[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
IS THE OPM DATA BREACH
THE TIP OF THE ICEBERG?
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT &
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
July 8, 2015
__________
Serial No. 114-28
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
97-568PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
Majority Members
FRANK D. LUCAS, Oklahoma
F. JAMES SENSENBRENNER, JR., Wisconsin
DANA ROHRABACHER, California
RANDY NEUGEBAUER, Texas
MICHAEL T. McCAUL, Texas
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
BILL JOHNSON, Ohio
JOHN R. MOOLENAAR, Michigan
STEVE KNIGHT, California
BRIAN BABIN, Texas
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
Minority Members
EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
DONNA F. EDWARDS, Maryland
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
ALAN GRAYSON, Florida
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
KATHERINE M. CLARK, Massachusetts
DON S. BEYER, JR., Virginia
ED PERLMUTTER, Colorado
PAUL TONKO, New York
MARK TAKANO, California
BILL FOSTER, Illinois
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
Majority Members
FRANK D. LUCAS, Oklahoma
MICHAEL T. MCCAUL, Texas
RANDY HULTGREN, Illinois
JOHN R. MOOLENAAR, Michigan
BRUCE WESTERMAN, Arkansas
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
RALPH LEE ABRAHAM, Louisiana
LAMAR S. SMITH, Texas
Minority Members
DANIEL LIPINSKI, Illinois
ELIZABETH H. ESTY, Connecticut
KATHERINE M. CLARK, Massachusetts
PAUL TONKO, New York
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
EDDIE BERNICE JOHNSON, Texas
------
Subcommittee on Oversight
HON. BARRY LOUDERMILK, Georgia, Chair
Majority Members
F. JAMES SENSENBRENNER, JR., Wisconsin
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
BILL JOHNSON, Ohio
DAN NEWHOUSE, Washington
LAMAR S. SMITH, Texas
Minority Members
DON BEYER, Virginia
ALAN GRAYSON, Florida
ZOE LOFGREN, California
EDDIE BERNICE JOHNSON, Texas
CONTENTS
July 8, 2015
Witness List
Hearing Charter
Opening Statements
Statement by Representative Barbara Comstock, Chairwoman, Subcommittee on Research, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Daniel Lipinski, Ranking Minority Member, Subcommittee on Research, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Barry Loudermilk, Chairman, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Donald S. Beyer, Jr., Ranking Minority Member, Subcommittee on Oversight, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Witnesses:
Mr. Michael R. Esser, Assistant Inspector General for Audits, Office of Personnel Management
    Oral Statement
    Written Statement
Mr. David Snell, Director, Federal Benefits Service Department, National Active and Retired Federal Employees Association
    Oral Statement
    Written Statement
Dr. Charles Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology
    Oral Statement
    Written Statement
Mr. Gregory Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office
    Oral Statement
    Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
Mr. Michael R. Esser, Assistant Inspector General for Audits, Office of Personnel Management
Mr. David Snell, Director, Federal Benefits Service Department, National Active and Retired Federal Employees Association
Dr. Charles Romine, Director, Information Technology Laboratory, National Institute of Standards and Technology
Appendix II: Additional Material for the Record
Statement by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
Letter submitted by Representative Barbara Comstock, Chairwoman, Subcommittee on Research, Committee on Science, Space, and Technology, U.S. House of Representatives
IS THE OPM DATA BREACH
THE TIP OF THE ICEBERG?
----------
WEDNESDAY, JULY 8, 2015
House of Representatives,
Subcommittee on Research and Technology &
Subcommittee on Oversight,
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 3:36 p.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barbara
Comstock [Chairwoman of the Subcommittee on Research and
Technology] presiding.
Chairwoman Comstock. The Subcommittees on Research and
Technology and Oversight will come to order. Without objection,
the Chair is authorized to declare recesses of the
Subcommittees at any time.
Good afternoon. Our apologies for the delay. As you saw or
heard, we were voting.
Welcome to today's hearing entitled ``Is the OPM Data
Breach the Tip of the Iceberg?'' In front of you are packets
containing the written testimony, biographies, and truth-in-
testimony disclosures for today's witnesses.
I now recognize myself for five minutes for an opening
statement.
Just over a month ago, the Office of Personnel Management
(OPM) announced a massive data breach that exposed the personal
information of over 4 million current and former federal
employees and contractors. Like thousands of my fellow
constituents and people across the country, I received a letter
from OPM informing me that my personal information may have
been compromised or stolen by criminals who are behind this
attack.
Unfortunately, the news appears to be getting worse this
week as we learn more about the reported second OPM data
breach, compromising the security of potentially 18 million
federal employees, contractors, and others who submitted
sensitive information for background checks to the government.
And sadly, the response from OPM has not inspired confidence
over the past few weeks.
Identity theft by what seems to be a foreign entity is a
very serious national security threat. They are literally, you
know, at cyber war with us, and we as leaders have to
appreciate that reality and operate in that reality.
Many of my constituents have contacted me about their fears
and concerns. It has been months since OPM discovered the
attack, and we still have too many questions and not enough
answers. As we will hear from some of our witnesses today,
federal employees have many unanswered questions. For example,
just one: Are the credit monitoring identity theft provisions
adequate? I know we've heard from people who are very concerned
about whether they are.
Most alarming to me about these breaches is that they were
launched less than 18 months after a previous severe network
assault on OPM. We know that information security incidents
reported by federal agencies have increased by 1,000 percent
since 2006, a 1,000 percent increase.
For years the OPM Office of Inspector General and the U.S.
Government Accountability Office have been warning OPM
leadership of critical vulnerabilities to their information
systems. Some of the weakness and current problems were ID'd as
far back as 2007. Today, many of their recommendations for
fixing the systematic failures remain unmet.
Cyber criminals and foreign enemies are working night and
day with the latest technology to exploit every vulnerability
in our system, and it appears we're behind the times. The
United States has some of the world's best technological minds
and resources, yet our management in OPM does not appear to be
getting up to speed.
Federal employees provide their sensitive personal
information under the expectation that it is protected with all
the seriousness that it should receive. However, that trust has
now been broken and hence so many concerns.
Cybersecurity has to be a top priority in every government
agency from the top Cabinet official on down. We need an
aggressive, nimble, and flexible strategy to anticipate,
intercept, and stop these cyber attacks. Those who are engaging
in the attacks on our citizens, agencies, and companies,
whether they be nation states, adversaries, or hacktivists and
just, you know, random criminals are a reality that we'll be
living with in the 21st century and we must develop and use all
the tools and technology available to thwart them and
understand this is going to be an ongoing problem that we have
to constantly adapt to.
I want to note that we invited the OPM Chief Information
Officer Donna Seymour to testify at today's hearing. She
declined the Committee's invitation, citing other commitments,
and we will continue to be working with them and asking them
additional questions.
Today's panel of witnesses will help us better understand
the magnitude of cybersecurity challenges at OPM across the
federal government, as well as determine what steps need to be
taken to prevent future cyber attacks and the state-of-the-art
best practices to do so. And I should note that in the coming
weeks we will also be looking at a lot of the best practices
that the private sector has and other experts want to bring to
bear that will probably reflect a lot of what you are going to
be talking about today.
I appreciate the leadership of Chairman Lamar Smith on
these issues and the role the Science Committee--that they have
played in making cybersecurity research and development a
priority.
I look forward to continuing to work on the Subcommittee on
efforts to make sure the federal government is staying ahead of
our adversaries. And if officials neglected their duties or are
not the right people for the job, we also need to hold them
accountable and make sure we are doing everything to improve
the situation.
[The prepared statement of Chairwoman Comstock follows:]
Prepared Statement of Subcommittee on Research & Technology
Chairwoman Barbara Comstock
Just over a month ago the Office of Personnel Management (OPM)
announced a massive data breach that exposed the personal information
of over 4 million current and former federal employees and contractors.
Like thousands of my fellow constituents, I received a letter from
OPM informing me that my personal information may have been compromised
or stolen by the criminals behind this attack.
Unfortunately, the news gets worse this week, as we learn more
about the reported second OPM data breach, compromising the security of
18 million federal employees, contractors and others who submitted
sensitive information for background checks. And sadly the response
from OPM has not inspired confidence.
Identity theft by what seems to be a foreign entity is a very
serious national security issue. They are at cyberwar with us--do our
leaders appreciate that reality?
Many of my constituents have contacted me about their fears and
concerns. It has been months since OPM discovered the attack, and we
still have too many questions and not enough answers.
As we will hear from witnesses today, federal employees have many
unanswered questions. Just one: Are the credit monitoring identity
theft provisions adequate? Most alarming to me about these breaches is
that they were launched less than 18 months after a previous severe
network assault on OPM. We know that information security incidents
reported by federal agencies have increased by 1,000 percent since 2006.
For years the OPM Office of Inspector General and the U.S.
Government Accountability Office have been warning OPM leadership of
critical vulnerabilities to their information systems. Some of the
weakness and current problems were ID'd as far back as 2007. Today,
many of their recommendations for fixing the systematic failures remain
unmet.
Cyber criminals and foreign enemies are working night and day with
the latest technology to exploit every vulnerability in our system,
while OPM is behind the times and operating apparently at a pace with
systems designed for the last century not for the current threat. The
United States has some of the world's best technological minds and
resources, yet OPM's management is failing.
Federal employees provide their sensitive personal information
under the expectation that it is protected with all due seriousness.
However, the trust between our federal employees, contractors, and
others whose information has been compromised is damaged.
Cybersecurity must be a top priority in every government agency
from the top Cabinet official on down. We need an aggressive, nimble,
and flexible strategy to anticipate, intercept, and stop cyberattacks.
Those who are engaging in cyberattacks on our citizens, agencies,
and companies--whether they be nation states, adversaries or
hacktivists--are a reality we will be living with in the 21st century
and we must develop and use all the tools and technology available to
thwart them and understand this is an ongoing problem we have to
constantly be on top of.
I want to note that we invited the OPM Chief Information Officer
Donna Seymour to testify at today's hearing. She declined the
Committee's invitation, citing other commitments, we continue to have
questions about how and why this cyberattack occurred and the measures
that have been instituted to prevent a future attack at OPM. We will
take any necessary steps to ensure my constituents get those answers.
Today's panel of witnesses will help us better understand the
magnitude of cybersecurity challenges at OPM and across the federal
government, as well as determine what steps need to be taken to prevent
future cyberattacks, and the state of the art best practices to do so.
I appreciate the leadership of Chairman Lamar Smith on these issues
and the role the Science Committee has played in making cybersecurity
R&D a priority.
I look forward to continuing to lead the Research & Technology
Subcommittee in efforts to make sure the federal government is staying
ahead of our adversaries who are constantly developing new and
sophisticated malicious technologies.
If officials neglected their duties, or are not the right people
for the job, they must be held accountable so that proper leadership is
in place to not just meet, but anticipate and beat the next cyber
threat.
Chairwoman Comstock. So with that I will yield to the
Ranking Member, but I also ask unanimous consent to place into
the record various letters and articles that are relevant to
the hearing.
[The information appears in Appendix II]
Chairwoman Comstock. And without objection I'll now yield
to the Ranking Member.
Mr. Lipinski. Thank you, Chairwoman Comstock. I want to
thank you, Chairman Loudermilk, Chairman Smith, for holding
this hearing on the recent OPM data breach. I want to thank all
of our witnesses for being here this afternoon.
Unfortunately, major cyber attacks are happening more
frequently. Today, we're going to talk about the significant
breaches at the Office of Personnel Management. I have not
received notification, but I believe I may have been a victim
of this. But we all know that--I don't want to take away the
significance of it but it's important to note there have been an
increasing number of cyber attacks in both the private and
public sector where I know I've definitely been a victim of
some of these attacks.
Several years ago, I began working on cybersecurity
legislation, the Cybersecurity Enhancement Act, with my
colleague Mr. McCaul. Our legislation dealt with cybersecurity
standards, education, and workforce development. When we
started, I said that I had no doubt that threats from
individual hackers, criminal syndicates, and even other
governments would grow and evolve along with our increased use
of the internet. Unfortunately, I was right.
