White House Office of Personnel Management Director Katherine Archuleta went back before Congress Tuesday to defend her agency’s handling of the massive hack of millions of federal employee records discovered earlier this month and make the case she should keep her job to see the crisis through.
Archuleta and assistant inspector general for OPM Michael Esser appeared before the Senate Financial Services and General Government Appropriations Subcommittee Tuesday to brief the upper chamber for the first time on the breach, now believed to have compromised the personal data and security clearance background information of 18 million federal workers.
Tuesday’s hearing touched on both the breach itself and OPM’s ongoing Information Technology Modernization Project, aimed at updating and securing the unencrypted legacy systems housing the stolen data of millions of federal employees dating back to 1985 — a project Esser’s office has described in years of IG reports as over budget, behind schedule and ineffective.
“What I hope to hear from our witnesses today is not the same stale line that more money is needed, but an explanation to why the federal government failed to do the basic job of protecting personal data of millions of employees with the vast resources it already has at hand,” Arkansas Republican Chairman John Boozman said in his opening statement.
Part of the agency’s effort to update those systems include a $21 million budget increase for fiscal year 2016 to continue upgrading OPM’s systems to meet Federal Information Security Management Act (FISMA) guidelines, which set the cybersecurity standards for all federal agencies.
“You will find significant problems with [other federal agencies] not following IT security best practices including FISMA,” former Homeland Security Department Chief Richard Spires told lawmakers. “Given the situation we find ourselves in across most federal agencies, I would expect you to find significant breaches.”
According to Archuleta, Esser and Spires, even if the agency had complied with those standards and encrypted the compromised data, it would not have stopped the hackers from accessing and reading it.
“My [chief information officer] has advised me that even if there had been 100 percent FISMA compliance, there is no guarantee that systems won’t get breached,” Archuleta said. “If there’s anyone to blame, it is the perpetrators — they’re concentrated, very well funded, focused, aggressive efforts to come into our systems.”
“I don’t believe anyone is personally responsible. I believe that we’re working as hard as we can to protect the data of our employees, because that’s the most important thing that we can do, and I take it very seriously. I’m as angry as you are that this has happened to OPM, and I’m doing everything that I can as quickly as I can to protect the systems.”
Archuleta told lawmakers she inherited the vulnerable legacy systems and lax cybersecurity practices responsible for the breach when she took over OPM in 2013. But according to Esser, not all of the compromised systems at OPM were legacy systems, and some could have been protected with modern security upgrades that were never implemented.
“There are many legacy systems at OPM,” Esser said. “But based on the work that we’ve done in our audits and ongoing work that we’re doing, it’s our understanding that a few of the systems that were breached are not legacy systems — they’re modern systems that current tools could be implemented on.”
“So the idea that this is all legacy and stuff is really not the case,” Boozman said. “I think that’s really important.”
Archuleta repeated steps the agency has taken to increase security she described to the House last week, including implementing two-factor authentication for accessing OPM systems and limiting access credentials to qualified staff.
The director’s first appearance before the House Oversight Committee last week failed to impress lawmakers in the lower chamber, many of whom accused Archuleta of making poor decisions in regard to the cybersecurity of OPM servers, suggested she wasn’t qualified for her job and lambasted her for the office’s lack of an appropriate apology to government employees. Several suggested she step down or be fired.
The breach, believed to have been opened a year ago and perpetrated by Chinese hackers, compromised private information including Social Security numbers, dates of birth and other background information belonging to up to 18 million federal employees, according to an estimate FBI Director James Comey recently gave Congress. So far, OPM has only confirmed an affected number of 4.2 million current, former, and prospective federal employees and contractors.
A second recent disclosure from investigators acknowledged a second security breach at OPM, exposing the information of millions of security clearance-wielding defense and intelligence agency federal employees, putting sensitive national security secrets at risk.
Included in those security clearance applications are the most intimate details of federal employees’ lives, including disclosures about histories with drugs, alcohol and sexual relationships — information often sought by foreign governments to use as blackmail in coercing federal employees to become informants.
Archuleta said the agency is providing 18 months of credit monitoring and identity theft insurance to federal employees affected by the breach and added OPM is working with law enforcement to safeguard federal employees in intelligence and law enforcement in danger of being targeted by criminals they have investigated or apprehended in the past.
The scope of the breach is still being investigated, according to the director, who added she would brief lawmakers further on the progress of the investigation in a classified briefing later Tuesday.