[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
OPM: DATA BREACH
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JUNE 16, 2015
__________
Serial No. 114-60
__________
Printed for the use of the Committee on Oversight and Government Reform
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
____________
U.S. GOVERNMENT PUBLISHING OFFICE
99-659 PDF WASHINGTON : 2016
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, Jr., Tennessee
JIM JORDAN, Ohio
TIM WALBERG, Michigan
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
CYNTHIA M. LUMMIS, Wyoming
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina
RON DeSANTIS, Florida
MICK MULVANEY, South Carolina
KEN BUCK, Colorado
MARK WALKER, North Carolina
ROD BLUM, Iowa
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MATT CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
BONNIE WATSON COLEMAN, New Jersey
STACEY E. PLASKETT, Virgin Islands
MARK DeSAULNIER, California
BRENDAN F. BOYLE, Pennsylvania
PETER WELCH, Vermont
MICHELLE LUJAN GRISHAM, New Mexico
Sean McLaughlin, Staff Director
David Rapallo, Minority Staff Director
Troy D. Stock, IT Subcommittee Staff Director
Jennifer Hemingway, Government Operations Subcommittee Staff Director
Sharon Casey, Deputy Chief Clerk
C O N T E N T S
----------
Page
Hearing held on June 16, 2015.................................... 1
WITNESSES
The Hon. Katherine Archuleta, Director, U.S. Office of Personnel
Management
Oral Statement............................................... 6
Written Statement............................................ 9
Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and
Communications, National Program Preparedness Directorate, U.S.
Department of Homeland Security
Oral Statement............................................... 13
Written Statement............................................ 15
Mr. Tony Scott, U.S. Chief Information Officer, Office of E-
Government and Information Technology, U.S. Office of Management
and Budget
Oral Statement............................................... 22
Written Statement............................................ 24
Ms. Sylvia Burns, Chief Information Officer, U.S. Department of
the Interior
Oral Statement............................................... 27
Written Statement............................................ 29
Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of
Personnel Management
Oral Statement............................................... 32
Mr. Michael R. Esser, Assistant Inspector General for Audits,
Office of Inspector General, U.S. Office of Personnel
Management
Oral Statement............................................... 32
Written Statement............................................ 34
APPENDIX
ABC News-Feds Eye Link to Private Contractor in Massive
Government Hack, Submitted by Rep. Maloney..................... 76
Colleen M. Kelley-NTEU Statement for the Record.................. 79
RESPONSE Tony Scott-CIO OMB-Walberg Questions for the Record..... 83
OPM: DATA BREACH
----------
Tuesday, June 16, 2015
House of Representatives
Committee on Oversight and Government Reform,
Washington, D.C.
The committee met, pursuant to call, at 10:11 a.m., in Room
2247, Rayburn House Office Building, the Honorable Jason
Chaffetz [chairman of the committee] presiding.
Present: Representatives Chaffetz, Mica, Jordan, Walberg,
Amash, Gosar, Massie, Meadows, DeSantis, Mulvaney, Walker,
Hice, Russell, Carter, Grothman, Hurd, Palmer, Cummings,
Maloney, Norton, Lynch, Connolly, Cartwright, Kelly, Lawrence,
Lieu, Watson Coleman, Plaskett, DeSaulnier, Boyle, Welch, and
Lujan Grisham.
Chairman Chaffetz. The Committee on Oversight and
Government Reform will come to order.
Without objection, the chair is authorized to declare a
recess at any time.
Mr. Cummings will be with us momentarily. Another committee
assignment is also pressing on his schedule.
Last week we learned that the United States of America may
have had what may be the most devastating cyber attack in our
Nation's history, and that this may have been happening over a
long period of time.
As we sit here this morning, there is a lot of confusion
about exactly what personal information for millions of current
and former Federal employees and workers was exposed through
the latest data breach at the Office of Personnel Management.
OPM initially reported that the personal information of
more than 4 million Federal employees was exposed during this
attack. More recent public reports suggest that the breach was
perhaps much worse than that.
It is also unclear exactly what information was exposed. We
would like to know what information was exposed, over what
period of time, and who has this vulnerability.
It would also be great to know who had conducted this
attack. And I think we need to have candor with not only the
Federal employees, but the American people as well.
The breach potentially included highly sensitive personal
background information collected through the security clearance
applications. We would like clarity on that position as well.
The loss of this information puts our Federal workforce at
risk, particularly our intelligence officers and others working
on sensitive projects throughout the globe. But we are
concerned about each and every Federal worker and the public
who has interacted with the Government and entrusted this
information with the Government. We need to understand why the
Federal Government, and OPM in particular, is struggling to
guard some of our Nation's most important information.
The fact that OPM was breached should come as no surprise
given its troubled track record on data security. This has
been going on for years and it is inexcusable.