In February, Anthem, one of the Nation's largest health
insurance companies, announced it suffered a cyber breach that
compromised the records of 80 million current and former
customers. And just last year, there were high-profile breaches
at J.P. Morgan Chase, eBay, Target, and many others affecting
millions of people.
Although I was happy that my bill with Mr. McCaul was
enacted at the end of last Congress, there is much, much more
to do in the area of cybersecurity. Cybercrime and cyber
espionage continue to threaten our national security, our
critical infrastructure, businesses of all sizes, and every
single American. This latest data breach at OPM is just another
example of that.
In the OPM breach, millions of federal employees' personal
information has been compromised, leading to significant
concerns about how the stolen information will be used.
Additionally, since OPM conducts more than 90 percent of all
security clearance background investigations, this breach is an
example of how cyber attacks threaten our national security. We
must do better.
It'll take a collective effort in both the public and
private sector to improve cybersecurity, and I cannot emphasize
enough the importance of research into the social and
behavioral aspects in this area. Our IT infrastructure is
built, operated, and maintained by humans from the average
worker at her desktop to Chief Information Officer of a major
company or agency. Most cyber attacks are successful because of
human error such as unwittingly opening a malicious email or
allowing one's credentials to be compromised. Understanding the
human element is necessary to combat threats and reduce risks.
To set governmentwide guidelines protecting federal
information security systems, Congress passed--if I can turn my
page--an example of human error here. Congress passed the
Federal Information Security Modernization Act, or FISMA.
FISMA, which was updated at the end of last Congress, requires
federal agencies to develop, document, and implement an
agencywide information security program.
Along with being responsible for their own information
security system, the National Institute of Standards and
Technology is tasked with developing standards and guidelines
for all civilian federal information systems. Since NIST plays
a critical role in protecting our nation's information security
systems, it's important that they be part of this conversation.
I'm happy that Dr. Romine is here today to tell us more about
how NIST develops FISMA standards and how they work with other
federal agencies.
FISMA also requires annual reviews of individual agencies'
information security programs, as well as reviews of
information security policies in the implementation of FISMA
requirements governmentwide. I hope to hear from our witnesses
about the steps necessary to ensure that OPM meets FISMA
requirements, as well as how other agencies are doing in this
space.
More information security systems, both in the public and
private sector, will surely be subject to cyber attacks in the
future, and while it's impossible to completely protect the
connected information security system, we must do all we can to
protect the personal information of millions of Americans and
conduct the oversight to ensure such steps are taken. This
hearing is the beginning of a conversation on how we can do
that, and we must make sure that we follow through with action.
I look forward to our discussion this afternoon. Thank you,
and I yield back the balance of my time.
[The prepared statement of Mr. Lipinski follows:]
Prepared Statement of Subcommittee
Minority Ranking Member Daniel Lipinski
Thank you Chairwoman Comstock and Chairman Loudermilk for holding
this hearing on the recent OPM data breach. I want to thank all the
witnesses for being here this afternoon.
Unfortunately, major cyber-attacks are happening more frequently.
Today, we are going to talk about the significant breaches at the
Office of Personnel Management (OPM). Not to take away from the
significance of the OPM breach, I think it is important to note that
there have been an increasing number of cyber-attacks in both the
private and public sector.
Several years ago I began working on cybersecurity legislation, the
Cybersecurity Enhancement Act, with my colleague, Mr. McCaul. Our
legislation dealt with cybersecurity standards, education, and
workforce development. When we started, I said that I had no doubt that
threats from individual hackers, criminal syndicates, and even other
governments would grow and evolve along with our increased use of the
internet. Unfortunately, I was right.
In February, Anthem, one of the nation's largest health insurance
companies, announced that it suffered a cyber-breach that compromised
the records of 80 million current and former customers. And just last
year there were high profile breaches at JP Morgan Chase, eBay, Target,
and many others affecting millions of people.
Although I was happy that my bill with Mr. McCaul was enacted at
the end of last Congress, there is much, much more to be done in the
area of cybersecurity. Cybercrime and cyber-espionage continue to
threaten our national security, our critical infrastructure, businesses
of all sizes, and every single American. This latest data breach at OPM
is just another example of that. In the OPM breach, millions of federal
employees' personal information has been compromised, leading to
significant concerns about how the stolen information will be used.
Additionally, since OPM conducts more than 90 percent of all security
clearance background investigations, this breach is an example of how
cyber-attacks threaten our national security. We must do better.
It will take a collective effort of both the public and private
sector to improve cybersecurity, and I cannot emphasize enough the
importance of research into the social and behavioral aspects in this
area. Our IT infrastructure is built, operated and maintained by
humans, from the average worker at her desktop to the chief information
officer of a major company or agency. Most cyber-attacks are successful
because of human error, such as unwittingly opening a malicious email
or allowing one's credentials to be compromised. Understanding the
human element is necessary to combat threats and reduce risk.
To set government-wide guidelines for protecting federal
information security systems, Congress passed the Federal Information
Security Modernization Act or FISMA. FISMA, which was updated at the
end of last Congress, requires federal agencies to develop, document,
and implement an agency wide information security program.
Along with being responsible for their own information security
system, the National Institute of Standards and Technology (NIST) is
tasked with developing standards and guidelines for all civilian
federal information systems. Since NIST plays a critical role in
protecting our nation's information security systems, it is important
that they be part of this conversation. I am happy that Dr. Romine is
here today to tell us more about how NIST develops FISMA standards and
how they work with other federal agencies.
FISMA also requires annual reviews of individual agencies'
information security programs as well as reviews of information
security policies and the implementation of FISMA requirements
government-wide. I hope to hear from our witnesses about the steps
necessary to ensure that OPM meets FISMA requirements, as well as how
other agencies are doing in this space.
More information security systems--both in the public and private
sector--will surely be subject to cyber-attacks in the future. And
while it is impossible to completely protect a connected information
security system, we must do all we can to protect the personal
information of millions of Americans and conduct the oversight to
ensure such steps are taken. This hearing is the beginning of a
conversation on how we can do that and we must make sure that we follow
through with action.
I look forward to our discussion this afternoon. Thank you and I
yield back the balance of my time.
Chairwoman Comstock. Thank you, Mr. Lipinski.
And I now recognize the Chair of the Oversight
Subcommittee, the gentleman from Georgia, Mr. Loudermilk, for
his opening statement.
Mr. Loudermilk. Thank you, Chairwoman Comstock, for holding
this very important hearing on an issue that hits close to home
for you, as many--as others in this country.
I'd like to thank our witnesses for being here today in
order to help us understand what seems to be an epidemic of
cyber attacks. I look forward to discussing what needs to
be done to prevent similar attacks from occurring in the
future.
Now, it isn't a priority, nor should it be a priority for
us just to address this because it affects some of us that are
up here, but it's because it affects the American people. And
unfortunately, this Administration has failed to provide
Americans with any level of confidence that it will adequately
protect their personal information when trusted with it.
As we have witnessed over the past few months, there has
been a concerning pattern of security breaches involving
government computer systems. This includes the recent, massive
data breach of the Office of Personnel Management disclosing
personal and official information that could potentially harm
our national security. For an Administration that touts that it
has ``prioritized the cybersecurity of federal departments and
agencies,'' we have instead witnessed a government that is
unable to properly secure its computer systems and protect
sensitive information.
The situation at OPM is exactly why the subcommittee that I
chair is looking into the collection of America's--Americans'
personal data through the HealthCare.gov website. In that
situation, it appears that Social Security numbers, dates of
birth, names, mailing addresses, phone numbers, financial
accounts information, military status, employment status,
passport numbers, and taxpayer IDs are being retained. This
information is being stored in a data warehouse that is
intended to provide reporting and performance metrics related
to the Federally Facilitated Marketplace and other
HealthCare.gov-related systems.
In the situation of the data warehouse, the Administration
never appeared to be forthright about the use and storage of
personally identifiable information on HealthCare.gov. The
Administration has yet to explain the reason for indefinitely
storing user information, particularly of the users of the
website who input their data to log in but do not end up
enrolling.
While this Administration has claimed that cybersecurity is
a priority, their actions on this and other issues regarding
protecting the American people suggest the priorities are only
lip service. From ending the Secure Cities program to storing
critical information on American citizens without their
approval or knowledge, this Administration is proving through
their actions that protecting the American people is far from
being on their list of priorities.
If that data warehouse is being protected in the same way
that OPM was protecting personal information, action needs to
be taken now to avoid putting the American people at
significant personal risk. With many Americans being forced
into the government healthcare exchange, a breach of this
system could end up having millions affected, just like the OPM
data hack.
The Government Accountability Office has included the
cybersecurity of federal information systems on its list of
high risk areas since 1997, so this isn't something new. Why,
then, are we sitting here almost 20 years later, wondering why
our federal information systems are not being adequately
secured?
In the most recent GAO High Risk Series report, it says
that ``Inspectors General at 22 of the 24 agencies cited
information security as a major management challenge for their
agency. For fiscal year 2014, most of the agencies had
information security weaknesses in the majority of five key
control categories.'' As Chairman of this subcommittee--this
Committee's Oversight Subcommittee, I want to find the truth
behind this reckless behavior that is threatening the safety
and security of the American people. These actions--or rather,
lack of actions--put the future of our nation at great risk and
must stop.
I look forward to today's hearing, which I anticipate will
inform us more about the recent OPM breach and the current
state of our federal information systems. We owe it to the
American people to ensure that their personally identifiable
information is safe and protected from cybercriminals.
And with that, Madam Chair, I yield back.
[The prepared statement of Mr. Loudermilk follows:]
Prepared Statement of Oversight Subcommittee
Chairman Barry Loudermilk
Thank you, Chairwoman Comstock, for holding this very important
hearing on an issue that hits too close to home for you as well as many
others in this country. I would like to thank our witnesses for being
here today in order to help us understand what seems to be an epidemic
of cyber-attacks. I look forward to discussing what needs to be done to
prevent similar attacks from occurring in the future.
Unfortunately, this Administration has failed to provide Americans
with any level of confidence that it will adequately protect their
personal information when entrusted with it. As we have witnessed over
the past few months, there has been a concerning pattern of security
breaches involving government computer systems. This includes the
recent, massive data breach of the Office of Personnel Management
(OPM)--disclosing personal and official information that could
potentially harm our national security. For an Administration that
touts that it has ``prioritized the cybersecurity of federal
departments and agencies,'' we have instead witnessed a government that
is unable to properly secure its computer systems and protect sensitive
information.
The situation at OPM is exactly why the Subcommittee that I Chair
is looking into the collection of Americans' personal data through the
HealthCare.gov website. In that situation, it appears that social
security numbers, dates of birth, names, mailing addresses, phone
numbers, financial accounts information, military status, employment
status, passport numbers, and taxpayer IDs are being retained. This
information is being stored in a ``data warehouse that is intended to
provide reporting and performance metrics related to the Federally
Facilitated Marketplace (FFM) and other Healthcare.gov-related
systems.''
In the situation of the data warehouse, the Administration never
appeared to be forthright about the use and storage of personally
identifiable information on HealthCare.gov. The Administration has yet
to explain the reason for indefinitely storing user information,
particularly of the users of the website who input their data to log
in, but do not end up enrolling.
If that data warehouse is being protected in the same way that OPM
was protecting personal information, action needs to be taken now to
avoid putting the American people at significant personal risk. With
many Americans being forced into the government health care exchange, a
breach of this system could end up having millions affected, just like
the OPM data hack.
The Government Accountability Office (GAO) has included the
cybersecurity of federal information systems on its list of high risk
areas since 1997, so this isn't something new. Why, then, are we
sitting here almost twenty years later, wondering why our federal
information systems are not being adequately secured? In the most
recent GAO High Risk Series report, it says that `` . . . inspectors
general at 22 of the 24 agencies cited information security as a major
management challenge for their agency. For fiscal year 2014, most of
the agencies had information security weaknesses in the majority of
five key control categories.''
