IAPP published a summary of the hearings on Capitol Hill regarding the OPM breaches. The revelations certainly explain the mess, but they also continue to raise the question of where Congress has been over the last 6 years. It is certainly OK to beat up OPM management, but I don’t see Congress taking any of the heat that it should be taking.
So, what does the article say (see article)?
- While OPM admits that 4+ million people’s information was compromised as a result of the first breach, they are unwilling to say how many people were affected by the second breach.
- After intense interactions, Katherine Archuleta, director of the OPM, would only admit that they have records on 32 million people. The reason that she is being so cagey – besides the fact that they are still trying to figure out what was taken – is that if the SF86s and related data from security clearance background checks were taken, the number of people affected could be 100 million. This is because applicants have to provide information on relatives, employers, references, friends, neighbors, etc. Every single SF86 could affect 10-30+ other people. For most of these people, there is significantly less information than for the applicant, but still, there is information. And, if the investigators’ notes were hacked, then all bets are off. Comments made by people under threat of being put in jail if they did not cooperate, and who were told that what they said to investigators was confidential, are now in the wild. If certain information becomes public and the source of the information also becomes public, careers could be ruined and, I assume, lawsuits could be filed against the people who made the statements.
- The OPM Inspector General said that they had a “suitcase” of concerns and said OPM’s response to the incidents was “dangerous”. I would think Congress should have been asking OPM for years to explain what they were doing to fix the problems and what assistance and funding they needed to fix them, but until now, Congress hasn’t done anything.
- The IG said, in no uncertain terms, that what they are doing now will fail – that they are rushing through projects, not doing the basics, not focusing on doing it right. Logic would say that Congress should tell OPM to slow down, to show Congress a plan, to bring their experts who are designing the fixes to Congress to explain what they are doing. But Congress is doing none of this.
- The IG also said that they are frustrated by the amount of time it takes OPM to provide answers to their questions, and that when they do eventually get the answers, the answers are total crap.
- Magically, the OPM was able to contract with an outsource vendor in less than 48 hours to handle the breach notification service. That is not exactly the amount of time you would expect a thorough, well-planned evaluation and strategy to take. The answer that Congress got about how this happened was, in my opinion, smoke and mirrors.
- Archuleta admitted that credentials from vendor KeyPoint were used in the attack and that the KeyPoint contract was still in force – even though USIS’s contract was terminated after they were breached.
- I said the other day that the OPM was using systems developed in the 1980s. Apparently I was wrong. Archuleta admitted that a COBOL-based system developed in 1959 is still in use. To put that in different terms, that would be sort of like building today’s skyscrapers with rollers and pulleys rather than excavators and cranes.
- The House committee clearly wants Archuleta gone – they blatantly said so – and while that is probably what needs to happen, firing her will make zero difference until and unless Congress does its job. Just this week, Congress punted, yet again, on spending money to fix the problem. Unfortunately, this is not a surprise.
This story will continue to unfold, but unless the pressure stays on Congress, it will go back into the dark recesses of the Washington bureaucracy.