations. also retirement benefits as well, education assistance too. so that is often left out in the discussion. also left out in the discussion, d.c. policies. washington policies that have created income inequality.

charles: right. monica, this is a battle cry for the midterm and presidential election, the haves versus the have nots and the greed factor of the haves, and they really despicably don't want you to have anything.

>> yeah. and this is the battle cry of the socialists. and we have seen this now in this country over the last couple of years, you saw it in the occupy wall street movement, in a lot of the rhetoric coming from president obama and other people on the far left.

charles: monica, why do you think it's going to work though? why do they think it's going to work? why is this the central element to their battle plan?

>> you know what?
when you're talking about true ideologues, they're not concerned about making policies work.

charles: votes with this?

>> well, they believe that they can get votes with it because it's a huge wedge issue. it's about driving envy.

>> right.

>> it's about pitting people against each other instead of having a unified america where it's an ambitious country. the country is built on aspiration, that you want to get into the wealthier class, and you can do it through hard work. what they do is pit people against each other. that guy is rich, you should be envious of him. you should take from him so you can have a little more.

>> deeply, profoundly cynical is what the message is coming out of bernie sanders.

charles: well, they think it's going to work. hey, i'll say it again, even when the fed does stop printing money, you can and will make some money in the markets. hey, let the market pull back. the key is you want to buy great companies and great industries. i'm going to have a debate with dan schafer, he's our favorite eternal bear, right after this.

>> gdp --

>> i deal with individual investors every day, none of them are overly enthusiastic. even people in this market, they are so afraid. it's not like disturbers of money coming in, you've got rotation out of bonds into equities, but that euphoria, i don't see it.
charles: obama set to announce some changes in the controversial nsa spying program later today. rich edson is at the white house. rich, what are we going to hear from the president today?

>> reporter: good morning, charles. what we expect from the president is much further review about these programs. he's going to kick, according to senior administration officials, much of this to congress, the intelligence committee. many of these authorities expire by march 28th, so before he reauthorizes that or seeks reauthorization from congress, he's going to rely on the intelligence community and congress for input, figure out what this system's going to look like. one of the more tangible things the president will announce though is that the nsa is going to need a judicial sign-off to access that metadata, people's phone calls. all that gets caught up in the nsa system right now. government officials need a court to sign off before they access it, but much of this going forward is going to be up to input from the intelligence committee and congress. there will be more details when the president speaks, scheduled for 11:00 this morning.

charles: rich edson, really appreciate it. hey, want to get back to the markets. joining us is market watcher dan schafer. dan, you know, we know you're a bear, but today you actually are going to point to three names that have rallied in this market, and you say specifically because of the federal reserve.

>> yes.

charles: okay. let's start with the first one, apple.

>> okay, ask me why.

charles: i am asking why. [laughter]

>> every night, charles, what do you hear on tv? the dow jones, and you hear the s&p 500. so where do you think the money's going? if you look at --

charles: what money?
>> the money that's coming from the federal reserve into --

charles: can you walk us through that?

>> yeah.

charles: the fed buys mortgage backed securities, how does that money end up in the stock market?

>> they're buying through the banking system because the banks are holding a lot of debt on their books that they need to get rid of. a lot of that's nonperforming too. so the federal reserve creates these dollars, and they buy the debt off the banks' balance sheet. is the bank lending the money? i don't see it happening. the parameters of getting a loan today are horrible. so the bank has the money. what are they going to do with it? are they just going to sit on it? they offer all these tier levels in banking that we don't get to see, so what are they doing? they're farming the money out to their best clients with the top credit rating and they're buying stocks, or the bank's buying the stocks. they're going to buy the stocks that move the indexes. so what moves the index?

charles: okay. let's backtrack a little bit. my beef with the argument, the fed argument, is that it's been made for four years, and it was made primarily as a cautionary reason not to be in the market. i'm not saying you, but in general. most of the guys say, the insinuation is, that as soon as the fed gets out of the way, the market will crash. so don't buy stocks, instead buy gold. and that argument has been completely wrong, and it's crushed a lot of people.

>> right.

charles: they bought gold which is now down.

>> yes.

charles: okay. so i just want to get back to the original premise. now, let me just hit you on apple for a moment. apple's got an 11 pe. it's down 17% from the all-time high. i find it interesting that you would pick a stock that most people would consider cheap to say it's overvalued because of the fed.

>> because it's the leading stock in the s&p 500 index. if you take the first ten stocks in the index, they represent a major portion of the s&p, because it's a weighted index.
so apple by itself, forget the pe for a moment. that's a pricing issue. but the fact that --

cheryl: well, there's the e part of it too, the earnings issue.

>> we're talking specifically about apple, and i think your next stock is ge --

charles: no, wait one second because i want to go to exxonmobil next because that's another example for you.

>> it's top of the --

charles: past five years exxonmobil's up less than 30%. show me the correlation.

>> i don't have the calculations. the multiplier effect that it's weighted, it's weighted in the average just like a dow stock. ibm moves a certain percentage, a certain amount, it moves the dow a lot more because of the mathematical calculations of how the indexes are created. so when exxon moves, when apple moves, when ge moves, even a small move in them can move the index much larger. and that's what i'm saying. the money's going to flow to make the indexes --

charles: right. [inaudible conversations] so many more buyers than sellers of exxonmobil, the stock seems to be relatively flat. let's talk about gold because gold was supposed to be the play. the fed's pumping money, buy gold. that's what the central message has been, and people who have listened to it, they also bought a bomb shelter, every gun they could buy and ten years' worth of ammunition. help them out, because they're watching the show right now, and there's no ventilation in those bomb shelters.

>> and they sold the dollar too. i actually didn't buy gold --

charles: why didn't that part of the argument work?

>> do you remember when interest rates in the 30-year treasury were below the 10-year? gold is signaling a major deflationary depression coming. that's what the message is from gold. the dollar, i believe, is going to get much stronger, and that's the signal.

>> profit growth is really strong. profit growth for the s&p is pretty --

charles: dan, we've got to bring you back. i love this discussion.
i'm glad you came here, and at least you tried to connect the dots. a lot of people just throw it out there. appreciate it. all right, cancer patients taking to social media to tell their story, and they're being called out because of it. this is deep. this is making the rounds, and we brought the best guy in that we knew for it, dr. keith ablow is with us. he's next.

charles: new highs for a couple of big names this morning, you know, american express and morgan stanley, and disappointing profits and lukewarm forecasts from intel, and those shares are trading lower so far this morning. now it's time for me to try, as stuart would say, and make you some money. i love this company called applied microcircuits. they're launching a brand new chip called data center -- [inaudible] and i think it's going to help to revolutionize the cloud space. it's going to provide more power. these data centers are growing by leaps and bounds. all the information has to go up into the sky. i think they're going to be a big player, in the meantime, their margins have been expanding like crazy. your next leg up should take it to 14, but longer term i think it could go even higher. hey, we've got a former new york times editor who's criticizing a cancer patient for discussing her illness on twitter, saying that she should, quote, go gently with her tweets. but is it wrong for her to want to even discuss her illness online? well, let's ask dr. keith ablow. he joins us now. dr. ablow, you're no fan of twitter, but certainly out there sharing their agony and their pain with others, what could be wrong with that?

>> well, certainly not. there can be a lot wrong with it. and, charles, here's the problem, i don't know how you get the medium out of the message, to steal a line from marshall mcluhan, the great media scholar.
because here's the thing, how can you get the fact that your patient is now, well, an entertainer of sorts, a journalist of sorts to folks she's never met, out of the doctor/patient relationship, for instance? how do you take that out of the relationship between her and her children as she starts to contemplate perhaps a limited number of days? but she's also thinking, well, what kind of a tweet might tweak people out there. maybe it'll be more emotional if i talk to my daughter and my son together.

>> doctor, it's e. mac here. i want to bring you to what the former new york times editor bill keller wrote, and that's really lighting up on the internet and social media. she is saying -- he, he in a column is essentially writing, wrote a column attacking --

>> yes.

>> the cancer patient, saying that his own father-in-law had more dignity, saying she's wrong in what she's doing, she's behaving more like a warrior, raising false hopes, and that implicitly seems to peg patients like his father-in-law as failures. what is the impact out there? something that the twittersphere is saying this is impenetrably obtuse, self-serving and tone deaf.

>> well, listen, i disagree. i don't know that she's raising false hopes. perhaps she's helping people be hopeful. but she's also doing something different. she is turning these incredibly dramatic moments that are human moments of incredibly grave significance into something that's also about the internet and about twitter. and, frankly, you might do something very different because you are confronting this illness in a public way. it will be unconscious --

charles: right.

>> -- but you might make different decisions about how to treat your illness, because you'll think, well, i'm going to get more followers. that's perverse. that's horrific. twitter is a scourge. she shouldn't use it.

charles: doc, we don't know if that's her goal.
wouldn't you agree with the cynics at "the new york times," it's a complicated situation. doctor, i want to go to one more topic, and i need your thoughts.

>> all right.

charles: profiting from fear. yesterday we had the co-founder of a company that sells products that sanitize your cell phones. both of these companies are making money off the fact that people are afraid they're going to get germs and die tomorrow. what do you make of this atmosphere of profiting off of fear?

>> well, if it's irrational fear, i don't like it. we've had this discussion before, charles. i don't invest in companies that i think are taking people down a bad path. however, some of the ingredients in coldeze are associated with reducing symptoms that you might have during a cold, and i'm a big fan of the placebo effect. you know, any test of an antidepressant against a placebo, it's interesting, it's about a ten-point spread. the placebo reduces depression too. there's no illness for which a placebo is completely impotent. if people think their colds are going to be shorter, well, for some large percentage of people, they will be. and you know what? if you think sterilizing your phone is a good way to not get sick, you're going to get less colds in some people.

charles: that's a great endorsement for both products, or i guarantee they'll be tweeted later on by someone. [laughter] dr. ablow --

>> you got me there. take it easy, brother.

charles: hey, up next, a legal poison pill for obamacare and how the next president could kill it altogether again. maybe mrs. pelosi should have read the bill first.

