Katherine Archuleta, in testimony before Congress, said that she realized when she assumed her post 18 months ago that the agency had huge cyber security issues.
When pressed on why the data was not encrypted, her response was that it is hard to do on systems that are that old.
However, Dr. Ozment, DHS assistant secretary for cybersecurity, said that encryption would have done no good because the attackers had valid credentials – likely obtained through social engineering (see article).
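Dr. Ozment's point is worth making concrete, because "the data wasn't encrypted" and "the attackers had valid credentials" address two different threat models. The following is an added example written for this post, not code from OPM, DHS or the article: it models a personnel store whose records are encrypted at rest with a key held by the application. A copy of the raw storage yields no plaintext, but any authenticated session decrypts transparently, so an account with stolen credentials dumps everything. The compensating control the cipher cannot provide is shown alongside: flagging accounts whose read volume exceeds what a normal session does. The cipher (a SHA-256 keystream), the user name, password, record ids and threshold are all constructed for the illustration.

```python
import hashlib
import os
import secrets
from collections import Counter


# --- toy encryption at rest: SHA-256 keystream XOR, for illustration only ---
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per record so identical rows encrypt differently
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PersonnelStore:
    """Records encrypted at rest. The application holds the key and decrypts
    for any authenticated session: the cipher cannot distinguish a legitimate
    clerk from someone who logged in with stolen credentials."""

    def __init__(self, records: dict, users: dict):
        self._key = os.urandom(32)
        self._rows = {rid: encrypt(self._key, text.encode()) for rid, text in records.items()}
        self._users = users      # username -> password (constructed; real systems hash these)
        self._sessions = {}      # session token -> username
        self.access_log = []     # (username, record id) for every read, feeds monitoring

    def login(self, username: str, password: str):
        if self._users.get(username) != password:
            return None
        token = secrets.token_hex(8)
        self._sessions[token] = username
        return token

    def read(self, token: str, rid: str) -> str:
        user = self._sessions[token]  # KeyError for an invalid session
        self.access_log.append((user, rid))
        return decrypt(self._key, self._rows[rid]).decode()

    def export_all(self, token: str) -> list:
        return [self.read(token, rid) for rid in self._rows]

    def disk_image(self) -> bytes:
        """What someone who copies the storage, but holds no credentials, obtains."""
        return b"".join(self._rows.values())


def flag_bulk_readers(access_log, threshold: int) -> list:
    """Compensating control: accounts reading more records than a normal session would."""
    counts = Counter(user for user, _ in access_log)
    return sorted(user for user, n in counts.items() if n > threshold)


# Constructed sample data; no real people or credentials.
RECORDS = {
    "rec-0001": "Jane Example; clearance level TS; background interview notes",
    "rec-0002": "John Sample; clearance level S; foreign contacts listed",
    "rec-0003": "Ann Placeholder; clearance level TS; financial disclosure",
}
USERS = {"contractor-admin": "Winter2015"}  # constructed credential


def demo() -> dict:
    store = PersonnelStore(RECORDS, USERS)
    image = store.disk_image()
    # Threat model 1: stolen storage. Encryption at rest does its job here.
    stolen_disk_leaks = any(n.encode() in image for n in ("Jane", "John", "Ann"))
    # Threat model 2: stolen credentials. Encryption is transparent to the attacker.
    token = store.login("contractor-admin", "Winter2015")
    dumped = store.export_all(token)
    # The control that actually sees this event is access monitoring, not the cipher.
    flagged = flag_bulk_readers(store.access_log, threshold=2)
    return {"stolen_disk_leaks": stolen_disk_leaks, "dumped": dumped, "flagged": flagged}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Running `demo()` shows the split: the disk image contains none of the names, while the credentialed export returns every record in clear, and only the read-volume rule notices. In practice the threshold would be a per-role baseline rather than a constant, and the log would feed a SIEM rather than a Python list, but the division of labour between encryption and monitoring is the same.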
House Oversight Chairman Jason Chaffetz (R-UT) said that Archuleta and OPM CIO Donna Seymour “utterly failed” because 11 key internal OPM systems that store 65 percent of OPM’s data were not properly certified as secure. The OPM IG, apparently, has reported for the last 8 years, according to Rep. Chaffetz, that OPM’s security posture was akin to leaving the doors and windows open and hoping that no one would walk in.
During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last.
Rep. Chaffetz, as chair of the House Oversight Committee, should have been reading those reports. Isn’t that what oversight means? Did he do anything about it during the last 6 years, or did he wait until the kaka hit the fan to take notice? Assuming his committee was “oversighting” things, they certainly read the IG’s annual reports. I don’t recall him introducing any bills increasing OPM’s funding to replace those antique systems from the 80s and 90s. In fact, I don’t recall him saying a thing on the subject. Maybe we should investigate why Chaffetz wasn’t doing his job.
This doesn’t mean that I am defending Archuleta and Seymour – there is likely enough blame to share. If you read the Ars Technica article above, you will see that things are pretty grim – much of which is laid on Congress’ doorstep for not funding and overseeing things.
OPM outsourced system administration – you know, those folks with the keys to the kingdom. One, in particular, was in Argentina. Another was in the People’s Republic of China. Whose fault is that? Save money. The hell with security. And background checks – those are a joke too. When OPM fired USIS after they were breached, the job of doing background checks went to KeyPoint. Those investigators use their personal Gmail accounts because the company doesn’t provide them with company email accounts.
Given how old most of the civilian IT infrastructure in D.C. is, it is amazing that it actually operates at all. Think about all the horror stories we have heard about FAA and IRS systems for example.
SECURITY. CONVENIENCE. COST. PICK ANY ONE. Maybe, if you are lucky, you get two. Three is not going to happen.
Archuleta probably needs to go, but fixing this mess will cost billions, and if Congress is not willing to spend the money, I would discourage anyone competent from taking the job. Just my two cents.