Lawmakers rip OPM's 'failure'

Members of Congress heaped hard questions on federal IT leaders at a June 16 hearing and suggested strongly that somebody needs to be fired.

(Image: Security concept, lock on a digital screen. Sergey Nivens / Shutterstock)

"You failed, utterly and totally."

That was the blunt message that Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, delivered -- and many of his fellow lawmakers echoed -- to senior civil servants at a June 16 hearing on the massive breach of the Office of Personnel Management.

"This has been going on for years, but when I read the testimony that's been prepared, we're about to hear, 'But we're doing a good job!'" Chaffetz exploded. "You're not, it's failing!"

The committee did not take kindly to the nuanced, defensive remarks offered by OPM Director Katherine Archuleta and the other senior officials who offered testimony, especially as they denied some of the more surprising allegations coming out of the debacle -- the possibility that as many as 14 million people were compromised in the breach, and that a small business discovered the malware on OPM's systems -- and claimed OPM had been aggressively updating its cybersecurity posture.

OPM can't answer all the questions

"I would be happy to discuss that in a classified session," was Archuleta's stock response to many questions, at one point leaving her sounding a bit like a certain taciturn NFL running back.

Was the breach part of a coordinated foreign effort to undermine U.S. security? Classified.

Were cabinet-level employees and military personnel exposed in the breach? Classified.

Did hackers gain access to OPM's systems by hacking OPM contractors, or did they perhaps access the system through employee email accounts? Classified, and classified.

The committee was scheduled to hold a classified hearing on the OPM breach following the public session.

Archuleta also declined to give an estimate of how many individuals' personally identifying information (PII) may have been exposed. She stood by OPM's estimate that 4.2 million current and former federal employees were exposed in an initial breach, but could not say how many individuals might have been exposed in a second breach that compromised highly sensitive background check information.

A memo distributed by OPM on June 15 and obtained by FCW pointed federal employees to the Federal Trade Commission's Identity Theft Clearinghouse if they suspect their information is being misused following that second breach, which was disclosed June 12.

The memo said that beyond the initial OPM breach disclosed June 4, OPM "has recently discovered" that more systems had been compromised, systems that contain data from background investigations of current, former, and prospective federal government employees, as well as other individuals who underwent a federal background investigation.

OPM said it is working with the Department of Homeland Security and the FBI to determine the number of people affected by that separate intrusion. The agency said it will notify those individuals whose information may have been compromised "as soon as practicable."

Private sector thrown under the bus

During the hearing, feds took aim at the private sector and OPM doubled down on its assertion that CyTech Services did not discover the breach when it detected malware on OPM's systems.

Ranking Democrat Elijah Cummings of Maryland opened his remarks by questioning why representatives from the previously hacked USIS were not at the hearing, and several congressmen questioned whether the December hack of KeyPoint Government Solutions, a background check investigator contractor for OPM, may have given hackers the "keys" they needed to access OPM networks.

OPM CIO Donna Seymour referred the latter question to the classified briefing.

Archuleta repeated the assertion that, despite reporting to the contrary, it was OPM, not the Virginia small business CyTech Services, which discovered the breach.

"So the New York Times and others who wrote [that CyTech had detected the breach] were wrong?" Chaffetz queried.

"That is correct," Archuleta responded.

CyTech issued a statement June 15 confirming it had detected malware on OPM's systems on April 21, 2015, but the service-disabled-veteran-owned small business noted it couldn't say whether OPM already knew of the breach. OPM had maintained it discovered the breach itself sometime in April 2015, but OPM spokesperson Sam Schumach told FCW he couldn't provide the exact date of discovery.

Security measures that failed -- and those that wouldn't have worked?

Andy Ozment, assistant secretary in the Homeland Security Department's Office of Cybersecurity and Communications, admitted that the hacked OPM data -- including Social Security numbers -- was not encrypted, but he said that in this particular hack, encryption would not have made a difference.

"Encryption in this case would not have protected the data," he said, explaining that the hackers accessed the files with legitimate user privileges, so the data would have been presented to them in the clear just as it is to any authorized user, encryption or no.

On Einstein, DHS's perimeter security system, Ozment noted that the system had failed.

"Security cannot be achieved through only one type of tool," he said. "Einstein is a perimeter system, but it will never be able to block every threat."

Comparing Einstein 1 and 2 to security cameras on a building, Ozment said Einstein 3A -- currently being rolled out -- acts more like a gatekeeper scanning "cars on the highway" and actively blocking unauthorized traffic before it even reaches the building, that is, the agency network.

IG ignored?

"In the FY 2007 FISMA report, we identified a material weakness related to the lack of IT security policies and procedures," OPM Assistant Inspector General Michael Esser said in his prepared testimony. "In FY 2009, we expanded the material weakness to include the lack of a centralized security management structure necessary to implement and enforce IT security policies."

And Esser noted that each OPM program office had to fend for itself when it came to cybersecurity.

"The program office personnel responsible for IT security frequently had no IT security background and were performing this function in addition to another full-time role," he testified. "As a result of this decentralized governance structure, many security controls went unimplemented and/or remained untested, and OPM routinely failed a variety of FISMA metrics year after year."

He also noted OPM's lack of a centralized server and database inventory.

"Even if the [advanced cybersecurity] tools I just referenced were being used appropriately, OPM cannot fully defend its network without a comprehensive list of assets that need to be protected and monitored," Esser wrote.

Lawmakers hammered the administration officials for refusing to shut down OPM systems after numerous IG reports identified key weaknesses, and noted that in fiscal 2014, 11 out of 21 OPM systems were operating without a valid security assessment and authorization.

Archuleta and others responded that cybersecurity has been a top priority, but that fixing broken processes takes time.

'Essentially no consequences'

U.S. CIO Tony Scott touted his 30-day "Cybersecurity Sprint" and OPM's Seymour noted aggressive security improvements have taken place since the breach, but Congress remained unimpressed on a bipartisan basis.

"It is clear to me that there is a high level of technological incompetence across federal agencies," said Rep. Ted Lieu (D-Calif.). In past failures of this magnitude, he noted, leadership has resigned or been fired to send a message that "the status quo is not acceptable."

"When there is a culture problem ... leadership has to resign," he said. "What I'm looking for is a few good people to accept responsibility and resign for the good of the nation."

None of the witnesses offered themselves as tribute.

"Has anyone lost their job over this?" Rep. Glenn Grothman (R-Wis.) asked Archuleta.

After a grueling three hours in which she was often rebuked for not giving yes-or-no answers, Archuleta finally responded with a one-word answer, and it wasn't the one the members had been seeking: "No."

Esser noted that there were "essentially no consequences" for running systems without proper authorization, as OPM had done leading up to the breach. And while OPM's Seymour argued there were consequences, she couldn't provide a specific example.

Archuleta also defended OPM's security challenge in her written testimony.

"In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network," she noted. "These attacks will not stop -- if anything, they will increase."

She also gave herself and her agency credit for their efforts.

"We discovered these intrusions because of our increased efforts in the last eighteen months to improve cyber security at OPM, not despite them," she said.

Mark Rockwell contributed to this story.
