Leadership from the Office of Personnel Management (OPM) faced a second round of heated questioning Wednesday during a House Committee on Oversight and Government Reform hearing examining the scope of and response to at least two major hacks of millions of sensitive government employee records.
For perspective on the tenor, lawmakers referred to the OPM incidents as a “low level, but intense cyber cold war,” and a “Cyber Pearl Harbor.”
Of the two major breaches, the OPM is only willing to state that 4.2 million personnel records were compromised. A second, and likely more wide-ranging, breach affects security clearance background checks, also known as Standard Form 86s (SF86s). Throughout the four-hour hearing, OPM Director Katherine Archuleta continued to refuse to put a number on the compromised records, citing the ongoing investigation.
But Chairman Jason Chaffetz (R-UT) brought up past comments made by Archuleta stating that the OPM possesses 32 million individual records.
“How many of those records are at play here,” Chaffetz asked. “Are there 32 million records at play here?”
“I will not give a number that is not completely accurate,” Archuleta said.
Though Archuleta did not deny that the 32 million records were potentially breached, the likelihood of an even higher number of individuals affected is possible since SF86 forms—made up of 127 pages of forms and questions—often contain sensitive data from a subject’s family, friends, spouses, employers and past acquaintances. “That form is complicated,” she said, “and that is why I’m being very careful about putting out a number.”
On the back of the potentially devastating scope of the breaches, OPM Inspector General (IG) Patrick E. McFarland said his agency has a “suitcase of concerns” and characterized the OPM’s response to the incidents as “dangerous.”
In no uncertain terms, McFarland stated, “The approach they are taking will fail. They’re going too fast and not doing the basics.” He said they’re speeding through projects, rather than slowing down and focusing on securing their systems. “The actual crisis at the OPM was with the breach – that part is over,” he said. “They need to safeguard the system right now, then move forward appropriately.”
He also said, at times, the IG has been frustrated by the OPM’s slow response to IG questions, saying, “We ask for answers from them and it takes a long time to get those answers. We ask definitive questions and we don’t get definitive answers.”
A major point of contention during the hearing was the OPM’s speedy process for contracting a third-party vendor to help with credit monitoring services, notification and identity theft protection, which, at present, has been a reportedly frustrating and highly publicized experience for the millions of federal employees who’ve been notified—including lawmakers and their staffs.
According to OPM Chief Information Officer Donna Seymour, the time between proposing and awarding the $21 million contract took less than 48 hours, but, she added, the OPM did receive a number of proposals.
Lawmakers, however, are concerned the OPM didn’t take enough time to appropriately vet the contractors. Rep. Elijah Cummings (D-MD) questioned Seymour on their choice of vendors and whether they did their due diligence. She said the OPM received many proposals but that they decided on a partnership proposal from CSID. Chaffetz questioned OPM due diligence by citing a current Securities and Exchange Commission investigation of one CSID board member, Owen Li.
It turns out, however, that Chaffetz cited the wrong person. There is an Owen Li under investigation, but it's not the one who serves on CSID's board.
During the hearing, Chaffetz lashed out at the OPM for quickly choosing a vendor while slowly responding the IG’s flash audit from last week. “The audits have been coming from the IG since 1997,” he said. “You have to talk about an IG flash audit, but you award a $21 million contract in less than 48 hours.”
The IG’s McFarland also expressed concern about how fast the OPM chose a contractor and said his office will investigate.
Lawmakers also pressed the OPM to divulge more details on how the hackers infiltrated their systems and the roles played by other breaches of KeyPoint and USIS.
The OPM’s Seymour testified that manuals were exfiltrated from OPM systems during an unauthorized intrusion in 2013. Though no personally identifiable information was accessed at the time, lawmakers queried whether the manuals could have been used to map OPM systems or gain other advantageous insight for the subsequent hacks. Seymour said they could have helped the adversaries better understand the OPM platform, but would not have given them more specific diagrams of OPM systems. Yet, later, Chaffetz referred to the manuals as a “blueprint” for OPM systems, calling them “the keys to the kingdom.”
Archuleta also, for the second straight day, confirmed that credentials from a KeyPoint employee were used in the second breach.
“So are active contracts (between the OPM and KeyPoint) coming to an end?” Rep. Bonnie Watson-Coleman (D-NJ) asked. KeyPoint CEO Eric Hess said they’re all still active. The IG’s McFarland backed the OPM’s decision to stay with KeyPoint, and Archuleta said the company has taken a number of security mitigation steps since their incident last year.
Rep. John Carter (R-TX) pointed out that, since 2008, the OPM has spent $577 million on IT but was still using COBOL programming developed in 1959. “Yes,” Archuleta admitted, “We are working with a legacy system developed in 1959.”
Though Archuleta stated the perpetrators are to blame for the breaches, several lawmakers Wednesday want leadership change at the agency.
“If Ernst & Young did your audit and they said you have a high cybersecurity risk, the board of directors would be held accountable for criminal activity,” said Rep. Will Hurd (R-TX). Likewise, Rep. Barbara Comstock (R-VA) said, “When Target had this problem, it wasn't just the chief information officer who lost their job, it was the CEO.”
Chairman Chaffetz, however, directly called for the resignation of OPM leadership.
“I don’t believe you,” he told Archuleta. “I think you’re part of the problem. That hurricane has come and gone and blown this building down. I think it’s time for you to go.”
To Seymour, he said, “I think you’re in over your head. This is as big as it gets. A new team needs to be brought in.”
A Federal Times post defends the work of Archuleta and her team. She'll continue to answer Congressional questions Thursday, while her fate, as well as that of Seymour's, remains to be seen.
If you want to comment on this post, you need to login.