>> but we have to pass the bill so that you can find out what is in it away from the fog of the controversy.
kevin, neill holley's on line one. ok, great. [ male announcer ] and we do. it's how edward jones makes sense of investing. [ car alarm chirps ] ♪ [ male announcer ] we don't just certify our pre-owned vehicles we inspect, analyze, and recondition each one, until it's nothing short of a genuine certified pre-owned mercedes-benz for the next new owner. [ car alarm chirps ] hurry in to your authorized mercedes-benz dealer for 99% financing during our certified pre-owned sales event through february 28th. charles: well, this week we learned that china holds a record $1.3 trillion of our nation's debt closely followed by japan is $1.2 trillion. america is said to be on sale in this china. will they big deal. >> it's been a big deal for a long time. look, the american government, and these are leaders on both sides. i mean, the democrats are more guilty of spending and taxing and borrowing than the republicans, but there are enough republicans that have gone down the road of big government, big spending for a long enough time that that's why we're in this predicament. we have a legislative branch that cannot stop itself from spending. just this week we had over a trillion dollar spending bill, omnibus spending bill pass through busting the sequester caps, right? ratcheting up all kinds of programs, ratcheting up spending still with an estimated $600 billion estimate which is probably a lowball estimate. what we're talking about, you have folks on both sides of the aisle. again, not everybody, but they cannot stop themselves from spending, and as long as we have an out of control government in this regard, you're going to have countries like china who are flush with cash that can come in and buy up the debt. you know what it is? it's economic warfare. there was a chinese general, i quoted from him in my book about a year and a half ago, who said we don't have to engage in military warfare against the united states, we're engaging in economic warfare. 
charles: and to your point, they're winning, because we can't stop ourselves from spending. >> correct. charles: all right. thanks a lot. the administration has a habit of picking and choosing which parts of obamacare they think is enforceable and delaying some parts they don't like and then keeping some parts into place. our next guest says this approach is going to eventually kill obamacare, give our next president the upper hand to dismantle this law piece by piece. let's bring in attorney brian callahan. brian, the president, you know, has been sort of willy-nilly. it's interesting, monica just sort of blamed both parties with respect to our incestuous borrowing. but it seems like congress, all of congress has stepped back and let the president sort of dictate how this law is enforced. >> well, charles, you know, the president said earlier this week he boasted that he's got a pen, and he's willing to use it to act where congress is not willing to act. so i think the trouble for the president is that, as i point out in the journal this week, the next republican in the white house is going to have the same pen. and he's going to have, i think, far more opportunity to affect a broader rollback of obamacare precisely because of the decisions that this administration has made to suspend and negate some of the key provisions of that law. charles: okay. so a precedent has been established then, if the republicans are lucky enough to win the house, let's say they win it all. they get the white house, and they control the senate and the house, do you think that they have -- they would be able then to just go ahead and dismantle the whole thing? >> look, i think the preferable route is legislative repeal of this law root and branch. but the point i make is you've got these are not just one-off decisions that the administration has made. there are legal interpretations underlying those decisions, and those are going to be available to the next republican president. 
they could -- i'll give you one example. you know, the president has now said the hardship exemption to obamacare that allows a waiver of the individual mandate, they've said that exemption is available for people who felt the negative impact of obamacare. now think about that. a hardship exemption from obamacare due to obamacare. [laughter] that's very -- yeah. very easily lends itself to turning the individual mandate into a dead letter if that interpretation is in the hands of the critics of this law. charles: hold on one second, brian. e. mac's got a quick question. >> brian, it's e. mac here. this goes beyond the fact that congress didn't read the law, this goes beyond the fact that this is after the fact refereeing or clean up because people in congress didn't read the law. what we're telling now is 15 different instances where the administration has said, you know what? we're not going to enforce this, that or the other part of the law, or we're going to delay it. and here's what's at issue. it doesn't matter either side of the political aisle who's doing this, it's a constitutional problem. we also have, you know, the senate saying we're going to basically defend the filibuster, and we have now the d.c. circuit court, the second most powerful behind the supreme court, packed with democrats. that's the court that enforces the executive orders, that's the court that basically rules on administration regulations and rules. this is a danger zone this country is in. is this a constitutional issue right now? >> i think that's exactly right. so, you know, in our constitutional system when you have a bad law that's unpopular that needs to be changed, what you do is you go to congress, and you change it. but this president has clearly calculated that going to congress to fix this law would require him to do something he refused to do the first time around which is to compromise on health care reform. 
and so as a kind of expedient, an end run around congress -- which has been willing, more than willing to suspend and delay key provisions of this law -- he's decided to try to do it administratively, but i think that could very well backfire in the hands of a republican successor. charles: a lot of potential successors are licking their chops. brian, we appreciate it. >> thank you very much. charles: hey, you know the real estate cheerleaders have been saying the housing market is bouncing back, but who exactly is buying homes, investors or families? we're going to debate it right after this. ♪ ♪ [ male announcer ] what if a small company became big business overnight? ♪ like, really big... then expanded? ♪ or their new product tanked? ♪ or not? what if they embrace new technology instead? ♪ imagine a company's future with the future of trading. company profile. a research tool on thinkorswim. from td ameritrade. does your mouth often feel dry? a dry mouth can be a side effect of many medications but it can also lead to tooth decay and bad breath. that's why there's biotene. available as an oral rinse, toothpaste, spray or gel, biotene can provide soothing relief, and it helps keep your mouth healthy, too. remember, while your medication is doing you good, a dry mouth isn't. biotene -- for people who suffer from dry mouth. is your tv powered by coal? natural gas? nuclear? or renewables like solar... and wind? let's find out. this is where america's electricity comes from. a diversity of energy sources ensure the electricity we need is reliable. take the energy quiz. energy lives here. charles: ups says the surge in late online holiday shopping is squeezing its bottom line. shares down almost 2%. best buy, a big drop yesterday, does it mean it's time to buy the stock today? that stock down over 4% as well. moving on to yahoo!, second in command gets fired and, guess what? now the editor-in-chief quits. those shares down fractionally. 
a lot of people still believe in twitter teaming up with a company to allow people to buy things directly from twitter. two stocks hitting new highs, american express and next morgan stanley, reported this morning. the street likes what they heard. next, the real estate cheerleaders, well, they're back. they're optimistic, they're excited saying housing is back. should we really be that optimistic? we'll be right back. measure that's correct. cause i'm really nervous about getting trapped. why's that? uh, mark? go get help! i have my reasons. look, you don't have to feel trapped with our raise your rate cd. if our rate on this cd goes up, yours can too. oh that sounds nice. don't feel trapped with the ally raise your rate cd. ally bank. your money needs an ally. crestor got more high-risk patient bad cholesterol to a goal of under 100. way to go, crestor! yeah! getting to goal is a big deal, especially if you have high cholesterol plus any of these risk factors. because you could be at increased risk for plaque buildup in your arteries over time. so, when diet and exercise aren't enough to lower cholesterol, adding crestor can help. go, crestor! ♪ ♪ oh, yeah [ female announcer ] crestor is not right for everyone, like people with liver disease or women who are nursing, pregnant, or may become pregnant. tell your doctor about other medicines you're taking. call your doctor right away if you have muscle pain or weakness, feel unusually tired, have loss of appetite, upper belly pain, dark urine, or yellowing of skin or eyes. these could be signs of rare but serious side effects. crestor! yes! [ female announcer ] ask your doctor about crestor. if you can't afford your medication, astrazeneca may be able to help. charles: all right. let's get back to nicole and back to google because it's hitting another all-time high again. >> reporter: now today up to 1160, right now 1158 and change. but 1160, the high on google, all-time high, of course. 
we've been focusing on the latest development by google which is the glass with the wire chip that will have a mini sensor to determine their glucose. good for diabetics. pretty amazing. i was walking on the street last night, i saw somebody with google glasses on. charles: oh, boy. >> it's here for real. charles: okay. steve martin should get a cut of that. let's get back to the economy and talk about housing. joining us is brock mclean with homes.com. housing showing signs of life, but it seems to me it's been more a story of investors, the chinese, wall street and not a main street story. set me straight on this. >> well, i think it's certainly an interesting element in the recovery we've seen. i can tell you from a homes.com perspective, consumers are as interested as ever in buying and selling. charles: when you say that, it doesn't jibe with the data. in other words, new home sales, 28% are first-time buyers. that number used to be in the 40s. >> yeah. charles: people in the top 100 metropolitan areas are paying more to rent than to buy, and they're willing to do that there. exactly. because there's still challenging lending restrictions, it's as challenging as it's ever been. meanwhile, you have portfolios come in, buying up portfolios, turning them into rentals to really meet that demand. a third of the houses in the country are rented today. charles: we had the permits and housing starts numbers out this morning. a little bit disappointing, but the trend is shocking. is that a greater trend of the urbanization of america, or does that reflect something else? >> it's a really good question, and i think from the portfolios buying single-family homes, turning them into rentals. our sister company, forrent.com, the growth we're seeing there, the demand for rentals i think is happening across the country. but depending where you are you're seeing recovery happen at a much more rapid pace than maybe some areas that were harder hit. 
charles: maybe i was sitting there, maybe i thought like the market, i could time it, and then all of a sudden the house that i've been watching, it hit 170,000, and now it's 200,000, and i feel like i missed it. >> that and the combination of interest rates while certainly have increased being near historic lows, a lot of anxiety at the consumer level, and it's been a challenge to time that market perfectly. charles: walk us through the steps for a real, true housing recovery. what are the things we're going to have to see? >> well, i think depending on where you are. homes.com tracks 300 local markets across the country, give a consumer an idea of what's happening where i live, not just nationally. and what you find is while 80 markets -- charles: i mean, are we talking jobs? regulations? lending? i mean, real quick, we've got 30 seconds left, what are the three or four things that have to happen tomorrow for this to be an honest to goodness recovery? >> jobs, consumer confidence, easing of restrictions, the ability for consumers to really be competitive in the buying process, to try to get in the head of some of these institutions that are stepping in. charles: and, of course, go to homes.com. we only said it three times -- [laughter] >> i appreciate it. charles: hey, check this out, it's a 16th century prayer book, and it's going up for auction, and you won't believe how much, but you're going to find out next. [ male announcer ] this is the story of the little room over the pizza place on chestnut street the modest first floor bedroom in tallinn, estonia and the southbound bus barreling down i-95. ♪ this magic moment it is the story of where every great idea begins. and of those who believed they had the power to do more. dell is honored to be part of some of the world's great stories. that began much the same way ours did in a little dorm room -- 2713. ♪ this magic moment ♪ open to innovation. open to ambition. open to bold ideas. 
that's why new york has a new plan -- dozens of tax free zones all across the state. move here, expand here, or start a new business here and pay no taxes for ten years... we're new york. if there's something that creates more jobs, allows more businesses... we're open to it. start a tax-free business at startup-ny.com. >> president obama talking tough about the nsa. he says he's going to reform that agency that's gotten out of control. he apparently forgot he's been the guy controlling it for the past five years. we'll have analysis of the president's not-so-grand speech after all tonight, 7 eastern. please be with us. ♪ ♪ charles: all right. we call this segment old money and for a good reason. today we have a 500-year-old manuscript, and you will never believe the price. joining us is nicholas hall with christie's, want to talk to you, this is a prayer book. >> this is a prayer book. it was made in about 1505 in brugge which was one of the great cultural centers of europe. it was, if you like, the northern equivalent of florence. it is 250 pages of which 67 consist of full-scale miniatures. there are additional miniatures the, the months of the year, signs of the zodiac and beautiful borders on almost every single page. it is, in my opinion, the finest illuminated manuscript that remains in private hands bar none. so this, if you like, to illuminate a manuscript what the largest, most flawless diamond would be to, in the diamond world. charles: is there a single author, you know, the artist -- >> this is a really good question. this was, actually, there would be one scribe who wrote, because every word in it is, of course, handwritten. and there'll be one scribe who wrote it, but the artists who contribute the illuminations would have been varied, and they would have been working together and designing this book together. 
and one of the greatest and what is interesting about this is that whoever commissioned it enlisted what was normally a painter painting altar pieces, gerhard david, who was a major painter represented in the metropolitan museum, to produce the madonna and child which is the most significant page in the book. but there would have been three or four other -- >> you know, this historical significance of this so important. we're talking, what, how much would this go for, do you think, at auction? >> well, when -- >> about 12 million? >> well, we think -- >> 25 million. >> we think could be 20 million, could be -- >> holy cow. and no other book exists like this in the world, right? >> absolutely. >> you know, trinity college in dublin has a long, you know, inventory of books -- this is a rarity. and this also provides the lush, voluptuous literature. i use that word carefully, because it's true. historians have said this. of christianity that we don't get now in our day and age of how the medieval mind viewed christianity. it comes forth in the book of hours like this. >> absolutely. and consists of, i mean, one of the most interesting pages in the book is this fantastic opening to the office of the dead which is the burial mass, and it's decorated, the border is decorated with skulls. and you see this incredibly realistic depiction of monks lowering a coffin into the ground. and, of course, death was very much on the medieval mind. >> the immediacy of the christian faith was more apparent than now. >> absolutely. >> it's so gorgeous. and when you go to the national archives in washington and you look at our founding documents -- the constitution, the declaration -- they're all under glass, temperature controlled, lighting controls for preservation purposes. how is this so well preserved? >> that's -- it's been in one collection for a very long time. it was bought in the 19th century by the rothschilds who was the founder of the austrian branch of the banking family. 
it stayed with them til the 1940s when it was taken by the nazis -- charles: nicholas, when is the auction? >> the auction is january 29th at 2:00 in the afternoon. charles: it's beautiful. i'm going to tell you right now, i'm saying north of 20 million. thanks a lot. >> it's a great thing. charles: hey, your take on china owning america, that's next. welcome back. how is everything? there's nothing like being your own boss! and my customers are really liking your flat rate shipping. fedex one rate. really makes my life easier. maybe a promotion is in order. good news. i got a new title. and a raise? management couldn't make that happen. [ male announcer ] introducing fedex one rate. simple, flat rate shipping with the reliability of fedex. afghanistan, in 2009. on the u.s.s. saratoga in 1982. [ male announcer ] once it's earned, usaa auto insurance is often handed down from generation to generation. because it offers a superior level of protection. and because usaa's commitment to serve current and former military members and their families is without equal. begin your legacy. get an auto insurance quote. usaa. we know what it means to serve. charles: china holds a record $1.31 trillion of our nation's debt, adding another $12 billion in december so when we ask if you thought china would end up owning america altogether here is what you had to say. this should scare every american but too many don't even understand what that means. it will get to the point here, debtholders will be calling the shots for our country, politicians especially in washington d.c. have got to learn to go on a fiscal diet. your thoughts on this one. >> government is the most inefficient apparatus on the face of the earth, they have no profit motive. the only thing that motivates them is getting reelected. that means buying votes, putting money back in your district, back in your state, in little incentive to restrain the growth of government and spending. 
liz: this is a national security issue, but will china stop buying the debt? charles: the rabbi and our real estate, china is buying america. they can't buy this guy. he is next. connell: leave it to us to talk about how you lose your identity online. electronic crime that has never been seen before. that is where we start off on markets now. the attack on targets live through antivirus programs and it is more than target. russian fingerprints all over it. should the president be putting more pressure on world leaders to crack down on the underbelly of the cyberworld. we will get into that in this hour. part of goldman's big money success getting out of new york. how the financial giant spread its staff around the country and save a lot of money in doing so in the minds behind this campaign, the creators of the devil baby. the i years this hour, and changing the world of marketing


