Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  December 17, 2013 4:00pm-6:01pm EST

4:00 pm
ocess and return on their investment just like any other business. if they find a vulnerability >> to jump in, one of the first talks i gave after my phd, i wanted to make the cleese that cyber crime wasn't a law enforcement issue. it did not go over very well. i got a good education shortly thereafter. there are some things that we can look at. we're seeing a change in, the data i have seen is to curbing losses. for payment card fraud, a lot more people are getting notifications because there are a lot more cards out there. when you talk to the card processors, a lot of them are test cases. they're trying to find out if it is a good card. that triggers an alert. you will say yes when they call you. we need to understand the data.
4:01 pm
similarly, when we are talking about the organizations banks they have been interested in understanding the value of protecting their brands against phuiishing. it was not until recently that the banks were going after money sites. there's a huge network of sites that is trying to recruit individuals to act as patsies. these are the runners we are talking about. i think it is important to draw a distinction between how you raise the cost of the payment card sector and the broader more complicated frauds that require investigation. >> this question is for zach. the office new jersey announced a biggest data breach in u.s. history. it affected 160 million credit card numbers.
4:02 pm
statistically, some of you must've been the victim of that. hundreds of millions of dollars in losses. was this a big difference in the sake -- scale in terms of the techniques they were using? >> the short answer is yes. it goes back to something that andy said earlier which is that the population of people who are really sophisticated is shockingly small. i think there's a perception out there that every other eastern european teenager in his lecture is able to pull data -- in a sweatshirt is able to pull data out of the cloud and essentially terrorized americans and western europeans. that is not the case. if you really want to engage in this kind of high-level long- term activity, it is extremely difficult.
4:03 pm
you need a tremendous amount of skill, and you need a group of people who have a division of labor. what separated this crew out from your run-of-the-mill crew are a few things. the biggest thing was patients. these guys were willing to wait for six months to a year after infiltrating to hang out essentially in the systems. they did not exfiltration any data. the systems would not necessarily see brand-new code and immediate exfiltration and look to see, what has changed? what took place just now that allowed this excellent ration? they waited. if you are desperate for cash you are not going to take that time.
4:04 pm
the difference between these guys and almost anybody else without they were willing to wait. they were willing to be patient. secondly they have this division of labor where they had specific people who were skilled at the initial hack. then there were people who were skilled exfiltration. finally, there are people who are skilled at monetization. most groups and gains do not have that kind of really specific division of labor. the other thing that really should be pointed out is that the case we announced in july was really a continuation of the albert gonzalez case. it is amazing case for a number of reasons. in the actually worked on it. -- and the actually -- andy actually worked on it. i was in high school.
4:05 pm
[laughter] it was an amazing case that resulted in the longest sentence in cyber history. he is serving 20 years right now. it was amazing for one reason that albert gonzalez was caught. initially, he flipped. he began cooperating at a very high level. at the same time that he was cooperating at a high level, he was hacking at an extremely high level. simultaneously. he is quite a character. he was caught again and his arrest really spurred on this heartland case which is still producing results as of july of this year. and the -- andy can probably
4:06 pm
give more details on how the case went down. >> business question is having a we are dealing with in my home. if you have a credit card long enough, you will get that letter notifying you that there is then a breach and you should check your credit report and change your passwords. i got two of those a few years back. do any of the steps that are recommended in those letters do anything? i have to say, i do not know that we actually did any tracking of her -- extra checking of our credit report. our finances seem normal and it seemed like nothing happened. is that advice actually constructive? >> personally i think the answer is yes. anything that you do helps and our real-world analogies that work. these are looking for soft targets. they are looking for soft targets on the subway and if there look -- burgled --
4:07 pm
burglarizing houses, they are looking for soft targets. if you change your passwords on a regular basis and if you use two-step authentication, any of those things will put you ahead of 99 point nine percent of the population. if you get to the next step and it is time for monetization and your data, your formation is more difficult to obtain, why would they spend the time to obtain it as opposed to going down the line and finding the person whose password is 1, 2, 3, 4. all of this things work. longer passwords, changing your password. the head of the fbi in new
4:08 pm
jersey, he has now left, but he had a very cheap idea that would be extremely useful and extremely effective. he said, anybody can go out these days and buy a laptop or a desktop for $300. you buy a laptop or a desktop for $300, you set it up in your house, and the only thing that you do on the computer is your online banking. the only thing. you do not check the new york times, you do not check gmail you only do your online banking. you turn the computer off when you're not using it. that would make your bank information a lot more secure. you can get a lytic cd and booted off of that. -- linux cd included -- and will it -- boot it off of there.
4:09 pm
does that make you more secure than anyone else? absolutely. the answer for each one of them is yes stop i would agree with that. we all play a role in protecting data. all this revolves around the act of a criminal. anything we can do to protect ourselves and give some type of insistence to law enforcement -- assistance to law enforcement to combat these crimes, every major data breach we have read about in the news that result in identity theft leads back to the street on some level. if you report something that happens to you and law- enforcement takes action, eventually that all adds up to give law enforcement more information that it needs to work off of. of or gonzalez his arrest was at an atm in new jersey or new york. everything goes back to the street. we forget because it is hard to demystify cyber.
4:10 pm
it is hard to put a face to cyber. but it is all being conducted by real humans with real skills. they all live around. they can be anywhere at anytime. those steps are reactive steps. if we can take those steps proactively, that may give us a fighting chance of individuals. organizations around the world are at the point where they are doing the same for themselves. the results of their security and the effort they put into this, they affect the likelihood of others. they are taking security very seriously. >> my next question is to abigail. you have done some interesting research. only 11% of teens said they felt personally vulnerable to identity theft. only 20% of between's -- of teens had posted their full name date of birth name of their school, and e-mail dress.
4:11 pm
do you think they are more or less vulnerable to id theft? >> the gentlemen here would know more in terms of the law enforcement side. in terms of the behaviors and what teens say they are doing, i think this is by virtue of the fact that there are so many more are forms they are using. there are more opportunities for them to share information about themselves. they are doing so. it would suggest to me that the threats are greater now than they were in the past. the issue of identity theft is on their radar. people are talking about it. the security of their personal information is something that they are cognizant of the -- cognizant of. they say it is a concern for them. they are teenagers, they do not think they have anything worth stealing. they do not make a distinction between themselves and their parents. when someone is an adult they
4:12 pm
may have something that can be stolen. they mostly focus on credit card fraud. the idea of credit) in history is not something they are aware of. in focus groups, we try to talk about that, but it goes over their head. it is more concrete for them to have a credit card and someone steals that number and you are on the hook for whatever they charge. that is more concrete. i think there is an awareness there. the question is -- the report showed that 18 to 29-year-olds had a higher prevalence of identity theft. the question i would have is, they do not feel vulnerable, and there's clearly room to educate kids and parents about what teenagers do new.
