The director of the Office of Personnel Management testified Tuesday that she believes no one is personally to blame for the recent cyber attacks on her agency that compromised the sensitive information of millions of federal employees.
“I don’t believe anyone is personally responsible” for the two hacks on the agency’s systems, OPM Director Katherine Archuleta said Tuesday. She did, however, say the cybersecurity weaknesses were exacerbated by “decades of lack of investment in the systems we inherited when I came in.”
Testifying before the Senate Appropriations Committee’s Financial Services and General Government Subcommittee, the director said cybersecurity is a responsibility that falls on every federal employee. She said the breaches mark an opportunity to address the problem governmentwide.
“This is an enterprisewide problem and cybersecurity is the responsibility of all of us,” Archuleta said. “That is why, with [U.S. Chief Information Officer] Tony Scott’s assistance and with his efforts, we’re going to address this on an enterprisewide basis, as well as at OPM.”
This month, OPM announced that a database of more than 4 million current and past federal employees’ personnel records had been compromised. Later, news broke about a second breach involving a database of security clearances. Archuleta couldn’t give details on the number of federal employees whose information was compromised in both attacks — recent reports claim totals as high as 18 million.
Testifying with Archuleta, Michael Esser, OPM’s assistant inspector general for audits, said OPM is not an outlier when it comes to its security vulnerabilities. Looking back at the agency’s annual Federal Information Security Management Act reports, Esser said OPM struggled to authorize its systems, as required by the law. FedScoop reported recently that other agencies have received poor marks on their FISMA reports.
“We’ve been seeing breach after breach this year,” Esser said. “It would not surprise me to see more.”
Subcommittee Chairman Sen. John Boozman, R-Ark., agreed that the OPM hacks suggest deeper, systemic issues around government, asking the witnesses, “How many headlines of serious data breaches will it take to implement the steps necessary to protect ourselves?”
Richard Spires, former CIO at the Department of Homeland Security and the IRS who now serves as CEO of Resilient Network Systems Inc., told the subcommittee that what happened at OPM was “an outcome that could be expected” given what he knows of OPM’s FISMA issues and its outdated infrastructure.
Since the breaches, Archuleta said OPM has worked rapidly to meet the mandates of FISMA and follow past recommendations of its Office of the Inspector General. Still, she said, “even if there had been 100 percent FISMA compliance, there’s no guarantee” the hacks wouldn’t have occurred.
But, if there’s anyone to blame, Archuleta said, “it’s the perpetrators,” adding that she’s “very angry” and takes the attack “very seriously.” Many officials briefed on the hacks have said China is responsible, though it has officially denied any involvement.
“Their concentrated, very well-funded, focused, aggressive efforts to come into our system — not only to our system, but as my colleagues suggested across the whole enterprise — is something we’re concerned about, and one we’re working on with our colleagues,” Archuleta said. “We’re going to take every step we can at OPM to continue to protect. That’s why we’re trying to move out of a legacy system.”
Archuleta credited her agency’s $93 million IT modernization efforts with detecting the massive breaches, saying OPM might not have found the vulnerabilities if not for infrastructure changes made in the last 18 months.
While Esser agreed, he said lapses in management best practices in the project’s development have his office worried the project will follow in OPM’s “long history of systemic failures to properly manage its IT infrastructure, which we believe may have ultimately led to the breaches we are discussing today.” The inspector general’s office performed a “flash audit” in response to the hacks that found “serious concerns” with the project. Moreover, some of the systems affected, he added, had been redesigned in the modernization project. It was not just the legacy systems that were compromised, he said.
Last week, several members of the House Committee on Oversight and Government Reform called on OPM leadership to resign. “When there is a culture problem, we should send a signal to others that it’s unacceptable and leadership has to resign,” said Rep. Ted Lieu, D-Calif.
Tuesday’s hearing marks the first of several Archuleta is scheduled to appear at this week.