Transcripts For CSPAN2 Key Capitol Hill Hearings 20140122

necessary tunneling capacity under the hudson and tunnels currently serving extraordinary number of passengers on amtrak side and -- >> very diplomatic, mr. chairman. much painful history. >> those tunnels are over 100 years old. your first, do i agree, that it is an essential investment? we absolutely must do something about those. i believe we're approaching 110-year-old tunnels. they not only constrain capacity but at certain point they will become a real safety risk. and you know, think about the upheaval that will result if we were to lose that capacity all of a sudden. could it be a candidate for the new starts program? yes it could. what we would need is a local project sponsor to come forward to do all the development work and most importantly, come up with the necessary local match. and your final question, i need special legislation to help make that happen? we'll take a turn on that but i don't think so. i think, i mean obviously the entire program expires at the end of the year but i think the question you may be alluding to is, how do we deal with a new start project for which amtrak is a participant? i don't know that i need new legislation for that. >> would you check and get back to us? >> we can. we've had amtrak do necessary investments as part of east side access. they are responsible for the harold interlocking which is a very large portion of that project. so there may be a way of doing this without special legislation but if it is needed we'll certainly call it to your attention. >> you don't think it will be? >> i don't think so on its face but -- >> could you get back to me in writing in a couple of days? >> sure. >> finally the montague tunnel, we have a real interest in restoring this tunnel. give me a status report how it is going, how the repair is going? >> my understanding things are boeing along well. this is one of the benefits you get from closing the entire facility. 
you do not have to worry about safety risks posed by the workers. you have the ability to put all kind of equipment in the tunnel because you don't have to move trains through it at the same time. i've heard nothing to the effect that they are off schedule or overbudget. and indeed, in some of these tunnels we are making what we call our local resiliency funding some investments to move utilities to the roof of the tunnel, should we have flooding again we won't lose all signaling capacity and cabling. >> full speed ahead? >> yes, sir. >> thank you. >> i want to thank our witnesses for your testimony today. this hearing is adjourned. >> california governor jerry brown delivers his state of the state address today. we'll bring you his remarks from the state capitol in sacramento. live at noon eastern, here on c-span2. and later, governor nikki haley of south carolina delivers her fourth state of the state address. we'll bring you live coverage from the statehouse in columbia at 7:00 p.m. eastern also here on c-span2. a panel of cybersecurity experts are split on whether people's information is secure at healthcare.gov. they testified last week before the house science and technology committee. this is two hours. >> the committee on science, space and technology will come to order. welcome to today's hearing, healthcare.gov: consequences of stolen identity. i will recognize myself in opening statement and then the ranking member. when the obama administration launched healthcare.gov, americans were led to believe that the website was safe and secure. as the science, space and technology committee learned at our hearing last november this is simply not the case. we heard troubling testimony from online security experts who highlighted many vulnerabilities of the obama website. these flaws pose significant risk to americans' privacy and the security of their personal information. one witness, mr. 
david kennedy, who has been reinvited for today's hearing, testified that there are, quote, clear indicators that even basic security was not built into the healthcare.gov website, end quote. in addition, all four experts testified that the website is not secure and should not have been launched. mr. kennedy will update the committee on the security of the website since november 30th, which was the administration's self-imposed deadline when it would be fixed. since the november hearing other events have emerged that prompted the need for today's hearing. in december a former senior security expert at the centers for medicare & medicaid services stated that she recommended against launching the healthcare.gov website on october 1st because of quote, high-risk security concerns. a letter addressed to the committee from mr. kennedy, and independently signed by seven other security researchers who reviewed his analysis of vulnerabilities presents some very troubling information. to paraphrase one of the experts, mr. kevin mitnick, once the world's most wanted hacker, breaking into healthcare.gov and potentially gaining access to the information stored in these databases would be a hacker's dream. according to mr. mitnick, a breach may result in massive identity theft never seen before. without objection mr. kennedy's letter will be made a part of the record. a recent report by credit bureau and consumer data service experian forecast an increase in data breaches in 2014, particularly in the health care industry. specifically the report states, quote, the health care industry by far will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014. add to that, the health care insurance exchanges which are slated to add seven million people into the health care system and it becomes clear that the industry from local physicians to large hospital networks provide an expanded attack surface for breaches, end quote. 
experian provides the identity verification component of the health insurance marketplace enrollment process. because of increased accessibility to healthcare.gov, concerns continue to grow about the security of personal information. the work of this committee will help congress make decisions about what actions may be necessary to further inform and safeguard the american people. we are here today to discuss whether the americans who have signed up for health care plans have put their personal information at risk. if americans' information is not secure then the theft of their identities is inevitable and dangerous. that concludes my opening statement and the gentlewoman from texas, miss johnson is recognized for hers. >> thank you very much, mr. chairman. since we held our november 19th hearing highlighting security issues at healthcare.gov up to 110 million people have had their debit card or credit card information compromised by a hack of target store records but target was not alone in being successfully hacked. the washington post, facebook, gmail, linkedin, twitter, youtube, yahoo!, jpmorgan chase, snapchat, and my friend at dallas-based neiman marcus stores have announced security breaches. however, do you know one system that has not been successfully hacked since the last hearing? healthcare.gov. also since the last hearing, the center for medicare & medicaid services, cms, staff and contractors have been working round-the-clock to improve the performance and security of healthcare.gov. there have been numerous fixes to the website that have improved the site's responsiveness compared to its first 60 days. millions of americans have been able to access the site and obtain medical coverage. 
during that entire time top security contractors including blue canopy, frontier security, and the mitre corporation have been working to test the system and identify weaknesses that need to be addressed. the chief information security officer has also been running weekly penetration tests to support security mitigation steps for cms. further cms says that none of the majority's witnesses concerns voiced in their november hearing have turned into any actual breach of security. the last hearing did not feature a single witness who had any actual information about the security architecture of healthcare.gov. nor what is being done to maintain the integrity of the website. today we have the same kind of hearing. as smart and experienced as these witnesses are, not one of them has actual knowledge of security structure at healthcare.gov. the best that they can do is speculate about vulnerabilities. i think it would be good for members to remember that. i'm concerned that the intentions in this hearing appears to be to scare americans away from healthcare.gov site. this appears to present a continuation of a cynical campaign to make the affordable care act fail through lack of participation. while we're holding this hearing, both the house oversight and government reform committee and the energy and commerce committee are holding similar events all with the apparent goal to create a sense of fear, thereby manufacturing an artificial security crisis. it is my hope that all of our witnesses can agree that it is important to make healthcare.gov work for the american people, to help give all of our citizens access to affordable health care. i do not want to believe that any of the witnesses testifying today want the site to be hacked or shut down or even see the program fail. or see americans go without health care insurance. this country faces a lot of real issues and real policy challenges. 
if we are truly interested in hacking and identity theft, we should have representatives of largest retail institutions in the country here to discuss the challenges they face in protecting people's information. instead it appears that the majority has allowed the committee to become a tool of a political messaging to a degree and i never witnessed anytime in my time in congress and i'm in my 22nd year. thank you. i hope that the committee hearing will be the last of this topic, absent some actual allegations of wrongdoing so that we can focus on legitimate oversight issues facing the country and this committee. mr. chairman, before i yield, i would also like to comment on the letter you want to put in the record. i was hoping after reading it, that you would have some testimony or give the people opportunity, other than 24-hour showing of this letter but you don't have to take my word on this. mr. kennedy's own document reads, this report is for public use. the report is not appended to his testimony and i imagine it is not added because it would violate our 4-hour rule. he did not get us testimony in time but when late yesterday afternoon presented this report out of the blue. and i'm guessing your counsel told him to make it a letter because we routinely accept outside letters from groups and experts all the time with minimal if it is. so the report now portends to be a letter addressed to you and me. however i can not remember another time a witness before the committee felt they had to write a letter. i think it is elaborate way to get testimony in front of the committee in violation of the 4-hour rule. as to the substance of the report, it includes what amounts to testimony from experts who are not appearing before us. it is against the practice of the committee to accept testimony from people not personally available to answer our questions. 
one thing i do know: none of the individuals who signed these statements in the packet have worked on healthcare.gov or the security protocols behind the website. in other words, they know no more about the actual security on the site than does mr. kennedy. in deference to the chairman i would withdraw my objection, but i would note this report includes language i consider vulgar and beneath the dignity of the committee. that alone should be reason to keep it out. even if the chairman is comfortable with the way our rules are being stretched, if you insist, i will withdraw, but i want the record to reflect we've gone beyond the professional behavior of this committee. thank you.
>> i will recognize myself to respond to the ranking member's comments. all committees, including this one, have a long-standing practice of affording members the courtesy of entering items they believe are relevant to the topic at hand into the record. i'm sure the ranking member knows this. members on both sides have generally approached the development of the record in the spirit of bipartisanship and comity. i'm disappointed that the gentlewoman from texas would now seek to question a letter i've asked to place in the record. we frequently place items in the record that express opinions of various groups and make statements regarding issues at the request of members on both sides of the aisle. often those who have written those letters are not testifying before the committee and have not been asked to do so. yet their opinions are still made part of the record. one such example is a 40, excuse me, 54-page submission that mr. mafe requested be placed in the record at a hearing last august. this document was not even addressed to the committee but instead to the administrator of the epa, and was entered into the record without comment. it includes a letter from six different indian tribes signed by eight different people, none of whom testified before this committee.
it includes a letter from the lawyer who represented the tribes. he also did not testify before the committee, yet we made his letter a part of the record. finally, it includes another letter to the administrator of the epa that purports to be from 15 different national organizations, 11 different international organizations, 5 alaskan organizations and numerous other organizations from other states. none of these organizations testified before this committee. i have placed mr. kennedy's letter in the record here today. he is testifying before us shortly and members will have the opportunity to question him on its contents.
>> mr. chairman.
>> i'm still in the middle of my statement. i regret the ranking member has questioned the long-standing prerogative of a member to enter a relevant document into the record, especially when members on her side of the aisle have done so many times without objection from the majority. i hope this is not indicative of her desire to make this committee's business more partisan. that concludes my statement. and i will now introduce the witnesses.
>> mr. chairman?
>> i'm going to introduce the witnesses and that --
>> mr. chairman, i object to the entry of the letter into the record.
>> the letter's already been entered into the record and the objection is not timely.
>> mr. chairman, i would ask for a vote on whether we enter the letter into the record.
>> that is no longer a proper motion because it is not timely.
>> well, mr. chairman, i think you have deeply politicized this hearing.
>> well, i'm sorry for the ranking member's comments that caused it. i will now recognize our first witness. mr. david kennedy is president and ceo of trustedsec llc. mr. kennedy is considered a leader in the security field. he has spoken at many conferences worldwide including black hat, defcon, infosec world and the information security summit, among others. mr.
kennedy worked for the national security agency and the united states marines in cyber warfare and forensics analysis. mr. kennedy received his bachelor's degree from malone university. our second witness, mr. waylon krush, is the founder and ceo of lunar line. he is also a founding member of the warrior to cyber warrior program, a free six-month cybersecurity boot camp for returning veterans. a veteran of the u.s. army, mr. krush is a recipient of the middleton award, one of the highest honors in the field of intelligence. he holds a bachelor's degree in computer information science from the university of maryland. he is also a certified information systems security professional, a certification and accreditation professional, a certified information systems auditor, and has more than 3,000 hours of training with the national cryptologic school. our third witness, mr. michael gregg, is ceo of superior solutions, inc., an i.t. security consulting firm. mr. gregg's organization performs security assessments and penetration testing for fortune 1000 firms. he has published over a dozen books on i.t. security and is a well-known security trainer and speaker. mr. gregg is frequently cited by print publications as a cybersecurity expert and is an expert commentator for network broadcast outlets such as fox, cbs, nbc, abc and cnbc. mr. gregg holds two associate's degrees, a bachelor's degree and a master's degree. our final witness is dr. larry ponemon, whose think tank is dedicated to advancing privacy research and security practices. he was named by security magazine as one of the most influential people for security. dr. ponemon consults with national organizations on privacy programs. he has extensive knowledge of regulatory frameworks, data protection and cybersecurity, including financial services, health care, pharmaceutical, telecom and internet. he earned his master's degree from harvard university and his phd at union college in new york.
he attended the systems science program at carnegie mellon university. we look forward to your expert testimony, and mr. kennedy, will you lead us off.
