Chaffetz wants answers from US-CERT, OPM on hack

Jason Chaffetz

House Oversight and Government Reform Chairman Jason Chaffetz wants more details on the response to the OPM hacks.

Overseers in Congress are teeing up material for another round of hearings on the breach of personal data on more than 22 million federal employees.

Utah Republican Rep. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, is looking for details on the timeline of the response to the hacks as reported to the U.S. Computer Emergency Readiness Team and details on computer security manuals exfiltrated from the Office of Personnel Management.

Chaffetz wants US-CERT, a unit of the Department of Homeland Security, to report on when it was first contacted by OPM to report the breach, and any reporting or analysis on the nature of the attack, including whether hackers deployed any malicious code that was known to DHS. In an Aug. 19 letter to US-CERT Director Ann Barron-Di-Camillo, Chaffetz also wants information on any site visits made by US-CERT personnel to OPM data centers, and any reports or recommendations from US-CERT to OPM.

Separately, Chaffetz is also seeking information on security document and manuals taken from OPM systems as far back as March 2014. In a June 24 hearing of the committee, OPM CIO Donna Seymour testified that the loss of the material represented a security breach, and that attackers could use the information to "learn about the platform, the infrastructure of our system."

In a letter to acting OPM Director Beth Cobert, Chaffetz asks for details on what was taken, when the thefts occurred, who discovered the breaches, and how the response was handled.

"The fact that security documents and systems manuals were accessed and taken from the network as discovered in March 2014 heightened the need for OPM to protect its network," Chaffetz wrote. The fact that subsequent breaches occurred, and were possibly enabled by the use of exfiltrated security manuals, clearly is something Chaffetz plans on digging into in the future. He wants to hear from OPM by Sept. 1, and from US-CERT by Sept. 2.

Chaffetz and other Republicans on the panel have called for Seymour's ouster as CIO, most recently in an Aug. 6 letter to Cobert.

On the other side of the aisle, Rep. Gerry Connolly, a senior Democrat on the committee, says firings are not the answer. The Virginian told FCW that calls for firings "divert attention from our failure in Congress to provide the necessary resources for investment in OPM and other federal agencies," and added that the United States was enmeshed in ongoing, but below-the-line cyber wars with China, Russia, Iran and North Korea, and that federal agencies are vulnerable targets for attack.

"Going after an agency head or CIO is a lot easier, a lot more comfortable, than dealing with the big systemic questions that Congress has failed to deal with," Connolly told FCW in an Aug. 11 interview on the sidelines of a federal IT conference.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


Reader comments

Fri, Aug 21, 2015 Mike

While obscurity is not security we in the cyber security field use the principle of responsible disclosure. Yes asking for info on dates and who knew what when would seem harmless but asking for audit details (like some are calling for in the FEC) before the systems are patched is irresponsible. It would be like leaving your cell phone on the table of a restaurant with a stick note on it with your password. Of course if they don't get the fixes in by a reasonable time go after them for that and by all means share your audits after you fix all of the issues raised.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group