As the Chairman of this Committee's Oversight Subcommittee, I want
to find the truth behind this reckless behavior that is threatening the
safety and security of the American people. These actions--or rather,
lack of actions--put the future of our nation at great risk, and must
stop.
I look forward to today's hearing, which I anticipate will inform
us more about the recent OPM breach and the current state of our
federal information systems. We owe it to the American people to ensure
that their personally identifiable information is safe and protected
from cybercriminals.
Chairwoman Comstock. Thank you, Chairman Loudermilk.
And I now recognize the Ranking Member of the Subcommittee
on Oversight, the gentleman from Virginia, my colleague Mr.
Beyer, for his opening statement.
Mr. Beyer. Thank you, Madam Chair. And thank you, Chairs
Comstock and Loudermilk, for holding this hearing today,
incredibly timely and--because, you know, earlier today
obviously New York Stock Exchange, United Airlines, the Wall
Street Journal all suffering from computer glitches that has
disrupted their computer networks. And whether this turns out
to be intentional or whether--or not, it certainly highlights
the potential vulnerabilities of our digital dependence. And
today's hearing obviously is about Office of Personnel
Management.
Deterring, detecting, and defending against the multitude
of online threats that constantly lurk in the cyberspace domain
is a critical issue for federal agencies and the federal
government and the private sector alike. Last year alone,
federal agencies reported nearly 70,000 individual computer
security incidents to the U.S. Computer Emergency Readiness
Team, or CERT. During the same time period, October 1, 2013, to
September 30, 2014, nonfederal entities reported more than
570,000 incidents and many other incidents are potentially not
identified or even not reported at all. Cyber threats are
constant, they're evolving, they're very sophisticated, and
many pose serious distress to companies, agencies, and
individuals.
The two recent data breaches at OPM are particularly
important to me and to my constituents. Representing a
Congressional District just outside the Nation's capital, many
of my constituents are federal employees who may have had their
personal data compromised as a result of these intrusions. One
of those attacks is believed to have compromised the personal
information of more than four million people and the other, up
to 14 million people. And I'm particularly troubled that the
data that was reportedly accessed included not just the
personnel files but the security files of our defense, homeland
security, and intelligence community employees. This could
potentially jeopardize the financial security, personal safety,
and ultimately the secrets that are entrusted to help protect
the Nation.
While the facts of this case are still being unraveled,
including the motive for the attack, the identity of the
perpetrators and the potential damage they may have caused, we
should understand, too, that the federal government is not
alone in being the victim of cyber attacks. In the past year
hundreds of millions of personal records have been compromised
by hackers targeting J.P. Morgan Chase, eBay, Home Depot,
Target, and other private companies. I seem to receive a new
credit card or debit card about every 6 weeks from my bank with
a note telling me that the card has been compromised yet again.
When I was in Switzerland, a State Department computer was
hacked in one year, the Defense Department the next. The
newspapers blamed China and Russia. Still, the OPM was
significant and I'm particularly impacted--concerned about the
impact this has on the morale of a federal workforce that
recently has endured, through no fault of their own, a
government shutdown, forced furloughs, staffing cuts, pay
freezes. These government employees now have the added insult
of a breach of their personal data.
Agency heads should also be mindful and accommodating of
the impact of federal employees who need time off to mitigate
the fallout from this hack. And I encourage OPM to communicate
with all agencies to ensure that workers are accommodated so
they can visit their banks, Social Security offices, creditors
in order to deal with the repercussions of the breach.
I know every time I get a new card, I get four or five
people that don't get paid because the card numbers change and
then they call and--I know it upsets my wife terribly.
I'm also concerned that the reports of this attack suggest
it may have been the result of individuals with ties to foreign
entities and that particularly a private company working for
the government as a security contractor may have been the weak
link in the chain of events that led to the successful attack.
We're making steady, slow progress in fortifying our cyber
defenses from potential attack. According to OMB's annual
report on FISMA sent to Congress in February, there's been
monitoring--improvement in federal agencies implementing
continuous monitoring of their networks and the authentication
of their users, for instance, but these results are not good
enough. I know everyone on the panel here is interested in
learning what we can do to strengthen the system as quickly as
possible, as strongly as possible, recognizing that we're never
going to have 100 percent security, that the creative hackers,
ever younger, will figure out additional ways around it. How
can we create the very best advice on closing cybersecurity
holes if and when they exist and then augmenting our security
defenses against them?
So I very much look forward to your testimony and your
advice, and Madam Chair, I yield back.
[The prepared statement of Mr. Beyer follows:]
Prepared Statement of Subcommittee on Oversight
Minority Ranking Member Donald S. Beyer, Jr.
Thank you Chairs Comstock and Loudermilk for holding this hearing
today. I believe this is an important hearing and I look forward to
hearing from our witnesses. I believe this is an important and timely
hearing. Earlier today it was reported that the New York Stock
Exchange, United Airlines and Wall Street Journal are all suffering
from a ``computer glitch'' that has disrupted their computer networks.
Whether this event is determined to be intentional or not it highlights
the potential vulnerability of our digital dependence. Today's hearing,
however, is about another computer incident at the Office of Personnel
Management or OPM.
Deterring, detecting and defending against the multitude of on-line
threats that constantly lurk in the cyberspace domain is a critical
issue for the federal government and private sector alike. Last year
alone federal agencies reported nearly 70,000 individual computer
security incidents to the U.S. Computer Emergency Readiness Team or
CERT. During the same time period, from October 1, 2013 to September
30, 2014, non-Federal entities reported more than 570,000 incidents and
many other incidents are potentially not identified and others not
reported at all.
Cyber threats are constant and evolving, some are very
sophisticated and many pose serious distress to companies, agencies and
individuals. The two recent data breaches of the Office of Personnel
Management (OPM) are particularly important to me and my
constituents. Representing a congressional district just outside the
nation's Capital many of my constituents are federal employees who may
have had their personal data compromised as a result of these
intrusions. One of those attacks is believed to have compromised the
personal information of more than 4 million individuals and the other
is suspected to have compromised the data of as many as 14 million
people. I am particularly troubled that the data that was reportedly
accessed included not just the personnel files but the security files
of our defense, homeland security and intelligence community employees.
This could potentially jeopardize their financial security, personal
safety and ultimately the secrets they are entrusted to help protect
for our Nation.
While the facts of this case are still being unraveled, including
the motive for the attack, the identities of the perpetrators and the
potential damage they may have caused, we should understand too that
the federal government is not alone in being victim to cyberattacks. In
the past year, hundreds of millions of personal records have been
compromised by hackers targeting JP Morgan Chase, Ebay, Home Depot and
other private companies.
Still, the OPM breach was significant. I am concerned for the
personal and professional impact of this breach on our dedicated
federal workforce, particularly those involved in the national security
arena. It should not be understated the impact this has on the morale
of a workforce that has recently endured--through no fault of their
own--a government shutdown, forced furloughs, staffing cuts, and pay
freezes. These government employees now have the added insult of a
breach of their personal data.
Agency heads should also be mindful and accommodating of impacted
federal employees who need time off to mitigate the fallout from the
hack. I encourage OPM to communicate with all agencies to ensure
workers are accommodated so that they can visit their banks, Social
Security offices, and creditors in order to deal with the repercussions
of the breach.
I am also concerned that reports of this attack suggest it may have
been the result of individuals with ties to foreign entities and I am
concerned that it appears a private company working for the government
as a security contractor may have been the weak link in the chain of
events that ultimately led to a successful attack.
The federal government is making steady, but slow progress in
fortifying our cyber defenses from potential attack. According to the
Office of Management and Budget's (OMB's) annual report on the Federal
Information Security Management Act (FISMA) sent to Congress in
February there has been improvement in federal agencies implementing
continuous monitoring of their networks and the authentication of their
users, for instance. But the results are still not good enough. Federal
Agencies need to do a better job meeting the IT security criteria
demanded by compliance with FISMA and they need to apply the cyber
security standards recommended by the National Institute of Standards
and Technology (NIST) to their networks. At the same time, Congress and
the public need to realize that no matter how well protected an Agency
or private entity is that they will never be 100-percent secure and
that data breaches are bound to occur in the future.
I hope our witnesses can help provide us with advice on closing
cyber-security holes when and where they exist and augmenting our
security defenses against them.
With that I yield back.
Chairwoman Comstock. Thank you, Mr. Beyer. And thank you
for your leadership on this, too, and being upfront on it.
I now recognize the Chairman of the full committee, Mr.
Smith.
Chairman Smith. Thank you, Madam Chair.
Today's hearing highlights the latest and, so far, the most
extensive cybersecurity failure by a federal agency, the theft
of millions of federal employee records from the Office of
Personnel Management.
National defense in our digital age no longer just means
protecting ourselves against enemies who attack with
traditional weapons. It now means protecting America from those
who launch cyber attacks against our computers and networks,
invading our privacy and probably endangering lives.
But it is about much more than solely the invasion of
privacy or the burden to our economy. This is a national
security concern, as these breaches expose information about
members of our military and employees of national security
agencies.
A number of federal agencies guard America's cybersecurity
interests. Several are under the jurisdiction of the Science
Committee. These include the National Science Foundation, the
National Institute of Standards and Technology, the Department
of Homeland Security's Science and Technology Directorate, and
the Department of Energy. All of these agencies support
critical research and development to promote cybersecurity and
set federal standards. However, it is clear that too many
federal agencies like OPM fail to meet the basic standards of
information security, and no one is being held accountable.
Last year audits revealed that 19 of 24 major federal
agencies failed to meet the basic cybersecurity standards
mandated by law. And yet the Administration has allowed
deficient systems to stay online. What are the consequences
when a federal agency fails to meet its basic duties to protect
sensitive information? So far it seems the only people
penalized are the millions of innocent Americans who have had
their personal information exposed. It will be some time before
we know the full extent of the damage to personal and national
security caused by the OPM breach of security. But we do know
that it is critical that we prevent further attacks on
America's cyber systems.
The federal government failed in its responsibility to keep
sensitive and personal information secure, and Americans
deserve better. The Science Committee will continue its efforts
to support the research and development essential to strengthen
our Nation's cyber defenses. We will also continue to demand
better answers from OPM on the extent of this breach.
The Director of the Office of Personnel Management recently
testified: ``I don't believe anyone (at OPM) is personally
responsible.'' That is not believable. In fact, it's an insult
to the American people who pay her salary. The government
should be accountable to the people, and this committee will
continue to demand answers about who is responsible for failing
to keep Americans' sensitive information secure. I hope we can
use lessons learned from the OPM breach to help find solutions
to prevent the next attack.
I look forward to hearing from our witnesses today and I'll
yield back.
[The prepared statement of Chairman Smith follows:]
Prepared Statement of Committee Chairman Lamar S. Smith
Thank you Madam Chair. Today's hearing highlights the latest and so
far the most extensive cybersecurity failure by a federal agency--the
theft of millions of federal employee records from the Office of
Personnel Management (OPM).
National defense in the digital age no longer just means protecting
ourselves against enemies who attack with traditional weapons. It now
means protecting America from those who launch cyber-attacks against
our computers and networks, invading our privacy and probably
endangering lives.
But it is about much more than solely the invasion of privacy or
the burden to our economy. This is a national security concern as these
breaches expose information about members of our military and employees
of national security agencies.
A number of federal agencies guard America's cybersecurity
interests. Several are under the jurisdiction of the Science Committee.
These include the National Science Foundation, the National Institute
of Standards and Technology, the Department of Homeland Security's
Science and Technology Directorate, and the Department of Energy.
All of these agencies support critical research and development to
promote cybersecurity and set federal standards. However it is clear
that too many federal agencies like OPM fail to meet the basic
standards of information security--and no one is being held
accountable.
Last year audits revealed that 19 of 24 major federal agencies
failed to meet the basic cybersecurity standards mandated by law. And
yet the Administration has allowed deficient systems to stay online.
