Encryption of data likely wouldn’t have prevented the cyber attack on federal employee records at the Office of Personnel Management, given the age and outdated nature of the government’s computer systems, according to Katherine Archuleta, OPM director, who testified this week at a hearing of the United States House of Representatives’ Oversight and Reform Committee.
During the hearing, federal lawmakers focused on the failure of OPM to secure the Social Security numbers of workers in every level of federal employee, highlighting Archuleta’s comments that “any federal employee from across all branches of government, whose organization submitted service history records to OPM, may have been compromised.”
Representatives grilled Archuleta for an extended period of time, commenting that the Inspector General had repeatedly recommended more stringent controls for OPM, as well as shutting down some of the systems due to vulnerabilities. The OPM director declined to do so, determining that it didn’t rise to the level of a “material weakness.”
“You have completely and utterly failed, if that was your objective,” stated Committee Chairman Jason Chaffetz of Utah. During his opening statement, the representative noted, “The breach potentially included highly sensitive personal background information collected through security clearance applications. The loss of this information puts our federal workforce at risk, particularly our intelligence officers and others working on sensitive projects around the globe.”
Archuleta noted that 4.2 million federal employees have been notified, but the full scope of the breach has not been determined.
Other representatives were bewildered by comments Archuleta made about opting not to take additional security measures when recommended.
“’We did not encrypt because we thought they might have been able to decrypt,’” said Rep. Steve Russell of Oklahoma, quoting the OPM director. He called it “absolute negligence that puts the lives of Americans at risk.” He also cited comments from Ars Technica as saying that the OPM breach occurred due to “inertia, lack of expertise, and a decade of neglect.”
Archuleta – and the Department of Homeland Security’s NPPD Office of Cybersecurity & Communications Assistant Secretary Andy Ozment — explained that many federal agencies, with the assistance of DHS, have begun the process of improving cybersecurity.
“I want to emphasize that cyber security issues that the government is facing is a problem that has been decades in the making, due to a lack of investment in federal IT systems and a lack of efforts in both the public and private sectors to secure our internet infrastructure,” said Archuleta. “We discovered these intrusions because of our increased efforts in the last eighteen month to improve cyber security at OPM, not despite them.”
DHS’s Ozment stated that additional legislation is needed to allow fuller improvement of systems.
For lawmakers, however, the advances made do not represent enough of a step forward, despite the self-detection of the intrusion. Rep. Russell queried why OPM didn’t implement multi-factor authentication for outside users in the system as well as other upgrades.
“It takes time,” Archuleta responded.
“Well, it didn’t take our enemies time,” Russell commented.
Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].
