OPM Director Defends Cybersecurity Protocol in Wake of Massive Hack

The recent intrusion “may have been the most devastating cyberattack in our nation’s history,” House Oversight Chairman Jason Chaffetz said.

National Journal
Dustin Volz
June 16, 2015, 7:05 a.m.

The director of the Office of Personnel Management struck a defensive tone during her appearance before a congressional panel Tuesday, saying that the agency had greatly expanded its cybersecurity in recent years while partly blaming the recent hack of federal-employee data on a lack of funding for information technology.

Appearing before the House Oversight Committee nearly two weeks after a massive breach affecting the personal data of millions of current and former employees was publicly disclosed, OPM Director Katherine Archuleta acknowledged security vulnerabilities in the agency’s outdated technology infrastructure. But she also hailed the strides OPM had taken under her stewardship to bolster its cyberdefenses.

“Cybersecurity issues that the government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our Internet infrastructure,” Archuleta wrote in her three-page written testimony, which she read portions of during the hearing. “We discovered these intrusions because of our increased efforts in the last 18 months to improve cybersecurity at OPM, not despite them.”

Archuleta also acknowledged that OPM was aware of a second, potentially far more devastating hack of security-clearance information when it publicly announced the first breach earlier this month.

According to Archuleta’s written testimony, investigators discovered in May that “additional systems were likely compromised” and began notifying congressional leadership and select committees. Other agencies were notified in early June of the second breach, the testimony reads, and that “there was a high degree of confidence that OPM systems related to background investigations of current, former, and prospective federal-government employees, and those for whom a federal background investigation was conducted, may have been compromised.”

The second breach was first disclosed publicly on Friday after news reports concerning it emerged.

Oversight Chairman Jason Chaffetz said OPM had not done enough to mitigate risk of potential hacks. The Utah Republican ran through a litany of audits and Inspector General reports issued over the past several years finding that OPM had been insufficient in upgrading its cybersecurity, which he said amounted to “leaving all of the doors and windows open in your house” for “what may have been the most devastating cyberattack in our nation’s history.”

“This has been going on for a long time, and yet when I read the testimony that was provided here — we’re about to hear, ‘Hey we’re doing a great job,’” Chaffetz said. “You’re not. It’s failing.”

Archuleta said that cyberattacks had become exponentially more frequent and sophisticated in recent years and called for more to be done across government and the private sector to better defend against data breaches.

“Government and nongovernment entities are under constant attack by evolving and advanced persistent threats and criminal actors,” she said. “These adversaries are sophisticated, well-funded, and focused. In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network. These attacks will not stop — if anything, they will increase.”

Archuleta also made a direct appeal to federal workers, saying, “The security of your personal data is of paramount importance.” She added that OPM was “committed to a full and complete investigation of these incidents and are taking action to mitigate vulnerabilities exposed by intrusions.”

OPM announced earlier this month that the personal data — such as Social Security numbers, names, birthdays, and addresses — of approximately 4 million former and current federal employees was swiped in a breach that began last year, was detected in April, and is believed to have been committed by China. Reports have surfaced since to suggest the hack was far broader and more debilitating than has been publicly acknowledged.

On Friday, the government announced that the hackers had succeeded in staging a second, potentially far more comprehensive hack of the agency that exposed sensitive security-clearance information of intelligence and military personnel. The White House and others have not yet commented on how damaging that hack — also believed to be orchestrated by China — could be for American agents and spies, some of whom would likely be stationed abroad.

Chaffetz pressed Archuleta to provide more detail about the size of the OPM intrusion, citing reports that it may implicate as many as 14 million individuals, but she repeatedly demurred on grounds that an investigation into the hack is ongoing. Chaffetz also tried repeatedly to force an answer out of Archuleta as to whether sensitive information of military personnel, contractors, or CIA agents was compromised, but each time she said she would need to discuss that information in a classified setting.

“You have completely and utterly failed,” Chaffetz told Archuleta, noting that the Inspector General’s Office had found the security systems so flawed last year that a recommendation was made to temporarily take the databases offline.

“You made a conscious decision not to do that, you kept it open, the information was vulnerable, and the hackers got it,” Chaffetz, raising his voice, said. “They’re going to prey on the American people.”

Sylvia Burns, the chief information officer for the Department of Interior, said officials believed that only OPM data had been accessed during the hack and that other government agencies were likely not compromised, though she noted that the investigation is still ongoing.

OPM Assistant Inspector General Michael Esser criticized the office for having a “history of struggling to comply with” the Federal Information Security Management Act. Esser also highlighted concerns about the use of IT systems that lack valid authorization checks.

At least one lawmaker suggested Tuesday that some members of OPM leadership should resign. Rep. Ted Lieu, a California Democrat who holds a degree in computer science from Stanford, used the hearing to condemn a “high level of technological incompetence” across government and noted that when other agencies are beset by scandal, high-ranking officials are often forced to step down.

“I’m looking here today for a few good people to step forward, take responsibility and resign for the good of the nation,” Lieu said. Chaffetz promptly responded: “Well said.”

This story has been updated.