Each year, the Office of Inspector General reviews and
rates its respective agency's compliance with the Federal
Information Security standards. According to the last eight
years of IG reports, OPM's data security posture was akin to
leaving all the doors and windows open in your house and
expecting that nobody would walk in and nobody would take any
information. How wrong they were.
Since 2007, the OPM Inspector General rated OPM's data
security as a ``material weakness'' because the agency had no
IT policies or procedures that can come anywhere close to
something that could be used as an excuse for securing the
information.
It is unbelievable to think the agency charged with
maintaining and protecting all personal information of almost
all former and current Federal employees would have so few
information technology policies or procedures in place.
Let me just kind of read through some of the reports that
have happened through the course of the years.
This is the inspector general from fiscal year 2009: This
year we are expanding the material weakness to include the
agency's overall information security governance programs and
incorporating our concerns about the agency's information
security management structure. The continuing weaknesses in OPM's
information security program result directly from inadequate
governance. Most, if not all, of the exceptions we noted this
year resulted from a lack of necessary leadership, policy, and
guidance.
Go to fiscal year 2010: We continue to consider the IT
security management structure, insufficient staff, and the lack
of policies and procedures to be a material weakness in OPM's
IT security program.
Fiscal year 2011: We continue to believe that the
information security governance represents a material weakness
at OPM's IT security program.
Fiscal year 2012: Throughout fiscal year 2012, the OCIO,
the Office of the Chief Information Officer, continued to
operate with a decentralized IT security structure that did not
have the authority or resources available to adequately
implement new policies. However, the material weakness remains
open in this report as the agency's IT security function
remained decentralized throughout fiscal year 2012, FISMA
reporting period, and because of the continued instances of
non-compliance with FISMA requirements.
It goes on later: The OCIO's response to our draft audit
report indicated that they disagree with the classification of
the material weakness because of the progress that OPM has made
with its IT security program and because there was no loss of
sensitive data during the fiscal year. But as the inspector
general pointed out, however, the OCIO's statement is
inaccurate, as there were in fact numerous information security
incidents in fiscal year 2012 that led to the loss or
unauthorized release of mission-critical and sensitive data.
They couldn't even decide and agree that they had lost the
data back in fiscal year 2012, let alone actually solve the
problem.
Go to fiscal year 2013. Again, the inspector general: The
findings of this audit report highlight the fact that OPM's
decentralized governance structure continues to result in many
instances of non-compliance with FISMA requirements; therefore,
we are again reporting this issue as a material weakness in
fiscal year 2013.
Fast forward to fiscal year 2014. This is November of 2014:
Eleven major OPM information systems are operating without
valid authorization. This represents a material weakness in the
internal control structure at OPM's IT security program.
It goes on: OPM does not maintain a comprehensive inventory
of servers, databases, and network devices. They didn't even
know what they have. They don't even know what is in the
inventory.
Program offices are not adequately incorporating known
weaknesses into plans of action and milestones, and the majority
of systems are 120 days overdue. OPM continues to implement its
continuous monitoring plan; however, security controls for all
OPM systems are not adequately tested in accordance with their
own policies. Not all OPM systems have conducted contingency
plan tests in fiscal year 2014. Several information security
agreements between OPM and contract operated information
systems have expired. Multi-factor authentication is not
required to access OPM systems in accordance with the OMB
memorandum.
This has been going on for a long time. And yet, when I
read the testimony that was provided here, we are about to hear
some say, hey, we are doing a great job. You are not. It is
failing.
This went on for years and it did not change. The inspector
general found that 11 of the 47 major information systems, or
roughly 23 percent, at OPM lacked proper security
authorization, meaning the security of 11 major systems was
completely outdated and unknown. Five of the 11 systems were in
the Office of the Chief Information Officer, Ms. Seymour. They
are in your office, which is a horrible example to be setting
as the person in charge of the agency's data security.
The IG only recently upgraded OPM to a ``significant
deficiency.'' In November 2014, FISMA, over 65 percent of all
systems operated by OPM reside on two of the systems without
valid authorization. Sitting on two systems, no valid
authorization, 65 percent of the information.
For any agency to consciously disregard its data security
for so long is grossly negligent. And the fact that the agency
that did this is responsible for maintaining highly sensitive
information for almost all Federal employees, in my opinion, is
even more egregious.
OPM isn't alone. A number of other agencies also suffered
breaches in the last year. This later cyber hack comes on the
heels of several data breaches across the Government, including
the Postal Service, the State Department, the Internal Revenue
Service, the Nuclear Regulatory Commission, and even the White
House.
At the same time, government is spending more and more on
information technology. Last year, across government, we, the
American people, spent almost $80 billion on information
technology, and it stinks. It doesn't work, $80 billion dollars
later. And the person in charge of security, the person who is
in charge of making sure there is authentication of our
systems, even in her own office there isn't the authorization
needed.
