5th OPM Hack Hearing Presents Yet Another Unanswered Question
No "credit check" can offset the risks to national security of compromised security clearance records.
By the fifth congressional hearing on a wide breach of U.S. personnel information disclosed in early June, some of the usual witnesses were running out of new things to say, while some just plain didn't show up.
Office of Personnel Management Chief Information Officer Donna Seymour, who has made two public Capitol Hill appearances in recent weeks, was invited to the House Science and Technology subcommittee session but lawmakers said she told them she had other commitments to attend to.
The hearing, which took place Wednesday afternoon, marked Government Accountability Office auditor Gregory Wilshusen's second round on the Hill, yet he had a new observation to offer: The federal government has earned a "D" in data protection, he said.
The GAO director of information security issues would not go so far as to give a "D-", he said, because the Obama administration has good ideas.
"In many respects there are improvements within federal information security -- some of the initiatives -- but it is getting to the effective implementation of those security controls and some of the initiatives over time, consistently that's proved challenging," Wilshusen said.
Several years ago, for example, the White House required all agency login systems be upgraded by October 2011 to require two-step verification, with a personal code and a smart card, to help overcome the weak password problem.
According to the White House, at the end of September 2014, "OPM had only implemented the use of personal identity verification cards, or strong authentication, for 1 percent of its user accounts," said Wilshusen, referring to the smart cards. OPM Director Katherine Archuleta, at one of the recent hearings, said stolen password data was used to break into the personnel files.
On Wednesday, there was at least one question -- aside from the ubiquitous, "How many individuals total are affected by the OPM breaches?" -- that will have to wait for another hearing.
OPM officials have said attackers might have hacked a system of records on government and industry personnel who filled out self-disclosure forms to see classified material, which essentially amount to confessions about their bad habits, compromising information on their loved ones and a host of other intimate information.
"No credit check is going to make up for the risk to not just personal security, but our nation's security for every individual who went through or was consulted as part of that system,” committee member Rep. Elizabeth Esty, D-Conn., said. "What sort of protection and advice do we give on the national security front, on the security breach aspect, because that is very different than your personal information [being used] to raid your bank account. That's a risk of grave concern for this country which we haven't really discussed today."