Encryption solution on the IRS side. We are working with the Department of Ed.

Mr. Hurd: How will it help with authentication if you have a user that has stolen credentials?

Ms. Garza: The solution that we had looked at was not satisfactory to provide the usability of the application, so we have moved to an encryption, so unless that...

Mr. Hurd: That doesn't answer the question. The question is, how does encryption on the back end help with authentication of an attacker that is using stolen credentials?

Ms. Garza: It does not improve authentication. What it does do is not allow the data to be revealed to someone other than the actual applicant.

Mr. Hurd: But if you have stolen credentials and you're not able... then you're able to spoof that you have the credentials. What are you doing to prevent that from happening?

Ms. Garza: So there are a set of keys on the IRS side that's only shared with the Department of Education. So as the applicant comes in and releases, tells us to release the data to the Department of Education, they don't have access. They don't have the key to decrypt that data. It's only the Department of Education, once it gets to their site, that they will be able to decrypt the data.

Mr. Hurd: OK.

Ms. Garza: That applicant...

Mr. Hurd: So, Mr. Gray, you are responsible for fafsa.gov?

Mr. Gray: Yes, sir.

Mr. Hurd: How are you able to authenticate it to the end user?

Mr. Gray: We are looking at several proactive measures.

Mr. Hurd: "We are looking" portends you are doing something in the future. Do you have a past tense verb that you can use on what you have done?

Mr. Gray: For the Department we follow defense in depth, and we have a whole series of actions that we're taking to ensure we protect our systems.

Mr. Hurd: And what are those series of actions?

Mr. Gray: Some of them I referenced in my opening statement regarding data loss prevention, web access firewalls.

Mr. Hurd: How does data loss prevention help with authentication?

Mr. Gray: It would not. For authentication for FAFSA, it is the balance between... this is an application form where users are actually inputting their own data to gain access to apply for a student loan.

Mr. Hurd: I get that. It's your responsibility to confirm that the person that's entering that data is indeed the person who owns that data. I recognize this is a tough job. I recognize what you have to do is difficult, but you still haven't explained to me... we've proven and we've seen, with the theft of over 100,000, or the impact on 100,000 students, that the authentication mechanism within fafsa.gov and the DRT tool is lacking. And my concern is that everybody's doing this. And I want to know, what are you doing? And if you need additional authorities to improve authentication on fafsa.gov, I want to hear that too.

Mr. Gray: Thank you. The authorities that I have have been very adequate. In terms of what we're doing, this is the balance between accessibility of the tool, which at this point is a web application where a student, prospective borrowers, are coming in to apply. The level of authentication for that is currently set where the identity proofing piece comes in when we are disbursing the funds. For the DRT, the challenge, what we're doing is looking at doing is masking and encrypting the data, so if an identity thief logs in through our system, they will not see that data, which would not allow them to exploit this vulnerability.

Mr. Hurd: Madam Chairwoman, I apologize for going over my time.

Ms. Foxx: No problem. Without objection, I'm going to recognize Mr. Duncan for a unanimous consent request.

Mr. Duncan: Thank you very much, Madam Chair. I realize you are not going to be able to get to me for questions, so I want to make a unanimous consent request to include in the record at this point an email from one of my constituents, Melissa, who is the financial aid administrator at the Tennessee College of Applied Technology, because she has four good suggestions to help with this problem in her email. Thank you very much.

Ms. Foxx: Thank you, Mr. Duncan. Ms. Kelly, you're recognized for five minutes.

Ms. Kelly: Thank you, Madam Chair. In recent years, hacking, identity theft and cybercrimes have been on the rise. I have been a victim myself. Federal agencies have to do their part to secure their systems, but Congress must acknowledge the impact its own actions have had on the ability of agencies to protect their IT systems. Many agencies face serious challenges in modernizing outdated legacy IT systems and implementing stronger cybersecurity measures under the severe budget cuts that have been imposed by Republican-controlled Congresses. One of the agencies hit hardest by these cuts is the IRS. In May 2016, the IRS's then Chief Information Officer Terrence Mulholland testified, and I quote, "The IRS budget system is the most critical challenge facing IT modernization." Mr. Corbin and Ms. Garza, what are the impacts of budget cuts on the ability of the IRS to modernize and secure IT systems? Are we putting taxpayers at greater risk?

Mr. Corbin: So, Congresswoman, one thing that Congress did do is appropriate the 290 million. We did take a portion of that funding to help us get the tools that Ms. Garza had described to help us identify, monitor our systems more closely. We also continue to invest in the Return Review Program, or RRP, and so that allows us to create rules and filters so that as returns come in we're able to evaluate those returns for potential fraud or identity theft and then stop those returns before they are actually paid out.