>> thank you, mr. chairman. good morning to everybody in the house science and technology committee. honorable mr. smith, as well as ranking member of the house science and technology committee miss johnson, great to see you folks again, as well as the other members here today. i appreciate the time here to discuss the issues with the healthcare.gov security concerns as well as the consequences around stolen identities. what i want to first start off with: to me this is not a political issue. i take no political party stance. i have no party affiliation. for me personally this is a security issue. working in the security industry 14 years, including working for the national security agency as well as spending a number of years in iraq and afghanistan, my testimony here today is to talk about issues with security and that's it. so when i talk about the issues that we see here today, it is based on my expertise working in the security industry, doing assessments on a regular basis, being chief security officer for a fortune 1000 company for a number of years and running my own company. the document had seven independent researchers well-known in the security industry, including a number of folks that worked for the united states government, do training for the united states government, as well as work closely with the united states government. today is not the day to talk about the political party problems with it, but to discuss just the security issues alone. that is what i'm here to talk about today. i would like to give thanks to kevin mitnick and kevin johnson for providing their testimony on, their comments on, the issues that we see today. and we're pretty unified in our approach. everybody that i shared with, i put them on non-disclosure agreements to work with them, and the consistent feedback that we got is that healthcare.gov is not secure today.
nothing has really changed since the november 19th testimony. in fact, from our november 19th testimony it is even worse. additional security researchers have come into play providing additional research, additional findings, and we can definitely tell that the website is not getting any better. in fact, since the november 19th, 2013, testimony, there has only been one-half of a vulnerability that we discovered addressed or even close to being mitigated. when i say one-half, they basically did a little bit of work on it and it is still vulnerable today. i want to throw a disclaimer out there: in no way, shape or form did we perform any type of hacking on the website. that is a misnomer. the type of techniques we look at from a health perspective are doing what we call passive reconnaissance, not attacking the site in any way, shape or form. i'd like to offer another analogy. say my expertise wasn't being in the security industry and i wasn't doing anything security related, and i was a person who was a mechanic. 14 years being a mechanic, and a car drove past me puffing blue smoke out of the muffler, the engine making clanking sounds and a lot of symptoms: doors are open, windows are open, everything else. as a mechanic i can say with a reasonable level of assurance the engine has issues. same thing with technology and web applications. there are a lot of pieces that make the car work. there are a lot of pieces that make a website work. from our testimony here today, as well as what we've discovered in the past, there are a number of security issues still there today with the website. and to put it in perspective, i'd like to note for the record that there weren't 70 to 110 million credit cards taken from target. that is not accurate. the correct statistic: there were 70 to 110 million personal pieces of information taken about individual people that shopped at target. there were 40 million credit cards that were taken. the issue with target isn't specifically around credit cards.
credit cards can be reissued. your credit that gets taken from the credit cards can be debited back into your account. you're not liable as a consumer. but what you can't fix is your personal identity. if you look at target, for example, 70 to 110 million personal pieces of information, addresses, email addresses, phone numbers, additional information, that is what you can't replace. we've seen a number of individuals selectively being targeted from a personal information perspective because of that. that doesn't include social security numbers. i had another independent security person get targeted, claiming to be target. as soon as they clicked the link, it hacked the computer and took full control of it. this doesn't relate specifically to just credit card data. that is not on the healthcare.gov website; first name, last name, email address, home of record, those are a recipe for disaster when it comes to what we see from personal information being stolen in theft. so not just that. as an attacker, if i had access to the healthcare.gov infrastructure, it has direct integration to the irs, dhs, as well as third party providers for credit checks. if i have access to those government agencies i can complete an entire online profile of an individual, everything that they do, and alter their entire online presence. this isn't just healthcare.gov alone. i'm not trying to single out healthcare.gov alone. i'm focusing on the entire issue of security in the federal government, which is in a really bad state. we need to work together to fix it and work on more sweeping changes. thank you.
>> thank you, mr. kennedy. mr. krush.
>> chairman smith, ranking member johnson and members of the committee, thank you for this opportunity to testify on the important topic of cybersecurity. i'm waylon krush, founder and ceo of lunar line. we're one of the fastest growing cybersecurity companies. i'm also founder of the cyber warrior program, as stated earlier.
i have been asked to speak on cybersecurity today as it relates to healthcare.gov, and just listening to mr. kennedy, i actually have some very simple points i want to make right away. first of all, if none of us here built healthcare.gov, if we're not actively doing a, not a passive vulnerability assessment, but an active vulnerability assessment, doing penetrations and running exploitable code on healthcare.gov, we can only speculate whether or not those attacks will work. so anything that has been said thus far, if we're talking about any type of dot-gov site, just identifying passively a vulnerability and not actually working on the site, knowing how the protocols work on the back end, what type of defense in depth, how each one of the assets is locked down, nobody here at this table can tell you they know there are vulnerabilities. another thing i would like to talk about today: in the federal government, something a little bit different than we have in commercial organizations, we use something called the risk management framework. this committee actually helped develop that, and that is one of the most rigorous processes as it relates to cybersecurity and privacy in the entire world. when i say the entire world, most security standards are just a subset of the risk management framework. it is one of those areas that from a security control perspective has been taken to build other security standards, or it is basically copied and cut and pasted to create new security standards. this is a six-step process. it includes categorization, selection, implementation, validation, authorization, and most importantly continuous monitoring of all the controls. you know, just looking at it, you might think, well, there are about 360 controls in special publication 800-53, revision 4.
when you look a little bit deeper, there are several thousand information security controls that federal information systems must undergo from a security architecture perspective, including that they must be continuously testing. another point i would like to make is that if anybody here actually went out to these websites and, i'm not talking about passive, but if we have extracted addresses, if you went to the website and done anything outside of the bounds of what's allowed in the federal government, you're basically breaking the law. you can't just go out and say, i found this vulnerability, and then exploit it to try to get media attention or anything like that. if you do that, you're breaking the law. it is pretty simple. and last but not least, you know, healthcare.gov is one of many hundreds or even thousands of federal information systems and websites out there, and you know i have worked in the threat area. i can tell you my background is not only as a soldier that was on the u.s. army's information operations red teams, blue teams, information systems security monitoring teams, protocol analysis, signals analysis, including work in critical infrastructure protection for at&t for a few years, all across the world. if you go out and tell someone, and this is just the truth when we're out actively taking down websites, i can sit here all day and speculate about a vulnerability, but until i have actually exploited that vulnerability, there is no way to tell whether that attack will actually work. there's a lot more going on in the background everybody needs to understand. another note, and last but not least, about healthcare.gov that everyone needs to understand is that with all of the media attention that it is currently getting, you would think it is the most high-value target in the federal government. you would think healthcare.gov is something everybody would want to go after. that is truly just not, that is media spin if anything.
healthcare.gov is one of many websites that have personal information in it. it is connected to other systems, but saying it is interconnected to all these systems, and that leaves them vulnerable, shows a lack of knowledge about the back end system capabilities. meaning those connections are very secure and authorized on both sides. you know, i have actually been lucky enough to work within cms and hhs on cybersecurity deployment and configurations; out of everybody here, at least at this table, i probably have the most hands-on knowledge, but i can't come here and speculate what is actually vulnerable in the system and what is not. the truth is, once again on the threat side, as we've seen in the media, you can probably tell that, you know, healthcare.gov is not the one getting attacked. most cyber criminals, and especially those with advanced capabilities, they go where the money is, right? they will go after target, they will go after neiman marcus, they will go after these places that contain lots of data related to intellectual property because it just makes fiscal sense, right? if the u.s. government spends billions of dollars on our research and development and we don't protect it and some other country takes that, you just saved them billions of dollars. thank you.
>> thank you, mr. krush. mr. gregg.
>> thank you, chairman smith. thank you, ranking member johnson, members of the committee, for having me here today. again, my name is michael gregg. i'm really going to break down my speech and my presentation into three pieces. first, how healthcare.gov could potentially be hacked. why healthcare.gov needs independent review by third parties. also, what would be the result of this? what could be the potential impact?
my concern is that healthcare.gov is potentially a major target for hackers looking to steal not only personal identities but also information that could be used to steal their identity. although i understand healthcare.gov does not store that information, it passes that information back and forth between third party government sites and other organizations. there are many different ways that site could be hacked. there are some prominent ones. these are the same ones listed by prominent websites like owasp: cross site scripting, sql injection. it could be ldap injection, could be buffer overflow. there are many different ways this could be done. while that sounds foreign to many of you, the fact is these are known attacks used against known sites every day, from target to neiman marcus, to google, to many others. some of the things that concern me are, in the past we've seen, for example, the 834 data. that's data passed to the back end to the insurance companies. we've seen and we've heard reports of this information being corrupted and not being correct when it is received. that indicates at some point the data is not being handled correctly. all input data, all processed data, all output data has to be correct. if not, there is some type of problem, meaning that data is not being properly parsed. the same type of situation could lead to an attack, or putting in some type of data and misusing that in some way or launching an attack. also, as i said, healthcare.gov has a very large attack surface. this is a very large program or application. it was built very quickly. a large attack surface makes it very hard to secure. so i find it hard to believe that during the release and also the update of the site, all the items that our previous speaker spoke of, as far as fisma, fips 199, 200, those things were taken care of and passed all those requirements that they're required to by law and that those were properly completed.
microsoft, think of those folks, for example. they have spent almost 30 years trying to secure their operating systems and still we see microsoft products, their operating systems, being brought under attack. to think that healthcare.gov could be built so quickly and be secured is, to me, very hard to believe. when we have a large application or website to be reviewed, typically we do it in a couple of different ways. we start at the very beginning, before the site is actually developed. we do things as far as audits. we do vulnerability assessments and do pen testing. all three of these things are required to actually look at and examine the site. pen testing is a very important part of this process because pen testing means we're looking at the site the same way the attacker would. we're saying, what would the attacker see? what could they use? what could they do with this and how do they leverage this potentially for attack? i don't believe those types of assessments have been done to this day and been properly completed. so what's been reported currently, what we see with healthcare.gov, is that they are running weekly assessments, that they are potentially patching the site, but a lot of that activity we're talking about is reactive in nature. that means when we're finding a problem, we're actually fixing it. that doesn't mean we've gone out and found all possible problems or all potential ways an attacker may leverage that and get access to the site. some might argue, if healthcare.gov is actually vulnerable, why hasn't it already been attacked? if you think about it from an attacker's standpoint, we've seen attackers have the fortitude and also the patience to wait for the right time. look at target. did they attack immediately? they waited until the right time and right moment to actually do this. this could be the same thing. they will wait until after march. they will wait until the deadline. they will wait until there is a trove of information for them to go after.
then they're going to target it. so what could be the impact on consumers? potentially reduced credit ratings. increased difficulty getting loans. could be criminal issues. could be emotional impact. could also be very damaging as far as medical information that could be lost. could be potentially people don't get hired for a job. it could be they get the wrong treatment because someone else obtained treatment under their name for some other type of disease or some other type of problem they didn't have. it could potentially mean them being denied an application or job for some reason. in closing, i would just like to say this. when our organization builds an application, we bring everybody together. we bring end-users, developers, we bring everyone together, security professionals, to make sure the site is secure and security can be built in from the very beginning. i do not believe that has been done in this case. hacking today is big business. it is no longer the lone hacker, the individual in their basement. today it is organized crime, very large groups potentially out of places like russia and eastern europe. we can fix these problems, but for these problems to be fixed means we need an external assessment of this site by independent third parties. thank you very much for your time.
>> thank you, mr. gregg. and dr. ponemon.
>> thank you, mr. chairman. and thank you for inviting me. first, let me just start off by saying i am the research wonk on this panel. these people are absolutely brilliant and they understand the technical aspects and security issues, but what i would like to do is talk a little bit about the consequences of identity theft and medical identity theft, and that is really my focus and the basis of my comments, research that my institute conducts, and sometimes by the way they call my institute the pokemon institute. it is the ponemon institute, which is my name.
to understand the potential consequences to each individual, to households and to society as a whole. for more than a decade we have studied the cost and consequences of data breaches through extensive consumer studies as well as benchmark research on privacy and data protection practices of companies in the private and public sectors. in the area of health care, we conducted four annual studies on medical identity theft and patient privacy and security protection within hospitals and clinics. we survey consumers on their perceptions about the organizations they trust, or they trust the most, to protect their privacy. among the u.s. federal government sector, for example, we're pleased to report some good news: that the u.s. -- usps, the postal service, gets very high marks for trust. another, and this might be a little surprising, the irs is actually trusted for privacy. not for anything else. just joking, but definitely for privacy practices, as well as the veterans administration. they were a bad guy, right? remember they lost a lot of data. i'm a veteran. i was on the list of that 26 million. but they turned things around and they're trusted for privacy. so today i've been asked to testify about the possibility of, like, identity theft on the healthcare.gov website and the potential consequences to the american public. identity theft and medical identity theft are not victimless crimes and affect those most vulnerable in society, such as the ill, elderly and poor. beyond doing the numerous research studies that i just mentioned, this is an issue that really struck home for me. last year my mother, she's 88 years old, she lives alone in tucson, arizona, suffered from a stroke. she was rushed to a hospital and admitted immediately. unbeknownst to her, an identity thief was on the premises, made photocopies of her driver's license and credit cards and debit cards in her purse. also she has all the passwords, everything, on a little post-it note in her purse as well. she doesn't listen to me.
