Congress held its first hearing Tuesday to investigate the massive hack and data theft from the U.S. Office of Personnel Management disclosed by the administration last week, which compromised the personal information of millions of federal employees.
The House Committee on Oversight and Government Reform held the first of what will likely be a number of hearings Tuesday morning to hear testimony from OPM administrators on the hack.
“This has been going on for years and it is inexcusable,” House Oversight Committee Chairman Jason Chaffetz said in his opening statement. “According to the last eight years of [inspector general] reports, OPM’s data security posture is akin to leaving all the doors and windows open in your house and expecting nobody would walk in and nobody would take any information.”
Chaffetz pointed to an OPM IG report from 2007 describing the agency’s data security as “a material weakness,” and additional reports from 2009 to 2014 elaborating on the increased threat posed by those and other subsequently identified information security weaknesses.
Those include 11 major systems of the OPM’s 47 systems, or 23 percent, which the IG said “lacked proper security authorization,” and were “completely outdated and undone,” according to Chaffetz. Five of those offices reside within the office of OPM Chief Information Officer Donna Seymour, the official charged with ensuring data security at OPM. As of November 2014, more than 65 percent of all programs operated by OPM resided on two of the systems without valid security authorization.
“This has been going on for a long time, and yet when I read the testimony that was provided here, we’re about to hear, ‘Hey, we’re doing a great job,’” Chaffetz said. “You’re not! It’s failing! This went on for years, and it did not change.”
“For any agency to disregard its data security for so long is grossly negligent. The fact that the agency that did this is responsible for maintaining highly sensitive information for almost all federal employees, in my opinion, is even more egregious.”
Despite spending 80 billion on information technology last year, Chaffetz said the state of cybersecurity across the government is unacceptable, and pointed to a number of recently reported hacks at the White House, State Department, U.S. Postal Service, IRS and the Nuclear Regulatory Commission.
“It stinks! It doesn’t work!” Chaffetz said. “Through the years, it has been a complete and total, utter failure.”
According to officials, the personal information — including Social Security numbers, birthdays, and other background information — of 4.2 million employees was compromised in the hack. Some expect that number could reach the 14 million mark over the course of the investigation, and include not only current and former federal employees, but federal contractors as well.
A further disclosure from investigators Friday acknowledged a second security breach at OPM, exposing the information of millions of security clearance-wielding defense and intelligence agency federal employees. Investigators suspect China is involved in both incidents, though the evidence in the second breach is less clear.
Included in such security clearance applications are the most intimate details of federal employees’ lives, including disclosures about histories with drugs, alcohol and sexual relationships — information often sought by foreign governments to use as blackmail in coercing federal employees to become informants.
“I sought advice from some of the nation’s top information security experts in private business and government,” Maryland Rep. Elijah Cummings, the ranking Democrat on the committee, said in his opening statement about his past efforts to secure Americans’ data. “These experts warn that we cannot rely primarily on keeping the attackers out. We need to operate with the assumption that the attackers are already inside.”
In a heated exchange between Chaffetz and director of the OPM Katherine Archuleta, the chairman asked the director why she failed to heed a warning from the agency inspector general to shut down servers deemed cyber-vulnerable last year, and why those servers, which contain data on federal employees dating back to 1985, weren’t encrypted.
“Data information encryption is a valuable –” Archuleta began.
“Yeah it’s valuable, why wasn’t it?” Chaffetz interrupted. “We didn’t ask you to come read statements, I want to know why you didn’t encrypt the information.”
“An adversary possessing proper credentials can often decrypt data,” Archuleta said. “It is not feasible to implement on networks that are too old.”
Some of those networks include “legacy systems” too outdated to implement contemporary security standards, according to Archuleta. The director added shutting down the systems would have meant halting critical OPM functions, including providing benefits to retired employees.
Archuleta and others on the panel testified security measures like encryption weren’t implemented because officials speculated the data could have been decrypted in the event of an intrusion anyway, and that encryption wouldn’t have protected the data that was stolen. The director said that since the hack, OPM has implemented two-factor authentication for accessing OPM systems.
“Okay well it didn’t work, so you failed. You failed utterly and totally,” Chaffetz said. “The inspector general was right. Your systems were vulnerable. The data was not encrypted, it could be compromised, they were right last year. They recommended it was so bad that you shut it down, and you didn’t. And I want to know why.”
“There are many responsibilities we have with our data,” Archuleta said. “And to shut down the system, we need to consider all of the responsibilities we have with the use of our systems.”
Other committee members shared Chaffetz’s skepticism of Archuleta’s judgement and reasoning behind the decision to leave the systems operational, despite years of warning from the IG.
“This is one of those hearings where I think I am going to know less coming out of this hearing than I did when I walked in, because of the obfuscation and dancing around that we’re all doing here,” Massachusetts Democratic Rep. Stephen Lynch told the panel, many of whom deferred answering questions until a classified briefing on the Hill later Tuesday.
“As a matter of fact, I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are keeping information out of the hands of Congress.”
Archuleta insisted she and the IG were working “to the best of our ability” to implement the IG’s recommended changes.
“That’s what frightens me Mrs. Archuleta — this is the best of your ability,” Virginia Republican Rep. Mick Mulvaney told Archuleta.
“In national security, it’s got to be zero tolerance,” California Democratic Rep. Ted Lieu told the panel. “When you have a culture problem, as we have had here, in the past when agencies have had this, leadership resigns or they’re fired.”
“I’m looking here today for a few good people to step forward, accept responsibility, and resign for the good of the nation.”