OPM is not alone in the blame for this failure. The Office
of Management and Budget has the responsibility for setting
standards for Federal cybersecurity practices, and it is OMB's
job to hold agencies accountable for complying and enforcing
these standards.
The Department of Homeland Security has been given the lead
responsibility for serving as the Federal Government's so-
called geek squad to monitor day-to-day cybersecurity
practices, but the technical tools that DHS has deployed to try
to protect Federal networks apparently aren't doing the job.
While DHS has developed EINSTEIN to monitor Government
networks, it only detects known intruders, proving that it is
completely useless in the latest OPM hacks.
The status quo cannot continue. We have to do better. We
are talking about the most vital information of the most
sensitive nature of the people that we care about most. The
people entrust that information to OPM, and through the years
it has been a complete and total utter failure, to the point we
find ourselves where millions of Americans are left wondering
what somebody knows about them. What are they supposed to do?
And I have read the letter that you have been sending out
to employees, and it is grossly inadequate. It is grossly
inadequate, and that is why we are having this hearing today.
We do appreciate you all being here.
I think what we are going to do now is I would like to
recognize the gentleman from Texas who is the chairman of the
subcommittee that we have on IT. We at the Oversight and
Government Reform Committee have set up a new subcommittee that
deals just with IT issues.
We are honored and pleased to have Mr. Hurd chairing that
committee, so I will now recognize the gentleman from Texas,
Mr. Hurd, for five minutes.
Mr. Hurd. Thank you, Mr. Chairman.
Not only as the head of the subcommittee, but as a former
intelligence officer who has been through background
investigation and whose information probably resides with OPM,
I am concerned.
Today's hearing is just another example of the undeniable
fact that America is under constant attack. It is not bombs
dropping or missiles launching; it is the constant stream of
cyber weapons aimed at our data. From private sector
innovations to military seekers, our enemies are attempting to
rob this Country on a daily basis, and, unfortunately, they are
succeeding.
The worst of these cyber attacks are not coming from the
caves of Afghanistan or Syria, but from air-conditioned office
buildings in China, Iran, and Russia, far from battlefields.
These hackers work with impunity, knowing that their actions
have no consequences.
This is not only a question of how we can protect our
networks and data, but of how we define the appropriate
responses for digital and digital attacks. This is one of the
questions I have been asking for years and I have continued to
ask in my role as chairman of the Information Technology
Subcommittee.
It is no secret that Federal agencies need to improve their
cybersecurity posture. We have years and years of reports
highlighting the vulnerabilities of Federal agencies from
legacy systems to poor FISMA compliance. And while there have
been improvements, they have not kept pace with the nature of
the threats we are facing.
But until agency leadership takes control of these basic
cybersecurity measures, things like strong authentication,
network monitoring, encrypting data, and segmentation, we will
always be playing catch-up against our highly sophisticated and
well-resourced adversaries.
I welcome the witnesses here today and look forward to
their testimony.
Thank you, Mr. Chairman. I yield back.
Chairman Chaffetz. I thank the gentleman.
We will now recognize the gentlewoman from Illinois, the
ranking member of the subcommittee on IT, Ms. Kelly, for five
minutes.
Ms. Kelly. Thank you, Mr. Chair.
I want to thank our expert witnesses for their
participation today, and I thank the chairman and ranking
member for holding this important hearing on the OPM data
breach.
As you know, I have the privilege of serving as the ranking
member of the IT subcommittee. The issue of data breach is
something that Chairman Hurd and I are quite concerned with,
and we are looking forward to working with our colleagues to be
active in addressing this issue.
All of us here today should be quite concerned. The OPM
breach has raised significant questions about how adequately
the personnel information of government employees is stored on
government networks. We know that every day our government and
American businesses face a barrage of cyber threats.
We are reminded of many of the high-profile breaches on
some of our Nation's most important companies, but there are
everyday cyber intrusions of our data that aren't making the
headlines. Whether it is criminals beyond our borders profiting
from fraud and identity theft, domestic competitors who steal
intellectual property to gain advantage, or hacktivists looking
to make a statement against governments, cyber crime threatens
our national security and economic prosperity.
Data breaches probably won't end any time soon, but they
are something that we can be more aggressive in addressing. As
we catch on to cyber attackers' methods, these bad actors will
look to innovate their way around newly integrated cyber
defenses. This is why we must be just as innovative. That is
why we must have a frank conversation today and prepare a
multi-front strategy to ward off and diminish the possibility
of future data breaches.
So I thank the committee and our witnesses again for this
opportunity to examine the OPM attack and, with that, I yield
back.
Chairman Chaffetz. I thank the gentlewoman.
It is our intention to hear the ranking member's, Mr.
Cummings, statement, but I think what we will do now is swear
in the witnesses, hear their statements, then we will go to Mr.
Cummings before we get to questions, if that is okay with
everybody.
I will also hold the record open for five legislative days
for any members who would like to submit a written statement.
We will now recognize our first panel of witnesses.