that's the problem. the thief was able to wipe out her bank account and there were charges on her credit card and debit card amounting to thousands and thousands of dollars. in addition to dealing with her serious health issues, she had to cope with the stress of recovering losses and worry about more threats to her finances and medical records. the situation with my mom in the hospital and those who are sharing personal information on healthcare.gov are not dissimilar. let me explain. my mother had a reasonable expectation that the personal information she had in her wallet would not be stolen, especially by a hospital employee. and those who visit and enroll in healthcare.gov have an expectation that the people who are helping them purchase health insurance will not steal their identity. they also have a reasonable expectation that all necessary security safeguards are in place to prevent cyberattackers or malicious insiders from seizing their personal data. in my opinion, the controversy regarding the security of the healthcare.gov website is both a technical issue, as we heard from these gentlemen, but also an emotional issue. in short, security controls alone will not ease the public's concern about the safety and privacy of their personal information. based on our research, regaining the public's trust will be essential to the ultimate acceptance and success of this initiative. so, following are some key facts that we learned from our consumer research over more than a decade of doing these kinds of studies. first, the public actually has a higher expectation that their data will be protected when dealing with government sites than commercial sites. in other words, when i'm going to the veterans administration, i have a higher expectation of privacy. whether it is rational or not, that is basically what we see. second, loss of one's identity can destroy a person's wealth and reputation and in some cases their health.
further, the compromise of credit and debit cards drives the cost of credit up for everyone, thus making it more difficult for americans to procure goods and services. third, medical identity theft negatively impacts the most vulnerable people in our nation. beyond the financial consequences, contamination of health records by imposters can result in wrong diagnoses and in extreme cases can be fatal. since there are no credit records to track medical identity theft, it is nearly impossible to know if you've become a victim. what is the solution? let me give you three ideas. first, on the trust issue, let's think about accountability. it is important to demonstrate accountability, and the best way to do that in my mind is rigorous adherence to high standards. we mentioned nist. nist is a great standard, but very high standards above the bar, and showing the american people that this particular website, or any website that collects sensitive personal information, is meeting or exceeding that standard. number two is ownership. what i would like to see is that the chief information security officer is your chief executive officer. you know, that's good news, when the ceo steps up to the plate and does what needs to be done, and in this case i would love to see our president take ownership of the website and ensure that good security and privacy practices are met as a priority, not just on healthcare.gov but across the board. and third is verification. i'm an auditor. i have to admit this. i'm biased, or used to be an auditor at pricewaterhousecoopers. we can say we're doing all the good things, but having a third party expert tell us we're meeting and exceeding the standard is a very good idea and a noble idea. that being said, i think i'm the first person concluding and giving some time back on the clock. thank you.
>> well --
>> not exactly.
>> i wasn't watching the time, i'm sorry.
>> thank you, doctor ponemon, appreciate your testimony. i will recognize myself for questions. let me direct to mr. kennedy.
the administration maintains there has not been a successful security attack on healthcare.gov. is that an accurate statement?
>> thank you, mr. chairman. basically, what we know from the monitoring capabilities within the healthcare.gov infrastructure is that as of november 11th they had not stood up a security operations center or had the capabilities even to detect an actual attack. so they also stated they detected 32 attacks overall; however, if you have no monitoring detection capabilities, period, how are you detecting all the different attacks that are happening? the statement is accurate because they don't necessarily know the actual attacks that are occurring in there. in addition, i'd like to mention that the chief information security officer from hhs said that healthcare.gov did not follow best practices. as a testament to mr. krush's testimony, the best practices were not followed and did not meet best practice when they were implemented.
>> let me talk to that.
>> i'm sorry, mr. krush, you can get time to someone else. i would like to ask a question to mr. gregg. do you agree with the assessment by mr. kennedy that they don't have the capability? and furthermore, let me say you did have administration firms say in november there were 16, i think, security breaches or incidents, and then 32 in december. are those figures plausible, and where do they get them?
>> well, they're potentially plausible if they either weren't monitoring or didn't pick up the attacks. for most of the sites we look at and companies we work with, we see anywhere from hundreds, potentially, you know, 1,000 or more hits a day. a lot of that stuff is scripted, but for a number to be that low, i would think one, they're not detecting it, or two, their detection capability is not correct.
>> thank you, mr. gregg. dr. ponemon, do breach notification standards for obamacare even meet the minimal standards put in place for the private sector?
>> i think the private sector for the most part, that varies quite a bit. there are industry standards, i think, for example, that are much higher than the standards in the government. nist, for example, the need to comply with certain standards, for example, around cloud computing and fedramp, and there are standards that exist that are fairly reasonable. for the most part, though, i think if you're looking for best practices you would probably look at industry versus government.
>> okay. mr. kennedy, another question for you. is mr. krush right in what he said in his oral testimony, that passive pinging or reconnaissance of healthcare.gov is not sufficient to raise concerns about the website's security?
>> thank you, mr. chairman. i would like to address that. with passive reconnaissance you have the ability to enumerate exposures or vulnerabilities. any researcher or other testers who have been in the industry a number of years, especially on the technical side, would corroborate that. security researchers said the same thing: the website itself is vulnerable. this is not speculation. these are vulnerabilities on the website today that could lead to information being exposed and critical flaws attacking individual people by visiting the website. to answer your question, by doing passive reconnaissance you can absolutely identify exposures. there are techniques without attacking the site to do it. i would say the other seven security researchers who also testified looked at the same type of research and came to the same exact conclusion as myself.
>> thank you, mr. kennedy. mr. krush, i do have a question for you. apparently you have contracts with a company that does work for cms, is that accurate?
>> that is accurate.
>> and then how much, what is the amount of those contracts, both past and present?
>> i actually don't know that off the top of my head. but --
>> i.
>> tens of millions of dollars in contracts in the federal government right now.
>> right.
So you have tens of millions of dollars of business with CMS directly or indirectly. >> Not CMS. >> With a company that does work for CMS? >> No. Those amounts are very high. I'm talking across the government. I don't know specifically with CMS; that is why I can talk from a technical perspective and not speculate -- >> The testimony that you filed, I think it is $1.5 million that you do have there? >> That sounds good. >> If you take my word for it? >> Yep. >> In that case, isn't it natural that we might suspect that your testimony is a result of your being paid by, directly or indirectly, by CMS? And here you're not going to actually testify against them if you have $1.5 million worth of contracts with them. Isn't that a reasonable assumption? >> Well, Chairman Smith, actually as it relates to CMS, if you look at the GAO docket I have protests with them. You know, on the contracting side, me and CMS are not necessarily the best of friends. I'm here to talk about the cybersecurity in healthcare.gov. >> I know what you would rather be talking about. It still seems to me $1.5 million or more in contracts does perhaps influence your testimony. That is all I have to say on that. So my time is up and the gentlewoman from Texas is recognized for her questions. >> Thank you very much. Very interesting hearing. Mr. Krush, you were cut off earlier when you were going to make a comment on Mr. Kennedy's testimony. Would you like to make that now? >> I actually have a few here. So just across the board. Earlier Mr. Gregg talked to the fact that, you know, healthcare.gov didn't implement what we call FIPS 199 and 200. Just to clarify what that is for everyone here: Federal Information Processing Standard 199 requires you to categorize an information system in accordance with the confidentiality and availability of the information system. We know that was completed because there was a letter from Ms. Tavenner out of the authorization process. FIPS 200 is baseline controls for all federal information systems.
We know that was completed because they had an ATO letter that specified some of the vulnerabilities and what the actual process dealing with healthcare.gov was. So I just wanted to talk to that point. And, you know, talking about, also, waiting from Target's perspective, waiting until, you know, a certain time to act, I don't think any of us here have also worked on the target.com website or back-end database. I would tell you that with a lot of advanced attackers, you know, unless you've done forensic sampling and actually picked up the crumbs, you don't know when they actually attacked. I think that is under investigation right now. Healthcare.gov: it seems that Mr. Kennedy brought up the point that there was no security operations center. Some of those $1.5 million, whatever, allocated to my company was actually related to those early on. There are actually two security operations centers within HHS, you might want to know. They have a centralized one which does monitoring of the entire enterprise. On top of that, CMS has its own security operations center, and I can tell you from a technology perspective, some of the technologies they have implemented are, you know, top-notch. It is what you would expect in a top-tier security operations center in the U.S. federal government. >> Thank you. According to Mr. Gregg's testimony, this site is a major target, but the attacks won't be accurate or of interest or of value until after March. What do you anticipate that March will bring? >> Nothing. You know, the truth is when it comes to March, if an attacker wants something off of a site they will continuously do whatever they can to gain access. I think one of the things that was also said is that, you know, there are a certain number of incidents and those numbers do sound low, but once again, everybody here, none of us have worked in the security operations center which does exist within CMS, and so we don't necessarily know what the escalation requirements are.
So for example, most government websites literally are enumerated passively, meaning, and this is still considered an incident, still, through CMS: if you do scans on a website, looking for open ports, protocols, and services, that is considered an incident. Now, does every organization report those? No, because you would have hundreds of thousands of reports a day. However, some of the, I got a call last night from actually a news reporter who called me up to talk about Mr. Kennedy's analysis he had done on the website. And I just want to be clear that, you know, if he and his security researchers actually did go to a dot-gov, did passively enumerate and pull data in an unauthorized manner, that is a very significant issue. I was also, I went to the course while I was in the military for the FBI, and I can tell you that is a grave, is of great concern to us when anybody goes out to a federal government website without permission and is actually passively enumerating and executing something to pull data off that website. >> Thank you very much. Dr. Ponemon, for my last question, you indicated your mother had this incident happen with her identity. What about that stolen information affected her health care? >> You know, in the case of my mom, she would fall into the category of an identity, she is an identity theft victim but not a medical identity theft victim. Really, her medical records were not exposed. And so that would be a different crime. Thank goodness she is not a medical identity theft victim because that's bad news. It is really hard. >> Thank you. >> Thank you. >> My time has expired, but I hope someone would ask the value of someone having hacked healthcare.gov. >> Okay. Thank you, Ms. Johnson. Mr. Hall has said that because Mr. Broun has a time commitment that is almost immediate, he is going to allow Mr. Broun to go ahead of him in the questioning. So the gentleman, Mr. Broun, is recognized. >> Thank you, Mr. Chairman. Thank you, Mr.
Hall, for giving me this opportunity. It has come to the oversight committee, subcommittee of this committee's attention that there is, or at least was, an Affordable Care Act information technology exchanges steering committee chaired by senior White House officials, established back in May 2012, almost a year and a half before the rollout of healthcare.gov. The White House steering committee's charter explicitly directed the formulation of working groups, including one on security. It also turns out that the chairman of this Obamacare website steering committee is the U.S. chief technology officer in the White House science office, who also happens to be the immediate past CTO of the Department of Health and Human Services. Upon learning this, I, as chairman of the oversight subcommittee, along with the full committee chairman, Mr. Smith, and research and technology subcommittee chairman, Dr. Bucshon, sent a letter to the White House requesting that Mr. Todd Park, the U.S. CTO and healthcare.gov steering committee chairman, make himself available to the committee to answer questions regarding the security issues with healthcare.gov. By January 10th, last Friday, the White House had ignored that letter, the committee's request, until just yesterday when it provided a last-minute response that rebuffed this committee. Let me repeat: rebuffed this committee. That letter did not come from the Senate-confirmed president's science advisor, to whom the letter was addressed, but from the politically appointed OSTP legislative affairs director. My question for the panel simply is this. Don't the American people deserve answers from those who are in charge of overseeing implementation of the Obamacare website's security protocol? After all, Mr. Park is the assistant to the president, as chief technology officer of the United States, and the chair of healthcare.gov's steering committee. Wouldn't Mr.
Park, or shouldn't he, know and be involved in the security details of the website? Start with Mr. Kennedy. >> Thank you, sir. When you look at a website and its security, there are multiple people that need to be involved to understand the progress of it. I would agree with your assessment that there should be some involvement in that case. In addition, I would also like to clarify that the amount of information getting around security exposure of the website has been vast. You have the chief information security officer from HHS who didn't say it followed best practices. A number of other individuals saying the security operations center hadn't been started yet. Healthcare.gov was completely independent and started completely independent of HHS being part of them. This is a mismanaged issue. I don't understand how we're still discussing whether or not the website is insecure or not. It is. There is no doubt about that. >> It is insecure? >> It is insecure, absolutely, 100%. There is no questioning that. People from HHS have said that. It is not a question of whether or not it is insecure; it's what we need to do to fix it. Just to point to Mr. Krush's point: he said to Reuters, which is the article he mentioned earlier, Krush said he had not reviewed Kennedy's findings or done any work on the healthcare.gov site itself. This is purely speculation. It's a bunch of hogwash. Personally, it seems to be politically biased, unfortunately. >> Thank you, Mr. Kennedy. I appreciate your long answer, but this is actually a yes or no answer. Mr. Krush, do the American people deserve to know? >> Yes. >> Okay. Mr. Gregg? >> Yes, they do. However, I'd like to add I understand the NIST process and others quite well. I coauthored a book on it. I also developed a course for Villanova University on accreditation. A statement as to a scan: a scan is not passive. A scan is active. Yes, they do deserve an answer on this. >> Doctor? >> Ditto, yes. >> Well, I agree. The answer is yes. I'm very disappointed with the administration.
