Members of the House Committee on Oversight and Government Reform ripped officials from the Office of Personnel Management and the Department of Homeland Security Tuesday in the wake of one of the biggest hacks in American history.
OPM Director Katherine Archuleta spent most of the hearing dodging questions about the amount of information leaked, what that information entails and why the agency ignored multiple inspector general reports that labeled OPM’s IT systems as woefully outdated on security.
Rep. Jason Chaffetz, R-Utah, the committee’s chairman, described OPM as “grossly negligent,” adding that its security position was comparable to “opening all the doors and windows and hoping nobody would walk in.”
“We’re about to hear testimony that you’re doing a good job,” Chaffetz said at the start of the hearing. “You’re not! You’re failing!”
Any time a committee member tried to press Archuleta for answers, she deferred, claiming she would answer the majority of questions in a classified briefing held Tuesday afternoon. Neither Archuleta nor OPM Chief Information Officer Donna Seymour could confirm the number of current and former federal employees who have been affected by the two breaches, but they admitted that most of the information taken, including Social Security numbers, was not encrypted due to the legacy systems on which the information was stored.
Seymour and DHS Assistant Secretary for Cybersecurity and Communications Andy Ozment did highlight how Einstein, DHS’ intrusion detection and prevention system, helped OPM discover the breach, leading to OPM immediately instituting two-factor authentication for remote access and tightening other network user permissions.
Those fixes did little to placate Chaffetz, who was indignant after Michael R. Esser, an assistant investigator general at OPM, rattled off a number of problems he discovered in OPM systems stretching back to 2007.
“The IG has been warning you since 2007, and you made a conscious decision not to do that,” Chaffetz said to Archuleta. “You kept vulnerabilities open, the information was vulnerable and hackers got it.”
Rep. Ted Lieu, D-Calif., called for someone either to resign or be fired.
“When there is a culture problem, we should send a signal to others that it’s unacceptable and leadership has to resign,” Lieu said.
Rep. Will Hurd, R-Texas, chairman of the committee’s IT subcommittee, said it’s time for the federal government to increase the speed at which agencies are putting modern security systems in place.
“We got to stop thinking about this like we have years to solve the problem,” Hurd said. “We don’t. We should be thinking about this in days.”
Officials from OPM and DHS, along with Federal CIO Tony Scott, told committee members there will never be a complete fix to guard against cyber attacks, but they are working to create new programs as fast as possible.
“There’s very sophisticated attackers out there, there is not one silver bullet,” Scott said.
However, when members pressed for answers on how those systems will be put into place at OPM or why those programs weren’t already working, Archuleta said she’d answer the questions during the classified hearing. That did not sit well with Rep. Stephen Lynch, D-Mass.
“You’re doing a great job stonewalling us — hackers, not so much,” Lynch said.