4:13 pm
there's something they are doing, like using a variety of passwords. a variety -- 50% of teens say that they are doing that. that is the most helpful thing they can do to protect their information. a lot of them are still not doing it. and the focus group they say, that is complicated and burdensome. the idea of dual authentication, when i log on to facebook i have to do that every time, there is a convenience factor which overrides any particular personal vulnerabilities they feel. are they going to age into adulthood when they go to college and out into the world are they going to start to take out loans for their education and will they bring an awareness of these issues that i don't think waziristan for previous generations? -- i don't think wasn't they are as much for previous
4:14 pm
generations? i think the threat is greater now. they do seem more aware of it. they recognize that once they become an adult and get a credit card or instance, they are particularly vulnerable. how will that play out in terms of their actual behaviors? >> to avoid seeming like a what's wrong with kids these days? i will share this anecdote. when i was a kid, they were a little bit looser about what would pass muster. i made a fake id based on my college id. this was 1989. i put my social security number on my fake id as well. i thought, why not? >> can i piggyback off of one thing? this is above my pay grade but as a federal why, most things are. [laughter] the harsh reality, if you want to call it harsh, is that
4:15 pm
security and convenience are in constant tension. we should all recognize that. corporations need to recognize that. there sometimes that corporations perhaps make it easier to access -- legitimately access -- your data then it should be. it is based on their understanding and their history and what they want to provide with the most convenient and best possible interface. they are afraid that if their services are harder to use than their competitors, people will migrate to their competitors. we are all responsible. everybody is responsible for taking the steps that they can to make themselves more secure. who wants to change their password every two weeks?
4:16 pm
who wants to do the dual identification. it is a pain. we should at least recognize as a starting point that these two things are in tension with one another. >> if they recognize the personal vulnerability more, that tension would be greater. they might have a harder time going down the road of convenience. one thing that is interesting, we did as kids online, is your social security number available online to your knowledge? a lot of people said their full name was, their school was, but only about 2.0-4.0% said that their social security number was. kids have clearly been told, do not hear your card with you. do not give the number out. many do not even know their social security numbers. that is not something they will share off the top of their heads full but they have heard this message, and that is something
4:17 pm
that they don't understand why it is important, but they recognize that a lot of people are telling them that is something you should not share with anyone. >> it is important when we talk about whether or not they are vulnerable -- certainly the attack surface whether you are an adult or a teenager. we don't all know where that goes. at the end of the day, it does come down to [inaudible] >> you did a paper in 2011 suggesting that what is under threat is not a specific credentials, but the whole identity on the internet. it has emerged organically through sites like linkedin facebook, foursquare, whatever. how well can you still protect your identity while documenting
4:18 pm
yourself through these different portals? >> this is why i hate the term identity theft. if i'm going to steal this water bottle, we have one of two options. allen, if you steal the water bottle, we will find a part of your anatomy that you like and we will chop it off. but we also say, why not you leave the water bottle here? we intuitively understand that we have a responsibility to mitigate fast. they cannot all be law enforcement. do not park in that neighborhood, lock your doors, have insurance. these are all things that we intuitively understand as part of the theft model. what we under -- what we're talking about is more the case of me going to andy and saying,
4:19 pm
i am abaco, may i have my water bottle? here's my business card. if we wanted to stop that, we could go after me the big knife or we could say, what can we do to empower and the two make better decisions -- andy to make better decisions about whether the person claiming to be abigail is abigail. we can compare to the payment industry's bonds to fraud. we have consumer protection laws in this country that were fought against by the early credit card companies. now it turns out to be their best friend. consumers were not afraid to adopt credit card in america. we can argue about whether that was ultimately a good thing. now we have this inconvenience. we have to go back and say, i
4:20 pm
did not make that purchase. most of the responsibilities and the financial burden rests on the banks. this broader question of opening up new lines of credit or taking access to goods and services which require social security numbers and other information -- if i say your social security number i can tell when and where you were born. why isn't anyone looking and saying hey, that person is a teenager. they cannot have a mortgage with that social security number. we have to figure out how to put these protections in place at the decision-making process. unfortunately, there is a financial conflict of interest here. the same people who are responsible for making a lot of the decisions about how and when to grant credit are also invested -- have a vested economic interest in ensuring
4:21 pm
the availability of their services to make that decision. you have people proposing, maybe teenagers should have a lock on their ability to take out a large amount of credit. for me, that seems like a no- brainer. let's make it harder for everyone to get a line of credit. if you want a line of credit you can get one. but it will be a little harder to grant -- get. the real risk is, when does fraud and the criminals get systematic enough that they can actually break the authentication systems that we use now? online, that is just a username and password. when fraud protection fails to keep up, you will have some decision-makers who say, here is my fraud rate and here is my
4:22 pm
online access to banking. when that fraud rate gets too high they are going to lose a lot of important infrastructure that has made a lot of things cheaper and easier. >> we have been discussing passwords. a few years ago, the advice you would get would be this i.t. department prescription. a long, complex password that you can barely remember and change it every 90 days. now we are saying that a two- step verification process is a better answer. is that the case? if not, what else is it going to take to ensure that it is not so simple to take over my account. >> i will take a stab at that. 76% of all data breaches that we have investigated and analyzed from around the world, the attacker leverage a week or
4:23 pm
stolen credentials. to factor identification -- to fawo-factor identification with help. there are some unique capabilities that can bypass -- they are more sophisticated for targeted attacks. how do i become you without interacting with you? we go back to the phishing. 90% of the acts that we investigated that were reported to us leveraged phishing. we partnered with a company who contributed last year and found -- what they do is phishing education and training.
4:24 pm
they sent out an e-mail to see how many would click the link. at seven or eight e-mails, you are getting up to 90% fix errors -- click throughs. you have to sent several e-mails before you get a 90% success rate. the lack of two factor identification continues to work against us. we need to change that behavior. >> i am looking at the apps on my phone and i have google authenticator. it works for my google account and my blog. if i turn on facebook and twitter, it works pretty well as well. my bank will send me a code if i login from an unusual place to stop
4:25 pm
the business banking account i have is not supported. i am a fire as customer, -- a g fios customer. this verizon have that identification? >> i do not work in the fios department. [laughter] >> say you have all of this important data about you. i say this, not really knowing a lot about the burden involved in setting this up internally. is this something that will be a commonplace thing right after you set your username and password, give us your mobile phone number? >> as a company, we take great strides to protect consumer data and the privacy of our customers. as we look at solutions that we create, we build solutions based upon the statistics of our data row or.
4:26 pm
we look at what is happening and what is feeling around the world and how can we offer solutions to mitigate that. some of the things we do -- we do offer stronger identification methods. we offer a lot of identification strategies. at the end of the day, it is an up or problem that we as a company are committed to solving. for two-step verification to work you have to login from your desktop. i entered the code and facebook will only ask me to submit the code if it is a strange one. for that to work, these companies need to know a lot about you. they know a whole lot about what you spend. should you say, yes, you should
4:27 pm
be peaking at what i'm doing all the time? so you know when a login is not for me. >> all of these questions are about fraud. none are simple but i can't say that for example, the steps that banks take when you apply for a credit card online, i'm sure most of you know that you apply for a credit card online and the bank sends a cookie on the machine that applied for that credit card online. i'm working on a case now and we took down 25 people in new jersey and new york and pennsylvania. mostly around the northeast. they had applied for and received tens of thousands of
4:28 pm
fraudulent credit cards. this is not a tremendously sophisticated fraud. they had a huge network, dozens and hundreds of people working for them. they would apply for credit cards online and receive -- jarecki credit cards to addresses they controlled. they would use them for a decent. of time -- a decent period of time and build up the credit slowly and then bust them out. there was a massive bust out case. from this address, we know that from this ip, we know that 44 credit cards were used on this single machine. that was helpful to the eventual prosecution.