What are the consequences when a federal agency fails to meet its
basic duties to protect sensitive information? So far it seems the only
people penalized are the millions of innocent Americans who have had
their personal information exposed.
It will be some time before we know the full extent of the damage
to personal and national security caused by the OPM breach of security.
But we do know that it is critical that we prevent further attacks on
America's cyber systems.
The federal government failed in its responsibility to keep
sensitive and personal information secure, and Americans deserve
better.
The Science Committee will continue its efforts to support the
research and development essential to strengthen our Nation's cyber
defenses. We will also continue to demand better answers from OPM on
the extent of this breach.
The Director of the Office of Personnel Management recently
testified: ``I don't believe anyone (at OPM) is personally
responsible.'' That is not believable. In fact, it's an insult to the
American people who pay her salary.
The government should be accountable to the people, and this
Committee will continue to demand answers about who is responsible for
failing to keep Americans' sensitive information secure.
I hope we can use lessons learned from the OPM breach to help find
solutions to prevent the next attack. I look forward to hearing from
our witnesses today and yield back.
Chairwoman Comstock. Thank you, Mr. Chairman.
And if there are Members who wish to submit additional
opening statements, your statements will be added to the record
at this point.
Now at this time I would like to introduce our witnesses.
Michael Esser is the Assistant Inspector General for Audits at
the Office of Personnel Management. In this role, Mr. Esser is
responsible for overseeing audits of OPM's information systems.
Prior to joining the office in 1991 he worked in northern
Virginia as a CPA. Mr. Esser holds a bachelor of science degree
in accounting and a master's degree in business administration
from George Mason University.
Our second witness today is David Snell, Director of the
Federal Benefits Service Department for the National Active and
Retired Federal Employees Association, which represents some
300,000 active and retired federal employees and their spouses.
Before joining there, Mr. Snell worked for nearly three decades
at OPM ending his career there as Chief of Retirement Benefits
Branch. He holds a bachelor of science degree from George Mason
University. We have a theme here. Great university.
Our third witness today is Dr. Charles Romine, Director of
the Information Technology Laboratory at the National Institute
of Standards and Technology. This program develops and
disseminates standards for security and reliability of
information systems, including cybersecurity standards and
guidelines for federal agencies like OPM. Dr. Romine has
previously served as a Senior Policy Analyst at the White House
Office of Science and Technology Policy and as a Program
Manager at the Department of Energy's Advanced Scientific
Computing Research Office. Dr. Romine received his bachelor's
degree in mathematics and his Ph.D. in applied mathematics from
the University of Virginia.
Today's final witness is Dr. Gregory--let me get this
right--Wilshusen. Okay. Mr. Wilshusen is the Director of
Information Security Issues at the U.S. Government
Accountability Office. Prior to joining GAO in 1997, Mr.
Wilshusen was a Senior Systems Analyst at the Department of
Education. He received his bachelor's degree in business
administration from the University of Missouri--I guess the
non-Virginia university here--and his master of science in
information management from George Washington University, close
enough.
In order to allow time for discussion, please limit your
testimony to five minutes. Your entire written statement will
be made part of the record.
I now recognize Mr. Esser for five minutes to present his
testimony.
TESTIMONY OF MR. MICHAEL R. ESSER,
ASSISTANT INSPECTOR GENERAL FOR AUDITS,
OFFICE OF PERSONNEL MANAGEMENT
Mr. Esser. Chairwoman, Chairman, Ranking Members, and
Members of the Committee, good afternoon. My name is Michael
Esser and I am the Assistant Inspector General for audits at
the U.S. Office of Personnel Management. Thank you for inviting
me to testify at today's hearing on the IT security work done
by my office at OPM.
OPM has a long history of systemic failures to properly
manage its IT infrastructure, which may have ultimately led to
the recent data breaches. We are pleased to see that the agency
is taking steps to improve its IT security posture but many
challenges still lie ahead.
To begin, I would like to discuss some of the findings from
our annual audits under the Federal Information Security
Management Act, known as FISMA. We have identified three
general areas of concern which are discussed in detail in my
written testimony.
The first area is information security governance. This is
the management structure and processes that form the foundation
of a successful security program. It is vital to have a
centralized governance structure. OPM has made improvements in
this area but it is still working to recover from years of
decentralization.
The second area is security assessments and authorizations.
This is a comprehensive assessment of each IT system to ensure
that it meets the applicable security standards before allowing
the system to operate. Our 2014 FISMA audit found that 11 of
OPM's 47 major systems were operating without a valid
authorization. Because of actions taken by the CIO in April
2015 we expect this number to more than double by the end of
fiscal year 2016.
The third area is technical security controls. OPM has
implemented a variety of controls to make the agency's IT
systems more secure. However, these tools must be used properly
and must cover the entire IT environment. Our FISMA audit last
year found that they were not.
These areas represent fundamental weaknesses in OPM's IT
security program that have been reported to the OPM Director,
OMB, and the Congress for many years. The fact that these
longstanding issues were allowed to continue for so long
without being taken seriously raises questions about the
inherent effectiveness of the original FISMA legislation and
implementing guidelines.
Since 2002 the IGs have been reviewing their agencies'
information security programs, but the reporting guidelines
from OMB were focused on compliance with specific security
areas and lacked perspective on the overall effectiveness of
the agency's program.
The FISMA Modernization Act of 2014 shifts the focus from
review and compliance to assessing effectiveness of security
controls. In addition, a new maturity model approach to
evaluating the state of agencies' continuous monitoring
programs was introduced in this year's FISMA reporting
instructions for OIGs. These new developments should go a long
way toward improving the IT security programs of federal
agencies. OMB and DHS should also work toward making the OIG
FISMA reporting metrics more reflective of the current risks
and threats and further adopting the maturity model approach
for other reporting domains.
I would also like to take a moment to discuss e-QIP, the IT
system that OPM uses to collect information related to federal
background investigations. Just last week, OPM disabled the
system due to serious vulnerabilities detected in the design of
the database and public facing website. While we agree with the
actions taken, OPM has known about vulnerabilities in the
system for years but has not corrected them. During the 2012
security assessment and authorization process for e-QIP, an
independent assessor identified 18 security vulnerabilities
which still remain open and unaddressed today. We believe this
is an example of the importance of the security assessment
process and also of OPM's historical negligence of IT security
in general.
Moving forward, OPM is undertaking a massive infrastructure
improvement project which, when completed, should significantly
improve the agency's IT security posture. However, we
identified several concerns related to OPM's failure to follow
proper project management processes and the agency's use of a
sole-source contract. These are discussed in more detail in my
written testimony.
We fully support OPM's modernization efforts but we are
concerned that if this project is not done correctly, the
agency will be in a worse situation than it is today and
millions of taxpayer dollars will have been wasted.
Thank you for your time and I'm happy to answer any
questions.
[The prepared statement of Mr. Esser follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you.
And I now recognize Mr. Snell for five minutes to present
his testimony.
TESTIMONY OF MR. DAVID SNELL, DIRECTOR,
FEDERAL BENEFITS SERVICE DEPARTMENT,
NATIONAL ACTIVE AND RETIRED FEDERAL
EMPLOYEES ASSOCIATION
Mr. Snell. Thank you. Good afternoon and thank you for
inviting me to testify. I appreciate the opportunity to express
NARFE's views regarding the recent data breaches at the Office
of Personnel Management, OPM. We are deeply concerned over the
failure of the federal government to protect its personnel
computer systems and the devastating impact the recent breaches
of these systems may have on national security, as well as on
the financial and personal security of millions of current and
former federal employees.
Let me be clear. The potential consequences of these
breaches are severe. The personal records obtained through the
data breaches include the highly personal and sensitive
information of millions of current and former employees and
even applicants for federal employment. The extent of the
breaches is enormous, likely reaching beyond 18 million
individuals.
Possession of the information contained in the Standard
Form 86, a 120-page security clearance form containing an
applicant's life history, could give our enemies the means to
attempt to corrupt or blackmail government employees and
compromise military and intelligence secrets. Moreover, it
could make public servants vulnerable to grave risks to their
personal security and that of their families and loved ones.
While the perpetrators of this act bear the obvious and
primary fault in this matter, the federal government, including
both the Administration and Congress, has an obligation to do
its best to protect the sensitive information its employees and
job applicants are required to disclose as a condition of
employment. It failed to meet that obligation.
Despite explicit warnings by Inspectors General since 1997,
OPM failed to put in place adequate safeguards for both its
aged and newer computer systems. This permitted the theft of
massive amounts of personally identifiable information. Even
now, the current OPM Inspector General issued a flash audit of
OPM's plans to improve its data security and found them to have
``a very high risk of project failure.''
Our government has failed its employees. It is imperative
to act swiftly and ensure an incident of this magnitude does
not repeat itself. The Congressional oversight and response,
including this hearing, is a good start, but we need continued
vigilant efforts to improve the federal government's
information technology and data security for the future.
The federal government, including both the Administration
and Congress, now has an obligation to remedy to the best of
its ability what has transpired. This should have started with
effective communication with federal employees, retirees, and
others affected by the breaches and the organizations that
represent them. Unfortunately, communication has fallen short
of expectations. While OPM has provided notice to those
affected by the breach announced June 4 and has communicated
with organizations in that regard, it has thus far failed in
its basic duty to inform individuals affected by the second and
more troubling breach announced June 12 and continues to fail
to answer many important questions about both breaches. The
failure of OPM to safeguard personal information should not be
compounded by deflecting questions.
Our written testimony details many of the questions we are
still seeking answers to regarding the details of exactly what
data has been accessed. The federal community and everyone
affected by the data have been--data breach deserves answers to
these questions.
In addition, to better communication, the federal
government should provide lifetime credit monitoring and
additional identity theft insurance. The 18 months of credit
monitoring offered by OPM is woefully inadequate. The depth of
personal information exposed is enormous and the threat to
individuals extends way beyond 18 months. It is only fair to
provide financial protection in line with the threat that has
been posed. Furthermore, Congress should appropriate funds
necessary to provide this protection.
The question posed in the title of this hearing ``Is This
the Tip of the Iceberg?'' is a valid one. While I cannot answer
that, I will say I certainly hope not. The recent breaches
should be a wake-up call to this country and its leaders about
the dangers of cyber terrorism and the critical need to protect
our government's core functions. Let's make sure this isn't the
tip of the iceberg but rather the last time our federal
government has to deal with a cybersecurity breach that threatens
the financial security of its employees.
Thank you again for the opportunity to share our views.
[The prepared statement of Mr. Snell follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, Mr. Snell.
And now, Dr. Romine, for five minutes for your testimony.
TESTIMONY OF DR. CHARLES ROMINE, DIRECTOR,
INFORMATION TECHNOLOGY LABORATORY,
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Dr. Romine. Chairwoman Comstock, Chairman Loudermilk,
Ranking Member Lipinski, Ranking Member Beyer, and Members of
the Subcommittees, I'm Dr. Charles Romine, Director of the
Information Technology Laboratory at NIST. Thank you for the
opportunity to appear before you today to discuss our
responsibilities for assisting federal agencies with
cybersecurity.
NIST has worked in cybersecurity with federal agencies,
industry, and academia since 1972. Our role, to research,
develop, and deploy information security standards and
technology to protect information systems against threats to
the confidentiality, integrity, and availability of information
and services was strengthened through the Computer Security Act
of 1987, broadened through the Federal Information Security
Management Act of 2002 or FISMA, and reaffirmed in the Federal
Information Security Modernization Act of 2014.
NIST carries out its responsibilities under FISMA through
the creation of a series of Federal Information Processing
Standards, or FIPS, and associated guidelines. Under FISMA
agencies are required to implement those FIPS. To further
assist agencies, NIST provides management, operational, and
technical security guidelines covering a broad range of
cybersecurity topics.
NIST has a series of specific responsibilities in FISMA
to--of particular relevance to today's hearing were addressed
by NIST and published as FIPS 199, the standard for security
categorization of federal information and information systems;
and FIPS 200, which sets the minimum security requirements
based on the categorization identified using FIPS 199.