We are pleased to welcome the Honorable Katherine
Archuleta, who is the Director of Office of Personnel
Management; Dr. Andy Ozment, Assistant Secretary of the Office
of Cybersecurity and Communications at the National Program
Preparedness Directorate at the United States Department of
Homeland Security; Mr. Tony Scott, U.S. Chief Information
Officer of the Office of E-Government and Information
Technology at the U.S. Office of Management and Budget; Ms.
Sylvia Burns, Chief Information Officer of the United States
Department of Interior; Ms. Donna Seymour, Chief Information
Officer of the United States Office of Personnel Management;
and Mr. Michael Esser, Assistant Inspector General for Audits,
Office of The Inspector General at the United States Office of
Personnel Management.
We welcome you all.
Pursuant to committee rules, witnesses are all to be sworn
before they testify. If you will please rise and raise your
right hand.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
[Witnesses respond in the affirmative.]
Chairman Chaffetz. Thank you. Please be seated.
Let the record reflect that all witnesses answered in the
affirmative.
In order to allow time for discussion, we would appreciate
your limiting your testimony to five minutes. Again, please
limit your comments to five minutes. I will be a little bit
generous, but five minutes, if you could, and then your entire
written statement will be entered into the record.
At the conclusion of those, then we will hear from Mr.
Cummings with his opening statement and we will go to questions
from there.
So, with that, we will now recognize Ms. Archuleta, the
Director of the Office of Personnel Management, and you are now
recognized for five minutes.
WITNESS STATEMENTS
STATEMENT OF THE HONORABLE KATHERINE ARCHULETA
Ms. Archuleta. Chairman Chaffetz, Ranking Member Cummings,
and members of the committee, I am here today to talk to you
about two successful intrusions into OPM's systems and data.
But first I want to deliver a message to Federal employees,
retirees, and their families. The security of their personnel
data is of paramount importance. We are committed to full and
complete investigation of these incidents and are taking
actions to mitigate vulnerabilities exposed by their
intrusions.
When I was sworn in as Director 18 months ago, I recognized
that in order to build and manage an engaged, inclusive and
well-trained workforce, that we would need a thorough
assessment of the state of information technology at OPM. I
immediately became aware of vulnerabilities in our aging legacy
systems and I made the modernization and the security of our
network one of my top priorities.
Government and non-government entities are under constant
attack by evolving and advanced persistent threats and criminal
actors. These adversaries are sophisticated, well-funded, and
focused. These attacks will not stop. If anything, they will
increase.
Within the last year, we have undertaken an aggressive
effort to update our cybersecurity posture, adding numerous
tools and capabilities to our networks. As a result, in April
of 2015, an intrusion that predated the adoption of these
security controls was detected. We immediately contacted the
Department of Homeland Security and the FBI, and together with
these partners, initiated an investigation to determine the
scope and the impact of the intrusion. In May, the interagency
incident response team concluded that the exposure of personnel
records had occurred, and notifications to affected individuals
began on June 8th and will continue through June 19th.
As part of our ongoing notification process, we are
continuing to learn more about the systems that contributed to
individuals' data potentially being compromised. These
individuals were included in the previously identified
population of approximately 4 million individuals and are being
appropriately notified. For example, we have now confirmed that
any Federal employee from across all branches of government
whose organization submitted service history records to OPM may
have been compromised, even if their full personnel file is not
stored on OPM's system.
During the course of the ongoing investigation, the
interagency incident response team concluded later in May that
additional systems were likely compromised. This separate
incident, which also predated deployment of our new security
tools and capabilities, remains under investigation by OPM and
our interagency partners.
However, there is a high degree of confidence that systems
related to background investigations of current, former and
prospective Federal Government employees and those for whom a
Federal background investigation was conducted may have been
exfiltrated. While we have not yet determined its scope or its
impact, we are committed to notifying those individuals whose
information may have been compromised as soon as practicable.
Throughout these investigations, we have provided regular
updates to congressional leadership and the relevant committees
of these incidents. But for the fact that we implemented new,
more stringent security tools, we would have never known that
malicious activity had previously existed on that network and
would not have been able to share that information for the
protection of the rest of the Federal Government.
In response to these incidents and working with our
partners at DHS, we have immediately implemented additional
security measures to protect sensitive information and to take
steps toward building a simplified, modern, and flexible
network structure. We continue to execute on our aggressive
plan to modernize OPM's platform and bolster security tools.
Our 2016 budget request includes an additional $21 million
above 2015 funding levels to further the support of the
modernization of our IT infrastructure, which is critical to
protecting data from the persistent adversaries we face. This
funding will help us sustain the network security upgrades and
maintenance initiated in fiscal year 2014 and fiscal year 2015
to improve our cyber posture, including advanced tools such as
database encryption, stronger firewalls, storage devices, and
masking software. The funding will also support the redesign of
OPM's legacy network.