4:29 pm
on the 44th application, from the same machine, why wasn't there a sort of automatic rejection? maybe the bank thought that it was a startup founder. fair enough. but the same thing applies in stolen identity refund fraud. i don't know how many of you know about stolen identity refund fraud, but it is something that directs all of us directly. it is stolen from the united states treasury. it is the theft of real people's social security numbers and the filing of tax returns using social security numbers of real people. the fees fill out -- theives fill out tax returns that indicate that the applicant is due for a refund. they direct a refund check to an actors that they control. they deposit them into accounts.
4:30 pm
because the united states treasury $2 billion a year, every year. to me, that is a shocking amount . a lot of the fraud is centered on puerto rican citizens because puerto rican citizens have social security numbers but they are not required to file 1040 forms must they work in the continental united states. it is a big pool of social security numbers that will not already have a 1040 form. we broke up a ring in a case that i worked on with about 14 arrests and $65 million in real losses to the united states treasury. why is it that -- the irs knows
4:31 pm
where the online tax refunds -- where the 1040 forms are being filed from they can tell you that 56 were filed from the same computer. we have one computer in the bronx that had filed multiple applications. if you want to say h&r block will file hundreds of applications from one computer then fine. then all tax preparer should have to register with the irs. it is all a continuum.
4:32 pm
we are moving towards greater security. it is a cat and mouse game that we were referring to before. it would make it a lot more difficult to monetize. the difference between public and private response with id theft is something we talked about the other day. it seems that you can prepare the loss prevention teams of major credit card issuers with what seems to be in effect the irs. you wonder if the irs is good at it -- if the irs is as good at catching fraud is american express. to what extent can you improve that, given that more effective irs enforcement gets people upset? >> that is exactly right. it is a resources issue. it was said earlier, but to
4:33 pm
effectively monetize a search, you need a lot of people. you need a lot of criminals who are willing to work together. you also need, quite frankly crooked postal workers. the postal service, without getting into too much detail, it is beginning to be able to crack this stuff. you will see that 700 tax refund checks are being delivered along the same mailroom. what does that mean? all of this stuff is so reactive. we first see that and then you have to start at the bottom with the mail carrier. you tried to arrest the mail carrier and then you get to the next step. the people at the top of the pyramid are very sophisticated you have to get through all of those layers. exit sound like an episode of
4:34 pm
the wire here. >> exactly. it is a great case, but it is a $65 million case. it is a $2 billion problem. people like me who are on the line are not the ones who can solve that problem. that is the reality. >> most organizations are protecting themselves to some extent. we try to bring more of an evidence-based, risk approach to this problem. it is hard to understand. it is important that we have to understand our pattern. in the effort of attribution, it means give victims methodologies and things like that that help us understand and demystify the threat.
4:35 pm
as security professionals, we have to look at the products that we sell. what vulnerabilities are we creating? all of us have to take a little bit of ownership in understanding what vulnerabilities we introduce. how does that threat landscape go back to ourselves? we are constantly going through that process. that is as an organization, and on an individual basis. we are protecting fortune 500 security companies. >> next question, something about the federal government back in 2007. the right budget recommendations to better protect private sector organizations. of those 31 recommendations which, if any, have you seen as being most effective? >> i like the rules that grew out of this bed is basically a
4:36 pm
lightweight approach to regulation. it does not prescribe specific processes. it does not say you have to hire a consultant to give you an entire process. you have to think in your organization, what are red flags that you want to look at for identity fraud? you don't have to tell us, you just have to have a plan in case something bad does happen to your organization we will come in and look and see that you did have a plan and you were looking for bad things. that is a very nice model of the government identifying risks without being overly prescriptive and away -- information is varied across companies. you cannot have a one-sided model. abigail? >> i think it all comes down to
4:37 pm
innovating. i am not pointing out one specific recommendation. as we evolve, we are looking at the landscape and it is constantly changing. with that changing model, we have to point out ourselves. i tell organizations, and this comes back to it as well, you are your best intelligence source. a lot of the threats happen to us because we do not know about them. when we talk about the red flag, the job is for us to look at ourselves internally and focus on what it is that is happening to us so that we can then protect ourselves? if you look at breaches, 86% of data breaches were notified by someone else. that is the important part. with the red flags portion, that is a big part. adding us to a point where --
4:38 pm
getting us to a point where we can see internally what is going on . >> the recommendation i liked was don't use social security numbers so often. and yet, at, you have to enter it both times. >> i want to jump in here. there is an important thing -- an important point to make in regards to these systems. the social security number is aptly critical. we need them and we have to use them. but we have to treat them as an identifier. you know me as alan friedman, that is not a secret. the distinction is that we also have decided to say, well, it is also an authenticator. we is the same thing as an identifier, how the computer looks you up. there is only one you. there are many john smith's, but only one of them is you. so we also say, you are the only
4:39 pm
one who uses it, so we use it as megan -- authenticator. that is the real danger. if you put your social security card, it says, not for use in -- not for identification purposes. we have decided to use them for identification purposes, but we need further layers in the authentication process. a final interesting study your social security number is actually very predictable. it is a function of where and when you were born. there is a wonderful study that basically went from taking a picture of you, to actually being able to guess at 67% accuracy, the first five digits of your social security number by doing facial recognition mapping into online social network profiles, and if you have your hotel and -- if you
4:40 pm
have your hometown in your birthday you have a good chance a guessing just from statistics. i think that demonstrates the data that we have. we cannot just assume that it is private. >> now i'm thinking of what a clear picture of my face i posted on linkedin and twitter for top the next question -- so much has changed in the past five years in terms of ways of ♪ finding information about people and the amount of data collected on our purchases and activities online. if we are identifying -- if we are inviting identity thieves instead of you for, to the panel, what would they say are the biggest challenges? >> i want to look for
4:41 pm
centralized data storage. i want to be able to leverage and get more return on my investment. i will focus on the easy prey but at the end of the day i still have to have and make sure i maintain those relationships in the underground two will facilitate my criminal activity. i have to navigate the landscape within the underground, and i will be completely cognizant of the steps i must say and i will continue to do research on organizations that take security seriously and those that don't. i will try the easiest way to get into an organization to steal that data before i try anything else. we have sophisticated means, but i will not share them with you if i don't have to. those tools are in my arsenal for a later date. i will use them on a security
4:42 pm