NIST created baselines for these minimum security
requirements based on three levels determined in accordance
with FIPS 199: low, moderate, and high. For example, at a high
categorization, FIPS 199 states that ``the loss of
confidentiality, integrity, or availability could be expected
to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or
individuals.''
Examples of controls included in the associated baselines
then cover a range of requirements for a lifecycle of security.
For example, security awareness and training, contingency
planning, access control, system disposal, and incident
response. Once a baseline is established, NIST provides
guidance to agencies to assist in determining that the baseline
is adequate to meet their risk-based requirements.
An agency may need to enhance a given baseline to address
local risks, the agency's mission, and technical
infrastructure. For example, an agency with a real-time
monitoring system such as workstations in air traffic control
or critical patient monitoring systems might not want to use a
timed password-locked screensaver to mitigate security issues
for unattended workstations. Instead, a guard or site
surveillance system might be more appropriate to support the
mission and still meet the intent of the baseline.
Establishing a sound security baseline is not the end of
security for an agency. NIST provides standards, guidelines,
and tools for agencies to test and assess their security and
continuously monitor their implementation and new risks. The
authorization of a system by a management official is an
important quality control under FISMA. By authorizing a system,
the manager formally assumes responsibility for operating a
system at an acceptable level of risk to the agency operations
or individuals.
Under FISMA, NIST does not assess, audit, or test agency
security implementations. Congress recognized that placing such
responsibilities on NIST would impede its ability to work with
federal agency and private-sector stakeholders to develop
standards, guidelines, and practices in the open, transparent,
and collaborative manner that Congress intended.
NIST's statutory role as the developer but not the enforcer
of standards and guidelines under FISMA has ensured NIST's
ongoing ability to engage freely and positively with federal
agencies on the implementation challenges and issues they
experience in using these standards and guidelines. NIST is
committed to continue to help agency officials address their
responsibilities under FISMA to understand and mitigate risks
to their information and information systems that could
adversely affect their missions.
We recognize that we have an essential responsibility in
cybersecurity and in helping industry, consumers, and
government to counter cybersecurity threats. Active
collaboration within the public sector and between the public
and private sectors is the only way to effectively meet this
challenge leveraging each participant's roles,
responsibilities, and capabilities.
Thank you for the opportunity to testify today on NIST's
work in federal cybersecurity and I would be happy to answer
any questions that you may have.
[The prepared statement of Dr. Romine follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. Thank you, Doctor.
And I now recognize Mr. Wilshusen for five minutes to
present his testimony.
TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,
INFORMATION SECURITY ISSUES,
U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Dr. Wilshusen. Chairman Comstock, Chairman Loudermilk,
Ranking Members Lipinski and Beyer, and Members of the
Subcommittees, thank you for the opportunity to testify at
today's hearing.
The recent OPM data breaches affected millions of federal
employees. However, OPM is by no means the only agency to
suffer data breaches or face challenges securing its computer
systems and information. The number of information security
incidents both cyber and non-cyber reported by federal agencies
continues to rise, increasing from about 5,500 in fiscal year
2006 to over 67,000 in fiscal year 2014. Similarly, the number
of incidents involving personally identifiable information more
than doubled in recent years to over 27,000 in fiscal year
2014. These incidents illustrate the need for stronger
information security controls across the federal government.
Today, I will discuss several cyber threats to federal
systems, cybersecurity challenges facing federal agencies, and
governmentwide initiatives aimed at improving cybersecurity.
Before I begin, if I may, I'd like to recognize members of
my team who are instrumental in developing my statement and
some of the work underpinning it. With me today is Larry
Crosland, an Assistant Director who led this body of work. I
also want to recognize Brad Becker, Lee McCracken, Chris
Businsky, Scott Pettis, who also made significant
contributions.
Madam Chairwoman, Mr. Chairman, the federal government
faces an array of cyber-based threats to its computer networks
and systems. These threats include both targeted and untargeted
attacks from a variety of sources, including criminal groups,
hackers, disgruntled insiders, and foreign nations. These
sources vary in terms of their capabilities, willingness to
act, and motives, which can include seeking monetary gain or
pursuing an economic, political, or economic advantage.
In the grip of these threats, most federal agencies face
challenges securing their systems and networks. Agencies
continue to have shortcomings in assessing risks, developing
and implementing security controls, and monitoring results. For
example, 19 of 24 agencies covered by the Chief Financial
Officers Act reported that information security weaknesses were
either a significant deficiency or a material weakness for
financial reporting purposes. And the Inspectors General at 23
of these agencies cited information security as a major
management challenge for their agency.
Agencies also need to provide better oversight of the
security of their contractor-operated systems. Five of six
agencies we reviewed did not consistently assess their
contractors' information security practices and controls,
resulting in security lapses.
Even with effective controls, security incidents and data
breaches can still occur. Agencies need to react swiftly and
appropriately when they do. However, seven agencies we reviewed
had not consistently implemented key operational practices for
responding to data breaches involving personal information. GAO
and agency IGs have made hundreds of recommendations to assist
agencies in addressing these and other challenges. Implementing
these recommendations will help strengthen agencies' ability to
protect their systems and information.
DHS and the Office of Management and Budget have also
launched several governmentwide initiatives to enhance
cybersecurity. One such initiative is requiring stronger
authentication of users through the use of personal identity
verification, or PIV cards. However, OMB recently reported that
only 41 percent of agency user accounts at 23 civilian agencies
required PIV cards for accessing agency systems.
Another initiative, the National Cybersecurity Protection
System is intended to detect and prevent malicious network
traffic from entering federal civilian networks. GAO is
presently reviewing the implementation of this system. Our
preliminary observations indicate that the system's intrusion
detection and prevention capabilities may be useful but are
also limited.
While governmentwide initiatives hold promise for
bolstering the federal cybersecurity posture, no single
technology or set of practices is sufficient to protect against
all cyber threats. A multilayered defense-in-depth strategy
that includes well-trained personnel, effective and
consistently applied processes, and appropriate technologies is
needed to better manage cyber risks.
This concludes my oral statement. I'd be happy to answer
your questions.
[The prepared statement of Mr. Wilshusen follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairwoman Comstock. I thank the witnesses for their
testimony and for your expertise and work on this over quite a
long time.
I would like to remind Members that the Committee rules
limit our questioning to five minutes and I now recognize
myself for five minutes of questions.
A Washington Post editorial from this past Sunday, July 5,
they said the OPM Director knew as well as anyone how sensitive
the data was, yet the door to her agency was apparently left
ajar. Thieves walked out with an intelligence goldmine. This
was an unforgivable failure of stewardship that should lead to
firings for incompetence.
Mr. Esser, to your knowledge has OPM reprimanded or fired
any official over this failure to protect its employees' most
sensitive data?
Mr. Esser. I'm not aware of any.
Chairwoman Comstock. Are you aware of any discussions to
that effect?
Mr. Esser. No, I haven't heard any.
Chairwoman Comstock. Okay. Thank you.
And, Mr. Snell, really thank you for being here and
representing so many people not just here in our metropolitan
area but all across the country because this impacts our
contractors, our federal employees, so it's important for
people to understand that this is really a nationwide breach
and, you know, you're representing people who are aware of this
but there's still many more that aren't. Could you tell us what
some of their concerns and unanswered questions are and how you
think additional things that might be helpful for the employees
and from what you've heard that we might ask for to help answer
the questions that you've been getting from people?
Mr. Snell. Thank you. I'd be glad to. A lot of the folks we
hear from are members as well as others. Their main concern is
trust and trust in what they get. The information came to many
of them through email. The email address was not a government
email address. It was a .com address. They didn't know whether
to open it, they didn't know what to do with it. They had
little information. Many people have received letters. Those
people don't have internet. They didn't--they weren't able to
access the frequently asked questions and the explanations that
the Office of Personnel Management had available out there. And
so they were left in the dark.
They didn't know if they called the number, if they
contacted anybody if they could ever trust them, so we have a
lot of distrust out there. A lot of folks are scared obviously.
They don't know what's going to happen. Some folks who have not
been notified that their records were compromised are
wondering, you know, were my records compromised? Can I trust
the fact that I didn't get notice or is this another, you know,
problem? So those are the questions, those are the concerns
that we hear from our members both current federal employees
and retirees.
Chairwoman Comstock. Thank you. I appreciate that and we
look forward to continuing to work with you on identifying any
of those and how we can help answer their questions.
I was wondering, maybe a question for all of you, what kind
of things, if someone has had their information breached or
compromised, what should they be on the lookout for now? What
would be an unusual type of situation that should raise the
antenna and say this might be something I need to pay attention
to? Can you think of some scenarios just so that people can get
an idea of what they have to be on the lookout for?
Dr. Wilshusen. Sure. I'll start it off. First of all,
individuals who believe their information may have been
compromised or been notified that it has been should certainly
check their credit reports to see if there have been any new
credit accounts or charges that they're unaware of that may
have cropped up, and certainly that's probably one of the basic
things that individuals should do. They should also know that
they are entitled to receive a free credit report from each of
the three credit reporting agencies on an annual basis and
that's something that one should do on a regular basis annually
is to check each--credit reports from each of those
organizations.
Indeed, if they do receive the letter, as I have, is to
also check to see about subscribing to the service that OPM is
offering through their contractor because they, too, will
provide--or supposed to provide anyway--some surveillance on
the part of the individual.
Chairwoman Comstock. Okay.
Mr. Snell. I would add to that--and those are excellent
suggestions. I would add to that that any statement they get
regarding any other benefits they get from any other company or
government entity such as Social Security, if there's something
that has changed without their knowledge, they should report
that right away. We had one member who found out his address on
his Social Security payments had changed without his
authorization. Being this close to the events of the breaches,
of course, that member was concerned that this had been
connected. But we did report it to OPM. The OPM folks had
looked into it and decided that it was a separate incident. But
still, any kind of changes like that, people should look into.
Chairwoman Comstock. Okay. And one other thing I was
wondering, should--a lot of people don't know what's
necessarily in their personnel file. Have people asked you
about possibly having copies of their personnel file, having
copies of their background check? Because, you know, if
something starts coming up, you don't necessarily know what's
in your background check, right, or even your personnel file
even though you fill it out. Particularly with the background
checks, those people aren't going to have any idea what people
have said, right?
Mr. Snell. Right. We haven't heard from anybody--any of our
members with that particular request so--
Chairwoman Comstock. Okay. Thank you. And I now turn over
to questions from Mr. Lipinski.
Mr. Lipinski. Thank you. I want to get down to the big
question and what--in terms of what we should do moving forward
here. It's not acceptable for these data breaches to occur at
OPM, anywhere else in the government, or in the private sector.
We know--okay, we accept--we know that they can happen but I
sometimes feel like there's not enough done not just in the
public sector but the private sector to prevent these.
So my question is how do we make FISMA effective? I
understand, as Dr. Romine said, that NIST, for good reason,
only sets the standards; they're not the enforcer. So who
should be, who can be the enforcer when it comes to the federal
government? And I want to--just want to try to figure this out
so that we can get someone so we know who's accountable, who
can be held accountable, and who has the responsibility. So,
Mr. Esser, what would you recommend?
Mr. Esser. Well, one possibility is OMB. I mean we--as an
IG office we audit, we report, and we identify, you know, areas
of weakness but that's as far as our authority extends. We have
no enforcement authority. Those reports go eventually to OMB
and that could potentially be one area of enforcement.
Mr. Lipinski. Dr. Romine, do you have any recommendations?
Dr. Romine. No, I think that's right. The oversight
function, as it currently is set up under FISMA, I think is OMB
with more recently DHS providing assistance to agencies to meet
their obligations under FISMA. So I think that's the right
answer.
Mr. Lipinski. Mr. Wilshusen, do you have anything to add?
