House Oversight Chairman Jason Chaffetz told the director of the office that manages federal employees during a Tuesday hearing that she has “completely and utterly failed,” and later called on her to resign.
The hearing on the recently discovered hacking of the Office of Personnel Management featured bipartisan condemnation of OPM director Katherine Archuleta and calls for reform.
“I’m looking here today for a few good people to come forward, accept responsibility, and resign for the good of the nation,” Democratic Rep. Ted Lieu from California said.
The systems that were hacked dated back to 1985, and Archuleta said she wouldn’t disclose whether military, CIA or contractor information was stolen, and would only provide that information in a classified setting.
Information including Social Security numbers of more than four million federal employees was not encrypted by the OPM. The office’s inspector general had recommended in 2014 that the director shut down systems that didn’t have current and valid authorization, but Archuleta chose not to shut them down.
Regarding Archuleta’s success in deterring hackers, Chaffetz scolded her, saying, “Well, you have completely and utterly failed in that mission if that was your objective.
“The inspector general has been warning about this since 2007, he recommended shutting it down last year,” he continued. “You made a conscious decision to leave that information vulnerable, it was the wrong decision, it was in direct contradiction to what the inspector general said should happen.”
Chaffetz told reporters after the hearing that Archuleta and OPM chief information officer Donna Seymour should resign.
Lieu spoke of a culture problem on the civilian side of the federal government, noting that ten federal data breaches have occurred in the past year.
“There is a problem of civilian leadership understanding we are in a cyber war,” Lieu said, adding, “until our civilian leadership understands the gravity of this issue we are going to continue having more data breaches.”
Dating back to 2007, OPM policies and procedures were marked as material weaknesses in audit reports.
“We have significant concerns regarding the overall quality of the information security program at OPM,” a 2009 audit report from the Office of the Inspector General stated.
“These concerns are rooted in the lack of adequate information security governance activities in accordance with legislative and regulatory requirements,” the report stated. “Specifically the agency has not fully documented information security policy and procedures or established appropriate roles and responsibilities.”
In a July 2014 memorandum, Patrick McFarland, inspector general of the Office of Personnel Management, wrote, “We determined that no OPM cloud-based systems are currently using FedRAMP approved CSPs.”
“Failure to comply with FedRAMP requirements increases the risk that information systems’ security controls will not be adequately tested, which could lead to a data breach and the loss or corruption of sensitive federal data,” McFarland wrote.
The OPM’s Chief Information Officer, though, pushed back against these recommendations: “The available FedRAMP material on cloud computing [consists] of procedures and templates which typically would not be added to a security policy. We will review the FedRAMP Material and make a determination how best to incorporate [it] into OPM security procedures.”
Among the possibly stolen information are the SF-86 forms, which are used for security clearances. This 127-page form is exhaustive, and details a variety of information about applicants, including negative personal information.
Democratic Rep. Stephen Lynch of Massachusetts accused the director of hiding information from investigators. “I wish that you were as strenuous and hard-working at keeping information out of the hands of hackers, as you are keeping information out of the hands of Congress and federal employees,” Lynch remarked to the director.
Rep. Gerry Connolly from Virginia was clearly distraught about the seriousness of the hack. “What’s so jarring about this hearing is … we’re talking about the compromise of information of fellow Americans and from the federal employee point of view the most catastrophic compromise of personal information in the history of this country,” he said.
The OPM witnesses said they would disclose information about the attribution of the cyberattack only in a classified hearing.