team that is a little more secure. >> abigail? >> i don't know enough about the back end of it. but in terms of just the many opportunities that people have to share their information and are encouraged to do so and can provide them with a lot of value, it seems that there are more and more that is out there. there's just a lot more that you can land upon, i would think. i do not know the backend. >> after sarah palin's e-mail got hacked, you can research a lot of that stuff pretty easily. >> at the automatic site, one of the things we've seen with data breaches is password files. you don't just run a dictionary
4:43 pm
attack, but you can run all of the passwords that have ever been used for zap those -- zappos. there up into things that have changed. fake ids have become a global business. predominately driven by american university students. you can get a large amount of very good quality ids instead of having to rely on some guy in a basement. there is someone with a plan in china will make them for you. there is anecdotal evidence of successful criminal use of some of the defenses we have set up as an autoimmune attack. you are a clever criminal who is trying to exploit a small number of people + identity is for a large gain. you will start affirmatively asserting that the real person
4:44 pm
is the identity thief. that will come up things and give you a lot more time to its valuable data -- extract valuable data. >> i think that just in the last five years, at the federal level anyway, there's been a lot more federal law enforcement attention being paid to fiber then there was -- cyber than there was before. the secret service has really taken the lead on a lot of these things. they have a long-standing dedication to it. all of the other agencies we deal with are more cyber aware. that would make me a little bit nervous as an identity thief. what would make me happier is that in the last five years, there has been an explosion of
4:45 pm
the sheer amount of data that exists. that is going to continue and there'll be more data that is online tomorrow than there is today. that is going to continue. i will be happy with that. it seems, and this is all apocryphal there is less of the original hacker mentality among cyber thieves, and it used to be that the thrill of the chase was a shared ethos. if you could get in and share your skills improve your skills to the community that you are in
4:46 pm
-- and these folks are in communities, they know each other. it is to be that you could show yourself, get in, get out, and demonstrate that you can infiltrate, but it was not as organized in the dedication to monetizing breaches as there is now. unfortunately, some criminals have become more professional. i think that is a trend that we have been trying to deal with. we will continue to deal with that. it has gotten away from our -- an idealistic group. there is more dedication to getting paid then there used to be. >> that sounds like good capitalists. >> to talk about the landscape from the criminal's perspective
4:47 pm
the russian government has come out recently and publicly stated that if you are a russian cyber criminal and you are hacking you should not travel outside of russia. especially not to countries where the u.s. has extradition treaties. that has been publicly put out by the u.s. government. there is law-enforcement around the world that is working together. it is the same for security organizations. companies in the financial sector realize that they cannot fight these adversaries on their own. that is an important part. i would also say that i would really focus, and i am a student and i studied the regulatory environment globally -- i change my operations based upon the regulatory environment. i also track the arrests of bad
4:48 pm
guys around the world. i understand how they are arrested. i understand how law enforcement is doing what they do. that is an important part. they are students of their craft. they are honing their skills. we want to share -- you do not know there could be a lot of myths about a certain type of criminal. how long have they been arrested? until they talk to another cyber criminal, they are naturally going to know. that information travels very quickly amongst the underground. they communicate in a manner that is much more efficient than most security teams communicate. >> last question for me. there's been a lot of chatter
4:49 pm
about policies in place at sites like facebook and google plus. when i got online, there was no such thing. your aol account could be ever what -- whatever. now, it is much easier to figure out who exactly it is you are talking to. howard teams and their parents dealing with the fact that they are making it easier for people to figure out in real life, and still interact with all these services that were not option back in the day? >> a lot of teens say they are using privacy settings and they are aware of them. but there are some that are not. i think 10% do not have any privacy settings on any of their accounts.
4:50 pm
the majority says that they have them on all of their accounts. they are clearly made aware of those issues. they are doing other things in terms of their various passwords and variety of passwords. we did parallel surveys of parents and teens previously and parents -- there is a bit of a disconnect. parents think they know more about what their teens are doing and teens say they know. a lot of parents are using parental controls. not a majority, but there is room for that. the challenge is that parents are not only concerned about identity theft, but they are concerned about stranger danger and the personal safety of their kids. air monitoring those activities. they are looking at their children's browser histories.
4:51 pm
the parents actually underestimated teens' concern about identity theft. they thought they would be more concerned about reputational damage, like if someone posted a picture they did not like. it is on parents' radar. they recognize that their kids are focused on it. they may not agree with that but the kids are aware of it. the challenge that you are highlighting the fact they are encouraged to do a lot of information. how do they balance what is ok and what is part of the experience versus maintaining the privacy of their information? the survey we have done would suggest that there are challenges that they are having. there is not always a clear solution. a lot of things are not. they do not necessarily think about the wealth of information
4:52 pm
that could be available particularly on cross platforms. if we had done a survey of identity thieves themselves, we might've learned a lot about how they did that. but you guys obviously know more about that. >> pseudonymity is critical online. for tumbler, for example it is a very popular and active community. it is popular with the community and minority groups. it is based on a culture of pseudonymity. it is a reverse of what people are doing. twitter is seen as a private network, limited and actually very accurately -- actively controlled.
4:53 pm
facebook is the is global. everyone you have ever met is on facebook full. the studies i have seen on teens suggests that they do care about privacy. they care passionately about privacy. for a teenager privacy is about hiding information from your parents. that is the main issue. it is a question of control. it is very important. the most dangerous thing that i have seen in terms of security behavior is password sharing is seen as a sign of intimacy. that is the weight that you know to 10th graders really care about each other, they share their passwords. that is a very dangerous path to see enforced. we hope that like many of the things we do with teenagers, that ends. >> many teenagers said they had
4:54 pm
shared their passwords of people aside from their parents. there was a disconnect between their recognition and concern about privacy and behaviors that might not be protecting that identity. >> now is your opportunity to quiz these fine folks. does someone have the microphone? please raise your hand and it will be -- a microphone will somehow make its way to you. >> hi, susan grant. consumer federation of america falls. should there be a law that says that certain entities have to pay damages to breach victims automatically? perhaps a set amount or actual damages, whichever is greater,
4:55 pm
as a way to incentivize the holders of consumer data to secure better? >> there is a market emerging around cybersecurity liability insurance. as that continues to mature and grow, and not to push liability onto one respective party or another, but organizations are looking at what is my liability? what am i going to be responsible for? i think you will see that market continue to evolve over time. i know the government is doing a lot of work and research on that. >> on the question of -- three years -- every security company has to sell what they were selling last year, but now we get a different route. three years ago it was data loss prevention. there is a pretty active set of incentives or organizations to minimize.