Dr. Wilshusen. Yeah, I would agree to the same extent that both
of the other witnesses mentioned, but I would also just like to
point out that under law both under the FISMA 2002 and FISMA
2014 it is clearly the responsibility of the head of each
agency to implement the appropriate information security
protections to reduce the risk and magnitude of harm that could
occur should information or information systems be compromised
through unauthorized access, use, disclosure, modification,
destruction, and disruption. And so clearly in terms of
responsibility it's the head of agencies--each agency head to
make that happen.
Mr. Lipinski. Is there anything more that you recommend
that we do? As you said, FISMA has been updated but is there
anything more that should be done with, you know, that Congress
should do with FISMA? Does anyone have any recommendations for
anything further?
Dr. Wilshusen. Well, I would just say first that I think
Congress did--went quite a distance in terms of modernizing
FISMA to include clarifying their roles and responsibilities
for information security across the federal government,
particularly with assigning responsibilities to the Department
of Homeland Security, who has now responsibility for assisting
and overseeing to an extent the implementation of security controls at
the federal agencies.
It also recognizes the need for new types of security
controls and procedures to be put in place such as continuous
monitoring, continuous diagnostics and mitigation, which is
another type of control set that, if effectively implemented,
could assist agencies in better protecting their systems,
identifying their risk, and addressing the key vulnerabilities
first.
Mr. Lipinski. Okay. Mr. Esser, did you want to add
something?
Mr. Esser. Yeah. I agree with Mr. Wilshusen, and I think
from our viewpoint, the FISMA Modernization Act of 2014 went a
long ways toward improving the situation, changing our reviews
from more of a compliance check of a yes or a no, do they
have--or do they do security controls testing to an
effectiveness test of how good are those tests and moving
towards continuous monitoring and the mature model that is
being put in place. So we think continuing to move along that
path is the right direction.
Mr. Lipinski. Anyone else have anything to add?
Good. All right. Thank you very much. I yield back.
Chairwoman Comstock. Thank you.
And I now recognize Mr. Loudermilk.
Mr. Loudermilk. Thank you, Madam Chair.
Mr. Wilshusen, as I mentioned in my opening statement, the
situation we have at OPM is exactly why my subcommittee is
investigating the collection of America's personal data through
HealthCare.gov. In September 2014, the GAO came out with a
report noting that HealthCare.gov's data warehouse system MIDAS
did not have an approved Privacy Impact Assessment that
included a thorough analysis of privacy risks. Given that MIDAS
is processing personally identifiable information and appears
to have--indefinitely storing that information, how important
is it to have an approved privacy impact statement for--or
assessment for MIDAS?
Dr. Wilshusen. I think it's vitally important because in
that it helps the agencies to identify not only the privacy
risks associated with that particular system but also
alternatives and the controls that should be in place to better
protect and help protect that information.
Mr. Loudermilk. Thank you.
Dr. Wilshusen. And we recommended--we also noted that not
only had CMS not effectively implemented--or designed a policy
impact assessment for MIDAS but for other systems connected
with HealthCare.gov.
Mr. Loudermilk. Do you know if an assessment is done since
the September report?
Dr. Wilshusen. We just received information from--we
actually made a recommendation that in their Privacy Impact
Assessment that they assess these privacy risks and today we
believe that recommendation is still open----
Mr. Loudermilk. So do they----
Dr. Wilshusen. --and not fully implemented by----
Mr. Loudermilk. They have not--is that concerning?
Dr. Wilshusen. Well, we believe they should do that, yes.
Mr. Loudermilk. Okay. When you looked into the MIDAS system
as part of the HealthCare.gov review, was it known to you that
personally identifiable information of individuals who signed
up on the HealthCare.gov website would be indefinitely stored?
Dr. Wilshusen. It was known that initially the CMS
officials indicated that personally identifiable information
may not be stored and it--but then they acknowledged that it
would be and it was because of that acknowledgement that
personally identifiable information would be stored in MIDAS,
that the need for assessing those privacy risks is important as
part of a Privacy Impact Assessment.
Mr. Loudermilk. Okay. So the fact that they indicated that
they intended to store this PII information is really what
catapulted this assessment, the need for the assessment? Is
that what you're saying?
Dr. Wilshusen. Right. Any new development or system should
have a Privacy Impact Assessment if personally identifiable
information is going to be collected, stored, or disseminated
through that system.
Mr. Loudermilk. Is it normal for the federal government to
store PII information on websites or information obtained
through websites?
Dr. Wilshusen. I would say that that is normal for agencies
to store personally identifiable information, some of which may
be obtained through a website, but we--I have not looked at
that specifically with regard to collection of information
through websites.
Mr. Loudermilk. Okay. I appreciate that. Also, GAO has
listed the security of our federal cyber assets on its high-
risk list since 1997. It's been almost 20 years. Does it remain
on the high-risk list to this day because of evolving threats
to federal information systems or is it because federal
agencies have not been able to learn how to properly protect
these systems?
Dr. Wilshusen. I would say both----
Mr. Loudermilk. Okay.
Dr. Wilshusen. --because certainly there's an inherent risk
to agency systems because of the evolving threats and just the
complexity of the systems that agencies develop and operate
because many--much of the software that agencies use have
vulnerabilities in it, some discovered, some undiscovered. But
at the same time it's incumbent upon federal agencies to
implement the appropriate security controls to mitigate those
risks to--at a cost-effective and acceptable level. And we
found that agencies have not consistently implemented
agencywide information security programs to mitigate that risk
effectively.
Mr. Loudermilk. Is it because of--it's a lack of priority
for a lot of these agencies?
Dr. Wilshusen. In some cases it might be but it's also in
other cases I believe it's just to the fact that there are a
number of actions that agencies just haven't really taken that
they need to take such as installing patches in a timely manner
and assuring that known vulnerabilities are ameliorated in a
timely manner.
Mr. Loudermilk. Can you tell me who's ultimately
accountable for the cybersecurity of our federal government?
Dr. Wilshusen. Accountable or responsible? You know, I have
to say in terms of at least for federal agencies, the agency
head is responsible for implementing effective security
controls and that's under law under FISMA. At the same time in
terms of accountable that's harder to measure because to my
knowledge it's difficult to see what accountability mechanisms
are in place to assure that individuals are effectively
securing systems. That could be done through personnel
performance expectations, but in terms of individuals being
held to account for that is somewhat uncertain.
Mr. Loudermilk. I see I'm out of time. One quick question
if I may, Madam Chair.
Chairwoman Comstock. We're just tight because we're going
to have votes.
Mr. Loudermilk. Okay.
Chairwoman Comstock. We want to squeeze everybody in.
Mr. Loudermilk. On a scale grading like elementary school A
to F, our federal cybersecurity, how do you grade it?
Dr. Wilshusen. D.
Mr. Loudermilk. D minus from the way I hear that?
Dr. Wilshusen. I'll go with D because in many respects
there are improvements within federal information security and
some of the initiatives but it's getting to the effective
implementation of those security controls and the--some of the
initiatives. Over time, consistently, that's been proved
challenging.
Mr. Loudermilk. Thank you very much. Thanks to all the
panel.
Chairwoman Comstock. Thank you.
I now recognize Mr. Beyer for five minutes.
Mr. Beyer. Thank you, Madam Chair.
Mr. Snell, do you know how long it takes to have a negative
report, a so-called derogatory report on your credit report
drop off?
Mr. Snell. [Nonverbal response.]
Mr. Beyer. Okay. Well, six to eight years. I only bring
that up because it's a long time.
Mr. Snell. It is a long time.
Mr. Beyer. And I want to bring--call attention to something
that you mentioned in your written report where you say ``the
federal government should offer identity theft insurance,
should offer credit monitoring services for the lifetime of
anyone affected, and increase the amount of identity theft
insurance provided in certain circumstances. Unlimited coverage
may be required.'' I just want all of us to highlight that
because this is I think really an initiative that we can bring
as Democrats and as Republicans on Oversight to this issue.
Mr. Snell. Well, thank you.
Mr. Beyer. So thank you for bringing that up because it--by
the way, the other rhetorical question, do you know how long it
takes them to fix something that's wrong on a credit report,
which is like impossible? So----
Mr. Snell. It's a nightmare.
Mr. Beyer. Yes.
Mr. Esser, your testimony was pretty devastating, all the
things that didn't get fixed that were identified year in and
year out within OPM. And I'm just baffled by it. Do you have
any idea why? Is this a series of CIOs who didn't respond? Is
it a series of Directors, Democrat, Republican administrations
that didn't respond? Does any of it come back to us on Congress
because we didn't allocate the resources necessary, the
hardware, the software, the staffing to make all this happen?
For example, you mentioned in there that OPM has decided they
needed a legacy system. With legacy systems, you couldn't go
back and tinker with them one by one; you had to do an
overhaul. Help us understand this lack of leadership and lack
of action on something that you guys as Inspectors General had
clearly identified.
Mr. Esser. I would have to guess it's a combination of
factors. Certainly, there's been, you know, different directors
and different CIOs during the time period that we've reported
material weaknesses in IT security. You know, so, you know, if
you look at the current Director, she wasn't there when this
all started. The current CIO wasn't there when this all
started. But at the same time there's been current issues that
we've reported that, you know, they also haven't gotten
addressed in a timely fashion that we would like to see them
addressed.
Resources I think is always an issue but it's not the sole
answer. I think sometimes we feel like things that we report
don't get the attention that they should get. We've had, you
know, weaknesses that have been outstanding for, you know,
years and years and years and that just shouldn't be.
Mr. Beyer. All right. Well, thank you. Thank you, Mr.
Esser.
Dr. Romine, did I say that right?
Dr. Romine. [Nonverbal response.]
Mr. Beyer. On NPR this morning they were talking about the
difficulty that our military and our intelligence units are
having with ISIS encrypting messages between their potential
recruits. Can we use this encryption for federal government
data?
Dr. Romine. I don't know what encryption they're using but
we do have access to strong encryption, and in fact NIST in my
laboratory has been in the encryption space for decades now
starting with the original DES, Data Encryption Standard, that
was developed through NIST.
We certainly recognized--our guidance provides input that
encryption is a very powerful tool for securing information.
It's not the only one in the arsenal but it is a very effective
one and often not very costly. And so I think certainly it's an
avenue for protecting the data.
Mr. Beyer. You know, I know you're not responsible for the
private sector and it seems that you clearly have developed
some very thoughtful guidelines and protocols for how the
federal government should work. Do you have any sense of
whether the federal government leads or lags the private sector
in terms of cybersecurity, data encryption, all the things
we're talking about today?
Dr. Romine. So I think there are bright spots in both
cases. I mean I think there are--it's uneven in the private
sector just as it's uneven in the federal government as well. I
will say that the guidelines and the standards that we issue
that are principally intended for the federal government are
often picked up by the private sector because of the quality of
those guidelines and standards. And in fact we depend on the
private sector to participate and provide us with input. We
have a multiphase comment period for almost all of our
guidelines so that we get the best minds in the private sector
and public sector to contribute.
Mr. Beyer. Thank you.
Madam Chair, I yield back.
Chairwoman Comstock. Thank you.
I now recognize Mr. Johnson for five minutes.
Mr. Johnson. Thank you, Madam Chairman. And, gentlemen,
thank you for joining us today.
I--you know, cybersecurity and the kind of attack that we
saw on OPM I think--and I believe I read it here somewhere
earlier today--is just the tip of the iceberg. As a 30-year IT
professional myself, I firmly understand that as long as
computers are working off of 1s and 0s, the bad guys are going
to be out there trying to get in. And the battle space is huge
and our ability to protect it is going to require constant
vigilance. It's not a problem that has--it's not a race that
has a finish line because as soon as we get to one point, the
goalposts are moved and the game strategy changes.
And I spent a lot of my time helping to educate and inform
those that will listen so that we understand. But this is a big
issue and communications and computing technologies are
foundational to our economy and to virtually every industry
that supports our economy, including our own national security.
So it's a really big issue.
Mr. Esser, the OPM Director has stated that some of OPM's
network systems are so old that it has been difficult if not
impossible to upgrade and encrypt them. How credible is that
explanation and how many of the OPM systems that were hacked
were these old legacy systems versus more modern ones capable
of encryptions and upgrades?
