Chaffetz details where OPM went wrong, warns about future

The House oversight committee's Jason Chaffetz (R-Utah) delivered an indictment of OPM's security and the protracted federal procurement process.


Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, released a detailed report on the chronology of the Office of Personnel Management hack that exposed more than 21 million personnel records.

During a Sept. 7 presentation at the American Enterprise Institute in Washington, he said the "most concerning things" were the repeated warnings about OPM's weaknesses and the idea that such a breach was preventable.

Chaffetz pointed to a series of inspector general reports dating back to 2005 that almost annually lamented OPM's insufficient cybersecurity protocols, and he criticized former OPM CIO Donna Seymour for "thwarting and misleading" the watchdogs.

The report criticizes OPM's response to the first signs of intruders on its network.

"Swifter action by OPM to harden the defenses of its IT architecture could have prevented or mitigated the damage that OPM's systems incurred," the report states.

OPM Acting Director Beth Cobert said the report "does not fully reflect where this agency stands today."

"While we disagree with many aspects of the report, we welcome the committee's recognition of OPM's swift response to the cybersecurity intrusions and its acknowledgement of our progress in strengthening our cybersecurity policies and processes," she wrote in a Sept. 7 blog post.

A memo by staffers on the Democratic side of the committee said the breach was due in part to compromised credentials used by OPM's IT contractors and that Chaffetz’s report "fails to adequately address federal contractors and their role in cybersecurity."

In a series of committee hearings, Chaffetz has called for the resignations of senior OPM leaders on several occasions. Former OPM Director Katherine Archuleta resigned in July 2015, followed by Seymour's resignation in February 2016.

In addition, Chaffetz denounced OPM for not implementing multifactor authentication. Only 1 percent of users were required to have personal identity verification cards to access OPM systems, and 11 systems did not have active authorities to operate, he said.

The U.S. Computer Emergency Readiness Team discovered that "OPM was under sustained attack for at least as far back as 2012," he added, and the two attackers who penetrated the system were "likely connected and possibly coordinated."

After the hackers breached OPM's system, Chaffetz said immediate action, including shutting the system down, could have "seriously limited the adversaries' ability to move around the network."

Because of OPM's failure to monitor network activity, "we'll never know everything that was stolen," he added.

When OPM hired a company to diagnose the intrusions, "so much malware was found in the tool, it was said to be lit up like a Christmas tree," Chaffetz said.

He placed some of the blame on the cumbersome federal acquisition process. "It is not swift, it is not effective, it is not efficient, and in the world of cybersecurity, it will sometimes be generations after a new technology has actually come and gone," he said.

Chaffetz advocated using a "zero trust" approach to security on federal networks, which centers on the idea that users inside the network are no more trustworthy than users outside it: every request is authenticated and authorized on its own merits (identity, credentials, device) rather than on where it originates.
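To make the contrast concrete, the following is an added example, not code from the report or from OPM: a small policy evaluator that decides the same access requests two ways. The perimeter policy trusts any password-authenticated request from an internal address, which is how stolen contractor credentials used from inside the network (the scenario the Democratic memo describes) get through. The zero-trust policy ignores source address and requires a hardware second factor (a PIV card, the control Chaffetz faulted OPM for requiring of only 1 percent of users), a managed device and an explicit entitlement. The network range, user names, resource names and request data are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address range; purely illustrative.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical entitlements: which identities may reach which system.
ENTITLEMENTS = {
    "jdoe@agency.example": {"hr-records"},
    "contractor-svc": {"helpdesk-tickets"},
}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    password_ok: bool      # first factor validated
    piv_verified: bool     # PIV smart card (hardware second factor) presented
    device_managed: bool   # endpoint enrolled and policy-compliant
    resource: str


def perimeter_policy(req: Request) -> bool:
    """Network-location model: a valid password from an internal host is trusted.
    A stolen credential replayed from inside the perimeter is indistinguishable
    from a legitimate user."""
    src = ipaddress.ip_address(req.source_ip)
    inside = any(src in net for net in INTERNAL_NETS)
    return inside and req.password_ok


def zero_trust_policy(req: Request) -> tuple:
    """Per-request model: identity, both factors, device posture and entitlement
    are checked on every request; source address is not consulted at all.
    Returns (allowed, reason) so the first failing check is visible."""
    if not req.password_ok:
        return False, "bad credentials"
    if not req.piv_verified:
        return False, "second factor (PIV) missing"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        return False, "not entitled to resource"
    return True, "allowed"


# Constructed requests for the three cases worth comparing.
STOLEN_CREDS = Request(        # attacker on an internal host with a stolen password
    user="contractor-svc", source_ip="10.20.30.40", password_ok=True,
    piv_verified=False, device_managed=False, resource="helpdesk-tickets")
REMOTE_EMPLOYEE = Request(     # legitimate employee, off-network, full posture
    user="jdoe@agency.example", source_ip="203.0.113.7", password_ok=True,
    piv_verified=True, device_managed=True, resource="hr-records")
CONTRACTOR_LATERAL = Request(  # fully authenticated contractor reaching past its scope
    user="contractor-svc", source_ip="10.20.30.41", password_ok=True,
    piv_verified=True, device_managed=True, resource="hr-records")


def compare(requests):
    """Evaluate each request under both policies; returns a list of dicts."""
    return [
        {
            "user": r.user,
            "resource": r.resource,
            "perimeter": perimeter_policy(r),
            "zero_trust": zero_trust_policy(r),
        }
        for r in requests
    ]


if __name__ == "__main__":
    for row in compare([STOLEN_CREDS, REMOTE_EMPLOYEE, CONTRACTOR_LATERAL]):
        print(row)
```

Run as a script, it shows the perimeter policy admitting the stolen-credential request and rejecting the legitimate remote employee, while the zero-trust policy does the reverse and additionally stops the authenticated contractor from reading a system it is not entitled to. The point of returning a reason string is operational: a denial that says "second factor (PIV) missing" from an internal address is exactly the kind of event the network monitoring the report says OPM lacked should surface.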

"Federal agencies, particularly CIOs, must recognize they're on the front line of vital information," he said. "We're taking people and we're dumbing them down" to 1960s technology and coding languages.

Chaffetz also made a veiled reference to the White House's proposal for a revolving fund to support IT modernization projects outside the traditional appropriations process.

"The Obama administration has spent more than $600 billion on IT...so don't tell me we're $3 billion from solving this," he said. "There's no just turning this ship around in a couple of months...but that's why" drawing attention to cybersecurity is a starting point.