OPM Cybersecurity Protocol Questioned During Senate Hearing; Calls for Archuleta's Resignation Continue
The U.S. needs to invest in technologies that not only prevent cyberattacks from occurring, but also quickly detect an intrusion to allow a faster containment and remediation, U.S. Chief Information Officer (CIO) Tony Scott said Thursday during a Senate Homeland Security Committee hearing on the two Office of Personnel Management (OPM) breaches that were announced this month. The breaches put people’s lives and the nation’s security at risk, said Chairman Ron Johnson, R-Iowa. OPM has been hacked at least three times in the past five years, Johnson said. The U.S. has to recognize it has a “significant” cybersecurity problem, he said. Ranking member Thomas Carper, D-Del., said the breach required “all hands on deck.”
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
OPM Director Katherine Archuleta, who was confirmed by the Senate Homeland Security Committee to perform her current function at OPM, testified for the third time this week that OPM needs additional funds to rapidly accelerate its overhaul of the agency’s IT infrastructure to mitigate long-standing vulnerabilities. Department of Homeland Security Cybersecurity and Communications Assistant Secretary Andy Ozment said the Einstein 3 A system used by OPM discovered the intrusion to its system but said a strong cybersecurity defense requires multiple layers of protection.
During her confirmation hearing, Archuleta had said she would work with the OPM CIO and Inspector General to ensure OPM’s systems were protected. OPM IG Patrick McFarland said Archuleta meets with him once a month, but has never discussed the inadequacies the IG found and shared with OPM in multiple audit reports. Archuleta said she believed she was fulfilling her commitments as OPM director and said the IG sets the agenda for the meetings. The OPM IG’s staff is to meet with Archuleta’s staff on Tuesday. Archuleta said that after she talks to her team, she will have a meeting with McFarland shortly after Tuesday.
The credentials of an employee for OPM contractor KeyPoint were compromised, which led to the breach of OPM’s system and background investigation information being compromised for what the FBI estimates to be around 18 million Americans, several senators mentioned during Thursday’s hearing. KeyPoint was breached in December 2013, Ozment said. Archuleta said KeyPoint has updated its systems and she plans to continue a working relationship with KeyPoint because the company believes it can keep federal employees’ data and credentials secure.
McFarland said he wasn’t sure if KeyPoint’s systems had been updated sufficiently and wasn’t able to comment on whether OPM should continue working with KeyPoint. He also raised concern about OPM’s inability to produce a copy of a business plan known as Exhibit 300 for capital assets and recommended OPM not rush into overhauling its system.
Another OPM contractor, USIS, was breached in April 2013 and about 2,600 individuals had their security clearance information stolen, Ozment said. U.S. CIO Scott said he'd investigate whether the Defense Department was better equipped to store the background investigation data. Sen. Ben Sasse, R-Neb., asked why questions about sexual history were stored on OPM’s database.
Sen. John McCain, R-Ariz., asked Archuleta if she was ready to tell the American public that the Chinese were behind the hacking. Archuleta deferred on McCain’s question, saying her colleagues at the State Department, who weren't present, should answer. McCain questioned Archuleta’s inability to say who was responsible for the intrusion when her business is to track and respond to hacking, and raised concerns that Archuleta hasn't met personally with the FBI following the network intrusions. Archuleta said she wasn't comfortable with the FBI estimates that 18 million background investigations were compromised and said OPM would release a number when her team brings her a number that's accurate and that she has confidence in.
OPM is unaware of any other efforts that breached the system, but thwarts more than 10 million attacks each month, Archuleta said. But the adversaries had access to OPM’s system that gave them the ability to change information in background investigations, including changing the outcome of a clearance investigation, and adding or removing derogatory information, Ozment said. Whether changes were made is a question best answered by the intelligence and law enforcement communities, Ozment said.
OMB recently launched a 30-day cybersecurity sprint team to review cybersecurity efforts within federal agencies, Scott said. At the end of the review, the group will create operational action plans to address further cybersecurity priorities, he said. In the meantime, Scott recommended Congress pass the Cybersecurity Information Sharing Act (CISA) and not allow exceptions to the Federal Information Technology Acquisition Reform Act (FITARA). Ozment seconded Scott’s recommendation Congress pass CISA and that Congress pass authorization legislation surrounding Einstein security software. McFarland added FITARA and the Federal Information Security Management Act should have “more teeth” to hold those with delinquent cybersecurity scores accountable.