Mr. Esser. I don't have an exact count of how many are
legacy systems and how many are modern. There is a lot of
credibility to what she says. There are old systems at OPM that
it is difficult to bring into the modern area of security, not
that it can't be done but it can be difficult. But our
understanding is that at least a few of the systems that were
hacked are more modern systems that certainly, you know, modern
encryption techniques and other security techniques could have
been implemented on.
Mr. Johnson. Right. Okay. Well, a complete overhaul of the
existing IT infrastructure at OPM could take years, right? Do
you believe that there are intermediate steps OPM could take to
address security needs in the short-term?
Mr. Esser. There are and they have taken some of those
steps. They've--
Mr. Johnson. What are those? Can you enumerate some of
them?
Mr. Esser. Well, when the initial breach took place in 2014
and they began working on tightening up their systems, they
went into what they call a tactical phase of immediately
remediating some of the high security problems they had. And so
we're fully in favor of everything they've done related to that.
You know, things like, you know, requiring more two-factor
authentication. They're not fully there but they're working on
it so they have taken steps to tighten up systems in that
respect.
Mr. Johnson. Okay. Dr. Romine and Mr. Wilshusen--do I have
that right?
Dr. Wilshusen. Close enough. It's Wilshusen.
Mr. Johnson. Wilshusen, okay. I apologize. Johnson is
pretty easy for everybody so I don't ever have that problem.
Sorry.
Dr. Romine and Mr. Wilshusen, do you agree? Are there
things that can be done in the near term? Are there more things
that can be done in the near term?
Dr. Romine. Well, certainly from the perspective of the
NIST guidelines and FISMA guidelines that we issue I think we
put those out as a means of reducing the susceptibility of the
system to hack. Nothing is 100 percent secure but I think
following those guidelines is the most effective way that I can
think of to protect the systems.
Mr. Johnson. Mr. Wilshusen?
Dr. Wilshusen. And I would agree with both what Dr. Romine
and Mr. Esser said. One thing that comes to mind, too, is based
on what's been reported by the Office of Management and Budget
as it relates to OPM is that, as of the end of fiscal year
2014, OPM had only implemented the use of personal identity
verification cards or strong authentication for one percent of
its user accounts. My understanding is that they're making
progress now to improve that but certainly having strong
authentication, using multifactor authentication for user
accounts would be one area that it seems that OPM could improve
on and may be working on that now.
Mr. Johnson. Okay. Well, gentlemen, thank you very much and
I've exhausted my time.
Madam Chair, I yield back.
Chairwoman Comstock. Thank you.
I now recognize Ms. Bonamici.
Ms. Bonamici. Thank you very much, Madam Chair. Thanks to
the Chairs and Ranking Members for this important conversation
and thanks to the witnesses who are here. I wish we each had
five hours instead of five minutes because there are so many
questions.
So I wanted to start, Mr. Snell, you mentioned the issues
and the challenges with notification and communication, and
this is something that I want to recognize both in the public
and private sector has been a challenge. And of course with the
number of current and former federal employees, it's my
understanding that the FISMA requirement requires notice to
affected individuals provided as expeditiously as practicable
and without unreasonable delay. So those are obviously terms
that are not concrete depending on the circumstances. I just
bring this up to recognize the importance of communicating with
people who are victims of the data breaches. And it's not just
an issue in the federal arena either, in the private sector as
well.
I want to go back to the point that was made about
encryption. It's my understanding that Estonia, even though
it's a small country, had a significant data breach in 2007 and
has really come around and is now considered one of the
countries that does the best job of protecting data. Granted
it's a smaller--much smaller population but they do make--heavy
use of encryption. And they also have focused on educating the
workforce.
And I also serve on the Education Committee and I wanted to
ask about the--whether we are really educating people who will
be able to be the people who are preventing as well as
understanding how we need to do this both psychologically and
technically. So do we need to improve cybersecurity education?
Are there enough opportunities for the workforce? Do we have
the people we need out there to be able to do these jobs? I'll
start with Mr. Wilshusen.
Dr. Wilshusen. Well, I think certainly improving the
cybersecurity understanding and awareness on the part of the
public at large, which I believe you're referring to, as well
as with the federal workforce, is going to be very important to
address these cyber threats that consistently evolve and are
becoming more sophisticated over time. And certainly having an
awareness of that and what types of controls and activities one
should engage in and should not engage in should be certainly
on the minds and--of everyone because each individual
potentially could be the weak link in--which results in some
sort of a computer compromise.
Ms. Bonamici. That's a great point. And in your testimony
you have this whole chart about the common adversaries and you
list hackers and I have to say I'm a little confused as I go
visit schools and the high schools are having these hack-a-
thons and they're considered positive things. So is hacker a
negative connotation or is it a positive or is it--depends on
who the hacker is? It's a little confusing.
Dr. Wilshusen. I guess it depends on what they're doing
with their hacking. You know, if they're so-called white
hackers, you know, but in terms of--it's good to know how
hackers and particularly those individuals with malicious
intent----
Ms. Bonamici. Right.
Dr. Wilshusen. --operate, what types of tools they use,
how--their modus operandi if you will in order to understand
how to protect against them. And so it's important to know that
and certainly one of the things that information security
professionals do is penetration testing and to see whether or
not any organization's information security controls are
effective in keeping out hackers who may use similar type of
techniques.
Ms. Bonamici. Terrific. And I wanted to ask, I guess, each
of you. Can you talk a little bit about your--what are your two
or three top recommendations for improving practices generally,
not necessarily just for the federal government. Mr. Esser,
what would be your top two or three recommendations?
Mr. Esser. I mean one of the things I would go back to is
the two-factor authentication to strengthen security. It's
really necessary to implement that and not just that but I mean
there's all kinds of different things that need to be
implemented, and the key I think is having, you know, security
Defense in Depth I think is the term that's used.
Ms. Bonamici. Terrific. And I want to make sure the others
get--and I'm almost out of time.
Mr. Snell, do you have a couple of----
Mr. Snell. No, that's not my strength so I'll----
Ms. Bonamici. Dr. Romine?
Dr. Romine. Sure. I would echo, I think, that proper
identity management is a key driver. I think it can be really
beneficial. Good use of encryption is good for preserving the
integrity or at least the confidentiality of data, so I would
just maybe add those two.
Ms. Bonamici. And Mr. Wilshusen?
Dr. Wilshusen. I would say one is addressing patches or
installing critical patches and remediating known
vulnerabilities. U.S. CERT recently came out with a technical
alert that said if you address these top 30 targeted
vulnerabilities, that would address up to 85 percent of the
targeted vulnerabilities that are currently being used. The
other thing would be improved detection and prevention
capabilities because regardless of how well you protect your
systems, it's likely you still may be subject to attack from
unknown vulnerabilities.
Ms. Bonamici. Thank you so much. I see my time is expired.
I yield back. Thank you.
Chairwoman Comstock. Thank you. And I would just take
privilege to note, I know when I was visiting schools that also
do the hacking and training them, you know, that--it's a great
growth area for kids to get engaged in and get educated on
because there's going to be lots of jobs for them in this area.
And I know somebody who works in the business so they tell
their clients if we can't hack into your system, you shouldn't
hire us to protect your system because that's part of what
their job is to constantly be looking for the next attack,
right? So that's--thank you.
I now recognize Mr. Abraham for five minutes.
Dr. Abraham. Thank you, Madam Chair.
I guess first I'll express my disappointment for the Chief
Information Officer Ms. Seymour not--or declining our
invitation to come speak here. It's my understanding that she
has extensive involvement in preparing this system. Might I
suggest that if OPM had put extensive involvement in preventing
this, we might not even be having this hearing. So just that as
a statement.
Mr. Wilshusen, I'm going to start with you. Has the federal
government's response to this breach in your opinion been
sufficient?
Dr. Wilshusen. Well, one of the responses--and I can't
necessarily speak specifically to OPM, but more broadly
speaking, as you may know, the federal CIO issued an initiative
or a proclamation known as the 30-day Cybersecurity Sprint, and
indeed, you know, to the extent that that 30-day sprint raises
awareness and invigorates activity towards addressing these
basic security requirements included in the sprint such as
installing critical patches, assuring deploying multifactor
authentication, and other--resolving known vulnerabilities,
that's important. And to the extent that that gets done, that's
a positive.
But where it may become detrimental if after this 30 days,
which expires on Sunday, by the way, that the agencies and the
federal government relaxes and thinks, okay, we've accomplished
our goal, I think that's a mistake because cybersecurity and
implementing effective security is not a sprint; it's a
marathon. And it's something that needs to be going on a
continuous basis. And the fact of just going back to--possibly
going back to the status quo, which only led to the conditions
that resulted in the need for a 30-day sprint.
So I would say it raised awareness. Agencies may be taking
actions to improve their security, but that needs to continue
in perpetuity.
Dr. Abraham. And I'll follow up with you, Mr. Wilshusen.
Knowing what you know about the cybersecurity or lack thereof
of all our federal agencies, would you entrust any of your
sensitive information with any of these agencies?
Dr. Wilshusen. In some cases I have no choice because my
information is at other agencies through security clearances
and the like and through our tax systems and issuing tax
returns, and so, yes, I do entrust personal information to
agencies and that's why it's important and incumbent upon those
agencies to adequately protect information that the American
taxpayers, the American public entrust to it.
Dr. Abraham. And it's my understanding that the GAO tracks
the history of these breaches. How does this OPM recent breach
compare or where does it rank in the history of the other
government breaches as far as the tracking is concerned?
Dr. Wilshusen. Well, in terms of the like number of
individuals affected by this breach--
Dr. Abraham. Right.
Dr. Wilshusen. --it's among the top. You know, a few years
ago back I think in 2005, 2006 there was a data breach at the
Department of Veterans Affairs in which the hard drive was
stolen from an employee's--from their home but that contained
the personally identifiable information of 26, 27 million
veterans and current service members. But that hard drive was
ultimately found and determined not to have been--the
information was determined not to have been disclosed. So
that--this particular breach ranks right up near the top I
would say.
Dr. Abraham. Mr. Esser, you said in your testimony that the
OPM leadership has been--has not been forthright about the
claim of proactively shutting down the e-QIP system. Can you
tell us how long the OPM has known about these vulnerabilities
to that particular one system?
Mr. Esser. There was a security assessment and
authorization done on the e-QIP system in September of 2012
which identified 18 vulnerabilities. I do not know if those
vulnerabilities are related to the reason that the system was
shut down last week but it certainly indicates that there has
been vulnerabilities that OPM has been aware of and has not
addressed even to date.
Dr. Abraham. Okay. Thank you.
Madam Chair, I'll yield back.
Chairwoman Comstock. Thank you, Mr. Abraham.
Ms. Esty.
Ms. Esty. Thank you, Madam Chair. I want to thank you and
Chairman Loudermilk and Ranking Members Lipinski and Beyer for
holding today's extremely important hearing. And as we've--as
has already been noted, with three other breaches having been
noted today in the private sector, it's very much on all of our
minds.
Our national and personal security depends on a strong
cybersecurity infrastructure, and the recent breaches that have
been disclosed with OPM are to me particularly disturbing when
I look at the security clearance records that could have been
compromised. No credit check is going to make up for the risk
to not just personal security but our nation's security for
every individual who went through or was consulted as part of
that system.
So I'd like you to think and maybe get back to us on what
sort of protection and advice do we give on the national
security front, on the security breach aspect because that is
very different than your personal information to raid your bank
account. That's a risk of grave concern for this country, which
we haven't really discussed today.
It seems to me a number of issues have been raised and I
want to quickly tick them off and then focus on the last. We
need to understand the extent of vulnerability and that's been
discussed at some length. The accountability for what's
happened has also been raised by other Members. And I want to focus
on the last two, our capacity to address these issues in the
future. That's a question in part of resources and that's been
mentioned, both personnel resources--and Representative
Bonamici raised an issue she and I share a grave concern and
interest in, encouraging young people to pursue these fields
and making sure we have enough capacity on both the private
sector side and the public sector side. Is it a priority issue?