4:56 pm
it is the only area where we are seeing cyber insurance actively driving -- driving -- thriving. there is a real consequence. breach notification is not free. it is enough of a cost that it has additional counsel. that gets the attention of senior management to invest in mitigation and then insurance. the real challenge is creating an environment where you have insurance not just pushing the risk onto another party, but actually internalizing that to the insurers are turned working with customers to minimize the overall loss. >> to add one thing, i do not want to advocate one way or another, but one thing that we should consider if we are thinking about a law like that is, who would be impacted the most? we see a lot of breaches that are not against a verizon, not
4:57 pm
against an at&t company. they have tremendous amounts of resources dedicated to breach prevention. some of the most effective breaches that we see now and a growing trend are attacks against point of sale terminals for very small businesses. your local chinese restaurant has a credit card terminal. there is information stored on those. when that is breached, it is not as if the chinese restaurant has a tremendous amount of excess cash to be able to try to mitigate those risks. if there was automatic liability, you might be hurting the little guy a lot more than -- you might be dis-incentivize thing. but >> we have seen
4:58 pm
organizations go bankrupt. they have to get three cybersecurity incident. but to shift the focus from regulation and law to empowering organizations, we mentioned earlier that 60% of organizations do not detect the breach themselves. that means they do not have any control over their response they do not have any control over their public messaging or strategy. they do not have control over how they would or would not approach a strategy dealing of regulation of stop -- of regulation. we should focus on liability and empowering organizations to be able to detect things on their own stop we have to give them the ability to control how they will move forward full top back to life the next question? >> you touched on this a little bit. and you address this vividly the role of consumer education? has there been a success recently and what more can we be
4:59 pm
doing? >> certainly education is always a great tool. i do not think you can have enough of it. as the landscape for the cyber criminals is becoming easier to monetize and to leverage criminal activities, i think it is important for us to truly understand and train and make the where the threats. not just the behaviors of what we do and what can be done, but this threat does exist. i think the more awareness we can give around the frat, the more we should do so. >> visibility is key. helping consumers understand their actions in context. it is another thing to just say your password must have all of these things. there is a great tool that just launched this week out of microsoft research. it is a password guesser.
5:00 pm
it is hosted by microsoft research. they are encouraging people to enter their password letter by letter and what it will do is it will try to predict what the next letter in your password is as you guess -- enter it. the computer can read your brain. they can actually>> that type of tool is so powerful. a gives you this evidence in front of you immediately. that is the kind of tool that we need at the point of interface and we need to use tools so that security is something that is part of the dialog without saying, follow these rules. >> we did talk a little bit about who they would want to
5:01 pm
hear from particularly to make them aware of their own vulnerability, not just once they are no longer minors. maybe they are 19 years old or 20 years old and they went to get their college loan and were denied because their identity had been breached, and their credit was no longer clean and good. making it more real is particularly important for teenagers because it is not as recognizable to them as something that could affect them. >> one more question? >> just a follow-up on your question about the password guesser. i am 55. it says i am at the peak of my decision-making. they are saying don't write down
5:02 pm
your password. you are saying make it difficult. i had 30 things for which i have a password. but i'm not supposed to write it down. i can't remember that. i understand what you're saying, but for the average person. i write it down. >> i hate that advice. you should write down your password but you should write it down with the assumption that your house is a fairly safe space. it the bad guy is sitting in front of your computer, you have a lot of other problems. [laughter] if you can't trust the people you live with, that is a different thing. assuming that is a safe space it is better to have that. the other thing is that your e- mail a dress with which you do the most important things should have the best password and
5:03 pm
should be changed regularly. if that is compromised, it can lead to compromising everything else. you should have one of or to or three classes of passwords. you don't need to have an intense password for the washington times or the new york times. >> the best advice i ever got was not just to write down your password, put it in your wallet. if somebody picks it up, the piece of paper they're going to want is not the one with random strings of information on it, it is these pieces of paper. >> there are a lot of different ways you can go with this conversation. at the end of the day whatever you do has to be something you can employ consistently. adversaries are consistently key logging. they are capturing every
5:04 pm
password you have. to have a very long password, i bad guy could still steal it. we start talking about multifactor authentication. look at the applications that you use and what are the security methods that are being employed. you need to constantly move your online identity, move the way you authenticate. in the security system we call it shell games. we want to move different places. we would not want to appear to be the same thing all the time. you will do that in your online persona. think in terms of that. how do i make it harder for the bad guy to know who i am, where he am, and how to get access to me and the things that are important to me? if that is changing your password that might be a strong
5:05 pm
strategy for you. >> i think we are supposed to stop. you can quiz us off-line, afterwards. i want to thank you all. thank you as well. [applause] >> the senate homeland security held a hearing today about the shooting at the washington navy yard that happened in september. the head of the union representing the officers said problems in the government delayed the response to the shooting. here is a look at the testimony. >> federal and employees -- federal employees are extremely vulnerable to criminal and terrorist threats. my fellow fps law enforcement officers are trained and competent and equipped to respond.
5:06 pm
bureaucracy and inefficiency restricted our law enforcement officers, whose office is one mile away from the navy yard, in assisting in the pursuit of the navy shooter. it was because there were not fees paid. everything must be viewed in context of the leadership required to accomplish the mission. to say the least it remains unfocused and broken at all levels. security place a significant role in the protection of all occupants, but the frustrating and outright wasteful bureaucratic system and counter systems go through a flawed security systems process and are then reviewed why committees who have to divert funding. that is not true security. security and the opposite
5:07 pm
building is not based on the opposite building to pay. why should other buildings be different? we are constantly beleaguered by new or modified systems and conflicting demands throughout the assessment process. i have lost confidence in the ability of the director's ability to resolve the process. they have offered to make the integrated rapid visual screening tool compliant. officials at the federal protective service and i agree that that would be a good start to remedy the assessment problems. contract security guards at major facilities are at risk. their limited to the powers of a citizen.
5:08 pm
that is accomplished by federal police officers who can respond. how can we demand less? how well are the boots on the ground agents doing and providing protection of federal buildings? overall, they are doing quite well. they have very little field experience and they have an in adequate field staff. can we do better? absolutely. any organization is in trouble when leaders are not held accountable. a public file disclosure reveals that a regional director violated rules when he arranged to buy a system from his neighbor on behalf of the government. it was a three day suspension,
5:09 pm
and that is the opposite of accountability. there is been equal misconduct by higher officials. with accountability, performance across the board can improve with ethical management that builds on best practices in the region. give them tools that work and direction on priorities, and we will make sure that the job is done. in conclusion, federal employees and the public that they serve deserve the best and most effective protection that we can provide. they are not getting it now. >> you can see the entire hearing of the washington navy yard shooting tonight on c-span at 10:30 eastern. >> what is going on today comes down to two words. they are not my two words.
5:10 pm
those are obama's words. i have a couple of questions. look at the constitution. does the president have the power to fundamentally transform america? of course not. why would you want to fundamentally transform america? that means you don't like america very much. that means you don't like capitalism or private property rights very much. that means you don't like our constitutional system very much. when you keep saying changes hard. we need more time for change. you need to understand that this is a direct attack on our constitutional system. >> best-selling author and lawyer, reagan administration official mark levin will take your calls in-depth. that is life.
5:11 pm
it is the first sunday of every month on c-span 2. >> we want to know what your favorite books were in 2013. join other readers to discuss the most notable books of this year. >> a live look at the senate and the fiscal budget agreement. today they cleared a hurdle surpassing the threshold needed to break the filibuster, including the final passage which is likely to happen tomorrow. right now on the floor we see the budget chairman who is talking about gop related to military retirement benefits in the agreement. republican support was
5:12 pm
surprisingly strong, after days of uncertainty fueled by lyrical posturing and tea party opposition. that was in fiscal 2014 and 2015. over 10 years it would defeat -- decrease the deficit slightly. the budget committee chairman that we just saw, and the house committee chairman, paul ryan, said these are modest steps toward adjusting the budget in a more rational way. you can read more about story at the new york times website. also, on capitol hill today senator tom coburn released the waste book. he said there was a greek just federal spending. this is -- egregious spending.
