Tensions ran high Tuesday during a House Oversight and Government Reform Committee hearing investigating the hack of the Office of Personnel Management (OPM). In an at times outright contentious session, several lawmakers lashed out at representatives from the OPM, including both its director and chief information officer (CIO), laying blame at the feet of the agency's data protection policies and systems and calling for the resignation of its leadership.
Committee Chairman Jason Chaffetz (R-UT) was perhaps the most vocal critic of the OPM, naming, for example, a number of data breach incidents affecting the agency in recent years. "This has been going on for a long time," he said, "and yet when I read the testimony (submitted by the OPM) that was provided here today saying, 'Hey, we're doing a great job'—you're not!"
"We're talking about the most vital information about the people we care about the most," he said. "For years, it has been a complete and total, utter failure. I read the letter you sent out to employees, and it's grossly inadequate."
At issue during the hearings were two separate breaches of the OPM, one including as many as 4.2 million federal employees, the other compromising the security background checks of current, former and prospective federal employees and contractors. It is not yet known how broad the latter breach is because, according to OPM Director Katherine Archuleta, the agency is currently working with other agencies that had access to OPM data to determine the breadth of the data breach. She also admitted the total number of affected workers will likely be more than 4.2 million.
Archuleta said the agency, which faces approximately 10 million cyber intrusions per month, has taken "an aggressive posture" but admitted it has "not yet determined the scope or impact" of the breach. Defending her actions since being appointed by President Barack Obama in 2013, she said, "If we hadn't introduced new technology, we would not have known about these intrusions, and we immediately implemented additional security measures."
But that wasn't enough for many of the lawmakers on the committee.
Rep. Ted Lieu (D-CA), who has a background in computer science, said databases with unencrypted Social Security numbers, like the ones affected in the OPM breach, are "totally unacceptable." He scoffed at the agency for not conducting a risk assessment, calling it a "failure of leadership," something that goes beyond the OPM. "Leadership at the DEA, the VA and SSA have all been fired," he said, adding, "The status quo is not acceptable" and that he's "looking for leadership to resign for the good of the nation."
Chaffetz chimed in, "Well said."
Rep. Carolyn Maloney (D-NY) said she considers the OPM hacks to be more damaging to U.S. national security than the 9/11 attacks because of an apparently coordinated effort by foreign actors to target government workers and contractors by accessing troves of detailed background information, including health and employment data. Rep. Gerry Connolly (D-WV) likened the spate of recent breaches to a "road map" of government employees.
"The United States of America is under attack," said Ranking Member Elijah Cummings (D-MD). "Foreign countries are targeting the personal information of millions of Americans." He said the OPM breaches are part of a larger trend of state-sponsored data collection on individual Americans in sensitive national security and leadership positions. He also questioned whether there are links to last year's USIS and KeyPoint hacks, both of which were contractors that supplied background checks to the agency.
Though the witnesses could not publicly testify to all the questions asked during the hearing, including the Keypoint connection, a second classified hearing was set for early Tuesday afternoon to discuss more sensitive national security issues, such as the potential effect the OPM hack would have on U.S. government personnel and specific foreign allies tied to the U.S., and whether a zero-day vulnerability or connections to other data breaches were to blame for the OPM hacks.
Following those classified hearings, Cummings issued a press release, noting, "I now feel more strongly than ever that the Oversight Committee must hear directly from OPM's two contractors—KeyPoint and USIS—either in transcribed interviews or in formal testimony before the Committee. I also believe the Committee should now request a much more detailed, comprehensive and classified briefing from government IT experts about the specific vulnerabilities that contractors pose to our government's cybersecurity."
Throughout the course of the morning's hearing, the OPM's Archuleta took the brunt of the committee's ire. In particular, Chaffetz peppered Archuleta about why more wasn't done to protect the OPM's databases. He queried why the OPM did not shut down 11 of its computer security systems upon recommendation last year from the Office of the Inspector General (IG). At the time, the IG said the systems were operating without the agency's certification.
"You didn't shut down your systems," Chaffetz said. "I want to know why."
Archuleta explained that in addition to legacy systems, the OPM has other responsibilities, including payroll and health benefit processing for government employees. Archuleta repeatedly blamed legacy systems, some of which dated back to 1985 and use the outdated COBOL programming language, as part of the problem. Such legacy systems, she said, could not be encrypted, for example. Office of Management and Budget (OMB) CIO Tim Scott noted that information-security practices such as data segmentation in databases are much more difficult in legacy systems.
Assistant IG for Audits Michael Esser said critical weaknesses identified in the audits included continued information-security governance issues dating back to 2007, decentralized controls over its systems—an area, he testified, that has recently improved—security access and authorization, as well as technical controls and tools that have not been used properly.
OPM CIO Donna Seymour, who was hired by Archuleta, said the agency is launching a new architecture system that will implement additional security features. Plus, since learning of the breach, the OPM has instituted two-factor authentication for remote access to its databases and implemented new firewalls with tighter restrictions on access. But, Seymour testified, it takes time to make necessary changes.
OMB's Scott said the federal government must get better at sharing threat data across federal agencies as well as in partnership with private organizations. He also backed a defense-in-depth approach that lines up multiple information-security protections without relying on one silver-bullet solution. "You have to have a number of different measures," he said, "so if that one doesn't work, there's another one" to help. But, he admitted, to the consternation of the committee, the government is "years and years" from a comprehensive solution. He advocated, however, for a triage-like system that prioritizes more sensitive systems.
"We're conducting regular cyber-state reviews with agencies," Scott said, where solutions such as two-factor authentication, continuous security patching and minimizing the number of system administrators all contribute to what he called "hygiene factors that lead to good cybersecurity."
Rep. Matt Cartwright (D-PA) also asked how federal agencies can better leverage their contracts with vendors to improve cybersecurity. Archuleta said the OPM is currently working to ensure that all federal agencies are applying the same standards to contractors, for example. Additionally, Department of the Interior CIO Sylvia Burns said it's important for agencies to "beef up security contracts and to continuously monitor" them.
"Site inspections are also important," OPM's Seymour added. "We do that." She stressed the importance of continuous monitoring. "Looking at a system every three years is not good enough."
As for the breach that sparked the hearings, Rep. Glenn Grothman (R-WI) asked if the attackers have been fully rooted out of the OPM systems. Department of Homeland Security Office of Cybersecurity and Communications Assistant Secretary Andy Ozment said, "We have a joint-interagency task force led by the DHS in conjunction with the FBI and NSA and have worked with the OPM and DoI, and they have assessed the adversary has been fully removed from the networks, but it's extremely difficult to have 100-percent certainty in these cases."
"So they could be, but you think probably not?" Grothman asked.
"Yes sir."
Want to watch all the fireworks for yourself? The full hearing is archived here:
