Katherine Archuleta, director of the Office of Personnel Management, appeared before the House oversight committee Tuesday to discuss a security breach at the agency believed to have affected the personal data of millions of current and former federal employees.
It did not go well for her.
The three-hour hearing, which began with a withering critique of OPM's IT vulnerabilities, quickly spiraled into a full-on confrontation with an agitated Congress, ending with a call for her resignation.
The personal information of millions of government workers is believed to have been compromised through two colossal intrusions that U.S. officials have attributed to Chinese hackers. The second breach, discovered only after a response team began investigating the first, captured data included in the background checks of government employees seeking a security clearance, and those who have sought it in the past. The information stolen in the second breach included social security numbers, financial and travel histories, as well the contacts of family, friends, neighbors, and foreign acquaintances.
The theft is the largest U.S. government data breach in history. And members of the House Committee on Oversight and Government Reform grilled Archuleta and OPM Chief Information Officer (CIO) Donna Seymour at length Tuesday seeking an explanation.
Chairman Jason Chaffetz began the hearing by discussing the OPM's failure to correct the security vulnerabilities catalogued in a series of inspector general reports dating as far back as 2007. The OPM data breach "should come as no surprise given its troubling track record with cybersecurity," Chaffetz said, comparing the OPM's data protections to those of a house with all its doors and windows open.
Michael Esser, the assistant inspector general for audits within the OPM, testified that the agency has a long history of failing to achieve IT security standards. Archuleta acknowledged the inspector general's criticisms even as she defended the OPM, citing the many competing priorities she has to contend with as an executive and the new security measures she has overseen. Seymour, her CIO, praised the agency's efforts to raise its cyberdefenses but also emphasized the OPM's outdated IT systems that present security and data challenges. The "cybersecurity issues that the government is facing is a problem that has been decades in the making due to a lack of investment in federal IT systems," Archuleta said.
When pressed, Archuleta said the initial breach of personnel files affected 4.2 million federal employees, though she admitted it may have affected more. The scope and nature of the second breach, of security clearance information, has not been shared with the public or with members of Congress. Archuleta and Seymour could not provide factual details of the intrusion, including how many employees were affected, when the cyberattacks began, or the exact contents of the information stolen. They cited an ongoing investigation into the second breach and, at various times, offered to answer the lawmakers' questions in a classified hearing taking place Tuesday afternoon.
Archuleta declined to answer in public whether the data of military personnel or CIA operatives was compromised. But she did admit that the social security numbers of federal employees had not been encrypted, and are therefore accessible to the hackers behind the breach.
Many lawmakers questioned Archuleta on the OPM's failure to encrypt social security numbers, a security practice considered to be a basic safeguard. At one point Archuleta argued that adversaries can sometimes decrypt protected data, which is why the OPM utilizes additional security tools. Representatives took exception with this point, and said her argument was a weak excuse for the data breach. Rep. Steve Russell described Archuleta's point on decryption as "baffling."
The oversight committee has been an outspoken critic of the Obama administration's efforts to create loopholes around the mass adoption of encryption. The FBI maintains that encryption backdoors installed on consumer devices will help facilitate criminal investigations and counterterrorism.
Democrats and Republicans on the congressional panel were equally appalled by Archuleta's responses. Several lawmakers complained of her obfuscation, the lack of seriousness with which her agency is handling the breach, and her failures of leadership. "I wish that you were as strenuous and hardworking in keeping information out of the hands of hackers as you are with keeping information out of the hands of Congress," said Rep. Stephen Lynch.
Against criticisms that the OPM has been slow to respond to the hack, Archuleta said her team is working "24/7" to resolve the breach. Though, in the eyes of lawmakers, she appeared too ready to congratulate her office for catching the second breach, which was only made possible by getting hit by the first attack and installing more stringent security tools. "You failed utterly and totally," Rep. Chaffetz said.
Archuleta and Seymour said that since the breach, the OPM has worked hard to bolster security. Their efforts include the use of two-factor authentication, masking and segmenting data, and restricting the number of privileged users who can access the OPM network.
Rep. Ted Lieu saw in this latest breach more proof of "a culture problem of civilian leadership not understanding we are in a cyber war." He also noted his disappointment with Archuleta for not apologizing to federal workers. After lambasting the OPM for its negligence and incompetence, Lieu dropped the hammer, calling for some members of the agency's leadership to step down.
"Frankly, when it specifically comes to OPM, I do not believe we can have any confidence in the agency's handling of these attacks until someone in the senior leadership ranks accepts responsibility for inadequate cybersecurity at their agency and resigns," Lieu told BuzzFeed News.
After the hearing, Chaffetz echoed Lieu's call and pointed it directly at Archuleta and Seymour. "Those two had an opportunity to right the ship. They were given strong recommendations for a number of years, but they didn't get it done. There should be consequences. If we want a different result, we're going to have to have different people. I think it's time for them to resign. And if they don't, I think the president should fire them."
The full implications of the data breach remain unclear, as do the identities of the perpetrators. Security experts say that the stolen information could be used to blackmail U.S. intelligence operatives, or, more simply, be used to commit credit fraud. Which federal employees have had their information compromised is still unknown, though the OPM says it will continue to notify federal workers of the breach through June 19.