After a tough day of questioning from a House oversight panel on Wednesday, Office of Personnel Management (OPM) leadership and other government officials testified Thursday in front of the Senate Committee on Homeland Security and Government Affairs to further clarify the extent of the biggest theft of government records in U.S. history.
Though she faced less contentious questions from Thursday’s Senate panel, OPM Director Katherine Archuleta defended the work she's done bolstering the agency's cybersecurity in the 18 months since her appointment. There also appeared to be some partisanship behind some of the senators' questions throughout the hearings.
Sen. John McCain (R-AZ), for example, pressed Archuleta to name the Chinese government as the perpetrators of the hacks. The Obama administration had avoided calling out the Chinese publicly due to diplomatic concerns, but Director of National Intelligence James Clapper said Thursday that China is the top suspect in the breaches.
Ranking Member Tom Carper (D-DE), meanwhile, defended OPM leadership by pointing out that a deputy director for the agency still has not been confirmed by Congress.
Though OPM Inspector General Patrick McFarland continued to stress his concerns with OPM strategy and leadership, U.S. Chief Information Officer Tony Scott defended Archuleta and OPM CIO Donna Seymour, delineating the improved security at the OPM since their arrival.
Sen. Cory Booker (D-NJ) asked Scott whether he thought Archuleta and Seymour were fit to lead the agency.
“I do, sir,” said Scott. “I’ve spent time on the ground with the team at OPM. They are working really, really hard and doing the right things. I’ve talked to them about the leadership and they tell me they are very, very supportive of their efforts.”
Expressing concern about scapegoating and the recruitment of future government leaders, Scott emphasized, “I think we need to be careful about distinguishing fire starters from fire fighters in this particular case. And they have my support.”
With optimism, Scott said other agencies will learn important lessons from the OPM incident. “There is work being done by the OPM that could serve as a template for other agencies,” he noted. “We have to learn from this and be much faster” with government response.
However, piggybacking on his testimony from Wednesday, McFarland expressed strong concerns about how the OPM will fund the proposed changes to its IT infrastructure. He said the various sources of funding the OPM is seeking—which includes an additional $21 million for 2016, $5 million from the Department of Homeland Security (DHS), and another $68 million from other program areas—are sporadic.
Sen. Carper continued to highlight the OPM’s need for a deputy director, a political appointment. “As director, you are the commanding officer,” he said. “You need a deputy” who acts as an executive director.
Archuleta said the OPM plans to hire a cybersecurity advisor to assist Seymour and help the agency move along its initiatives.
Sen. Rob Portman (R-OH) asked whether adversaries in the second breach of the security background clearance forms, or SF86s, could have also manipulated data on the network by adding or deleting derogatory information. DHS Office of Cybersecurity and Communications Assistant Secretary Andy Ozment said adversaries had the type of access that provided an ability to change data, but said he had no proof that changes were made. Ozment said his colleagues in the cybersecurity environment would “view that as unlikely.”
Establishing a timeline
One of the most confusing aspects of the OPM incidents, clarified several times during Thursday’s hearing, was the timeline of events.
Ozment provided the clearest timeline, noting that both OPM breaches were discovered in April 2015, but that two-factor authentication technology implemented in government systems had actually prevented further unauthorized access starting in January 2015.
The first breach of OPM data occurred at a Department of the Interior (DoI) data center beginning in October 2014, Ozment testified. Specific data was removed from that data center in December 2014, which ended up being the now reported 4.2 million personnel records that federal employees have or are currently receiving notification about.
The second, more wide-ranging breach, affecting the SF86 forms, was also discovered in April 2015. Adversaries, according to Ozment, had access to the OPM’s database from May 2014 until April 2015, but were specifically active on the network from June 2014 until January 2015. Though adversaries were essentially halted in January, government officials did not learn of the intrusion until April.
Ozment also pointed out that, though the government became aware of the breach in April, forensics teams have needed differing amounts of time to assess what occurred in each system.
Forensics from the first breach of personnel data in the DoI data center was rapidly completed, hence the total number of 4.2 million records and the subsequent notification.
The SF86 breach involves other agencies and much more varied data, so forensics teams are still working out the extent of the breach.
Archuleta confirmed that notification has only been provided to individuals whose records were compromised in the personnel records breach. No one affected by the second SF86 breach has been notified yet, she said.
Sen. Benjamin Sasse (R-NE) asked if the attacks are over.
Ozment said, “I don’t think any cyber expert would ever say we’ve completely blocked intruders. That is the state of the world we are living in right now. That’s a universal truth.”
With the government now in the second week of President Barack Obama’s “30-Day Cyber Sprint,” OMB’s Scott said his office will come back to Congress with a list of proposed recommendations for federal agencies moving forward. He, along with Ozment, also expressed strong backing of cyber-threat information-sharing legislation.
“This is an all-hands-on-deck moment,” said Sen. Carper, in summing up Thursday’s hearings. “We need to figure out how to be a team.”
- November 2013: Adversaries access an OPM database and remove manuals that could be used to map certain commercially available platforms. Rep. Jason Chaffetz (R-UT) referred to these Wednesday as “blueprints” and “keys to the kingdom.”
- May 2014 – April 2015: Adversaries breach an OPM network containing SF86 security background clearance forms. These 127-page documents can contain highly sensitive data on the subject and acquaintances.
- June 2014 – January 2015: Adversaries become active on the network containing SF86 forms. It is not yet known publicly how many, if any, were exfiltrated or manipulated. June 2014, however, appears to have been the most active month.
- August 2014: Federal contractor U.S. Investigations Services (USIS) announces records of at least 25,000 government workers have been compromised, including those of DHS employees.
- October 2014 – April 2015: Adversaries breach OPM personnel data stored in a Department of the Interior data center.
- December 2014: Specific personnel records data of 4.2 million federal employees is removed by adversaries.
- December 2014: Federal contractor KeyPoint announces records of more than 40,000 government employees have been compromised. Credentials from KeyPoint were used in a separate OPM breach.
- January 2015: OPM implements two-factor authentication technology, thereby unknowingly halting certain adversarial control.
- Mid-April 2015: DHS discovers the two OPM breaches while deploying new technology. Forensic investigation commences.
- May 28 – 30, 2015: OPM opens up bids for vendors to aid in breach notification, identity theft protection and credit monitoring.
- Early June, 2015: Forensics reveals that adversaries accessed SF86 forms.