Chaffetz details where OPM went wrong, warns about future


Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, released a detailed report on the chronology of the Office of Personnel Management hack that exposed more than 21 million personnel records.

During a Sept. 7 presentation at the American Enterprise Institute in Washington, he said the "most concerning things" were the repeated warnings about OPM's weaknesses and the idea that such a breach was preventable.

Chaffetz pointed to a series of inspector general reports dating back to 2005 that almost annually lamented OPM's insufficient cybersecurity protocols, and he criticized former OPM CIO Donna Seymour for "thwarting and misleading" the watchdogs.

The report criticizes OPM's response to the first signs of intruders on its network.

"Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM's systems incurred," the report states.

OPM Acting Director Beth Cobert said the report "does not fully reflect where this agency stands today."

"While we disagree with many aspects of the report, we welcome the committee's recognition of OPM's swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies and processes," she wrote in a Sept. 7 blog post.

A memo by staffers on the Democratic side of the committee said the breach was due in part to compromised credentials used by OPM's IT contractors and that Chaffetz’s report "fails to adequately address federal contractors and their role in cybersecurity."

In a series of committee hearings, Chaffetz has called for the resignations of senior OPM leaders on several occasions. Former OPM Director Katherine Archuleta resigned in July 2015, followed by Seymour's resignation in February 2016.

In addition, Chaffetz denounced OPM for not implementing multifactor authentication. Only 1 percent of users were required to use personal identity verification (PIV) cards to access OPM systems, and 11 systems were operating without a valid authority to operate (ATO), the security authorization federal systems are required to hold, he said.

The U.S. Computer Emergency Readiness Team discovered that "OPM was under sustained attack for at least as far back as 2012," he added, and the two attackers who penetrated the system were "likely connected and possibly coordinated."

After the hackers breached OPM's system, Chaffetz said immediate action, including shutting the system down, could have "seriously limited the adversaries' ability to move around the network."

Because of OPM's failure to monitor network activity, "we'll never know everything that was stolen," he added.

When OPM hired a company to diagnose the intrusions, "so much malware was found in the tool, it was said to be lit up like a Christmas tree," Chaffetz said.

He placed some of the blame on the cumbersome federal acquisition process. "It is not swift, it is not effective, it is not efficient, and in the world of cybersecurity, it will sometimes be generations after a new technology has actually come and gone," he said.

Chaffetz advocated a "zero trust" approach to security on federal networks, which centers on the idea that a request originating inside the network earns no more trust than one from outside: every access must be authenticated and authorized on its own merits rather than on the basis of network location.
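To make the distinction concrete, the following added example (not part of the committee report or the article) compares a perimeter-style access decision with a zero-trust one over the same constructed requests. The address ranges, request fields and sample users are hypothetical; the point it illustrates is the one the article makes about OPM: a valid password presented from an "inside" address, as with the compromised contractor credentials, passes a perimeter check but fails a zero-trust check that requires a hardware-backed second factor (such as a PIV card), a managed device and an explicit grant.

```python
"""Perimeter trust vs. zero trust: access decisions on the same requests.

Added illustrative example. Network ranges, users and resource names are
hypothetical, constructed only to show how the two models differ.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical "inside the perimeter" address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    password_ok: bool      # first factor verified
    piv_verified: bool     # hardware-backed second factor (e.g. PIV card) verified
    device_managed: bool   # endpoint is enrolled and reports compliant
    resource: str
    authorized: bool       # user holds an explicit grant for this resource


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def perimeter_decision(req: AccessRequest) -> str:
    """Perimeter model: location inside the network is treated as trust.

    A password alone is enough from outside; from inside, nothing is checked.
    """
    if is_internal(req.source_ip):
        return "allow"
    return "allow" if req.password_ok else "deny: bad password"


def zero_trust_decision(req: AccessRequest) -> str:
    """Zero-trust model: network location is not an input at all.

    Each request must carry a verified identity with a second factor, come
    from a managed device, and be explicitly authorized for the resource.
    """
    if not (req.password_ok and req.piv_verified):
        return "deny: identity not verified with second factor"
    if not req.device_managed:
        return "deny: unmanaged device"
    if not req.authorized:
        return "deny: no grant for resource"
    return "allow"


# Constructed sample requests.
STOLEN_CONTRACTOR_CREDENTIAL = AccessRequest(
    user="contractor01", source_ip="10.20.30.40", password_ok=True,
    piv_verified=False, device_managed=False,
    resource="personnel-db", authorized=True,
)
LEGITIMATE_INTERNAL_USER = AccessRequest(
    user="analyst02", source_ip="10.20.30.41", password_ok=True,
    piv_verified=True, device_managed=True,
    resource="personnel-db", authorized=True,
)
REMOTE_PIV_USER_NO_GRANT = AccessRequest(
    user="analyst03", source_ip="203.0.113.7", password_ok=True,
    piv_verified=True, device_managed=True,
    resource="personnel-db", authorized=False,
)


def compare(req: AccessRequest) -> dict:
    """Return both models' decisions for one request."""
    return {"perimeter": perimeter_decision(req),
            "zero_trust": zero_trust_decision(req)}


if __name__ == "__main__":
    for r in (STOLEN_CONTRACTOR_CREDENTIAL, LEGITIMATE_INTERNAL_USER,
              REMOTE_PIV_USER_NO_GRANT):
        print(r.user, r.source_ip, compare(r))
```

The perimeter model's only real control is the network boundary, so once an attacker holds a credential and a foothold inside, it stops asking questions; the zero-trust evaluator asks the same questions of every request, which is why the stolen contractor credential is denied even from an internal address.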

"Federal agencies, particularly CIOs, must recognize they're on the front line of vital information," he said. "We're taking people and we're dumbing them down" to 1960s technology and coding languages.

Chaffetz also made a veiled reference to the White House's proposal for a revolving fund to support IT modernization projects outside the traditional appropriations process.

"The Obama administration has spent more than $600 billion on ... don't tell me we're $3 billion from solving this," he said. "There's no just turning this ship around in a couple of months...but that's why" drawing attention to cybersecurity is a starting point.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