We've asked for information. The American people deserve to have that information. And I will do everything that we can to try to get Mr. Park, or the administration, to give us that information. Mr. Chairman, my time's run out. So I yield back. >> Thank you, Dr. Broun. The gentlewoman from Maryland is recognized for her questions. >> Thank you, Mr. Chairman, and thank you for your witnesses today. Thank you. Mr. Kennedy, do you have any federal contracts for security? Any? >> As of right now, no. >> Have you had? >> Yes, I have. >> And what were they? >> Working for the federal government? >> Yes. >> Federal security contracts. >> Yes. >> What were they? >> I would be happy to disclose those -- >> I'd appreciate it in writing, if you would. >> Sure. >> Tell us the federal contracts you've had dealing with information security in the areas that you claim to be -- >> I would be happy to write you that. >> And Mr. Krush, I just want to ask you really briefly if you could tell us about the security standards, compare those that are used for the federal government to the private sector. You have alluded to that a bit. If you could, very quickly. >> Sure. So one thing to understand, and just to go back to Mr. Gregg, I've also written, coauthored a book on, we've taken over 10,000 pages of information from the National Institute of Standards and Technology, the Department of Defense instructions, intelligence community directives, and also, you know, some of the SAP programs, and consolidated that, and that book is used in places such as Syracuse University to teach people that actually want to understand this very rigorous federal process. ... A lot of these organizations that had kind of best practices out there, they were integrated into that revision. By revision four we've integrated the Department of Defense standards, the intelligence community standards, also a lot of standards that kind of fall outside the realm, or are threat-based; most, as you will find, most organizations don't look for those.
>> The depth and rigor compared to a commercial organization, to what you'll get in the government, and I have worked on both sides, 50% of my contracts are with Fortune 50 and 100 companies. I can tell you the depth and rigor you implement on a federal information system, as it should be, is much more intense than what you see in the commercial markets. >> Is healthcare.gov, or the rigor attached to healthcare.gov, any different than any of these federal systems you've indicated? >> No. It's the same. >> I wonder if the standards you describe are above, and I think you said this, are above those that you would find in the commercial sector? >> I would say yes. >> Thank you. >> Mr. Gregg, you mentioned some information, speculation about medical records, vis-à-vis healthcare.gov. Are you aware of any medical record that is maintained on healthcare.gov? >> No. The information is simply passed through. >> Exactly. Is there any medical record, personal medical record, contained on healthcare.gov? >> No. >> Thank you. And then Dr. Ponemon, just out of curiosity, you talked about your mother's experience, which was essentially horrible, but she didn't experience identity theft through healthcare.gov, isn't that correct? >> Absolutely not. >> Right, thank you. I just wonder, Mr. Krush, if you could help me, if you will, with the experience you have had in developing and working on federal information systems, is it your conclusion that you would feel safe in putting your personal information through healthcare.gov? >> I put that in my testimony. I would put my personal information on healthcare.gov. I said this more than once. I continue to stand by that. >> Mr. Kennedy, lastly, I want to go back to your federal work that I can find disclosed. I know you got a small business loan from the Small Business Administration, for, quote, businesses that do not qualify for credit in the open market. Again, what is the other federal security work that you've done?
>> I'd be happy to disclose that in written testimony. >> Can you give me an example right here on the record? >> I would need to get permission from a customer. >> What I would like to do, I will write you a letter. >> Your financial disclosures made in this record require that. Did you put that in your financial disclosure? >> No. No. Listen, my experience -- no, the question you asked me was did I have federal experience -- >> It's my time, Mr. Kennedy. Did you put the financial disclosure information in the record as required by our committee? >> Because I'm not required to put that in there. >> Thank you. >> It's not on behalf of TrustedSec. >> The gentleman from Texas is recognized for his questions. >> Thank you, Mr. Chairman. So, Mr. Gregg, could a security breach of healthcare.gov result in people's medical files being accessed? >> Yes, it could. The information could be accessed. The real damage would come afterwards. Having that information, it could be used, potentially, to gain information on financial data. It could be used for identity theft. It could be used in many different ways. That damage, as Mr. Kennedy alluded to earlier, is not just something as simple as replacing a credit card. This can be long-term, very damaging to an individual. >> There was the recent GAO report that documented there was a 111% increase in federal agency data breaches in the past three years. Specifically, the GAO report noted that there were 22,156 incidents revealing personal information since 2012, up from 10,000 in 2009. Interestingly enough, the Centers for Medicare and Medicaid Services, the healthcare.gov operator, had the second most breaches in the report, FY 2012. Mr. Krush said the hackers are going where the money is, and are not necessarily interested in these government sites, but yet we see a substantial increase in the number of incidents that are happening. What can you, Mr. Kennedy, do you agree with Mr.
Krush that people really are not interested in these government sites? What's your opinion on that? >> Thank you, sir. I do not agree with Mr. Krush's testimony. I believe the hackers know where the money is, and there is a lot of money to be made in the personal information site. As with most other agencies they look to do damage to us; having direct access into HHS, IRS is a treasure trove for additional hackers out there. There's a lot of money for organized crime, a lot of money for what we call state-sponsored attacks. I would not agree with his assessment. There's plenty of money to be made. There are breaches happening all the time there. >> If I go to a government site and I'm a hacker, what are the treasures out there that I'm going to glean that are going to help me do whatever it is I have in mind? >> I think it's a fair question. It depends on the motivation of the hacker. There are three criteria. Your average black hat that may be politically motivated. You have organized crime, which is looking for monetary value. There's also a huge black market that surpasses the credit card industry for what we call partners, selling compromised infrastructure. It is a huge market. I can sell that to an attacker for thousands of dollars to make the big bucks off of it. You have a portion of the identity theft, fraud, other areas, and the state-sponsored element, which is other governments, entities, in order to infiltrate intelligence. That's a huge business right now. We see it happening off a number of government entities as well as Eastern European countries. >> Would you be comfortable putting your personal information in healthcare.gov? >> Absolutely not. >> Mr. Gregg? >> No, sir, I would not. >> Dr. Ponemon, would you? >> I'm not sure. >> I want to go back to you, Dr. Ponemon. One of the things you talked about was you wanted to talk about the consequences of stolen identity.
One of the things that might be helpful is, these people that are forced to go to access their health care through healthcare.gov, what would you advise them to do, you know, to access that as they're filling out that information? Are there some preventative things they can do that would minimize some of the potential consequences if the system is breached? >> Given the site is secure, that's a good step, right? But as an individual, what you would do on healthcare.gov, or whether it's a website like amazon.com, we need to be smart. We need to understand that our data could be at risk. The bad guys are really smart. For example, we should not be using the same password over and over again. Our computer should have the most current version of antivirus or anti-malware technology. These commonsensical approaches do make a difference. That should be across the board. If you have data that is extremely sensitive and confidential, then basically your guard, your level of concern, should go up. A lot of people don't think about these issues well enough. They don't think that they will become a victim. With 110 million records here, and 90 million records there, everyone, every single person in this room is a victim of some data loss, and probably has had at least one data breach notification in the last five years. It's a big problem. >> Thank you, Mr. Chairman. I yield back. >> Thank you, Mr. Neugebauer. The gentlewoman from Oregon is recognized for her questions. >> Thank you very much, Mr. Chairman, and thank your witnesses for being here today. This hearing is about healthcare.gov, but I just want to make a big-picture point, that the Affordable Care Act is certainly about more than a website. It's about an issue of great importance, which is about the availability of health care to all Americans. When I saw the title of this hearing, I was pretty interested. In my past, my background, I've worked on identity theft issues.
I was a little baffled about why we're doing this in the context of healthcare.gov and in the Science Committee. That being said, we all acknowledge that there have been some series of technological problems rolling out the Affordable Care Act. But I'm really concerned that some people listening, our constituents, might really be concerned that there are risks involved in enrolling through the website that aren't really there. So I want to clarify a couple of things. First of all, I want to make it clear to our constituents that identity theft is already a federal crime. That if someone knowingly commits identity theft, that's a federal crime. If they do it, aggravated identity theft, there are enhanced penalties. So I want to make clear that if there is identity theft, that is already against the law. The Department of Justice prosecutes that. There are several -- civil laws. Identity theft is an issue we should be concerned about, but I'm baffled about why we're talking about it in the terms of healthcare.gov. Mr. Krush, I want to ask a couple of questions. First, I want to acknowledge and thank you for your service to this country, and I understand, Dr. Ponemon, you're a veteran as well. Thank you for your service. Mr. Krush, you talked about how some people are suggesting that healthcare.gov is a major target for hackers. Based on your background, your military and cybersecurity background, could you discuss the range of hackers and different motives and talk about where healthcare.gov is on the scale of high-payoff targets? You mentioned this in your testimony. But could we talk about that range just a bit? >> Yes. Actually, it's very interesting that we are here on the Committee on Science, Space and Technology. I will tell you something, from a high-payoff targets perspective, especially when you're dealing with advanced attackers, the more nation-sponsored attackers and those even in the criminal organizations, they are after some very specific targets.
I'm not going to go into those, but I will tell you, from a government perspective, in all reality if you're looking at the dot-mil and the dot-gov kind of domains, healthcare.gov is not really a huge high-payoff target. Space systems, technology related to weapons systems, intellectual property, source code, information related to clinton's. Information related to, quite possibly, not only personal information on a person but maybe weaknesses such as relationship issues, where they can be played on or blackmailed. There are websites that include information on criminals that are actually part of court systems. Literally, we keep all of this information online. If you can imagine from an attacker's perspective, you could literally, you know, not to leave the paper, but there's ways you can get into the system and change an outcome of, quite possibly, cases or what actually you have done in the past. >> Thank you. Thanks much. I want to follow up a little bit. It's my understanding that we've already established there aren't medical records on healthcare.gov. Mr. Gregg confirmed that in response to Representative Edwards' question. Do you agree with that? >> Correct. Those are at the provider. >> Would you agree there is more personal information in a federal tax return than there is in a healthcare.gov insurance application? >> I agree. >> Mr. Kennedy? >> I do agree. >> Mr. Gregg? >> I do agree. >> Dr. Ponemon? >> I agree. >> About 80% of the people in this country file tax returns online. Mr. Krush, do you file yours online? >> I didn't. >> Mr. Gregg? >> No. >> Dr. Ponemon? >> I'm old-fashioned, no. >> Mr. Kennedy? >> I'm old-fashioned as well. >> We understand about 80% of the people in this country file their tax returns online; we are talking about security with healthcare.gov when there's more personal information on a federal tax return. I want to highlight that, that we are talking about security with healthcare.gov
when the majority of people file their tax returns online. All of you call for third parties to conduct security testing. The MITRE Corporation, Blue Canopy, and Frontier Security have all been doing that for months. In your opinion, are those companies competent to do the work, yes or no? >> Yes. >> Mr. Kennedy? >> Yes. >> Mr. Gregg? >> Dr. Ponemon? >> I only have knowledge of MITRE, and the answer is yes. >> Thank you. Mr. Krush, to date there have been no cases of a person's identity being stolen through healthcare.gov at this point, is that correct? >> Correct. >> I want to put that out because the title of this hearing suggests one of the consequences of signing up through healthcare.gov is going to be identity theft. So I wanted to clarify that. So my time has expired. Thank you, Mr. Chairman. >> The gentleman from Texas, the chairman emeritus, Mr. Hall, is recognized. >> Thank you, Mr. Chairman. Thank you for the hearing and the witnesses. I like old-fashioned people. I don't know why. But I ask my fellow Texan, Mr. Gregg, there's been talk about March 31, and I think you mentioned, since the deadline for open enrollment is not until March 31, would hackers be kind of foolish to exploit the website now because they potentially have the opportunity to retrieve a heck of a lot more information after that day? Do they think like that? >> No, sir. They do in many ways look for the big payoff. As was mentioned earlier, really cybercrime can be broken into two areas. One is the individuals looking for military, looking for that type of information. But a big portion of it is monetarily driven. We see a lot of that in places like Eastern Europe; we see it in places like Russia. Those individuals are looking for personal information. They are looking for things they can make a financial payoff from, and to wait until the time was right would be to their advantage.
While it is true information is not held on healthcare.gov, information is passed through that site that they could potentially manipulate or take advantage of. >> I've heard of a lot of problems, but given the problems of the website to date, would you say it's highly likely that there will be breaches to the health care website? >> Yes, sir, I do believe it's very possible, or it is probable, that could happen. >> Once it has occurred, how quickly can experts find out about the breach? >> That all depends. We've seen in previous cases with things like GhostNet, a trojan; we've seen cases like with Google and Aurora and others. In some instances those organizations didn't know until weeks or months later. >> How quickly should the American people be notified in the event of a breach? >> Immediately. >> Within hours? Days? Right now? >> Right now. >> That's pretty clear. Once a breach has occurred and people have been notified, what actions should people take? >> Immediately start to do things like Dr. Ponemon mentioned, as far as change passwords, change IDs, especially notify and talk to your credit card companies. Look at your credit card statements; also check your credit rating and look at the credit rating organizations. Because many times, just like a period of about a week ago, I got an e-mail from Amazon that someone had opened up an account under my name. I called my credit card provider and found that someone had charged about $5,000 worth of merchandise under my name because someone stole my credit card. You need to take action to put a stop to it if the credit card company doesn't catch it. >> So this is not like Target; you can check with your bank or credit card company for any suspicious activity or something you think might be happening. I think that's what you're telling us? >> That is correct. >> How do you find out -- how did you find out your Social Security number -- is that the way they got it? >> No, sir. They got my credit card number.
