Katherine Archuleta, director of the Office of Personnel Management, appeared before the House oversight committee Tuesday to discuss a security breach at the agency believed to have affected the personal data of millions of current and former federal employees.
It did not go well for her.
The three-hour hearing, which began with a withering critique of OPM’s IT vulnerabilities, quickly spiraled into a full-on confrontation with an agitated Congress, ending with a call for her resignation.
The personal information of millions of government workers is believed to have been compromised through two colossal intrusions that U.S. officials have attributed to Chinese hackers. The second breach, discovered only after a response team began investigating the first, captured data included in the background checks of government employees seeking a security clearance, and of those who have sought it in the past. The information stolen in the second breach included social security numbers, financial and travel histories, as well as the contacts of family, friends, neighbors, and foreign acquaintances.
The theft is the largest U.S. government data breach in history. And members of the House Committee on Oversight and Government Reform grilled Archuleta and OPM Chief Information Officer (CIO) Donna Seymour at length Tuesday seeking an explanation.
Chairman Jason Chaffetz began the hearing by discussing the OPM’s failure to correct the security vulnerabilities catalogued in a series of inspector general reports dating as far back as 2007. The OPM data breach “should come as no surprise given its troubling track record with cybersecurity,” Chaffetz said, comparing the OPM’s data protections to those of a house with all its doors and windows open.
Michael Esser, the assistant inspector general for audits within the OPM, testified that the agency has a long history of failing to achieve IT security standards. Archuleta acknowledged the inspector general’s criticisms even as she defended the OPM, citing the many competing priorities she has to contend with as an executive and the new security measures she has overseen. Seymour, her CIO, praised the agency’s efforts to raise its cyberdefenses but also emphasized the OPM’s outdated IT systems that present security and data challenges. The “cybersecurity issues that the government is facing is a problem that has been decades in the making due to a lack of investment in federal IT systems,” Archuleta said.
When pressed, Archuleta said the initial breach of personnel files affected 4.2 million federal employees, though she admitted it may have affected more. The scope and nature of the second breach, of security clearance information, have not been shared with the public or with members of Congress. Archuleta and Seymour could not provide factual details of the intrusion, including how many employees were affected, when the cyberattacks began, or the exact contents of the information stolen. They cited an ongoing investigation into the second breach and, at various times, offered to answer the lawmakers’ questions in a classified hearing taking place Tuesday afternoon.
Archuleta declined to answer in public whether the data of military personnel or CIA operatives was compromised. But she did admit that the social security numbers of federal employees had not been encrypted, and are therefore accessible to the hackers behind the breach.
Many lawmakers questioned Archuleta on the OPM’s failure to encrypt social security numbers, a security practice considered to be a basic safeguard. At one point Archuleta argued that adversaries can sometimes decrypt protected data, which is why the OPM relies on additional security tools. Representatives took exception to this point, saying her argument was a weak excuse for the data breach. Rep. Steve Russell described Archuleta’s point on decryption as “baffling.”
SOURCE: Buzzfeed News, Hamza Shaban