Thank you for this opportunity to testify today and I am
happy to address any questions you may have.
[Prepared statement of Ms. Archuleta follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Dr. Ozment.
STATEMENT OF ANDY OZMENT
Mr. Ozment. Chairman Chaffetz, Ranking Member Cummings, and
members of the committee, I appreciate the opportunity to
appear before you today.
Like you, my fellow panelists, and countless Americans, I
am deeply concerned about the recent compromise at OPM. I am
personally dedicated to ensuring that we take all necessary
steps to protect our Federal workforce and to drive forward the
cybersecurity of the entire Federal Government.
Director Archuleta and my written statement both spoke to
the facts of the OPM incident, so I want to focus my remarks on
how DHS is accelerating our efforts to protect the Federal
Government.
This morning I will discuss how the Department of Homeland
Security is protecting civilian Federal agencies and helping
those agencies better protect themselves.
Under legislation passed by this Congress last year,
Federal agencies are responsible for their own cybersecurity.
However, DHS provides a common baseline of security across the
civilian government and helps agencies better manage their
cyber risks through four key efforts. First, we protect
agencies by providing a common set of capabilities through the
EINSTEIN and Continuous Diagnostics and Mitigation, or CDM,
programs. Second, we measure and motivate agencies to implement
best practices; third, we serve as a hub for information
sharing. Finally, we provide incident response assistance when
agencies suffer a cyber intrusion.
I will focus this morning on the first area, how DHS
provides a baseline of security across the Federal Government
through EINSTEIN and CDM. I have described the other three
areas in my written statement and am happy to take your
questions on them.
Our first line of defense against cyber threats is the
EINSTEIN system, which protects agencies at the perimeter. A
useful analogy is that of a physical government facility. In
this analogy with the physical world, EINSTEIN 1 is similar to
a camera at the entrance to the facility that records the
traffic coming and going, and identifies anomalies in the
number of cars.
EINSTEIN 2 adds the ability to detect suspicious cars based
upon a watch list and to alert security personnel when a
prohibited vehicle is identified. EINSTEIN 2 does not stop
cars, but it does set off an alarm.
EINSTEIN 1 and 2 are fully deployed in screening
approximately 90 percent of all Federal civilian traffic, all
of the traffic that goes through trusted Internet connections.
The latest phase of the program, known as EINSTEIN 3A, is
akin to a guard post at the highway that leads to multiple
government facilities. EINSTEIN 3A uses classified information
to look at the cars and compare them with a classified watch
list. It then actively blocks prohibited cars from entering the
facility.
We are accelerating our efforts to protect all civilian
agencies with EINSTEIN 3A. The system now covers 15 Federal
civilian agencies, with over 930,000 Federal personnel, which
is approximately 45 percent of the civilian government, and
those are protected with at least one of two security
countermeasures. That is about double the coverage we had just
nine months ago.
During this time, EINSTEIN 3A has blocked over 550,000
attempts to access potentially malicious Web sites, which is
one of our two countermeasures. EINSTEIN played a key role in
identifying the recent compromise of OPM data at the Department
of Interior.
As we accelerate EINSTEIN deployment, we also recognize
that security cannot be achieved through only one type of tool.
EINSTEIN will never be able to block every threat. For example,
it must be complemented with systems and tools to monitor
inside agency networks. Our CDM program addresses this
challenge.
Returning to our analogy of a government facility, CDM
Phase 1 allows agencies to continuously check building locks
and security cameras to ensure they are operated as intended.
Continuing the analogy, the next two phases will monitor
personnel in the facility to ensure they are not engaged in
unauthorized activity, and it will assess activity across the
facility to detect unusual patterns.
We have provided CDM Phase 1 capabilities to eight
agencies, covering over 50 percent of the Federal Government,
and we expect to cover 97 percent of the Government by the end
of this fiscal year.
Now, the deadlines I have just told you are when DHS will
provide a given capability. It will take a few additional
months for agencies to fully implement their side of both
EINSTEIN and CDM once they are available. And, of course,
agencies must supplement EINSTEIN and CDM with additional tools
appropriate to their needs.
I would like to conclude by noting that Federal agencies
are a rich target and will continue to experience frequent
attempted intrusions. This problem is not unique to the
government. As our detection methods continue to improve, we
will in fact detect more incidents, incidents that are already
occurring and we just didn't know it yet.
The recent breach of OPM is emblematic of this trend, as
OPM was able to detect the intrusion by implementing
cybersecurity best practices recommended by DHS. We are facing
a major challenge in protecting our most sensitive information
against sophisticated, well-resourced, and persistent
adversaries.
Further, the entire Nation is now making up for 20 years of
under-investment in our Nation's cybersecurity in both the
public and private sectors. In response, we in the government
are accelerating the deployment of the tools we have and are
bringing cutting-edge capabilities online, and we are asking
our partner agencies and Congress to take action and work with
us to strengthen the cybersecurity of Federal agencies.