Do we need to have different prioritization?
But the last issue I'd really like you to respond to is how
do we move to a continuous monitoring or effectiveness model
from what we've had, which is a compliance model? It seems to
me we have a real challenge. Congress enacts laws. Laws are
about compliance. They are snapshots in time that reflect our
knowledge and technical capabilities. But as we've all
discussed here today, these are evolving risks, and the moment
we stick a pin in the butterfly and pin it down, it will change
by the time we finish pushing that pin in.
So if you could discuss a little bit what can we do on the
Congressional side and what can the agencies do to move to a
mindset that is much more nimble and that is in a continuous
mode because that's going to be both what our hard and software
look like but also our mindset about what compliance actually
means.
Dr. Wilshusen. I'll take first stab if you don't mind.
Well, one is an initiative that's already underway within
the Department of Homeland Security as it relates to continuous
diagnostics and mitigation, the extent to which DHS is
providing tools that are available for agencies to implement
this capability. Our work at the Department of State before
this initiative was established showed that there are benefits
to monitoring the security posture of an organization on a
continuous basis, but there are also a number of challenges
associated with that, some technological, some management and
operational.
But certainly that's one area that can be done and indeed
Congress in the passage of the Federal Information Security
Modernization Act of 2014 recognized the need for continuous
monitoring and identified that as one of the areas that
agencies should be focusing on in securing their systems. And
so that's one part of it.
But you're right, I totally agree. The need for assessing
and monitoring the effectiveness of security controls needs to
be done on a continuous monitoring basis because threats change
every day, the computing environment changes is very dynamic,
and new vulnerabilities are being identified each time.
Dr. Romine. If I may, I'd like to spotlight two things that
NIST is doing that address two of your issues. One is we house
the program office for the National Initiative for
Cybersecurity Education, which is an interagency activity that
I think is making great strides in addressing the workforce
issue that you brought up.
And the second is under Executive Order 13636 NIST engaged
the private sector and other stakeholders in a year-long effort
to develop what turned into the cybersecurity framework for
improving the cybersecurity of critical infrastructures. And
although that was the focus, it has turned out that that report
that we developed the framework is a model I think for
establishing or improving a cybersecurity approach whether it's
in the private sector or the public sector or other areas. It's
a very dynamic approach that involves, you know, a development
of maturity along the lines of--analogous to a maturity model
and so I think that could be really beneficial.
Chairwoman Comstock. Okay. Thank you.
Ms. Esty. I see my time is expired.
Chairwoman Comstock. We want to be able to squeeze in our
last two folks here.
Mr. Palmer, I recognize you for five minutes.
Mr. Palmer. Thank you, Madam Chairman.
We've talked about Defense in Depth and the hardware but I
want to talk about the individuals involved.
Dr. Wilshusen, OPM and the Department of Homeland Security
officials stated that the attackers who reached OPM's systems
may have been aided by user credentials that were obtained or
stolen from one of OPM's contractors. Andy Ozment testified
before the Oversight Committee that part of this breach may
have occurred through social engineering. I want to know in
your opinion what agencies can do to ensure that their IT
contractors are effectively protecting federal systems and
information? I mean I fully get it that we need to completely
overhaul our hardware and software, but that alone in the
context of Defense in Depth will not secure the system.
Dr. Wilshusen. I wholeheartedly agree. The oversight of
contractors and their information security practices over
systems that they operate on behalf of the federal government
or operate to process information on behalf of the federal
government is really critical to assure that--agencies need to
assure that that information is being adequately protected. And
that requires that they go in and assess or have an independent
assessor evaluate the security controls and assure that they're
being operated effectively and efficiently and that indeed the
requirements for information security are expressed to the
contractor either through contractual instruments or other
mechanisms to assure that they know what is required to help
protect those systems.
And another point you raised in terms of--was the stolen
user credentials that might have been used to help promote or
facilitate the attack on OPM, one of the things that could help
there is having multifactor authentication, which would help to
either prevent or at least raise the bar significantly for that
attacker to be able to use compromised credentials. And that
wasn't in place in all places throughout OPM.
Mr. Palmer. Well, it's even worse than that. Dr. Ozment--it
wasn't in his testimony but in an interview--talked about the
fact that one of the contractors working with OPM was based in
Argentina and was working with two people who were Republic of
China nationals. I mean how do we let something like that
happen? I mean with the amount of cyber assault--I visited a
facility that monitors these cyber attacks and you can
literally see them being launched. There were 700 and something
cyber attacks launched from Russia within 10 minutes. China was a
distant second.
How is it that we would not be aware that we had people
foreign-based involved in this and particularly a couple of
Chinese nationals?
Dr. Wilshusen. I guess I'm not familiar with that
particular situation so I don't know if I can really comment to
that, so----
Mr. Palmer. But I think you would agree, though, that
that's a pretty egregious oversight or failure to exercise
oversight over our systems?
Dr. Wilshusen. I think it's important that agencies
understand who has access to their systems and are accessing
their systems and that kind of gets back to the identity
management area that we--the panel spoke about earlier. So that
certainly is one specific point to that.
Mr. Palmer. Mr. Snell, I want to ask you something here.
Mr. Abraham brought up the fact that Ms. Seymour did not want
to testify before this committee. When she testified before the
Oversight Committee, I asked her if the breach was limited only
to people who filled out the Standard Form 86, the security
background check, because that was I think the position that
OPM had taken. It turns out that it extends beyond that. Two of
my staff who have never filled out an SF 86, who have never
served in the executive branch, both got letters telling them
that their personal data had been compromised.
Do you have an idea of how broad this is and does it extend
beyond current federal employees to retired employees? Is it
possible that it would extend to civilians who have national
security clearances?
Mr. Snell. That's entirely possible. We don't have
firsthand information. We only know what's being reported out
of OPM and it's not very much. It's not very helpful what
they're reporting as far as numbers but it's entirely--and it
has been I think in the media mentioned that it could be
contractors, as well as federal employees, former employees,
people who are no longer in the federal government. So I'd have
to turn that back over to the Office of Personnel Management to
come forth with information letting us know exactly who the
victims of these breaches are.
Mr. Palmer. Madam Chairman, I yield the balance of my time.
Thank you.
Chairwoman Comstock. Thank you.
And I now recognize five minutes for Mr. Tonko.
Mr. Tonko. Thank you, Madam Chair.
The--being a former federal employee, Mr. Snell, what are
the kinds of communication that you would like to see happen?
Mr. Snell. Well, in a situation like this I would like to
see the communication be sent via letter with OPM agency seal
on it so that the individuals would be able to at least feel
confident that this is an official U.S. Government notice. And
that kind of--I know it's not efficient in today's email world
and all of that, but in a case like this where we have the
credibility issue as to who do you trust, who do you don't
trust, I think a letterhead--OPM letterhead or an agency
letterhead would have gone a lot further to helping folks
believe what they're getting is bona fide. So I like that
kind of communication.
Mr. Tonko. Thank you.
And Mr. Esser, the review here that was done would
obviously involve the private sector, right, with contractors
serving the federal government with some of the reinforcement
here? How--was there any review done of that private sector
element?
Mr. Esser. I'm not sure I understand what review you're
referring to.
Mr. Tonko. Well, just with the outcome that we had in the
situation, were contractors reviewed in this situation that
served the federal agencies?
Mr. Esser. I'm sorry. I guess I still don't quite
understand the question. What review are you referring to?
Mr. Tonko. Just the malfunctioning that occurred. As we
look over the situation and try to determine where the
weaknesses in the system are, what--is there a role that the
contractors to the system might have played here or that could
have been better collaboration involved in this system? Were
there any recommendations that you could make in that regard?
Mr. Esser. If--I mean we in the IG office, when we do our
reviews, certainly there's contractor-operated systems at OPM
and we look at those the same way we look at the agency-
operated systems. I mean there's a number of contractors that
are working at OPM and likely at many other agencies as well.
They, I believe, are treated the same way as federal employees
in how we conduct our reviews.
Mr. Tonko. And in those reviews was there a need for better
collaboration in this whole process where there could have been
perhaps a stronger partnership with those efforts?
Mr. Esser. I don't believe we reported any issues in that
area.
Mr. Tonko. And to any of you on the panel, when we look at
a situation like this, is there a concern for the amount of
available resources to an agency to prevent any of this
activity? Is it a function of lack of resources or how those
resources have been shared? Would any of you comment on, you
know, weak investment or falling short in the resources we
require?
Dr. Wilshusen. You know, broadly speaking, not just talking
to OPM but across the federal government, many of the security
control deficiencies and weaknesses that we identified during
our audits are more of an information security management
process more than a lack of resources in terms of implementing
effectively and consistently across an agency its own defined
and developed policies and procedures.
For example, one basic control is just installing patches
on a timely manner, particularly those that have been rated as
critical. Agencies often have policies that state they need to
be installed within a certain period of time, usually within a
week or a couple weeks, but we find that sometimes those
patches are not being installed for months and sometimes over
years. So, in part it's a management issue to make sure that
these key security control issues and controls are being
effectively implemented.
There are also resource implications as well. In some cases
it may be important for agencies to implement new technologies
or tools, particularly with respect to installing intrusion
detection capabilities within their networks to identify those
types of vulnerabilities or cyber attacks or intrusions that do
inevitably occur.
Mr. Tonko. Thank you very much. I see my time is out. Thank
you, Madam Chair.
Chairwoman Comstock. Thank you. And we do have a vote now
and so I just want to thank the witnesses for their very
valuable testimony today. Sorry we had to sandwich it in
between our votes because I know myself and my colleagues could
spend a lot more time talking with you about this and will be
talking with you and asking for any guidance that you can give
us with your expertise. So we very much appreciate you coming
before us.
The record will remain open for two weeks for additional
comments and written questions from the Members.
And so the witnesses are excused and we thank you again for
your expert testimony. And this hearing is adjourned.
[Whereupon, at 5:19 p.m., the Subcommittees were
adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Responses by Mr. Michael R. Esser
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. David Snell
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Dr. Charles Romine
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
Additional Material for the Record
Prepared statement of Committee Ranking Member
Eddie Bernice Johnson
Thank you Chairwoman Comstock and Chairman Loudermilk for holding
this hearing on the recent OPM data breach.
Even though we will continue to learn more details about the
breach, we already know that millions of Americans' personal
information was compromised. This number includes current and retired
federal employees as well as the family members, friends, and co-
workers of federal employees.
There are valid concerns about hackers using this data for criminal
purposes. Additionally, since security clearance background
investigation information was compromised, there are also serious
national security concerns.
It is frustrating to learn that OPM knew that they had serious
information security systems problems long before this breach. Although
addressing their information security systems is a top goal of the new
OPM leadership, it is clear that action should have been taken years
ago.
Federal computer information systems are guided by FISMA. In this
risk management approach, agencies evaluate the type of data in their
systems, determine what level of controls are needed, and put together
a plan to adequately protect their data.
Although NIST is responsible for drafting the standards used by the
agencies, they do not oversee the program and are not responsible for
enforcing agency compliance with FISMA.
Instead of picking on one federal agency, it is my hope that we can
use this data breach as a starting point for addressing federal
cybersecurity more broadly. What is working? What is not? What
mechanisms need to be in place to better protect individuals' personal
information on our federal systems?
I want to end by saying that any conversation about federal
cybersecurity must include a discussion about resources. It would be
irresponsible for us to mandate additional cybersecurity measures that
federal agencies must take without providing them with additional
resources.
Cybersecurity will always be about managing risks. No information
security system, whether public sector or private sector, can be
completely protected. And unfortunately the question is, when, not if a
system will get hacked. Therefore, we must ensure that we have the
appropriate policies and oversight in place to help federal agencies
protect their data, and that we have provided federal agencies with the
resources they need to do the job effectively.
I want to thank the witnesses for their testimony and I yield back
the balance of my time.
Letter submitted by Representative Barbara Comstock
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]