The embattled director of the Office of Personnel Management on Wednesday took issue with press reports that the controversial data breach affected four times as many employees as previously disclosed, defending her agency’s long-term response to the breach and its use of contracts against criticism from lawmakers and her inspector general.
“The number of 4.2 million employees has not changed,” Katherine Archuleta told a hearing of the Oversight and Government Reform Committee, referring to the estimate—about half former and half current federal employees—of workers whose personnel files were exposed to hackers believed to be working for the Chinese government.
“But the 18 million provided by the press [on security clearance background files] is preliminary and unverified—it is not a number I’m comfortable with,” she said. “I’m not going to make estimates. Or be in a position of providing inaccurate data.”
Archuleta also confronted critics calling for her head by saying, “I’m more committed than ever to serving our employees.”
Chairman Jason Chaffetz, R-Utah, said he convened the second in a series of hearings on the OPM data breach because “OPM is hastily trying to board up the house well after the hurricane has destroyed it.” He cited uncertainty about the costs and scope of the breach and OPM’s delayed responses to inspector general inquiries on cybersecurity procedures. “It seems like in addition to a data security problem, we have a data management problem,” Chaffetz said. “It is unclear why so much background information related to security clearances was readily available on the OPM system to be hacked.”
Chaffetz suggested that “a quick trip to Best Buy” might have avoided the data breach in the first place, and he accused Archuleta of statements that were “misleading” and “lies” during a July 2014 television interview with Government Matters discussing an earlier breach, in which she said that no personally identifying information had been exposed.
Ranking member Rep. Elijah Cummings, D-Md., thanked the chairman for postponing a committee discussion of whether to call for Archuleta to resign because he first wanted answers from OPM contractors USIS and KeyPoint that he’d been seeking unsuccessfully for seven months.
Just last night, Cummings said, he received a letter from USIS “that disclosed that the breach at USIS affected not only [Homeland Security Department] employees, but our immigration agencies, our intelligence community, and even our police officers here on Capitol Hill. My immediate concern was for the employees at these agencies, and I hope they were all alerted promptly,” Cummings said.
He repeated a longstanding demand for an explanation from USIS’s parent company Altegrity as to why the company awarded executive bonuses after the Justice Department sued it for defrauding the government using incomplete background checks.
The contractor representatives’ responses, however, were overshadowed by Archuleta’s own defense, which came as a Federal News Radio survey of employees showed 80 percent calling OPM’s communication on coping with the data breach “poor,” with 75 percent calling for her resignation.
“Those numbers don’t make me happy,” she said. But her agency, at a time when the government faces 10 million cyberattacks every month, “has taken significant steps to meet our responsibilities. We’re committed to a full and complete investigation and action to mitigate the vulnerabilities in our system.” She acknowledged that “there is a clear need to dramatically accelerate these efforts.”
OPM in the past two years has spent $70 million building a new, more secure network environment to which it will migrate its inventory of personnel data, protected by firewalls, anti-malware tools and two-factor user authentication. Archuleta said she has created a new position of cybersecurity adviser reporting directly to her, and that she will be meeting regularly, for the first time, with private-sector cybersecurity firms.
Though OPM does encrypt its data, she said, encryption would not have prevented the major breach because the attacker obtained privileged user data. OPM is not able to comply with an inspector general’s recommendation that it shut down some databases because “current systems would mean retirees would not get paid, and security clearances would not be issued,” she said.
In response to Rep. Mark Meadows, R-N.C., who read statements from Archuleta’s 2013 confirmation hearing in which she pledged to make IT a No. 1 priority, the OPM director said, “The record will show I have been dealing with legacy systems that have been in place for 30 years, and that over the past 18 months we made progress” as shown in the fiscal 2014 and 2015 budgets. “I’m as upset as you are,” she said. “But we have adversaries.” The challenge is “throughout the government, not just OPM.”
A tough critique of OPM’s information technology practices came from inspector general Patrick McFarland, who told the hearing of his “serious concerns” that OPM is not following proper IT procedure and lacks knowledge of the true cost and scope of its cyberprotection plans. When OPM began its overhaul of IT infrastructure to create what it calls “the shell,” it created “no charter, no feasibility study identifying which applications have to be moved,” he said.
McFarland’s past audits suggest that OPM’s $93 million technical infrastructure improvement project does not include the cost of migrating 50 major systems, that its inventory of systems is inaccurate and that its timeline of 18-24 months is “unrealistic.” Instead of rushing ahead with a controversial sole-source contract, OPM should “step back and deliver a business case proposal,” he said.
Donna Seymour, OPM’s chief information officer, disagreed, saying, “We believe the inventory is complete,” and that OPM has “made significant progress” since the IG’s tough 2014 report.
A plea for caution came from Ann Barron-DiCamillo of the Homeland Security Department’s U.S. Computer Emergency Readiness Team. “There is no silver bullet or magic solution,” she said, and OPM has been “making up for years of underspending on IT.” “The Internet was designed for ease of use,” she added. “OPM is not unlike other agencies, it did some things well, others not.”
CERT, Barron-DiCamillo added, is concerned because it relies on voluntary information sharing from agencies, and the harsh criticisms of OPM might “have a chilling effect.”
The contractors were confronted with charges that they were the “weak link” that permitted the hacking, due to inadequate log-on requirements. Eric Hess, CEO of KeyPoint Government Solutions, which has active federal contracts, testified that “We see no evidence,” contrary to press reports, that the company was “in any way responsible” for the breach. True, it was a KeyPoint employee’s access to the OPM system that probably allowed the hackers in, but he had that access to OPM in his own right, Hess said. KeyPoint also permitted CERT to examine its systems on-site and followed the DHS team’s recommendations for tightening security.
Rob Giannetta, chief information officer of USIS, expressed reluctance to speak for his corporation or its board, saying he rarely meets with them. He said that when the USIS database was breached in 2014, the company notified OPM, which later terminated its contract for performing security clearance checks. “This led USIS to exit the background investigations business and ultimately to bankruptcy,” he said.
He listened impassively as Cummings berated him for vacationing in Italy, preparing to leave his job, and receiving a bonus of $95,000. (OPM’s Seymour, subsequent questioning revealed, received a $7,000 bonus.)
Rep. Ron DeSantis, R-Fla., told the OPM director that his constituents thought it strange that “no one has been fired” after the OPM data breach. In rebuttal, Rep. Gerry Connolly, D-Va., said, “It’s easy to make her a scapegoat, but we’re facing a much bigger threat than a management snafu. It’s a systematic, organized, financed penetration campaign organized by the Chinese government.” The threat is also aimed at “commercial retail and banks.”
Congress, Connolly said, has neglected IT resources for agencies. “This Alice in Wonderland, off with their heads” approach, he added, “misses the big picture. It is a disservice to the country.”