Chaffetz details where OPM went wrong, warns about future

Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, released a detailed report on the chronology of the Office of Personnel Management hack that exposed more than 21 million personnel records.

During a Sept. 7 presentation at the American Enterprise Institute in Washington, he said the "most concerning things" were the repeated warnings about OPM's weaknesses and the idea that such a breach was preventable.

Chaffetz pointed to a series of inspector general reports dating back to 2005 that almost annually lamented OPM's insufficient cybersecurity protocols, and he criticized former OPM CIO Donna Seymour for "thwarting and misleading" the watchdogs.

The report criticizes OPM's response to the first signs of intruders on its network.

"Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM's systems incurred," the report states.

OPM Acting Director Beth Cobert said the report "does not fully reflect where this agency stands today."

"While we disagree with many aspects of the report, we welcome the committee's recognition of OPM's swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies and processes," she wrote in a Sept. 7 blog post.

A memo by staffers on the Democratic side of the committee said the breach was due in part to compromised credentials used by OPM's IT contractors and that Chaffetz’s report "fails to adequately address federal contractors and their role in cybersecurity."

In a series of committee hearings, Chaffetz has called for the resignations of senior OPM leaders on several occasions. Former OPM Director Katherine Archuleta resigned in July 2015, followed by Seymour's resignation in February 2016.

In addition, Chaffetz denounced OPM for not implementing multifactor authentication. Only 1 percent of users were required to have personal identity verification cards to access OPM systems, and 11 systems did not have active authorities to operate, he said.

The U.S. Computer Emergency Readiness Team discovered that "OPM was under sustained attack for at least as far back as 2012," he added, and the two attackers who penetrated the system were "likely connected and possibly coordinated."

After the hackers breached OPM's system, Chaffetz said immediate action, including shutting the system down, could have "seriously limited the adversaries' ability to move around the network."

Because of OPM's failure to monitor network activity, "we'll never know everything that was stolen," he added.

When OPM hired a company to diagnose the intrusions, "so much malware was found in the tool, it was said to be lit up like a Christmas tree," Chaffetz said.

He placed some of the blame on the cumbersome federal acquisition process. "It is not swift, it is not effective, it is not efficient, and in the world of cybersecurity, it will sometimes be generations after a new technology has actually come and gone," he said.

Chaffetz advocated using a "zero trust" approach to security on federal networks, which centers on the idea that users inside the network are no more trustworthy than users outside the network.

"Federal agencies, particularly CIOs, must recognize they're on the front line of vital information," he said. "We're taking people and we're dumbing them down" to 1960s technology and coding languages.

Chaffetz also made a veiled reference to the White House's proposal for a revolving fund to support IT modernization projects outside the traditional appropriations process.

"The Obama administration has spent more than $600 billion on don't tell me we're $3 billion from solving this," he said. "There's no just turning this ship around in a couple of months...but that's why" drawing attention to cybersecurity is a starting point.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