5:13 pm
>> sorry to keep you waiting. a bill that raises $60 billion in spending and has $34 billion in tax increases on the american people. whether you agree with my people or not is not the issue. if you look at the $700 billion in deficits, some grown up in the room has to question whether or not we are spending money wisely. inside the waste book is a what i consider stupid and poor judgment when it comes to spending money in a time when we have very little money to spare.
5:14 pm
we have also had the defense department and others screaming about the coverage disparity. the fact is that is not true. congress is probably going to pass this bill. the house already has. the senate probably will today.? eye on the ball. we still provided money to study romance novels. we provided money to the state department so they could buy some votes by getting likes on facebook. we even helped nasa fund studies of congress. my contention is that had congress been focused on doing the job of setting priorities and cutting wasteful spending, we could have avoided the
5:15 pm
government shutdown and the budget deal that we are now considering that raises the burden on the american tax player -- pair. -- payer. the air force but $600 million worth of airplanes, and as soon as they're ready they shipped them to the desert. and this is the same agency that is going to lease $7 billion worth of equipment in afghanistan, wasted valuable equipment because it is too hard to get to some other part of the world. this speaks volumes about why the american people have lost confidence. the truth is we would rather borrow money than cut spending. that is the truth.
5:16 pm
the american people have a right to expect more from us than that. we see no waste. we cut no waste. and we embrace increasing the burden on the american people because we will not do our job. it is republicans and democrats alike. i will take your questions. yes? >> can you tell us if anything has ever resulted from this? has ever -- congress ever gone back and looked at the military? >> yes. i have been raising cain about the airplanes for months. they are now going to be transferred to home link security. it is really interesting if you dig into the background of the airplanes. the military came up with all
5:17 pm
kinds of excuses why they didn't want to use them. the real fact is that they wanted c130's instead of these. again, here is my point, does congress hold the administration accountable? does it hold itself accountable? who makes that decision? if there were supply problems, which they contend maintenance and supply congress -- problems, then why are we holding them accountable? there is no accountability, and that is a function for leadership. i will give you a controversial one. political science funding to study congress, it is pretty obvious what congress'problems are.
5:18 pm
the american people haven't figured out. should we we borrowing money and spending more money on that. that was much to the chagrin of the political science teachers. it is not that it is bad. it is should we be making those decisions when we are barring a significant amount of money against the future of our children. if we had a surplus may be those of the appropriate things to do. we are not in surplus. we are in much more dire straits in the long term we recognize now in the short term. the way to get out is cutting $1 billion, cutting $30 billion at a time. whether you agree with me or not that some of the should not be
5:19 pm
done, you cannot disagree with everything that is in the book. let the lemonade some of these things, rather than raise fees on the american public. >> in regard to the budget agreement, some people are saying that congress returned to regular order on the budget. could congress start looking at this? >> yes. we could have done appropriation bills last year. why did we not do that? you're asking the wrong person why we are doing regular order. that is a decision fully made by the majority leader. he chose not to do that. the one he did put on he pulled after today's. -- two days. regular order is a function of leadership. we had caps.
5:20 pm
again, congress'willingness to live within the means provided by the american public is what the american public wants. they don't like limiting our spending. and they will not do the hard work of eliminating the fullest this that is in the expenditures every year of the federal government. this is not hard to do. this is all googled. all it takes is somebody willing to say maybe we ought to get rid of the foolishness. that goes back to leadership, subcommittee leadership, appropriation leadership, that requires people to do the right thing for the right reasons. yes? >> on facebook you hydrated a
5:21 pm
bunch of things -- higllighted a bunch of things related to waste and the military. >> there are some good things happening in the military. if you look at what has been done in putting in modern entertainment techniques and saving $1 billion last year. that was leadership exerted by her and her branch of responsibility. she knows that. what we ought to be doing is training generals that actually lead and go out and do the right thing with the right skill set and save the american people money. if you wanted to save $100 billion a year, you could do it without affecting our readiness, our training, or our supply.
5:22 pm
we listed that in fact -- back in black, but it has gotten worse and not better. >> i wonder about the timing with the budget deadline being this week. how would you like to see this progress forward to address the spending issues? >> congress ought to be charged with doing oversight first. i will give you an example. the labor and workforce committee in the house. we put out a study on job training. they don't have any metrics that say they are working. they took 36 programs and converted it into six. we have done nothing like that in the senate. here is a way to save billions
5:23 pm
of dollars a year that has not been considered in the senate. i go back and make a point that the charge of the appropriation committee is to do the oversight, find the waste, where can you eliminate overhead? where can you streamline, given where we are today? we are going to look at new cuts and where we can save the taxpayer money. if you want oversight -- if you want to read some of the 50 reports we have put out in the last five years, if you were a curious appropriate otor, you might find some valuable information. the reason it is hard work is
5:24 pm
because somebody has to get money. what does that translate into? that translates into somebody is not happy with me at home. that translates into, that most are more interested in getting reelected than fixing what is wrong with the country. >> with the debt ceiling vote coming up again in march, what is your approach to that going to be? do you think that you should demand cuts in exchange for voting about the deficit? >> i do not think the american people believe there is a debt ceiling here. >> has it ever not been passed? it is a lie when people say there is a debt ceiling. every time the career politicians in this town to
5:25 pm
greta way to get it through -- figure out a way to get it through. if you did it, in 10 years you would have a balanced budget. he you would not have to raise the deficit anymore. i have not voted for the debt ceiling increase because it is not honest with the american people. it is meaningless. we ought not to spend money we do not have. the reason we ought not to spend the money is because all we're doing is decreasing the standard of living of the present generation. in $3 trillion worth ofspending,, we can find four percent that is wasteful.