Thank you again for the opportunity to appear today, and I
look forward to any questions.
[Prepared statement of Mr. Ozment follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Mr. Scott, you have a very impressive background. Your
joining the Federal Government is much appreciated. We look
forward to hearing your testimony. You are now recognized for
five minutes.
STATEMENT OF TONY SCOTT
Mr. Scott. Thank you, Chairman Chaffetz, Ranking Member
Cummings, members of the committee. Thank you for the
opportunity to appear before you today. And I appreciate the
opportunity to speak with you about recent cyber incidents
affecting Federal agencies.
I would like to start by highlighting a very important
point, which has been mentioned already and of which I am sure
you are aware. Both state and non-state actors who are well
financed, highly motivated, and persistent are attempting to
breach both government and non-government systems every day,
and these attempts are not going away. They will continue to
accelerate on two fronts, first, the attacks will become more
sophisticated and, second, as we remediate and strengthen our
own practices, our detection capabilities will improve. But
that means we have to be as nimble, as aggressive, and as well-
resourced as those who are trying to break into our systems.
Confronting cybersecurity threats on a continuous basis is
our Nation's new reality, a reality that I faced in the private
sector and am continuing to see here in my new role as Federal
Chief Information Officer.
As Federal CIO, I lead the Office of Management and
Budget's Office of E-Government and Information Technology. My
office is responsible for developing and overseeing the
implementation of Federal information technology policy. And
even though my team has a variety of responsibilities, I will
focus today's remarks on cybersecurity.
Under the Federal Information Security Modernization Act of
2014, most of us know this as FISMA, OMB is responsible for
Federal information security oversight and policy issuance. OMB
executes its responsibilities in close coordination with its
Federal cybersecurity partners, including the Department of
Homeland Security and the Department of Commerce National
Institute of Standards and Technology.
As I mentioned in front of this committee in April, OMB
also recently announced the creation of the first ever
dedicated cybersecurity unit within my office. This is the team
that is behind the work articulated in the fiscal year 2014
FISMA report which highlighted both the successes and
challenges facing Federal agencies' cybersecurity programs.
In fiscal year 2015, the E-Gov Cyber Unit is targeting
oversight through CyberStat reviews, prioritizing agencies with
high risk factors as determined by cybersecurity performance
and incident data. My colleagues will fully address the recent
cyber incidents affecting the Office of Personnel Management,
known as OPM.
In terms of the role of OMB, my office monitors very
closely all reports of incidents affecting Federal networks and
systems. We use these reports to look for trends and patterns,
as well as for areas where our government-wide processes,
policies, and practices can be strengthened. We then update our
guidance and coordinate with other agencies to ensure that that
guidance is implemented.
As you heard from me last week, the recently-passed Federal
Information Technology Acquisition Reform Act, known as FITARA,
and our guidance associated with that legislation strengthens
the role of the CIO in agency cybersecurity.
In this case, OPM notified OMB in April 2015 of an incident
affecting data in transit in its network. OPM reported that
they were working closely with various government agencies on a
comprehensive investigation and response to this incident. We
have been actively monitoring the situation and have engaged in
making sure that there is a government-wide response to the
events at OPM.
To further improve Federal cybersecurity infrastructure and
to protect systems against these evolving threats, OMB launched
a 30-day Cybersecurity Sprint last week. The Sprint will focus
on two areas: first, an interagency team is creating a set of
action plans and strategies to further address critical
cybersecurity priorities; second, agencies were directed to
accelerate efforts to deploy threat indicators, patch critical
vulnerabilities, and tighten policies and practices for
privileged users, and to dramatically accelerate implementation
of multi-factor authentication.
In closing, I want to underscore a critical point I made at
the beginning of this testimony: both State and non-State
actors are attempting to breach government and non-government
systems in a very aggressive way. It is not going to go away,
and we are going to see more of it. Ensuring the security of
information on Federal Government networks and systems will
remain a core focus of the Administration as we move
aggressively to implement innovative protections and response
to new challenges as they arise. In addition to the actions we
are taking, we also look forward to working with Congress on
legislative actions that may further protect our Nation's
critical networks and systems.
I thank the committee for holding this hearing and for your
commitment to improving Federal cybersecurity. I would be
pleased to answer any questions you may have.
[Prepared statement of Mr. Scott follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Ms. Burns, you are now recognized for five minutes.
STATEMENT OF SYLVIA BURNS
Ms. Burns. Thank you. Good morning, Chairman Chaffetz,
Ranking Member Cummings, and distinguished members of the
committee. My name is Sylvia Burns and I am the Chief
Information Officer for the U.S. Department of the Interior. I
appreciate the opportunity to testify regarding DOI's efforts
to secure and protect agency, customer, and employee data in
the wake of a recently discovered cyber intrusion.
