Beth Cobert, nominated by President Barack Obama to be the next director of the Office of Personnel Management, pledged Thursday to make cybersecurity her highest priority if confirmed by the Senate to head the beleaguered agency.
“Focusing on cybersecurity, protecting OPM’s systems and data, and providing services to the individuals who were affected [by the agency’s cyber breaches] has been my highest priority since joining OPM. It will remain my highest priority if confirmed,” Cobert told the Senate Committee on Homeland Security and Government Affairs during a hearing Thursday on her confirmation, despite the host of human resources and personnel responsibilities she would also face in the position — essentially the chief human capital officer of the federal government.
Throughout the relatively tame rounds of questioning, during which she garnered noticeably favorable responses from both sides of the aisle, Cobert repeatedly emphasized her intent to shore up OPM’s IT modernization and information security in the wake of breaches of the agency’s personnel and background check systems. The breaches exposed the personally identifiable information of 22.1 million former and current federal employees, as well as security clearance applicants and those close to them.
Her main priority, Cobert said, is to help OPM continually strengthen “its cyber defenses and IT systems in face of today’s evolving threats by focusing on technology, people and process.”
Despite the favorable atmosphere of the hearing, though, her path to confirmation appears a bit more bumpy elsewhere — with potential opposition in both chambers, although only Senators get a vote.
Sen. David Vitter, R-La., is threatening to block Cobert’s confirmation until she responds to his questions about a contentious ruling OPM issued in 2013 on how the Affordable Care Act applies to members of Congress. Vitter charges that OPM essentially exempted lawmakers from the ACA rules, and wants more information about how that decision was made. Cobert briefly discussed the issue with the committee, but she said she was unfamiliar with it because the rules were enacted long before her tenure at OPM began.
In the House of Representatives, Rep. Jason Chaffetz, R-Utah, issued a subpoena to Cobert Wednesday for documents his committee has requested but never received that he says are integral to its investigation of the OPM breaches. Several on the Senate committee mentioned that a subpoena from a congressional committee is typically a last-resort effort, necessary when an official is not cooperating.
Sen. James Lankford, R-Okla., asked if the agency’s relationship with the House committee might be “toxic” and a sign of things to come with his own committee. Cobert maintained, however, that they “have been working very actively to be responsive to their requests for information. We’ve had multiple hearings; we’ve had multiple briefings,” adding that the amount of effort OPM, as such a small agency, has put into cooperating with lawmakers has taken “a real commitment of resources.”
Because she arrived at the agency post-breach and has done a demonstrative job restoring the integrity of OPM’s IT systems, Cobert has, in large part, avoided the unrelenting scrutiny that her predecessor, Katherine Archuleta, and current colleagues have faced. That remained true Thursday. Still, Cobert continued to drive home the point that cybersecurity must be taken more seriously by her agency and the federal workforce as a whole to avoid issues like those breaches at OPM in 2014.
“As the world of cybersecurity is changing, as we recognize the nature of these threats, we all need to change the way we interact, the way we use systems at work and at home,” she said when asked about a 2014 Federal Labor Relations Authority decision to require collective bargaining before agencies can block federal employees’ access to personal email.
“What I think is important for every agency to do is recognize what needs to change in the way they operate, what needs to change in the way their employees operate, to make sure systems are secure. At OPM, for example, I cannot access my personal Gmail account from my OPM computer. That’s the way a lot of threats come in.”
Cybersecurity, of course, ties into the agency’s larger $93 million plan for IT modernization and build-out of a “shell system,” which has received criticism on Capitol Hill and within the OPM Office of the Inspector General. With the resignation of OPM IG Patrick McFarland, a zealous watchdog and intense critic of the modernization, the committee worried the powers-that-be at OPM may let modernization slip further into the miasma of mismanagement McFarland’s office reported in a flash audit last year, declaring it had “a very high risk of … failure.”
Calling it “work that’s important and needs to be done carefully,” Cobert said she’s been meeting with McFarland regularly since her very first day to make sure the IT modernization is done properly, looking at it differently since the breach. “We needed to understand what we learned from that context and how to incorporate it,” she said. OPM will also re-evaluate the plan in the context of the administration’s recently announced decision to hand off the background check and security clearance investigation process to a new National Background Investigation Bureau.
“We are continuing to work that plan, and we are continuing to have an ongoing dialogue with the inspector general about it, and … I am committed, if confirmed, to continue to make sure we have a thoughtful plan, we have a plan that will deliver results, and we have a plan that will deliver security and that will be a smart use of the taxpayers’ dollars,” Cobert testified.
She added, “We are committed to make sure that we are spending the IT dollars in a responsible way. We’re working on spending them in a more modular way than has been done in the past, making sure that each element delivers results as it goes, that we’re going to have tangible evidence that work is being effective.”
Cobert also agreed with Sen. Claire McCaskill, D-Mo., to give regular updates on the modernization’s progress.
The committee will meet again Feb. 10, according to its agenda for that day, to further discuss and likely to vote on Cobert’s confirmation.