OPM Director Defends Cybersecurity Protocol in Wake of Massive Hack

The recent intrusion “may have been the most devastating cyberattack in our nation’s history,” House Oversight Chairman Jason Chaffetz said.

National Journal
Dustin Volz
Add to Briefcase
See more stories about...
Dustin Volz
June 16, 2015, 7:05 a.m.

The dir­ect­or of the Of­fice and Per­son­nel Man­age­ment struck a de­fens­ive tone dur­ing her ap­pear­ance be­fore a con­gres­sion­al pan­el Tues­day, say­ing that the agency had greatly ex­pan­ded its cy­ber­se­cur­ity in re­cent years while partly blam­ing the re­cent hack of fed­er­al-em­ploy­ee data on a lack of fund­ing for in­form­a­tion tech­no­logy.

Ap­pear­ing be­fore the House Over­sight Com­mit­tee nearly two weeks after a massive breach af­fect­ing the per­son­al data of mil­lions of cur­rent and former em­ploy­ees was pub­licly dis­closed, OPM Dir­ect­or Kath­er­ine Archu­leta ac­know­ledged se­cur­ity vul­ner­ab­il­it­ies in the agency’s out­dated tech­no­logy in­fra­struc­ture. But she also hailed the strides OPM had taken un­der her stew­ard­ship to bol­ster its cy­ber­de­fenses.

“Cy­ber­se­cur­ity is­sues that the gov­ern­ment is fa­cing is a prob­lem that has been dec­ades in the mak­ing, due to a lack of in­vest­ment in fed­er­al IT sys­tems and a lack of ef­forts in both the pub­lic and private sec­tors to se­cure our In­ter­net in­fra­struc­ture,” Archu­leta wrote in her three-page writ­ten testi­mony, which she read por­tions of dur­ing the hear­ing. “We dis­covered these in­tru­sions be­cause of our in­creased ef­forts in the last 18 months to im­prove cy­ber­se­cur­ity at OPM, not des­pite them.”

Archu­leta also ac­know­ledged that OPM was aware of a second, po­ten­tially far more dev­ast­at­ing hack of se­cur­ity-clear­ance in­form­a­tion when it pub­licly an­nounced the first breach earli­er this month.

Ac­cord­ing to Archu­leta’s writ­ten testi­mony, in­vest­ig­at­ors dis­covered in May that “ad­di­tion­al sys­tems were likely com­prom­ised” and began no­ti­fy­ing con­gres­sion­al lead­er­ship and se­lect com­mit­tees. Oth­er agen­cies were no­ti­fied in early June of the second breach, the testi­mony reads, and that “there was a high de­gree of con­fid­ence that OPM sys­tems re­lated to back­ground in­vest­ig­a­tions of cur­rent, former, and pro­spect­ive fed­er­al-gov­ern­ment em­ploy­ees, and those for whom a fed­er­al back­ground in­vest­ig­a­tion was con­duc­ted, may have been com­prom­ised.”

The second breach was first dis­closed pub­licly on Fri­day after news re­ports con­cern­ing it emerged.

Over­sight Chair­man Jason Chaf­fetz said OPM had not done enough to mit­ig­ate risk of po­ten­tial hacks. The Utah Re­pub­lic­an ran through a lit­any of audits and In­spect­or Gen­er­al re­ports is­sued over the past sev­er­al years find­ing that OPM had been in­suf­fi­cient in up­grad­ing its cy­ber­se­cur­ity, which he said amoun­ted to “leav­ing all of the doors and win­dows open in your house” for “what may have been the most dev­ast­at­ing cy­ber­at­tack in our na­tion’s his­tory.”

“This has been go­ing on for a long time, and yet when I read the testi­mony that was provided here — we’re about to hear, ‘Hey we’re do­ing a great job,’” Chaf­fetz said. “You’re not. It’s fail­ing.”

Archu­leta said that cy­ber­at­tacks had be­come ex­po­nen­tially more fre­quent and soph­ist­ic­ated in re­cent years and called for more to be done across gov­ern­ment and the private sec­tor to bet­ter de­fend against data breaches.

“Gov­ern­ment and non­gov­ern­ment en­tit­ies are un­der con­stant at­tack by evolving and ad­vanced per­sist­ent threats and crim­in­al act­ors,” she said. “These ad­versar­ies are soph­ist­ic­ated, well-fun­ded, and fo­cused. In an av­er­age month, OPM, for ex­ample, thwarts 10 mil­lion con­firmed in­tru­sion at­tempts tar­get­ing our net­work. These at­tacks will not stop — if any­thing, they will in­crease.”

Archu­leta also made a dir­ect ap­peal to fed­er­al work­ers, say­ing, “The se­cur­ity of your per­son­al data is of para­mount im­port­ance.” She ad­ded that OPM was “com­mit­ted to a full and com­plete in­vest­ig­a­tion of these in­cid­ents and are tak­ing ac­tion to mit­ig­ate vul­ner­ab­il­it­ies ex­posed by in­tru­sions.”

OPM an­nounced earli­er this month that the per­son­al data — such as So­cial Se­cur­ity num­bers, names, birth­days, and ad­dresses — of ap­prox­im­ately 4 mil­lion former and cur­rent fed­er­al em­ploy­ees was swiped in a breach that began last year, was de­tec­ted in April, and China is be­lieved to have com­mit­ted. Re­ports have sur­faced since to sug­gest the hack was far broad­er and more de­bil­it­at­ing than has been pub­licly ac­know­ledged.