Additionally, we appreciate having had the opportunity to
provide a classified briefing on the cyber intrusion for
members of your committee staff and other congressional staff
on May 21st, 2015.
Cyber intruders executed very sophisticated tactics to
obtain unauthorized access to OPM data hosted in a DOI data
center which contained sensitive personally identifiable
information. The incident was and remains under active
investigation. At present, the effort has not discovered
evidence that any data other than OPM data was exfiltrated.
DOI has initiated a major planning effort to address short,
medium and long-term remediation to strengthen our security
protections and reduce risks to the Department, our employees,
our customers, and our partners. DOI takes the privacy and
security of this data very seriously.
In April, DHS's U.S. Computer Emergency Readiness Team, US-
CERT, informed DOI about a potential malicious activity which
was later determined to be a sophisticated intrusion on DOI's
network. DOI immediately began working with US-CERT, the FBI,
and other Federal agencies to initiate an investigation and
determine what information may have been compromised. DOI
allowed DHS and the other investigating agencies immediate
access to the DOI computer systems and DOI dedicated people to
support the investigation.
Although there is evidence that the adversary had access to
the DOI data center's overall environment, today the
investigation has not discovered evidence that any data other
than OPM data was exfiltrated. However, the investigation
remains ongoing.
Concurrent with the investigation, DOI immediately
initiated a major planning effort to address short, medium and
long-term remediation to strengthen our cybersecurity
protections. We undertook those efforts in the context of other
cybersecurity improvements which were already underway pursuant
to the Department's commitment to the Administration's
cybersecurity cross-agency priority goals, as well as DHS's CDM
program. We have now accelerated our work on preexisting
efforts while devising and implementing new security measures
in consultation with the investigating agencies with the
expertise related to this particular threat.
Activities underway include working with DHS to scan for
specific malicious indicators across the entire DOI network. As
part of DHS's binding operational directive, we are identifying
and mitigating critical IT security vulnerabilities for all
internet-facing systems, and at the direction of the Secretary
and Deputy Secretary we are doing the same for all of DOI's IT
systems. This includes systems that are for DOI's internal use
as well as systems for the public and non-DOI users.
We are acquiring and implementing new capabilities that
will help us to detect and respond quickly to new intrusions.
We continue to meet with interagency partners to learn about
their activities and leverage their knowledge to make
additional improvements to our cybersecurity posture at DOI. We
are fully enabling two-factor authentication for all users.
DOI's existing long-term plan includes several agency-wide
strategic initiatives, including continuing our commitment to
DHS's CDM program. We are almost done implementing hardware and
software asset management, and we will be adding new
capabilities for application whitelisting, network access
control, and dashboarding functionality to provide a
comprehensive view of the Department's security posture.
We are strengthening DOI's cybersecurity and privacy
workforce so that we have knowledgeable and experienced people
to address current and future threats facing the agency. We are
designing and implementing increased network segmentation so
that, if an intrusion occurs within one component of our
network, we can better limit the extent of the exposure. We are
evaluating data protection technologies, such as information
rights management, for potential future investments.
Again, DOI takes the privacy and security of its data very
seriously. We are committed to supporting and continuing the
investigation regarding the incident affecting OPM data.
Furthermore, we will continue to be an active participant in
the ongoing efforts by the Federal Government to improve our
Nation's overall cybersecurity posture.
Chairman Chaffetz, Ranking Member Cummings, and members of
the committee, this concludes my prepared statement. I would be
happy to answer any questions that you may have.
[Prepared statement of Ms. Burns follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
Ms. Seymour, you are now recognized for five minutes.
STATEMENT OF DONNA K. SEYMOUR
Ms. Seymour. My remarks were included with the Director.
Thank you for having me here today, Chairman Chaffetz and
Ranking Member Cummings, and I will be happy to answer
questions.
Chairman Chaffetz. Mr. Esser, you are now recognized for
five minutes.
STATEMENT OF MICHAEL R. ESSER
Mr. Esser. Chairman Chaffetz, Ranking Member Cummings, and
members of the committee, good morning. My name is Michael R.
Esser. I am the Assistant Inspector General for Audits at the U.S.
Office of Personnel Management.
Thank you for inviting me to testify at today's hearing on
the IT security audit work performed by the OPM Office of the
Inspector General.
Today I will be discussing OPM's long history of systemic
failures to properly manage its IT infrastructure, which we
believe ultimately led to the breaches we are discussing today.
There are three primary areas of concern that we have
identified through our audits during the past several years:
information security governance, security assessment and
authorization, and technical security controls.
Information security governance is the management structure
and processes that form the foundation of a successful security
program.
For many years, OPM operated in a decentralized manner,
with the agency's program offices managing their IT systems.
The agency's CIO had ultimate responsibility for protecting
these systems, but often did not have the access or control to
do so. The program office staff responsible for IT security
frequently had no IT background and performed this function in
addition to their other full-time roles.
