House Oversight and Government Reform Chairman Jason Chaffetz (R-Utah) wasted little time Tuesday before tearing into leaders of the Office of Personnel Management over a massive hack of the federal government.
Before the embattled agency’s officials had a chance to speak, Chaffetz said they were failing on the job.
“This has been going on for a long time, and yet when I read the testimony that was provided here, we’re about to hear some, ‘Hey we’re doing a great job,’” Chaffetz said, pausing.
“You’re not, it’s failing,” he added.
The OPM has been under heavy scrutiny as details continue to emerge about a mega data breach that has exposed up to 14 million people’s sensitive information.
The breach, attributed to Chinese hackers, is widely considered the worst digital theft of government information of all time. Officials also said Friday that hackers had accessed security clearance background checks for millions of military and intelligence agency personnel.
During his opening statement, Chaffetz read from several years of OPM inspector general reports, his voice rising as he described myriad security shortcomings.
The agency’s information technology defenses were “akin to leaving all the doors and windows open in your house and expecting no one will walk in and take any information,” he said.
“How wrong they were,” the chairman added.
Each year, the watchdog reviews cited insufficient IT security policies and leadership within the OPM. The agency didn’t have a comprehensive inventory of all devices and computer systems with access to its networks.
“They didn’t even know what they have!” Chaffetz said.
Eleven of the OPM’s 47 major computer systems that were supposed to be certified as secure lacked the proper security authorization, according to the inspector general’s report.
Five of those systems were within the office of the chief information officer.
“Ms. Seymour, they were in your office, which is a horrible example to be setting,” Chaffetz said to Donna Seymour, OPM’s chief information officer.
In total, he added, 65 percent of the OPM’s data “sat on systems with no valid authorization.”
In her opening statement, OPM Director Katherine Archuleta acknowledged the years of deficiencies.
After being sworn in 18 months ago, Archuleta said, “I immediately became aware of vulnerabilities in our aging systems.”
She instituted an “aggressive” plan to centralize IT oversight under the chief information officer and add “numerous tools and capabilities,” she said.
It was in the process of updating the agency’s cybersecurity that the massive data breach was discovered, Archuleta explained.
“But for the fact that we implemented new more stringent security tools we would have never known that malicious activity had previously [been] on that network and would not have been able to share that information for the protection of the rest of the fed government,” she said.
Chaffetz often spoke over Archuleta’s comments to ask questions about how many people had been affected by the hack, what data had been taken and who was behind it.
“Is the 14 million number wrong or accurate? How far back does it go? Does it include military personnel? Does it include contractor information?” he asked at various times.
“I would be glad to discuss that in a classified setting,” Archuleta replied multiple times.
Chaffetz then pressed Archuleta on the agency’s security protocols, particularly why OPM’s personnel data was not encrypted.
“Data information encryption is a valuable,” Archuleta started, before Chaffetz cut her off.
“Yeah it’s valuable,” he said. “We didn’t ask you to come read statements. I want to know why you didn’t encrypt the information.”
“It is not feasible to implement on networks that are too old,” Archuleta replied, adding that the agency was now working to encrypt this data.
“Well it didn’t work, so it failed,” Chaffetz said. “You failed utterly and totally.”