The head of an agency that suffered a massive data breach found an advocate in federal Chief Information Officer Tony Scott Thursday.
When Office of Personnel Management Director Katherine Archuleta came to her job and appointed a chief information officer, there was “a dramatic difference” in the agency’s efforts to bolster its IT systems, Scott told lawmakers. Scott expressed confidence in Archuleta’s ability to help the agency recover.
“I worry in this particular case … that there’s a chilling effect” for anyone considering a leadership role in government, he testified during a hearing before the Senate Homeland Security and Governmental Affairs Committee.
They were perhaps welcome words for Archuleta, who has spent the last three days in as many hearings getting pummeled by lawmakers for not doing more to avert the breach.
But committee Chairman Sen. Ron Johnson, R-Wis., hit back. He cited the flash audit conducted by OPM’s inspector general following the hack that found the “approach for this major infrastructure overhaul is entirely inadequate.”
“That doesn’t give me much confidence in the management team that’s implementing that,” Johnson said.
On June 4, news broke that a hack of OPM’s systems exposed more than 4 million records. Then, later this month, the agency discovered another attack on systems holding background check data. OPM has been coy about releasing numbers from the subsequent attack, though media outlets have reported it impacted 18 million people.
Archuleta gave lawmakers details on the second group Thursday.
“The 18 million refers to the preliminary approximate number of unique Social Security numbers. It comes from one of the compromised systems,” she said. She cautioned, though, that the number was incomplete, adding, “It is one system among several and the number has not been cross checked against the other relevant systems.”
Archuleta reiterated plans to hire a cybersecurity adviser and work with private industry to bolster the agency’s security. She also said her agency intends to submit an updated funding request to Congress by the end of the week.
“We are re-evaluating our fiscal year 2016 needs,” Archuleta said. She added that the office is not requesting supplemental funding for this fiscal year.
During the hearing, Andy Ozment, assistant secretary for the Department of Homeland Security’s Office of Cybersecurity and Communications, emphasized the need for more agencies to use the latest version of the agency’s intrusion detection system, called Einstein. OPM was not using that version of Einstein when its systems became compromised.
Despite Scott’s confidence in Archuleta, Patrick McFarland, inspector general of the Office of Personnel Management, was less than optimistic about the ability of OPM’s management team to follow through on the agency’s security objectives. As the agency moves forward on plans to overhaul its system, McFarland urged caution.
“It may sound counterintuitive, but OPM must slow down and not continue to barrel through with this project,” he said.