Ms. Garza: I think it's on. I want to thank Congress for the money that we did receive. It was extremely beneficial. It allowed us to put new technologies in place that are protecting our systems at a much higher level than we had done in the past. In this incident itself, we were able to address the situation a lot quicker than we would have been able to in the past because of the new monitoring capability and the data analytics capabilities that we implemented using those resources.

Ms. Kelly: And would you say more is needed?

Ms. Garza: We would always be thankful for any additional resources, for continued support in this area.

Ms. Kelly: To make us more secure?

Ms. Garza: Yes.

Ms. Kelly: It's not only IT resources. Mr. Mulholland said modernization and cybersecurity measures, and I quote, "will require sustained resources in the area." Do you agree with that assessment?

Ms. Garza: I would agree with Mr. Mulholland's assessment of our needs.

Mr. Corbin: Yes, ma'am. I would agree as well.

Ms. Kelly: Yet, again, Congress has failed to ensure that agencies have the resources they need to carry out their missions. For instance, under the IRS Restructuring and Reform Act of 1998, Congress gave the IRS the authority to hire a limited number of individuals to staff critical technical and professional positions at salary levels greater than general rates. This pay authority was to help the agency attract highly qualified individuals with advanced technical expertise who might otherwise be available for government service at normal federal salary levels. The IRS used this authority to fill 168 of these positions from 1998 to 2013. Does critical pay play a role in making federal government jobs more appealing to highly qualified technical individuals who may be interested in public service but would be earning a much higher salary in the private sector?

Ms. Garza: Congresswoman, the streamlined pay authority we had was extremely beneficial to the IRS. Because of that authority, we were able to bring on board high-level architects, engineers and cybersecurity experts. Over the last several years, they have helped us ensure that we were doing what was needed to secure our perimeter and make sure our systems were running much better. The important component of this was the streamlined part of the critical pay. It allowed us to offer jobs when we found somebody after the announcement was made, and we identified somebody much quicker than the normal process would have been. A lot of times what we found was, without the streamlined component, when we got back to the individual to see if they were still interested, the time had lapsed so long that we were not able, or they were no longer available or willing to come to work for us. So it is the critical component.

Ms. Kelly: But this pay authority expired in 2013, has not been reauthorized, so American taxpayers lose when Congress ignores its responsibilities. Congress can ensure... swiftly pass streamlined critical pay reauthorization to provide adequate resource levels for cybersecurity at all agencies. Thank you. Thank you, Madam Chair.

Ms. Foxx: Thank you, Ms. Kelly. Mr. Issa, you're recognized for five minutes.

Mr. Issa: Thank you, Madam Chair. I look forward to the reauthorization if we can get the reforms that were required as of our last couple of hearings on the use of those 168 slots. But let me go on to the actual data breach. Ms. Garza, under your interpretation of a data breach, this is a data breach, right? It's a major incident, it's a data breach, is that correct?

Ms. Garza: Under the definition of data breach, it is classified as a data breach.

Mr. Issa: OK. So we had a data breach. Let me turn it around for a moment, because both you and Mr. Gray said that you had no... and I think Mr. Runcie all said the same thing, you had no information that personally identifiable information had specifically been compromised. That's pretty much paraphrasing all of you?

Ms. Garza: That's correct.

Mr. Issa: Well, I'll go to the IRS first. Ms. Garza, you were there for the kickoff of the Affordable Care Act website, and as you know, in that website if somebody looking at their information at the top of the screen simply went up there and changed the state, they might actually look at somebody's personally identifiable information. That was a vulnerability that was discovered right there in the HTTP line, right? Do you remember that?

Ms. Garza: That was on the CMS side.

Mr. Issa: Right.

Ms. Garza: So I don't have any details.

Mr. Issa: Just for historical sake, I actually did it. You could, and somebody did it themselves. You could simply change the state and you could end up with somebody else's identifiable information on your screen. Now, they would have said there was no breach, as Mr. Gray is sort of saying, because there was no proof anyone took that information and used it. But let me ask it another way. If you put a team of white knight hackers onto this vulnerability, could you have harvested information, in your estimation?

Ms. Garza: I think the evidence is that after the fact, yes, there were people that were accessing that application for bad reasons.

Mr. Issa: OK. So, Mr. Gray, I want to get you on the record, under oath, with an accountable statement. If there's evidence that people did nefariously gain some information, whether they used it or not, and that a team of white knight hackers or bad people could have harvested information, don't you have to admit this is by definition a data breach, not just a hypothetical vulnerability but a vulnerability that was recognized that caused the shutdown of this tool?

Mr. Gray: Thank you for the question and request for clarification. I would say that when I'm speaking about a data breach, I'm speaking about the Department of Education systems, and through my analysis there was no Department data that was compromised or viewed through this. This was a case of unlawfully obtained information that was used to go through our system to pull information from the DRT.

