Office of Personnel Management Director Katherine Archuleta was hit with tough questions at a House committee hearing on Tuesday. Despite all of the questions and finger pointing at the hearing, many federal employees will likely be left without good answers to questions they probably have about the security of their personal data.
House Oversight and Government Reform Committee chairman Jason Chaffetz (R-UT) hit Archuleta with a stern and very direct line of questioning in which he tried to determine why OPM didn’t encrypt the data in its database, where the investigation currently stands, and why the system was not shut down when an inspector general report recommended in November of 2014 that OPM shut its systems down because of too many security vulnerbitlites.
Chaffetz cited the IG report and noted that Archuleta made a conscious decision at that time to leave the systems online despite the recommendation to shut them down. He asked her why she made this decision several times before getting a straight answer to which Arhculeta ultimately replied, “There are many responsibilities we have with our data, and to shut down the system we need to consider all of the responsibilities we have with the use of our systems. As the director of OPM, I have to take into consideration all of the work that we must do. It was my decision that we would continue to develop the system and making sure that we have the security within those systems.” Chaffetz then asked, “And did you do that?! You didn’t, did you?” Archuleta then said, “The recommendation to close down our systems came after the adversaries were already in our network,” referring to the breach from last year. She also added that media reports about how the latest breach was detected were wrong, saying that OPM discovered it rather than a software provider.
Chaffetz repeatedly asked Archuleta why the stored data were not encrypted. When pressed, she finally responded that it is not feasible to implement encryption on systems that are too old and mentioned other steps OPM is taking to protect its data such as multi-factor authentication.
With regards to these new efforts, ranking member Elijah Cummings (D-MD) told Donna Seymour, OPM’s chief information officer, that the things she said OPM is ultimately planning to put into place to secure their computer systems doesn’t make federal employees feel very good and wants to know where the agency currently stands with its security. Seymour said that OPM has implemented two factor authentication for access to its network, added additional firewalls and tightened their settings, reduced the number of privileged users who have access, and even further restricted those users’ levels of access.
When asked how many total federal employees were impacted, Archuleta said the breach announced last week impacted 4.2 million current and former employees, but in light of discovering that an additional OPM system was also compromised, she does not have an accurate estimate of how many more employees are impacted because the investigation is ongoing. She also said that she did not have a count of how many impacted individuals had received letters from OPM but would get the figures for the Committee.
When asked if the compromised data include military personnel, contractor information, or CIA employees, Archuleta repeatedly responded, “I would be glad to discuss that in a classified setting.” Chaffetz replied that there is nothing classified as to what type of information is included and was visibly frustrated by her refusal to reply, but lawmakers will apparently be briefed more fully on details of the data breach that will not be made available to the public.
In the written testimony she provided for the hearing, Archuleta blamed the security problems the government is facing on a lack of funding and said her agency needs more money for the security upgrades it is working on adding. During the hearing, she also said as OPM updates its systems, it is important to recognize there is a persistent effort to breach not only OPM’s systems, but also others throughout government and noted that one of her first priorities when she began as OPM director was to develop an IT strategic plan and to develop cybersecurity within the agency’s systems. Chaffetz responded to this statement from Archuleta by telling her, “You have completely and utterly failed in that mission if that was your objective.”
After the hearing, Chaffetz called on Archuleta and Seymour to resign over the situation.
The video above contains the footage from the committee hearing.
