Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Lawmakers Lambaste OPM Chief Over HackOPM Director Archuleta Offers Mostly Rote Responses at Hearing
An exasperated chairman of the House Oversight Committee faulted the director of the Office of Personnel Management for not embracing an inspector general recommendation to shutter unauthorized IT systems that hackers eventually breached, exposing the personal information of at least 4.2 million current and former federal workers.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"The inspector general was right; your systems were vulnerable, the data was not encrypted," Rep. Jason Chaffetz, R-Utah, scolded OPM Director Katherine Archuleta at a June 16 hearing on the breach. "They recommended that you shut it down, and you didn't, and I want to know why."
The IG, in a 2014 audit, recommended that Archuleta shutter systems that did not acquire valid authorizations required by the Office of Management and Budget. Later in the hearing, Archuleta explained that she didn't order the systems' shutdown because of other agency priorities, such as assuring retirees received their benefits and that employees got paid.
Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs
Chaffetz chaired the hearing that delved into two OPM breaches revealed earlier this month - and believed to have been conducted by the Chinese government - that exposed the personally identifiable information such as Social Security numbers as well as information employees provided the government when they sought security clearances, material some experts speculate could help Chinese espionage efforts.
Chaffetz Scolds Archuleta
At several points in her response to lawmakers' questions, including on the failure of OPM to encrypt employee data, Archuleta didn't provide specific answers, and instead read from prepared remarks. That brought an incensed response from Chaffetz: "We didn't ask you to come read statements. I wanted to know why you didn't encrypt the information."
Later, Department of Homeland Security cybersecurity leader Andy Ozment explained that encryption would not have protected the breached data because the hackers likely stole the security credentials of a government employee with access to the sensitive information. "If an adversary has the credentials of a user on the network, they can access data even if it were encrypted, just as the users on the network have access to the data," testified Ozment, DHS assistant secretary for cybersecurity and communications. "It did occur in this case. Encryption would not have protected the data."
The witnesses - who included OPM CIO Donna Seymour, OPM Assistant Inspector General Michael Esser and Federal CIO Tony Scott - often deferred answering lawmakers' questions about details of the breach, saying they would respond in a secret session with the committee held later in the day.
Call for Resignations
The frustration of committee members with OPM witnesses was bipartisan. Rep. Ted Lieu, D-Calif., complained that OPM officials never said "I'm sorry" to government workers whose most personal information was exposed. Saying OPM deserves competent, new leaders, he added: "I'm looking here today for a few good people to step forward, accept responsibility and resign for the good of the nation."
Absent from the hearing was a representative from former OPM contractor U.S. Investigation Services, itself a victim of a breach, which the ranking member of the committee - Rep. Elijah Cummings, D-Md. - wanted to testify. Cummings wanted to know if the hackers gained access to the OPM system using information stolen from USIS and another contractor, Keypoint Government Solutions. Both companies had offered security clearance services to the government.
Seymour, the OPM CIO, told the committee that the agency has yet to determine exactly how many employees had their data exposed because the hacked background database system uses antiquated, legacy computers that pull data from other agencies. Some estimates have put that figure at 14 million. She also said exposed background files could contain a lifetime worth of information about employees.
Einstein Did Not Detect Breach
During the hearing, Ozment explained that the Einstein 1 and 2 detection systems, which only can detect known signatures, were in place during the breach, but did not detect the cyber-attack. OPM administrators, monitoring the network, noticed malicious activity in April, and then informed DHS. Archuleta said the hackers were believed to have first breached the OPM system late last year.
After discovering the breach, Ozment said DHS developed a signature for that particular threat, and used Einstein 2 to look back in time for other compromises across the federal civilian government. He said that DHS loaded the same threat information into the more advanced Einstein 3A intrusion protection system to block potential threats using the same signature from damaging federal networks.