Mr. Issa: OK. But in this case we're talking about... you together represent, like, an automobile, and you're saying that your right-hand wheel didn't come off, but the left-hand wheel did or could have. Ultimately, the construction of the entire product was brought to a halt as a result of a failure, right?

Mr. Gray: Yes.

Mr. Issa: OK. And both of you, I just want to make sure because I heard Ms. Garza say it, both of you admit under the reforms, as CIOs, you have budget authority and the authority necessary to shut down or to make what changes are needed to control the security and accuracy of your work, is that right?

Mr. Gray: Yes, sir.

Mr. Issa: OK. So now my question to you in the short time remaining is, although this is about education and it's about the tremendous impact on students who will have a burdensome time applying, if we are to do the next level of reforms that this committee would be required to, if we've given each of you authority and one of you says I've got a breach and the other says I don't, how do we resolve within the hierarchy of the Executive Office of the President, so to speak, how do we resolve making sure that the failure of the whole is in fact controlled by somebody? In other words, I'm looking at the two of you. You gave slightly different testimony. I think you've come together on testimony, but I want to know how in the future we do two things: one, make sure somebody above you, sort of a super-CIO, can make sure somebody is looking at the entire vehicle and not just a left tire and a right tire, and then secondly, where were those white knights in this process? Where were the third parties who scrubbed this trying to find the vulnerabilities? Somebody found it and it wasn't either of your teams. Take an answer from either of you in the time I'm allowed.

I don't know where those white knights were, sir. I do know there were other entities within the government, USDS specifically, that was assisting as well.

Mr. Issa: As was said earlier, before the fact you don't know. After the fact you could recreate it. Ms. Garza, the two questions to you. Very senior in this position. You have experience. How do we bring together organizations like you that have to make sure there is oversight of the combined authority? Two, how do we make sure there are white knights proactively in the future to try to find these things, and maybe to concurrently and constantly try to find them?

Ms. Garza: We actually do have processes in place where we do penetration testing, where we have individuals that come in and test our applications to ensure that they are not subject to white hackers coming in and getting away with the data.

Mr. Issa: White hackers, I'm OK with.

Ms. Garza: Bad guys. We do have that process in place and we do use it. I don't recall right now if that process was utilized on this application. It clearly should have. And perhaps we would have been able to avoid this. As far as your other question, as the IRS continues to work with other agencies to provide data, it becomes more and more important that we actually address the concern that you have raised. I don't have an answer for you right now, but it's something that we need to be very thoughtful about. I think this is going to start happening more often.

Mr. Issa: Thank you, Madam Chair.

Chairman Foxx: In the priority of the chair, I think it would be helpful to this committee and Congress as a whole to get some sense of what kind of priority you put on testing your systems. Because it's pretty obvious that something like this should have been tested, and should have been aggressively tested, any time you are sharing data with another agency. I hope the committee will follow up on that.

Mr. Raskin: Mr. Runcie, there has been a documented pattern of abuse with the student loan companies for many years. Lots of scams are taking place. In 2012 the IG reported that a student loan company improperly accessed student borrower accounts to change the contact information of the borrowers in order to, quote, "make it difficult for the borrowers to be contacted by their loan servicers." Why would they do that? What's the scam? Can you explain to us how that works for them?

Mr. Runcie: Thank you. They are commercial entities and they are fee-for-service entities.

Mr. Raskin: These are legitimate businesses. These are not internet scammers?

Mr. Runcie: They are not internet scammers, but the nature of the interaction between those entities and the students involved, I can't characterize that, but they are businesses formed by commercial services, whether it's loan consolidation or something else. It seems, and it appeared in cases where they want to have a level of control to create a transaction or to continue through the process, they change email addresses and potentially mailing addresses and so forth to facilitate the process that they are taking the students and borrowers through.

Mr. Raskin: They take over the student's account?

Mr. Runcie: They may charge, I'm going to make up a number, say they charge 100 for, could be loan consolidation, or more. There is an agreement that they will consolidate the loans and create a lower payment amount, or whatever the agreement is. And they would be paid for that.

Mr. Raskin: Did this actually take place? In one example the IG reported in 2013 a company charged borrowers a monthly fee, 60, to put their loans into forbearance with the promise of enrolling them in the Public Service Loan Forgiveness Program, eventually, which they weren't qualified for. Did that actually happen with people?

Mr. Runcie: My understanding is that there are these companies that provide these services. As part of that process sometimes they put people in forbearance with the understanding that they are ultimately going to go into consolidation. Those are third-party entities involved in a transaction that doesn't include the Department, except for the fact that they are using the email addresses and the resources that we have to facilitate transactions where they make money.

Mr. Raskin: To get you straight there. They are using your website essentially as the framework to access their victims, then they prey on the people. But as far as you know, they might still be in this scam relationship with the students?

Mr. Runcie: We have looked at IP addresses and looked at some of the activity, and in some cases