>> If medical information had been compromised, what would you do? >> It's very tough with medical information because someone is potentially obtaining medical services in your name. You may not find out until you actually get the bill, or if they sent that to another address you may not find out until maybe you get denied for a job because they said you had a preexisting condition you didn't know about. >> What are the steps involved in repairing the breach? >> It's very tough -- >> Should a website be shut down while these remedies are being considered? >> I would suggest it should. It's very tough because first you've got to contest the charge. If it's related to medical, as soon as you contest it, under HIPAA and other laws you have no access to the records or information because it's not your information anymore. It can be very difficult. >> My time's almost gone. I believe that all of you would agree that while no website can be 100% safe, every precaution needs to be taken to ensure the security of the site. Mr. Chairman, the unfortunate questions surrounding the launch of the health care website, and as a result the security of Americans' personal information, is going to remain at risk. Is that your understanding? Is that why we're having this hearing? >> That is exactly correct. >> I thank you for the work on this issue, and I thank each of you, and thank you, Mr. Chairman, for a good hearing. >> Would you yield me the balance of your time? >> I yield the gentleman my time, today, tomorrow, next week, anytime. >> Mr. Kennedy, I would like to re-emphasize the point you made about why the government doesn't know whether it's been hacked or not, that is healthcare.gov, why the government really can't say or state credibly that there have been no successful security attacks. >> If you look at the healthcare.gov infrastructure, it was built independent of HHS, including the security operations center piece. There's testimony in front of Congress that also states that as well.
The security operations center, as of the 17th, had not been built or implemented, which means they didn't have the security monitoring capabilities. To re-emphasize, they don't know. >> They don't know; that's why they can say there hasn't been any. They are not in a position to know one way or the other? >> That's correct. >> The gentleman from California is recognized for his questioning. >> Thank you, Mr. Chairman. Mr. Krush, would you like to respond to that? >> I'd love to. Actually, we've been talking about all of the supposed breaches that have been going on related to healthcare.gov. If they could monitor those, how, and what, do you have a number? The number would be zero if there was no capability to actually look at what kind of attacks are coming through the ether. >> Thank you very much. Mr. Gregg, I want to focus on a couple of areas of your testimony. First, you argue that the site, healthcare.gov, really needs a third party working to probe the system for weaknesses. And second, you assert that medical records are at risk on healthcare.gov, and you list the kind of damage that can be done with medical records. You stated previously in a post, a Huffington Post post, that, quote, however, the U.S. has some of the very best minds in the world when it comes to cybersecurity, and there's no doubt that healthcare.gov can be fixed if the right people are given the chance to test it. Do you still feel that way? >> Yes. That's one of the reasons why I'm here today, because I believe with an independent third-party assessment and the right assessment done we can get to the bottom of this. >> Thank you. Were you aware prior to your testimony today that MITRE, Blue Canopy, and Frontier Security were all working on a third-party certification? >> MITRE, yes. The others, no. >> You were aware that MITRE was. So I don't understand how, in your testimony, you still assert that third-party work needs to be done, but you acknowledge that a third-party audit was actually being conducted by MITRE?
>> Yes. One of the articles that was written, that was written at the time, and I don't know if MITRE has finished the research or not, or what the findings of those are. >> You did raise this question of the third-party certification -- >> You led us to believe that third-party work wasn't being done, but, in fact, you acknowledge it was being done. >> Not at the time of the article. >> In your testimony you led us to believe, you raised it as a concern, but -- >> You quoted a statement directly from the article, that I said that needed to be done. At that time nothing had been done. >> But the testimony submitted for this committee doesn't acknowledge it. But yet you're telling me here you had knowledge of it, that it was being done; your testimony leads us to believe it was not being done. >> As of this hearing I do have knowledge. >> Okay. >> At the time of the article, no. >> Very well. You know, Dr. Ponemon, you talked about the medical records and identity theft, and in a lot of your work, 95% of the people who commit these sorts of deeds are motivated by Robin Hood motivations. Would you explain? >> It's not 90%, but it's a large percentage; I think it's 29 or 30%, but it's still pretty significant. A Robin Hood crime, as we define it in the research, is where someone, for example, has a family member or friend who basically has an illness and they are not insured, and basically they will sort of look the other way, if you will, and allow the person to use their insurance credentials so that when they show up at a hospital or a clinic they're getting better treatment than just right off the street. >> Common sense would tell me, if that's a big motivation, what motivates someone to go and steal someone's identity, expanding health care coverage, providing quality coverage for more and more people, would reduce this, the likelihood of this. >> You have to understand, I will be biased in that because I think we all deserve good health care.
So basically, if you could get health care, the value of a credential would be meaningless because we all have that credential. There's no value, if you will, in stealing someone's credential because everyone is going to have a credential that will give them reasonable health care.
>> If we made this health care website very successful, and more and more people got enrolled, we would reduce the risk of the misuse of medical records.
>> It could work one way or another. It's really hard to determine that. In theory you're right. You could basically say that 29 or 30%, the Robin Hood portion of the crime, the medical identity theft, might actually be nonexistent.
>> So we could possibly remove a huge motive for people to try to hack into this system?
>> Well, yeah, but remember, the value of the medical record is more than just getting the insurance. That's only a very small part of it. There's a lot of information, rich information. We've done studies in the Russian Federation and other parts of the world. If you do look at the most valuable piece of information right now on an individual basis, it would be a medical record. Just yesterday Fox News, Fox Business News, did an article on the value of different types of information. And medical information in the black market is much, much more valuable than, say, credit or debit card information or authentication data.
>> Thank you very much. Thank you.
>> The gentleman from Indiana is recognized for his questions.
>> Thank you all for being here. It's a fascinating hearing. We had a previous hearing which was also very fascinating. We were four for four on "no" on the website last time, but we are three for four this time. In my view this is about the confidence the American people have in their government, whether or not the government is doing everything they can to protect their privacy. It's not about health care. At all.
We could be talking about any other website that the federal government has, and we know the GAO came out and reported thousands of breaches across the federal government. So to argue that this website is going to be secure and nothing is going to happen, I think, is a false argument. It is going to be breached. There is going to be information stolen. I think from my perspective, I was a medical doctor before, I think when you throw in the health care part of it, it becomes very personal to people. I understand people out there in my district are concerned about the Department of Defense being hacked. Maybe a few people. But when you start talking about the potential for information that they perceive, whether it's real or whether it's perceived, is personal information, I think all of us in hearings like this and across government, in the administration, in both political parties need to recognize that we need to do whatever we can to regain the confidence of the American people that we are protecting their personal information as best we can, even though I do recognize the website itself doesn't have that, it does have portals, and people who are smart can potentially access that. This is one of the biggest problems in electronic medical records that we have. My medical practice established an electronic medical record in 2005. I love electronic medical records, but there are two issues, security issues and compatibility issues about getting medical information across different types of electronic medical records. I think it's unfortunate that all of you are somewhat subjected to the national discussion about health care, and I appreciate all of you trying to confine your comments to the security aspect and not the larger national debate about how we provide quality, affordable health care to all our citizens, which I think is the goal we all have, certainly as a medical doctor I have.
So it really doesn't matter if healthcare.gov is a low propensity target by some hackers out there. In the minds of the American people, when you're making it their health care, this is the biggest target in the federal government in their minds, whether that's real or perceived, it doesn't really make a difference. So Mr. Krush, I mean, the GAO came out with this report, as you know, in 2012 saying there were 22,156 data breaches, 4,000 in CMS alone. You have a relationship with CMS. You have to recognize that we can't make the case that any website is going to be secure to try to make a political argument to prove that the way we are managing health care is the right way to go. That's not the discussion. The discussion is how do we protect information. You would have to agree with that?
>> I agree with that. I would just say I agree with that, with the idea that the process that we use, you know, to secure the data on federal information systems is very rigorous. That's my complete argument.
>> I would agree with that. When it comes to confidence, I know we discussed third party people out there looking at this, and I'll be honest with you, I'm a member of Congress and I have no idea whether there's a third party person out there, there obviously is, looking at this. So our charge is to get that to the American people. If the American people don't know it, and I can tell you as a political person trying to get a message across to 700,000 people, it's difficult. That's just 700,000 people. We need to do better getting the information out that there are people in government looking at this to preserve people's personal records. That's my view. Mr. Kennedy, how do we do that?
>> I think if you look at the broader picture here, and not just healthcare.gov but just in the federal space, end-to-end testing, proactive security measures, things that are outlined as being best security practices need to be performed. I'm not saying NIST doesn't have that.
To comply with FISMA isn't a rigorous process. What I would have to say to that is we have to focus on putting security at the very forefront, in the very beginning stages, when we hire a contractor or we go after another organization, through the entire process of that. healthcare.gov is a prime example of the failures of being able to implement security in a rigorous manner, or in a process that includes security throughout the entire lifecycle. If you do that you have a better product, something that people can stand by and say we are doing our reasonable amount of assurance and we're protecting your information, not just kind of a sloppy get-together, throwing it out there.
>> I would like to say let's all of us work together to regain the confidence of the American people. Thank you.
>> Parliamentary inquiry.
>> Thank you, Doctor.
>> I had a parliamentary inquiry.
>> The gentlewoman is recognized.
>> Mr. Chairman, isn't it true that the committee and House rules require witnesses to submit a factually correct financial disclosure form?
>> There are certain limitations of that, but within those limitations I think that's the case, and I think all of our witnesses have done so today.
>> Mr. Chairman?
>> Yes. The gentlewoman continues to be recognized.
>> Why don't I get --
>> Point of order.
>> The gentlewoman is recognized.
>> I make a point of order that the witness testifying today has not complied with House committee rules regarding financial disclosure, and under those circumstances I request that the testimony be stricken from the record. I am very --
>> I object to that. And --
>> I expected that.
>> The gentlewoman is not the one to make that decision.
>> I am not finished. I am recognized, Mr. Chairman.
>> If the gentlewoman has something pertinent to say to her inquiry.
>> I am very concerned about the testimony we heard from Mr. Kennedy a moment ago.
He testified on the record he did not disclose government contracts in his testimony form, that he and his company have received. Our committee rules require --
>> He also said he was not required --
[talking over each other]
>> -- filled out by each witness. On that form, Mr. Kennedy answered the question saying "not applicable." This means he did not comply with the rules of our committee, and as such I ask that he be removed --
>> That is not necessary and legitimate --
>> -- to accurately and fully disclose the federal grants and contracts that he or the entity he represents have received on or after October 1.
>> Do you want to respond whether you disclosed that or not?
>> The question was have I done work in the federal space in the past or currently. The answer is, on behalf of TrustedSec, we did not do work in the public sector or government, which is what I disclosed in the statement. I have worked for NASA as well as other federal agencies in my capacity as a chief security officer, as well as my prior role as a security consultant for former entities. So to answer the question as it was asked, I did not do work for the public sector. I'm busy in the private sector keeping everybody else protected.
>> Thank you, Mr. Kennedy, but I'd like to continue our questions. The gentleman from Massachusetts is recognized.
>> Thank you, Mr. Chairman, and thank you to the witnesses for being here today. I wanted to start out by saying, Teresa Fryer was mentioned earlier in this hearing. It was referenced before, some of her remarks on healthcare.gov, and she just recently said today that the healthcare.gov website is secure based on a December 18 security assessment. She stated the system exceeds the best practices to ensure security and risk mitigation policies are being implemented and executed as planned. As a result, hacks have been successfully prevented. Just to make sure we're all up-to-date on the current testimony.
Now, a couple of points of clarification. Mr. Kennedy, I think one of us here supports the ACA, but I will leave it up for the gallery to decide. I noticed, I think in your initial testimony, and you were nodding your head when Mr. Krush said, unless you are actually able to dive into the inner workings of the website, which you declared you did not do, anything illegal, you would not have any way of knowing in detail what part was vulnerable to attack unless you have done so. Is that accurate?
>> We can't tell the inside of healthcare.gov without testing, that is 100% accurate. What we can see are symptoms of a much larger issue. If I can read one of the things I submitted, just as an example. Mr. Skoudis said, "I've worked on dozens of large-scale cases. We've investigated issues discovered in the healthcare.gov. I consider this a breach waiting to happen. Given the form of those, perhaps a breach has already happened." These are emphasized on that.
>> Mr. Kennedy, I appreciate that, but the point is, and it's been reiterated a number of times here, that we don't know, but you don't know. You testified before that HHS doesn't know; you don't know. Much of this is a concern.
>> The underlying portion of healthcare.gov, absolutely.
>> Mr. Krush, out of your expertise, could you give me off the top of your head what you believe to be the biggest data breaches? Target and Neiman Marcus, how many others are you aware of?
>> Interestingly enough, when it comes to the breach, I think Target is a perfect example of someone that has the capability to identify a breach. The thing that is of most concern to me is that there are lots of industry and government organizations that don't have the capability to do that.
>> Target, Neiman Marcus is always in the news now. Do you recall the Heartland Payment Systems data breach back in 2008?
>> Yes.
>> At least from some reports, 130 million credit cards exposed. How about TJX Companies in 2006, 94 million credit cards exposed? Epsilon, which exposed e-mails of millions of customers, over 186 retail chains. Sony PlayStation Network, over 77 million PlayStation Network accounts exposed. All private sector, yes?
>> Yes.
>> The private sector invests billions of dollars a year trying to protect?
>> Yes.
>> Has to be on the cutting edge in order to defend against?
>> Yes.
>> Are you aware of how many times the House of Representatives has voted to cut funding or repeal the Affordable Care Act?
>> I am not.
>> Does a number close to 50 seem accurate to you?
>> Unfortunately, I just don't have that. I can talk about risk assessment if you like.
>> Take my word for it. I yield back the balance of my time.
