Trade Law Daily is a Warren News publication.
StingRay Review Pending

House Oversight Faults OPM Leadership in Data Breach Probe Report

House Oversight Committee Chairman Jason Chaffetz, R-Utah, urged federal agencies Wednesday to implement “zero trust” policies for verifying users accessing agencies' IT systems in the wake of the Office of Personnel Management data breaches revealed in 2015. Such policies are “one of the things I like to think the private sector figured out a long time ago,” he said. Two separate hacks of OPM's systems resulted in the theft of the personally identifiable information of more than 21 million people, including personnel files and fingerprints. House Oversight criticized OPM's leaders and policies for the breach, saying in a report released Wednesday the agency “failed to prioritize cybersecurity and adequately secure high-value data.”


Chaffetz said House Oversight will soon issue a report criticizing the federal government's use of cell-site simulators, also known as StingRays. Chaffetz repeatedly has criticized the use of StingRays and filed the Stingray Privacy Act (HR-3871) in November to codify existing DOJ and Department of Homeland Security guidance on the use of the simulators (see 1511030015). Citizens would be “shocked at what your federal government is doing to gather your personal information,” Chaffetz said at an American Enterprise Institute event on the OPM breaches. The federal government's use of StingRays is problematic given its difficulty in following its own internal cybersecurity practices, Chaffetz said. “They can't keep it secure,” he said. “That's the point.” The federal government “isn't doing the basics and they want to collect more data,” Chaffetz said.

OPM cybersecurity failures significantly predate the breaches, with its inspector general warning as early as 2005 about its security vulnerabilities, House Oversight said. “The long-standing failure of OPM's leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the inspector general, represents a failure of culture and leadership.” OPM Director Katherine Archuleta and agency Chief Information Officer Donna Seymour resigned after publicity of the hacks. The first known “adversarial access” to OPM's network occurred in July 2012, and the first true data breach occurred in November 2013, the committee said in a timeline. OPM expelled one hacker from its systems in May 2014 but was unaware of the other hacker until 2015, House Oversight said.

The report is as much a warning to other agencies' CIOs to improve their cybersecurity practices as it is an examination of the OPM breaches, Chaffetz said. The OPM breaches are a “defining moment, and it is up to you -- the community of federal chief information officers -- to determine how the country will respond,” House Oversight said. Multifactor or even two-factor authentication would have prevented hackers from using stolen credentials to access OPM systems, it said.

OPM didn't install monitoring software it had purchased from cybersecurity firm Cylance until after the breaches, House Oversight said. The committee separately faulted OPM for continuing to use software demonstrated by CyTech without paying for it, noting in a letter to GAO that OPM's failure to pay CyTech is a violation of the Anti-Deficiency Act. “So much malware was found” via the Cylance and CyTech software “that it was said to have lit up like a Christmas tree,” Chaffetz said. “The alarm didn't sound until the damage was done.”

House Oversight recommended federal agencies adopt the zero-trust verification model and prioritize modernization of legacy IT assets. Agencies' CIOs should become more empowered to improve cybersecurity practices and be held more accountable for their agencies' cybersecurity performance, House Oversight said. The committee recommended federal agencies improve their recruitment and training of cybersecurity specialists, and reduce their use of Social Security numbers on federal systems. Chaffetz noted his concerns about the Department of Education's use of SSNs and other personally identifiable information across its approximately 180 databases, particularly given the department's cybersecurity challenges.

House Oversight Democrats sought to blame the OPM data breaches partially on inadequate rules for federal contractors, via a staff memo Wednesday. “Today’s Republican staff report reaches conclusions that are contrary to the facts we found during our investigation,” said House Oversight ranking member Elijah Cummings, D-Md., in a news release. “Investigation into the data breaches showed that no one from the Intelligence Community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed.”