5:26 pm
all we did was put up his book trade -- book. i didn't even include a lot of the reasonable things that most people with real work history would say that is not good value. that is not why spending. where is everybody asking the questions as we continue to borrow ourselves into oblivion. $700 billion deficit. think about that and what is going to be required of the young people. they are going to have to service that from last year. this is a moral issue. it is not a political issue. when you're spending money you don't have a on things you don't absolutely need, and the result is lowering the standard of delivering for the young people
5:27 pm
bash of living for the people-- of living for the people in the country that should not be. they should have the opportunity to take advantage of what this country has historically been. it has been an advantageous ways to start a life. >> if republicans are willing to leverage up vote and make it contingent upon demands, what are your thoughts? >> i have not been a good spokesperson for other republicans during but put it that way. >> the agency picks the projects. what can congress do about some of the research projects? >> good question. it has historically been a
5:28 pm
problem with congress. you can take the affordable care act if you want. that is a good example. if you will watch the legislative process, most of the time they legislate without having the knowledge of what they are doing. if they have a lack of knowledge, it leads to bureaucracy d. that is 80% of what they are doing. they need to know the issues, know the programs, and write specific language that lets them know what to do. that requires work. they need to understand how the program works. i know how homeland security worse. i know what is working. i know what is not working. when we authorize it, we are going to be specific about what
5:29 pm
they are required to. that requires work. most people don't want to go to those depths of knowledge and do the work. that is why they are giving grants out to things that would be very questionable to the commonsense person and the average american. we have not reigned in the power to do that. we will appropriate to make sure something comes into the district. we won't do anything about how they make a judgment that is based on sound principles and good finance. the problem is congress. you cannot blame the bureaucracy. you have got to blame congress. yes? >> has wasteful spending gotten better in your time here? has there been less waste. they>> i think people are looking
5:30 pm
at it. i am not sure i can quantify. the budget is so much higher than it was. it is twice as big. whether the wasteful spending is twice as much or not, i am not sure. here's what i know. whether washington knows it or not, the american people know it, if you look at all the surveys about what they think. when they see this, what are they to think when we buy $7 million worth of airplanes and half of them are sent away, and half of them are put down. the question is, that is just washington. that is not a good enough answer anymore. it is impacting the standard of living of other people in the country. we put out nine join dollars --
5:31 pm
$9 trillion dollars worth of savings. what we did is what the career politicians wanted us to do. we will come to an agreement because it is politically smart to do it. i naturally it is stupid for the young people of the country. >> were any of the amendments that you were hoping to pitch going through? >> my amendments are not going to be considered. i think what we ought to do is hold contractors accountable. there are two sides to this. actually, there are three. there are things they do that don't have to do it defense. it is not fair to say, the
5:32 pm
defense budget of this, when 10% of it has nothing to do with defense. two, how do we buy major weapons systems. you will never solve the spending problem unless you deal with the contractors and this country. they do not have any capital and risk. there are total cost overruns because the contractor is making money every time he goes over. if you do not have capital at risk, you are not going to focus. they know how to control costs 30 they know how to help increase them ca. >> why isn't there more support for this? there are $500 hammers and $600
5:33 pm
toilet sheets -- seats. why isn't this changing? >> this is not going to change it. the only thing that is going to change it is that the american people quit sending these people appear. the reason i am a senator is i don't want to fall into that habit of making a decision based on my political career and set of what is best for the country. with term limits, that is something that can happen. if you had really strong term limits, the people here would not be the same people here today. it would be different people. it would be somebody that ran a camera for years and knew what that was like, and knew it was up and down in their profession. they would apply the lessons they learned in life here.
5:34 pm
it comes from careerism. >> can you talk about the nfl nhl, and the protective status. i am wondering if there was progress made on that? >> they did a nice piece on it that talk a lot about it. if you are in a state that has a pro football team, or runs a program of tournament, the career politicians are afraid to touch it. it is $100 million. that $100 million that we are giving to a lead people in the front offices of these major leagues is made by the money you are paying in taxes to pay for it. it speaks volumes about the arrogance of washington.
5:35 pm
it is a tax year mark specifically for some of the most well-to-do people in the country. i cannot get a cosponsor wor. what does that say to you? i recommend you look at what espn did. look at what a sham it is. it goes back to the question the gentleman in the back asked. who is here? i love football. i love golf. but i don't think that a person making $40,000 a year ought to pay a penny more in taxes because the leaks in the offices get a special tax break to take home millions of dollars every year. we are asking the regular joe to have less so that they can have a whole lot more. it is not right. it is not any different than a
5:36 pm
earmark in a spending bill. >> what do you think about the argument of promoting the sport in general? >> i am sure it is just like the real state agents. the heads of the organizations don't come anywhere near that in terms of compensation. >> on the distraction of the weapons -- destruction of the weapons, i mentioned the pentagon would say that they are destroying them because they don't want them going into other people's hands. >> what that says is that they have a crystal ball that says we're not going to need them again in some other area of the world. it also speaks volumes about
5:37 pm
their ability to contract on the transport of equipment and the cost. going read the history of what happened in afghanistan and iraq . read the reports associated with military purchases. we rushed to buy these. we are now going to be tearing them up when we may need them somewhere else. it is the consequence of making the decision now based on what was a stupid decision before. when the history is written about iraq, it is going to be a case history about what not to do, in terms of supply chains. >> can you comment on the cost for the obamacare promotion website? >> it is footnoted. $60 million is advertising for the website.
5:38 pm
it is probably close to $600 million. that does not include the backend cost. they will get it fixed. but the incompetence of rolling it out, nobody could not be critical of. and the amount of money they spent. when you talk to people who actually do this for living, and no had to do it, we are going to pay five times more than what it should cost. that is waste. competency is what is lacking in washington, and the members of congress, and in the head of a lot of agencies. take some of the people who have run large organizations and bring them in. we ought to do that. we bring people and that have a political chip and put them in a
5:39 pm
position of responsibility regardless of whether or not they have the requirements for competency in order to do the job. it is not any wonder that we fail on capability and leadership when it comes to a lot of positions and a lot of agencies. thank you all for being here. i appreciate it. >> we heard the senator talking about not liking the budget agreement that was debated in the senate. there is a boat happening right now in the senate. some republicans don't like the agreement, including the cuts in military benefits. there was a tweet about what the budget chair said.
5:40 pm
it said, she supports efforts to change the military pension cut later but not until after the cut is passed through the budget bill. and there is a conversation about nominations happening in the senate. there is a debate on that ending before the senate for they leave for holiday break. janet yellen should be confirmed by the end of the day saturday. that is with everyone agreeing. >> c-span. we bring public affairs of ends directly to you, putting you in the room and congressional hearings, white house events and conferences. and offering coverage of the u.s. house, all of a public service, created by the cable tv industry and funded your local cable or satellite provider. now you can watch us in hd.
5:41 pm
>> a federal judge ruled on monday that the national security agency collection of records is likely unconstitutional. we will look at that and the future of the nsa collection program on saturday morning's "washington journal" with james andrew lewis. and there will be discussion with professional scholars about the performance of congress. that is tomorrow morning at 7:00 a.m. eastern on c-span. 13 states and the district of columbia run their own health care exchanges. 37 states rely on they're looking at the state experience in an rolling people
5:42 pm
and the health care program. >> good afternoon, everybody. welcome. i am sarah rosen wartell. we are delighted to coast today's event which builds on a history of collaboration. i also want to give a special welcome. we have a great many people who have registered and signed into our web guest online. we are thrilled to have you with us. we will have that archive. very glad you are able to join us. the timing for this could not be better. if you open the pages of the newspaper, you will see a heated debate about enrollment in
5:43 pm
health coverage and the affordable care act, and what is going to mean for who gets health care in this country. each day we seem to have a bigger public following on what that is and the opportunities that there are to expand coverage. today we will take a step back and focus the conversation on lessons from the past and what those lessons tell us. there is some very good and hard work that is been going on on the state level. the maximizing enrollment project under national direction has helped 8 implement strategies to enroll eligible families into medicare -- medicaid. we will hear about the
5:44 pm
strategies and how they have been successful, and how they can be applied to the affordable care act. we will hear about what expectations are realistic and which ones are not for the aca. you are in for a treat with the panel. you will hear from one of the country's most inspired leaders gretel felton. and you will hear from gretel felton. you will also hear from alice weiss, one of the country's experts on pretension and health care -- retention and health care.