On Fri­day, the gov­ern­ment an­nounced that the hack­ers had suc­ceeded in sta­ging a second, po­ten­tially far more com­pre­hens­ive hack of the agency that ex­posed sens­it­ive se­cur­ity-clear­ance in­form­a­tion of in­tel­li­gence and mil­it­ary per­son­nel. The White House and oth­ers have not yet com­men­ted on how dam­aging that hack — also be­lieved to be or­ches­trated by China — could be for Amer­ic­an agents and spies, some of whom would likely be sta­tioned abroad.

Chaf­fetz pressed Archu­leta to provide more de­tail about the size of the OPM in­tru­sion, cit­ing re­ports that it may im­plic­ate as many as 14 mil­lion in­di­vidu­als, but she re­peatedly de­murred on grounds that an in­vest­ig­a­tion in­to the hack is on­go­ing. Chaf­fetz also tried re­peatedly to force an an­swer out of Archu­leta as to wheth­er sens­it­ive in­form­a­tion of mil­it­ary per­son­nel, con­tract­ors, or CIA agents was com­prom­ised, but each time she said she would need to dis­cuss that in­form­a­tion in a clas­si­fied set­ting.

“You have com­pletely and ut­terly failed,” Chaf­fetz told Archu­leta, not­ing that the In­spect­or Gen­er­al’s Of­fice had found the se­cur­ity sys­tems so flawed last year that a re­com­mend­a­tion was made to tem­por­ar­ily take the data­bases off­line.

“You made a con­scious de­cision not to do that, you kept it open, the in­form­a­tion was vul­ner­able, and the hack­ers got it,” Chaf­fetz, rais­ing his voice, said. “They’re go­ing to prey on the Amer­ic­an people.”

Sylvia Burns, the chief in­form­a­tion of­ficer for the De­part­ment of In­teri­or, said of­fi­cials be­lieved that only OPM data had been ac­cessed dur­ing the hack and that oth­er gov­ern­ment agen­cies were likely not com­prom­ised, though she noted that the in­vest­ig­a­tion is still on­go­ing.

OPM As­sist­ant In­spect­or Gen­er­al Mi­chael Es­s­er cri­ti­cized the of­fice for hav­ing a “his­tory of strug­gling to com­ply with” the Fed­er­al In­form­a­tion Se­cur­ity Man­age­ment Act. Es­s­er also high­lighted con­cerns about the use of IT sys­tems that lack val­id au­thor­iz­a­tion checks.

At least one law­maker sug­ges­ted Tues­day that some mem­bers of OPM lead­er­ship should resign. Rep. Ted Lieu, a Cali­for­nia Demo­crat who holds a de­gree in com­puter sci­ence from Stan­ford, used the hear­ing to con­demn a “high level of tech­no­lo­gic­al in­com­pet­ence” across gov­ern­ment and noted that when oth­er agen­cies are be­set by scan­dal, high-rank­ing of­fi­cials are of­ten forced to step down.

“I’m look­ing here today for a few good people to step for­ward, take re­spons­ib­il­ity and resign for the good of the na­tion,” Lieu said. Chaf­fetz promptly re­spon­ded: “Well said.”

This story has been up­dated.

What We're Following See More »
Saudis Admit Khashoggi Killed in Embassy
2 days ago

"Saudi Arabia said Saturday that Jamal Khashoggi, the dissident Saudi journalist who disappeared more than two weeks ago, had died after an argument and fistfight with unidentified men inside the Saudi Consulate in Istanbul. Eighteen men have been arrested and are being investigated in the case, Saudi state-run media reported without identifying any of them. State media also reported that Maj. Gen. Ahmed al-Assiri, the deputy director of Saudi intelligence, and other high-ranking intelligence officials had been dismissed."

Mueller Looking into Ties Between WikiLeaks, Conservative Groups
2 days ago

"Special counsel Robert Mueller’s investigation is scrutinizing how a collection of activists and pundits intersected with WikiLeaks, the website that U.S. officials say was the primary conduit for publishing materials stolen by Russia, according to people familiar with the matter. Mr. Mueller’s team has recently questioned witnesses about the activities of longtime Trump confidante Roger Stone, including his contacts with WikiLeaks, and has obtained telephone records, according to the people familiar with the matter."

Mueller To Release Key Findings After Midterms
2 days ago

"Special Counsel Robert Mueller is expected to issue findings on core aspects of his Russia probe soon after the November midterm elections ... Specifically, Mueller is close to rendering judgment on two of the most explosive aspects of his inquiry: whether there were clear incidents of collusion between Russia and Donald Trump’s 2016 campaign, and whether the president took any actions that constitute obstruction of justice." Mueller has faced pressure to wrap up the investigation from Deputy Attorney General Rod Rosenstein, said an official, who would receive the results of the investigation and have "some discretion in deciding what is relayed to Congress and what is publicly released," if he remains at his post.

FinCen Official Charged with Leaking Info on Manafort, Gates
2 days ago
"A senior official working for the Treasury Department's Financial Crimes Enforcement Network (FinCEN) has been charged with leaking confidential financial reports on former Trump campaign advisers Paul Manafort, Richard Gates and others to a media outlet. Prosecutors say that Natalie Mayflower Sours Edwards, a senior adviser to FinCEN, photographed what are called suspicious activity reports, or SARs, and other sensitive government files and sent them to an unnamed reporter, in violation of U.S. law."
DOJ Charges Russian For Meddling In 2018 Midterms
2 days ago

"The Justice Department on Friday charged a Russian woman for her alleged role in a conspiracy to interfere with the 2018 U.S. election, marking the first criminal case prosecutors have brought against a foreign national for interfering in the upcoming midterms. Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of 'Project Lakhta,' a foreign influence operation they said was designed 'to sow discord in the U.S. political system' by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and the National Football League national-anthem protests."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.