OPM Director Rejects Blame for Breach
Panel Chair Laments 'No Clear Lines of Accountability'
The director of the Office of Personnel Management says neither she nor anyone else at OPM should be held personally responsible for a data breach of agency computers in which the personal information of millions of current and former government employees was stolen.
Testifying before the Senate Appropriations Financial Services and General Government Subcommittee on June 23, OPM Director Katherine Archuleta blamed the perpetrators of the breach - which many believe to be hackers tied to the Chinese government - for the cyber-intrusion.
"I don't think anyone is personally responsible," Archuleta said, responding to a question from Sen. Jerry Moran, R-Kansas, on whether she or any OPM official should be held accountable for the breach. "I believe that we are working as hard as we can to protect the data of our employees because that's the most important thing we can do. I take it very seriously. I'm angry as you are that this has happened to OPM, and I'm doing everything I can to move as quickly as I can to protect the systems."
No Clear Lines of Accountability
The subcommittee's chairman, John Boozman, R-Ark., lamented in his opening remarks that it's unclear who is responsible for ensuring IT security within OPM and other federal agencies. "Lots of people are involved," he said, "but often no clear lines of accountability are drawn."
Though she didn't mention the Chinese, Archuleta characterized the perpetrators as "well-funded, focused, aggressive" and said they breached not only OPM systems but those of other federal government agencies.
Archuleta also blamed the breach on OPM's legacy systems, which she inherited when she was sworn in as OPM director on Nov. 4, 2013, and which could not incorporate modern security protection tools. "We have legacy systems that are very old and oftentimes we have to test to be sure that we can even add those security protection systems [tools] into the legacy systems," Archuleta said.
Michael Esser, OPM assistant inspector general for audits, in his testimony agreed that problems existed in securing legacy systems, but added a caveat: "While this is true in many cases, and many of OPM's systems are mainframe-based, some systems that were impacted by the breaches are, in fact, more modern systems for which most of the technical improvements necessary to secure them could be accomplished."
Fragmented System Hard to Protect
In audits, Esser pointed out numerous problems with OPM's IT security, including the failure to certify some systems as secure as required by federal law. But he credited OPM leaders for implementing an improved security governance structure that has resulted in improved security practices. "Although we are optimistic that these improvements will continue, it is apparent that the [OPM Office of Chief Information Officer] continues to be negatively impacted by years of decentralized security governance, as the technical infrastructure remains fragmented and therefore inherently difficult to protect," he testified.
The tone of the Senate hearing was cordial and non-confrontational, unlike last week's hearing before the House Oversight and Government Reform Committee, when several lawmakers said Archuleta should resign because of the breach (see Lawmakers Lambaste OPM Chief Over Hack). At Tuesday's Senate hearing, Moran neither pressed the matter with Archuleta nor angrily attacked her when she declined to take personal responsibility for the breach.
Extemporaneous, Not Rote, Responses
During that earlier Oversight Committee hearing, Archuleta read from prepared statements in response to representatives' questions about the breach, stirring the ire of Oversight Committee Chairman Jason Chaffetz, R-Utah. "We didn't ask you to come read statements," Chaffetz said at the June 16 hearing.
In contrast, at the June 23 Senate subcommittee session, Archuleta referred to notes, but her answers to senators' questions were extemporaneous.
Archuleta isn't done dealing with Congress. She's scheduled to appear later this week before the House Oversight and Government Reform Committee again as well as the Senate Homeland Security and Governmental Affairs Committee.