>> The gentleman from Oklahoma is recognized for his questions.
>> Thank you, Mr. Chairman. I appreciate the time. I would like to start by asking our witnesses a question. Are you familiar with Tony Trenkle? He was the chief information officer for the Centers for Medicare and Medicaid Services. His job was to oversee the development of healthcare.gov, and his job was, the last thing before launching the website, he had a security waiver he was supposed to sign. Do you guys remember any of this by chance? And he didn't sign. He refused to sign it and he resigned. His boss, Marilyn Tavenner, CMS administrator, who is not a chief information officer, who arguably would not be qualified to sign a security waiver, she signed it. He didn't. He is qualified. She did. She is not qualified. She's an appointee of the President of the United States. Interestingly, her boss, Secretary of Health and Human Services Kathleen Sebelius, testified before Congress that she had no idea that the security waiver was supposed to be signed, that it didn't get signed, and that her subordinate, another Barack Obama appointee, signed it. She didn't know.
It would seem to me, having a qualified person not signing it and then having to resign, and the administration was not clear about why that person had to resign, namely Tony Trenkle. In fact, they didn't answer the question why. It would appear, and this gives me concern, that the people who are making decisions are making them for political reasons, not in the best interest of the security of our citizens. And so some of you on this panel are CEOs, I think three of you, and one leads a research institution. Just a quick yes or no answer. In your institution, if this was going on, would you guys have an issue with that? Would someone be fired? Go down the row.
>> Coming from being a chief security officer for a Fortune 1000 company, I would suggest that would raise a major concern for me.
>> I would just talk to the point that the authorizing official, if he or she was the one who authorizes the system, this is one of the breakdowns in the risk management framework right now. You have the CIO or the director that are in charge of maybe a program, an organization, and they're designated as an authorizing official. I would say if we're going to look at one of the weaknesses in the process governmentwide, it is that the chief information security officer should be where the buck stops, always.
>> Right, but just to your notion that he should have signed it if it was secure, and his refusal, a big breach of trust with the American people?
>> I acknowledge that it's undisputed that he was forced to resign. Our current process allows for the authorizing official to be whoever is designated in charge of the entire information system. So that being said, I think that's the weakness in the process. Right now it should be the chief information security officer where it stops. They're supposed to know the system, the security capability, and they're supposed to be the ones that should be responsible, but that's not the process we are currently using in the government.
>> It was the possibility of those to be used until he refused and then resigned. Going down the line.
>> I would also suggest, I would add to that, that what we talked about earlier with external third parties looking at this, that's just a piece of it. The other part is those items are implemented and signed off on.
>> It's my turn, I suppose. Yeah, it's a big ethical issue in my opinion. I think the key variable is that security of our country and the citizens of a country should be more than a political issue.
>> Agreed.
>> But I don't think the solution is to have local CISOs, people in middle level management. It should be a major, major function of this government to have a CISO for the entire United States, and --
>> I'm going to take back my time. I only have 30 more seconds, but I appreciate your answers, and you can submit for the record. I'd like to just say, I'm not going to put this into the record, because I don't want to create any issues on the other side of the aisle, but this comes from an article from CBS News dated November 26, 2013. The people at home watching can access it on the internet. It's all been disclosed, but I'd like to say, finally, in my last five seconds, this is exactly why the American people lost trust in their government. This is exactly why the American people have lost trust in the government. I yield back.
>> The gentleman from Illinois is recognized for his questions.
>> Thank you, Mr. Chairman. Thank you all for being here. This is such an important topic and something I'm hearing from my constituents as I travel around my district, the great concern and wanting answers. I appreciate you being here. I've got a couple of different questions. I will address the first one to Mr. Krush.
According to your written testimony, based on what you have read publicly, healthcare.gov, and I quote, "healthcare.gov is most likely categorized as a moderate system," referring to the National Institute of Standards and Technology security levels of low, moderate and high. Is that an appropriate categorization for this kind of personal data that we're talking about being available and accessible through the healthcare.gov website, including people's medical files?
>> So usually we reserve high, or, you know, grave danger to national security to the confidentiality and integrity, for most of the high systems; usually when something is categorized with that, it's life or death. Since healthcare.gov is not that, there are some areas where, depending on the organization, there's something called an organizationally defined parameter. That allows the organization to say if they process, store privacy data, it allows them to make recommendations to go to high. What I've read thus far about the site, because of the interactions with the other websites, handing off to these controlled APIs and the way they are dealt with, interconnections, it still would be monitored. If one of those interconnections is high, then what they have to do is actually, they have to develop what's called an interconnection security agreement. But that requires both sides to agree on the cybersecurity rules, including on how quickly they report in --
>> Let me jump in real quick. I would say for my constituents this is a concern to them, and I think for us as well. I would agree with my colleagues about how important this is. Talk about medical care, it sounds like life-and-death to me oftentimes, to make sure our medical records are protected. I'm going to jump to Mr. Gregg. Is there any evidence that healthcare.gov meets NIST's security standards, and should you certify that healthcare.gov complies with the Federal Information Security Management Act?
>> I have not seen that evidence, and therefore whether they have been certified I cannot say.
>> Let me open this up to any others, I don't know if -- let me open this up to you all, any thoughts you might have. National Institute of Standards and Technology, NIST, provides agencies with the guidance they need to develop and launch networks and websites that are fully and properly secure. Should NIST's role be increased with any new authority and responsibility, specifically with regard to healthcare.gov? Would NIST be the best qualified to serve, to help agencies needing to get to standards, compliance, and in today's case, should NIST review healthcare.gov? Start with Mr. Kennedy.
>> I would agree, but if you look at not just technology, specific areas, CDC, which is -- the same oversight needs to be there, and the expertise of NIST needs to be there over our security practices inside the government. This is more of a guidance role right now. I think the expansion is really to bring more security integration throughout the whole government, the whole federal government, to build best practices in.
>> Any other comments or thoughts?
>> They currently write the guidelines, the NIST, National Institute of Standards and Technology, Special Publications, and also they write different guidance on different types of technology. I think just understanding, if you have one organization in charge of the information security for every single government organization, you will never come to the same risk decision. The problem lies in the fact that somebody at HHS is going to know about HHS systems and the security and the requirements better than someone in an office somewhere up at NIST.
>> My fear is accountability, making sure, sometimes I see it in bureaucracies, there's a desire to protect, if we have a breach, to let anybody know. Mr. Gregg, any thoughts?
>> No. But I would agree many times this stuff is covered up and it's not released to the media.
We see with Target there was some information, but we have yet to see the full picture.
>> Dr. Ponemon, real quick, what are the consequences that consumers face in the wake of medical identity theft? Are there financial consequences in addition to medical consequences?
>> We find a fairly large percentage of our sample suffer some kind of financial consequences, and sometimes it's staggering. It could be thousands, tens of thousands of dollars. Keep in mind that the people who are at risk are not necessarily wealthy people; for people who are low income, we wrote, on a proportional level it could be a total yearly income, basically the cost associated to clean up your medical records.
>> That's my fear. Those most vulnerable are right on the edge. If something happens, they don't have anything to fall back on. People with significant resources do. Thank you for being here. Mr. Chairman, I yield back.
>> The gentleman from Texas is recognized.
>> Thank you. Is it Crushed or Krush?
>> It is Krush. Depending on the... I use Krush.
>> Just call you for dinner is the main thing, right? I think you were lucky enough to work for HHS, or was it CMS?
>> I was fortunate enough to work early on in the central office at HHS. I've also provided training, actually, related to the risk management framework; I developed online training for CMS.
>> I want to draw attention to the word "lucky."
>> I would say when I was talking about "lucky," I was talking about the individuals that are at central office, probably some of the most talented cybersecurity people I've met. That's just the truth. I worked with them and their contractors, and now they are in charge of --
>> You said working for CMS and I wrote down the words "best of friends," quote unquote.
>> That's correct, at CMS. We had a recent protest with them.
>> But you have two government contracts, so you might not be best of friends, but you weren't enemies?
>> Absolutely not.
>> It wasn't maybe a marriage, but at that dollar amount you might be interested in a long-term relationship? What do you think?
>> At those dollar amounts, it was a little bit more, probably.
>> I see. You're going to play hard to get. So were you hired on experience and good performance?
>> Absolutely.
>> So you think performance is important?
>> Absolutely.
>> Would you say that the performance in rolling out healthcare.gov was stunning or problematic?
>> It was problematic.
>> Very problematic. Can you understand how some Americans would question the ability of the companies that put together healthcare.gov?
>> I can.
>> Sure, makes sense, but it's no surprise to them that their credibility has been called into question. Do you fault us for doing our due diligence, trying to protect the American public?
>> I do not.
>> You think it's a good thing what we are doing here?
>> I think every time, unfortunately, we are as a nation very reactive, just like industry. We wait until something big happens before we talk about it. Cybersecurity --
>> Yes or no, a good thing? I'm running out of time.
>> Absolutely.
>> Stunningly good. I'm glad you said that. Mr. Kennedy, do you also think it's a good thing?
>> Absolutely I do.
>> Mr. Gregg?
>> I do.
>> Doctor?
>> Yes, I do.
>> I'm glad to hear we are finally doing something that is advantageous. That's kind of rare for Congress. Mr. Krush, on February 19, 2013, you tweeted "don't just worry about China breaking into systems," and then you went on Fox News and talked about it. Do you recall that?
>> I don't remember that tweet, but I'm very passionate. Actually, I don't tweet that much at all, but I did go on Fox News related to the APT.
>> You don't do a lot of tweeting. When you tweeted out "don't just worry about China breaking" -- what did you mean?
>> I think it's probably when I was tweeting, I just reposted a news article and that was probably just the title.
>> But you recognize we have a lot of cybersecurity attacks hitting us, our government, like a million a year?
>> Absolutely. I've helped to develop many security operations in the government and industry, and there are organizations constantly knocking at our door and trying to knock it down.
>> But China would only attack the military websites. They would never go for healthcare.gov, would they?
>> Interestingly enough, most organizations, state-sponsored organizations, and I put this in my testimony, they are always looking for choke points. Dot gov, dot mil.
>> The people in China, their level of proficiency, low, medium, high?
>> Very high.
>> We are well advised to warn the American people that they are going to have information on healthcare.gov that may be spread across the globe?
>> You are well advised to warn everybody in the federal government and industry that cybersecurity needs to be one of your top priorities.
>> I appreciate you understand that. I yield back.
>> The gentleman from New York is recognized for his questions.
>> Thank you, Mr. Chairman. I think it's been two months since our last meeting. Mr. Kennedy, welcome back. As one of the last witnesses I tend to see, there are times people try to defend the indefensible. And the best way to defend the indefensible is to confuse the issue and muck it up and raise other things. I would like to come back here at the end and remind everyone that all four witnesses last time, including the Democrats', testified that the website was not secure on October 1. They testified that absolutely the website was not secure on November 19th. We couldn't get agreement as to whether we should shut it down immediately or not, but the testimony indicated that October 1 was a date certain set by the Obama administration to launch healthcare.gov, irrespective of whether it was ready, and I think the American people, the public, know it was not ready.
So I think it brings into question, if it was a date certain, it wasn't let's launch the website when it's ready. Let's launch it when it will do the job and handle the traffic. Let's launch it when it is secure. No. It was let's launch on October 1 because we promised it would be October 1. Whether it's ready, whether it's secure, doesn't matter. Launch it. We did. The American public can see for themselves that that was the overriding consensus. Here we are today, and yes, we have a different witness, but I guess I would ask our witness, Mr. Krush, whether you think the website was ready to be launched on October 1 or not? That's kind of a yes or no.
>> That is a no.
>> Do you think it was secure on October 1?
>> So if you've read my testimony and my previous testimony, you'll see that I said the process was followed, and a risk-based decision was made. That's what it's called, risk management framework, and the NIST risk process.
>> I guess what I come back to here is, there are those today that try to say this was a politicized hearing and so forth, to which I don't think it is. I think we are just back to talking to the American public who are being told to sign up, they must share this delicate information including Social Security numbers. I think the fact that Target or Neiman Marcus happened, and other issues, doesn't defend this. Two wrongs don't make a right by any stretch of the imagination. But I'm going to point out and remind folks, this website was launched on October 1 for only one reason, a political reason. It was not ready. The administration knew it was not ready. If it's not ready it's not secure. It wasn't secure. We know it wasn't secure. We are being told that they could trust the administration, Mr. Krush, to trust some of your judgment. Something happened in the last week or two or month. It's now secure. Well, I guess I'm not quite ready to accept that just because you say it is so. That doesn't necessarily make it so.
So I'm just trying to bring us back to where we were October 1, where we were on November 19, where we are today. And certainly I'm confident three of our witnesses today, Mr. Kennedy, do you think it is secure today?
>> Absolutely not.
>> Mr. Gregg?
>> No, I do not. Usually when something like this is rolled out, it is rolled out in a beta first, to a small group.
>> Dr. Ponemon?
>> It's hard to tell. These people are the experts. Based on what I'm hearing, again, as a citizen of this country I'm concerned. I'm not happy with what I'm hearing.
>> Mr. Krush, I'll let you answer that as well.
>> I think my testimony and everything I've been saying here is, none of us worked on healthcare.gov, so speculating that it is secure or not is not something I'm willing to say.
>> So you would say today, you would not state affirmatively to the American public that it is secure?
>> Based on information that I have read, a risk-based decision was made. There was a mitigation strategy that was very clear. They are doing weekly scans, daily scans, mitigation and remediation. That's pretty secure.
>> So you are stating yes, it is secure?
>> I am stating, based on information I have right now, I would say it is secure.
>> We can have that difference of opinion, and I guess I'll leave it at that for the American public to make their own decision. I yield back.
>> The gentleman from Illinois is recognized.
>> Thank you, Mr. Chair. Mr. Krush, some like -- unlike
