The chairman of the House Oversight Committee is asking the leadership of the Office of Personnel Management to resign amid rolling revelations about a massive hack of personal data stored by the agency that has affected millions of former and current federal employees.
"If they don't," Rep. Jason Chaffetz said, "I think the president should fire them."
"If we want a different result, we're gonna have to have different people," Chaffetz, a Utah Republican, told reporters Tuesday after attending a classified briefing for House members where OPM officials discussed the breach.
Chaffetz singled out OPM Director Katherine Archuleta and OPM Chief Information Officer Donna Seymour, both of whom testified earlier in the day before his committee about the hack of its systems that officials have privately blamed on China. The breach exposed the data of at least 4.2 million individuals, though several lawmakers have suggested it could be far higher.
Chaffetz has held the gavel of the panel for six months, but he has earned a reputation for being less bombastic than his fiery predecessor, Rep. Darrell Issa, a Republican from California, and less prone to knee-jerk reaction.
Few members of Congress had come out to publicly call for OPM resignations, but the desire was echoed across party lines Tuesday. Earlier in the day, Rep. Ted Lieu, a California Democrat who holds a computer science degree from Stanford, condemned a "high level of technological incompetence" across government and noted that when other agencies are beset by scandal, high-ranking officials often are forced to step down.
"I'm looking here today for a few good people to step forward, take responsibility, and resign for the good of the nation," Lieu said.
House Homeland Security Chairman Michael McCaul, a Texas Republican, said he would wait until more information was known before asking for any resignations. "Let's see how the investigation goes," he told reporters after the briefing.
Chaffetz and a bipartisan succession of lawmakers spent nearly three hours Tuesday lacerating Archuleta and others for failing to do more to shore up OPM's cyberdefenses. Chaffetz pointed to a litany of inspector general reports issued in recent years that found the agency's systems outdated and vulnerable, highlighting one issued last November that called for some databases to be taken offline because they were so inadequate. That recommendation, in addition to several others (such as adoption of encryption standards), went largely unheeded by OPM leadership, which said Tuesday that it had greatly improved cybersecurity in recent years.
Following the public hearing, Archuleta and other administration officials led a classified Housewide briefing to discuss certain elements of the breach. Though she repeatedly refused to answer questions at the public hearing by saying certain details were classified, Chaffetz and other lawmakers who attended indicated the classified follow-up did not yield much additional information.
"Quite frankly, I didn't hear much classified in the classified briefing," Chaffetz said. "There wasn't a whole lot of information there."
When asked if the 4 million estimate for the number of impacted people was accurate, Rep. Jim Langevin, a Rhode Island Democrat who cochairs the congressional cybersecurity caucus, said, "significantly more than that, given what was taken and who else could be affected."
Chaffetz also would not pinpoint a precise number of individuals impacted by the hack, but suggested it could balloon far higher. Some reports have suggested that data for 14 million employees may have been exposed.
"The only thing we know for sure is that it's more than 4.2 million," Chaffetz said. "How many more, I don't know. They would not fess up to that."
Langevin said the classified briefing was not well-attended, noting that fewer than a fourth of House members showed up, though Minority Leader Nancy Pelosi and Minority Whip Steny Hoyer were spotted entering the meeting. When asked how the U.S. should respond to the hack, he said that would be decided after the investigation was complete.
"I suspect that we should take some strong actions against the perpetrators," he said without ruling out sanctions or a "hacking back" response.