5:45 pm
she has also previously served for the editor and chief for vanity fair, a very important and influential magazine. and one of our board members is judy woodruff w. . it is my honor to introduce one less person. she is a program officer at the foundation since 2001. she leads there maximum enrollment work. here at the urban institute we have a wonderful partnership and are grateful for their support of our policy research. thank you. >> thank you sarah. welcome to today's briefing.
5:46 pm
the foundation has worked to expand access and coverage for all americans and to expand programs that increase the number of people with health insurance. the maximizing enrollment program has worked hand and hand with 8 states to transform the policies and procedures for medicaid and children's health insurance programs. these states, alabama, illinois louisiana, massachusetts utah, virginia, and wisconsin have identified and implemented pioneeringed and implemented pioneering innovations to streamline and simplify eligibility, enrollment and retention in their states. they've revamped coupleumbersome
5:47 pm
enrollment processes and changed business processes and procured new tools. in addition to tailorred technical assistance provided to grantees, the program offered a forum for peer to peer learning opportunities across states enabling participants to share information about challenges as well effective strategy streamlined eligibility, enrollment, and retention.
5:48 pm
in the meantime you can bind existing resources at the max enrollment website. she is the senior advisor where she provides policy and procedure information. >> good afternoon. about six weeks ago, i was listening to a well-known news anchor on a well-known television show who introduced a segment with the words, and this was about one month ago now six weeks into full implementation of the affordable care act, and i thought to
5:49 pm
myself really? how about three years down and years to go in terms of implementation of the law. it underscores how many of us feel about the intense focus right now on the functionality of some website versus the entire initiative contained in the law, all aimed at improving health care and lowering the costs. those are the famous goals of the so-called aaa. this topic today, maximizing enrollment, is a very important part of that bigger picture story. the activities we will talk about today predates the passage and enactment of the affordable care act.
5:50 pm
this got started in 2000 and nine, the year before the -- 2009 the year before the law was enacted. these are the issues about enrollment people in the programs that exist on the books , which people are qualified but not enrolled. that has been a challenge in this nation for some time. with the affordable care act it is just moving into a new phase. there are tools and technologies to make these programs more responsive and outreach better to the population. there is the need for those kinds of programs and efficiencies. that need has moved into higher gear than ever before. we are very delighted to have them here to talk about this and to talk about the role of states in solving the problem. i just have a couple of
5:51 pm
housekeeping notes grade -- notes. if you are watching this online, please submit your questions at any time during the conversation. you can also tweak your questions to #aca. we would appreciate it if those of you with us today would complete the green of valuation form before you leave today to help us put on a truly first- rate briefing, not just today but in the future worr. finally, please turn off the ringers on your cell phones. you also have on your chairs biographies of the speakers today. i will be making a reef introductions of them now. our first speaker you heard
5:52 pm
introduced earlier as alice weiss of the national academy of the state policy. she is one of the two directors of the maximizing enrollment program. they have been working closely with these8 8 states. what can you share about those lessons learned and how that is influencing the finance going on that may affect people in other states? >> thank you for the question. the process of streamlining enrollment is not new to states. the aca will be a transformation of systems, but the process of trying to make enrollment simpler has been going on for a number of years. that is part of our work with maximizing enrollment. i cannot go further without
5:53 pm
acknowledging the work of my colleagues and the deputy director of the program. and thank you for the support of the foundation, the robert wood foundation for all of their work. what we've been reporting out is that states have been able to make some tremendous strides forward. we focused on three key areas that we saw. the first was, harnessing technologies to streamline the enrollment policies. the second was focusing on strategies that worked to streamline and make the process more efficient. the third was learning from the states about how to manage program change. i want to talk about each of them quickly and offer some lessons from that. the states did tremendous work. they use technology to make enrollment simpler. how did they do that? they adopted and perfected
5:54 pm
online and telephonic applications long before the aca required that. they used notices and echat and electronic consumer-facing accounts to improve the communication with consumers. they used electronic document management and other strategies to take the paper out of the process and make the process work more safely and quickly for those involved. they updated their business processes. i hope to talk more about that. that was to make the process simpler. this was making the process work and figuring out how to motivate that in the absence of a paperless product. there was amazing work that the states were doing for
5:55 pm
eligibility to allow for the state to use day-to-day all ready had to make the enrollment process a lot simpler, to avoid all of the needless documentation when the state already had the documentation and make it easier from a consumer perspective. along the lines of program management, we saw that the states had a vision that they developed and designed from looking at the strengths and their own challenges and opportunities. they mentioned the diagnostic assessments that the states developed. they were able to say, this is where i am doing well. this is where you need help. from that, they focus the vision. we saw some amazing innovations including from the two women here that you will hear from later. they used data to inform the program management which made a
5:56 pm
big difference to them and him proved across agency communication from the state and local lover to make sure the vision was shared, clearly communicated, and clearly articulated. there are some key lessons that come from what we observed. first, states are most successful when they can keep their consumers in mind. that means the enrollees walking in the door, but also those who are trying to support and engage division, and the faith holders involved in that. all of these are key supports that help the states achieve their goals. leadership admission has been essential to helping our state. that is going to be important in the aca. nothing implemented self. change, particularly cultural change, takes time.
5:57 pm
don't implement technology for technology's sake. make sure that policy is driving out. but make sure that your policies data-driven and evidence-based. this requires new approaches to working processes. most importantly, the power of change is really driven by states owning the change and developing a system for what they want to accomplish. we will talk more about that as we continue the conversation. >> great insights. we look forward to expanding on those. we will hear from the senior fellow here at the urban institute and the experience of health enrollment, not just what we learn through maximizing enrollment but also pass lessons that could be applicable now and help us understand the process of understanding what people under the affordable care act may need. >> we know it takes time.
5:58 pm
i will give you an example from the children's health insurance program. chip in roll -- enrolls nine in 10 eligible children. that is a high mark. but it took time to reach that point. the congressional research service talks about why there was such low participation levels. it took five years before enrollment ramped up to the city and state levels. we know that it takes time. the reason it takes time is because it is a program with significant responsibilities shared between the state and federal governments. that is a good airing and that -- thing in that it helps us
5:59 pm
undertake challenges we have not undertaken before as a country. some will succeed. someone succeed -- some won't succeed. they will eventually migrate toward the most successful properties -- policies. in general, the few states that quickly enrolled people did so by eliminating the need for consumers to use paperwork. governor romney wanted to make sure that elderly people were enrolled. they did a data match with the old program and enrolled them. those who did not enroll were
6:00 pm
automatically enrolled. there are similar opportunities. states can use data from the food stamp program or snap program. information about children of newly eligible parents. they can use that to qualify people for coverage. in october, four states that implemented this. those enrolled nearly of a quarter million more in one month based on those data matches. an extraordinary accomplishment. that is just four states. it is not even the 25 states that are expanding medicaid. it will be taking time. i am convinced that if some of those approac