WASHINGTON – Senators grilled Office of Personnel Management Director Katherine Archuleta Thursday on details of the fallout from her agency’s massive data breach.
“Do you understand the full gravity?” Chairman Ron Johnson, R-Wisc., asked Archuleta at a Senate Homeland Security hearing on cybersecurity. “It’s hard to overstate the seriousness of this breach. OPM has been hacked five times in the last three years, and has still not responded to effectively secure its networks.”
Earlier this month, OPM, the human resources agency for the federal government, announced that 4.2 million current and former government employees had been affected by a breach of personnel records databases containing Social Security numbers, birthdates and addresses.
OPM is still conducting an investigation on another related cyber intrusion affecting background forms of people with security clearance. These forms contain a wealth of sensitive data, such as mental health and sexual history, as well as information about friends, spouses, family members and interactions with foreign nationals. The cause of this breach is still unclear.
Andy Ozment, assistant secretary for cybersecurity and communications for the Homeland Security Department, said it’s possible, if unlikely, that hackers were able to manipulate the security background information, including the addition or removal of derogatory information.
Earlier this month, FBI director James Comey estimated that 18 million people were affected by this second breach, including those who applied for federal jobs but never actually worked for the government.
Archuleta said she did not feel comfortable confirming that 18 million represents the total number of individuals affected.
But, she said, “It may well increase from these initial reports.”
Archuleta skirted questions about OPM’s timeline for producing a total number of individuals affected, or what the agency would do to protect those affected from tax fraud.
On Thursday, Archuleta said she will hire a new cybersecurity expert to report directly to her. She said she plans to meet in upcoming weeks with private sector cybersecurity experts to discuss best practices.
In the wake of the breach, the Office of Management and Budget launched a 30-day review team to analyze and recommend federal cybersecurity strategies.
Throughout the hearing, Archuleta reiterated that improvements at OPM led to the discovery of the breaches.
“You are responsible,” said Sen. John McCain, R-Ariz., to Archuleta. “I must say, I’ve seen a lot of performances, and yours ranks as one of the most interesting.”
“Do you think you should stay in your current position?” McCain pressed. Archuleta said she has been “working hard.”
OPM Inspector General Patrick McFarland raised new concerns in a recent audit on OPM’s management of infrastructure improvement.
The inspector general said Thursday OPM has ignored his recommendations for risk assessment. In the agency’s rush for damage control, he said proper project management procedures, like creating a business plan, were not followed.
“It may sound counterintuitive, but OPM must slow down and get it right the first time. OPM cannot afford to have this project fail,” McFarland said.
“That is a significant failure,” said Joni Ernst, R-Iowa. “That something as simple as a business plan cannot be produced for this is a failure.”
When asked to clarify whether the attacks are, in fact, over, given that it has taken months for the agency to detect previous ongoing breaches, Archuleta was unable to provide a clear answer.
“We’re trying really hard,” Archuleta said.
“That’s not the same as having knowledge the attacks are over,” said Sen. Ben Sasse, R-Neb.