Chaffetz wants answers from US-CERT, OPM on hack

A top watchdog in Congress isn't done with his probes into the theft of personal data on feds.

House Oversight and Government Reform Chairman Jason Chaffetz wants more details on the response to the OPM hacks.

Overseers in Congress are teeing up material for another round of hearings on the breach of personal data on more than 22 million federal employees.

Utah Republican Rep. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, is looking for details on the timeline of the response to the hacks as reported to the U.S. Computer Emergency Readiness Team and details on computer security manuals exfiltrated from the Office of Personnel Management.

Chaffetz wants US-CERT, a unit of the Department of Homeland Security, to report when OPM first contacted it about the breach, and to provide any reporting or analysis on the nature of the attack, including whether hackers deployed any malicious code that was known to DHS. In an Aug. 19 letter to US-CERT Director Ann Barron-DiCamillo, Chaffetz also asks for information on any site visits made by US-CERT personnel to OPM data centers, and any reports or recommendations from US-CERT to OPM.

Separately, Chaffetz is also seeking information on security documents and manuals taken from OPM systems as far back as March 2014. In a June 24 hearing of the committee, OPM CIO Donna Seymour testified that the loss of the material represented a security breach, and that attackers could use the information to "learn about the platform, the infrastructure of our system."

In a letter to acting OPM Director Beth Cobert, Chaffetz asks for details on what was taken, when the thefts occurred, who discovered the breaches, and how the response was handled.

"The fact that security documents and systems manuals were accessed and taken from the network as discovered in March 2014 heightened the need for OPM to protect its network," Chaffetz wrote. The fact that subsequent breaches occurred, and were possibly enabled by the use of exfiltrated security manuals, clearly is something Chaffetz plans on digging into in the future. He wants to hear from OPM by Sept. 1, and from US-CERT by Sept. 2.

Chaffetz and other Republicans on the panel have called for Seymour's ouster as CIO, most recently in an Aug. 6 letter to Cobert.

On the other side of the aisle, Rep. Gerry Connolly, a senior Democrat on the committee, says firings are not the answer. The Virginian told FCW that calls for firings "divert attention from our failure in Congress to provide the necessary resources for investment in OPM and other federal agencies," and added that the United States was enmeshed in ongoing, but below-the-line cyber wars with China, Russia, Iran and North Korea, and that federal agencies are vulnerable targets for attack.

"Going after an agency head or CIO is a lot easier, a lot more comfortable, than dealing with the big systemic questions that Congress has failed to deal with," Connolly told FCW in an Aug. 11 interview on the sidelines of a federal IT conference.