Lawmakers rip OPM's 'failure'

Members of Congress heaped hard questions on federal IT leaders at a June 16 hearing and suggested strongly that somebody needs to be fired.

(Image: Sergey Nivens / Shutterstock)

"You failed, utterly and totally."

That was the blunt message that Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform committee, delivered -- and many of his fellow lawmakers echoed -- to senior civil servants at a June 16 hearing on the massive breach of the Office of Personnel Management.

"This has been going on for years, but when I read the testimony that's been prepared, we're about to hear, 'But we're doing a good job!'" Chaffetz exploded. "You're not, it's failing!"

The committee did not take kindly to the nuanced, defensive remarks offered by OPM Director Katherine Archuleta and the other senior officials who offered testimony, especially as they denied some of the more surprising allegations coming out of the debacle -- the possibility that as many as 14 million people were compromised in the breach, and that a small business discovered the malware on OPM's systems -- and claimed OPM had been aggressively updating its cybersecurity posture.

OPM can't answer all the questions

"I would be happy to discuss that in a classified session," was Archuleta's stock response to many questions, at one point leaving her sounding a bit like a certain taciturn NFL running back.

Was the breach part of a coordinated foreign effort to undermine U.S. security? Classified.

Were cabinet-level employees and military personnel exposed in the breach? Classified.

Did hackers gain access to OPM's systems by hacking OPM contractors, or did they perhaps access the system through employee email accounts? Classified, and classified.

The committee was scheduled to hold a classified hearing on the OPM breach following the public session.

Archuleta also declined to give an estimate of how many individuals' personally identifying information (PII) may have been exposed. She stood by OPM's estimate that 4.2 million current and former federal employees were exposed in an initial breach, but could not say how many individuals might have been exposed in a second breach that compromised highly sensitive background check information.

A memo distributed by OPM on June 15 and obtained by FCW pointed federal employees to the Federal Trade Commission's Identity Theft Clearinghouse if they suspect their information is being misused following that second breach, which was disclosed June 12.

The memo said that beyond the initial OPM breach disclosed June 4, OPM "has recently discovered" more systems had been compromised that contain data from background investigations of current, former, and prospective federal government employees, as well as other individuals who underwent a federal background investigation.

OPM said it is working with the Department of Homeland Security and the FBI to determine the number of people affected by that separate intrusion. The agency said it will notify those individuals whose information may have been compromised "as soon as practicable."

Private sector thrown under the bus

During the hearing, feds took aim at the private sector and OPM doubled down on its assertion that CyTech Services did not discover the breach when it detected malware on OPM's systems.

Ranking Democrat Elijah Cummings of Maryland opened his remarks by questioning why representatives from the previously hacked USIS were not at the hearing, and several congressmen questioned whether the December hack of KeyPoint Government Solutions, a background check investigator contractor for OPM, may have given hackers the "keys" they needed to access OPM networks.

OPM CIO Donna Seymour referred the latter question to the classified briefing.

Archuleta repeated the assertion that, despite reporting to the contrary, it was OPM, not the Virginia small business CyTech Services, that discovered the breach.

"So the New York Times and others who wrote [that CyTech had detected the breach] were wrong?" Chaffetz queried.

"That is correct," Archuleta responded.

CyTech issued a statement June 15 confirming it had detected malware on OPM's systems on April 21, 2015, but the service-disabled-veteran-owned small business noted it couldn't say whether OPM already knew of the breach. OPM had maintained it discovered the breach itself sometime in April 2015, but OPM spokesperson Sam Schumach told FCW he couldn't provide the exact date of discovery.

Security measures that failed -- and those that wouldn't have worked?

Andy Ozment, assistant secretary in the Homeland Security Department's Office of Cybersecurity and Communications, admitted that the hacked OPM data -- including Social Security numbers -- was not encrypted, but he said that in this particular hack, encryption would not have made a difference.

"Encryption in this case would not have protected the data," he said, explaining that the hackers accessed the files with user privileges, so they would have seen the data in the clear just as an authorized user would, encryption or no.
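Ozment's point is worth seeing in working code. The following is an added illustration, not code from the hearing, OPM or DHS: a minimal records service that encrypts personnel records at rest with a key held by the application, but decrypts them for any session that passes authentication. The service, its test accounts and its records are all constructed for the example, and the HMAC-SHA256 counter-mode keystream stands in for a real at-rest cipher only so the block needs no third-party packages. It shows that copying the storage without the key yields nothing readable, while a stolen user credential yields every record in plaintext, and that the defender's signal in that case is the access pattern (one account reading far more records than its role needs), not the cipher.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode (not for production)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_at_rest(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext; a fresh nonce per record keeps keystreams distinct."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_at_rest(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def make_user(password: str):
    """Salted SHA-256 password entry for the constructed user table."""
    salt = os.urandom(8)
    return salt, hashlib.sha256(salt + password.encode()).digest()


class RecordsService:
    """Encrypted store plus login; decrypts for every authenticated session."""

    def __init__(self, key: bytes, users: dict):
        self._key = key
        self._users = users      # username -> (salt, password digest)
        self._store = {}         # record_id -> ciphertext blob
        self._sessions = {}      # session token -> username
        self.audit = []          # (username, record_id) per read; the detection input

    def put(self, record_id: str, plaintext: bytes) -> None:
        self._store[record_id] = encrypt_at_rest(self._key, plaintext)

    def login(self, username: str, password: str) -> Optional[str]:
        salt, digest = self._users.get(username, (b"", b""))
        candidate = hashlib.sha256(salt + password.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def get(self, token: str, record_id: str) -> bytes:
        """Any valid session gets plaintext: the key is the service's, not the user's."""
        user = self._sessions[token]          # KeyError for an unauthenticated caller
        self.audit.append((user, record_id))
        return decrypt_at_rest(self._key, self._store[record_id])

    def raw_dump(self) -> dict:
        """What a thief of the storage volume (without the key) obtains."""
        return dict(self._store)

    def bulk_readers(self, threshold: int) -> set:
        """Detection: accounts that read more distinct records than threshold."""
        seen = {}
        for user, rid in self.audit:
            seen.setdefault(user, set()).add(rid)
        return {u for u, rids in seen.items() if len(rids) > threshold}


def demo():
    """Returns (plaintext_visible_in_dump, stolen_credential_got_everything, flagged)."""
    key = os.urandom(32)
    svc = RecordsService(key, {"analyst": make_user("correct horse"),
                               "clerk": make_user("battery staple")})
    # Constructed records; the "SSN" values are dummies.
    records = {f"REC-{i:03d}": f"person {i} SSN 000-00-{i:04d}".encode() for i in range(50)}
    for rid, pt in records.items():
        svc.put(rid, pt)

    # 1. Storage theft without the key: encryption at rest does its job.
    dump = svc.raw_dump()
    leaked_plain = any(pt in blob for blob in dump.values() for pt in records.values())

    # 2. Stolen credential: the attacker logs in as "analyst" and reads everything in clear.
    token = svc.login("analyst", "correct horse")
    stolen = {rid: svc.get(token, rid) for rid in records}

    # 3. A legitimate clerk reads a single record.
    svc.get(svc.login("clerk", "battery staple"), "REC-001")

    return leaked_plain, stolen == records, svc.bulk_readers(threshold=10)
```

The design choice to notice is where the key lives: because the service holds it and applies it for every authenticated caller, "encrypted at rest" protects against loss of the medium but says nothing about an attacker who holds valid credentials. What does help there is narrower per-role authorization on individual records and monitoring of read volume per principal, which is what `bulk_readers` models.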

On Einstein, DHS's perimeter security system, Ozment noted that the system had failed.

"Security cannot be achieved through only one type of tool," he said. "Einstein is a perimeter system, but it will never be able to block every threat."

Comparing Einstein 1 and 2 to security cameras on a building, Ozment said Einstein 3A -- currently being rolled out -- acts more like a gatekeeper scanning "cars on the highway" and actively blocking unauthorized traffic from even approaching the system/building.

IG ignored?

"In the FY 2007 FISMA report, we identified a material weakness related to the lack of IT security policies and procedures," OPM Assistant Inspector General Michael Esser said in his prepared testimony. "In FY 2009, we expanded the material weakness to include the lack of a centralized security management structure necessary to implement and enforce IT security policies."

And Esser noted that each OPM program office had to fend for itself when it came to cybersecurity.

"The program office personnel responsible for IT security frequently had no IT security background and were performing this function in addition to another full-time role," he testified. "As a result of this decentralized governance structure, many security controls went unimplemented and/or remained untested, and OPM routinely failed a variety of FISMA metrics year after year."

He also noted OPM's lack of a centralized server and database inventory.

"Even if the [advanced cybersecurity] tools I just referenced were being used appropriately, OPM cannot fully defend its network without a comprehensive list of assets that need to be protected and monitored," Esser wrote.

Lawmakers hammered the administration officials for refusing to shut down OPM systems after numerous IG reports identified key weaknesses, and noted that in fiscal 2014, 11 out of 21 OPM systems were operating without a valid security assessment and authorization.

Archuleta and others responded that cybersecurity has been a top priority, but that fixing broken processes takes time.

'Essentially no consequences'

U.S. CIO Tony Scott touted his 30-day "Cybersecurity Sprint" and OPM's Seymour noted aggressive security improvements have taken place since the breach, but Congress remained unimpressed on a bipartisan basis.

"It is clear to me that there is a high level of technological incompetence across federal agencies," said Rep. Ted Lieu (D-Calif.). In past failures of this magnitude, he noted, leadership has resigned or been fired to send a message that "the status quo is not acceptable."

"When there is a culture problem ... leadership has to resign," he said. "What I'm looking for is a few good people to accept responsibility and resign for the good of the nation."

None of the witnesses offered themselves as tribute.

"Has anyone lost their job over this?" Rep. Glenn Grothman (R-Wis.) asked Archuleta.

After a grueling three hours in which she was often rebuked for not giving yes-or-no answers, Archuleta finally responded with a one-word answer, and it wasn't the one the members had been seeking: "No."

Esser noted that there were "essentially no consequences" for operating systems without proper authorizations, as OPM had done leading up to the breach. And while OPM's Seymour argued there were consequences, she couldn't provide a specific example.

Archuleta also defended OPM's security challenge in her written testimony.

"In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network," she noted. "These attacks will not stop -- if anything, they will increase."

She also gave herself and her agency credit for their efforts.

"We discovered these intrusions because of our increased efforts in the last eighteen months to improve cyber security at OPM, not despite them," she said.

Mark Rockwell contributed to this story.