As a result of this decentralized structure, many security
controls remained unimplemented or untested, and all of our
FISMA audits between 2007 and 2013 identified this as a serious
concern.
However, in 2014, OPM took steps to centralize IT security
responsibility with the CIO. This new structure has resulted in
improvement in the consistency and quality of security
practices at OPM. Although we are optimistic about these
improvements, it is apparent that the OCIO is still negatively
impacted by years of decentralization.
The second topic is security assessments and authorization.
This is a comprehensive assessment of each IT system to ensure
that it meets the applicable security standards before allowing
the system to operate.
OPM has a long history of issues related to system
authorization as well. In 2010 and 2011 we noted serious
concerns in this area, but, after improvements were made,
removed it as an audit concern in 2012.
However, problems with OPM system authorizations have
reappeared. In 2014, 21 OPM systems were due to receive a new
authorization, but 11 were not authorized by year-end.
Recently, the OCIO has temporarily put authorization efforts on
hold while it modernizes OPM's IT infrastructure in response to
security breaches, and so it is likely that the number will
increase. While we support the effort to modernize systems, we
believe that authorization activities should continue.
The third topic relates to OPM's use of technical security
controls. OPM has implemented a variety of controls and tools
to make the agency's IT systems more secure. However, such
tools are only helpful if they are used properly and cover the
entire technical infrastructure. We have concerns that they are
not.
For example, we were told that OPM performs vulnerability
scans on all computer servers using automated scanning tools.
Although OPM was performing the scans, our audit also found
that some were not done correctly and that some servers were
not scanned at all.
One significant control that is lacking altogether is the
requirement for PIV credentials for two-factor authentication
to access information systems. We also determined that OPM does
not have an accurate centralized inventory of all servers and
databases. Even if all OPM security tools were being used
properly, OPM cannot fully defend its network without a
comprehensive list of assets.
In closing, it is clear that even though security
responsibility is now highly centralized under the OCIO, the
recent security breaches indicate that OPM still has
significant work to do to identify all of the assets and data
that it is tasked with protecting and then take the steps to do
so.
Thank you for your time, and I am happy to answer any
questions you may have.
[Prepared statement of Mr. Esser follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Chaffetz. Thank you.
We now recognize the ranking member, Mr. Cummings of
Maryland, for five minutes.
Mr. Cummings. Thank you very much, Mr. Chairman.
The recent cyber attack against the Office of Personnel
Management is the latest in a series of aggressive attacks
against our Nation in both the public and private sectors.
I want to put up a slide that lists some of the most
significant breaches over the past few years.
[Slide shown.]
Mr. Cummings. Anthem, 80 million people; JPMorgan, 76
million people; Target, 70 million people; OPM, at least 4
million so far. Then there was the Postal Service, Sony
Pictures, and USIS. This is not a comprehensive list by any
means.
Ladies and gentlemen, when you see this list, the picture
is clear: the United States of America is under attack.
Sophisticated cyber spies, many from foreign countries, are
targeting the sensitive personal information of millions,
millions of Americans. They are attacking our government, our
economy, our financial sector, our healthcare system, and
virtually every single aspect of our lives.
For more than two years I have been pressing for our
committee to investigate these cyber attacks, so I thank the
chairman for holding today's hearing, and I hope we will hold
similar hearings on many of these other attacks as well.
With respect to the attack against OPM, my primary concern
is who was targeted, government workers, and what foreign
governments could do with this information. I have several
questions for OPM.
How many Federal employees were indeed affected? What kind
of information was compromised? And what steps are being taken
to help these employees now? I also want to know how these
attackers got inside of OPM's networks.
Last year, cyber attackers penetrated the networks of USIS
and Keypoint, two contractors that perform background checks
for security clearances on behalf of OPM.
One of the most critical questions we have today is, did
these cyber attackers gain access to OPM's data systems using
information they stole from USIS or Keypoint last year? Did
they get the keys to OPM's network from one of its contractors?
Mr. Chairman, I asked you to invite both Keypoint and USIS
representatives here to testify today. You agreed to invite
USIS, but last night they refused, just as they have refused
repeated requests for information over the past year. They did
not offer someone else they thought would be appropriate; they
simply refused.
I do not say this lightly, Mr. Chairman, but I believe USIS
and its parent company may now be obstructing this committee's
work. We have suggested previously that the committee hold a
transcribed interview. Given the history of noncompliance at
USIS, I believe this may be one of the only ways to obtain the
information we are seeking.
Mr. Chairman, over the past two years I have also been
pressing to investigate ways to better protect personal
information that belongs to the American people: their
financial records, their medical records, their credit card
information, their Social Security numbers, and a host of other
information they want to keep secure.
I sought advice from some of the Nation's top information
security experts in private business and government. These
experts warn that we cannot rely primarily on keeping the
attackers out. We need to operate with the assumption that the
attackers are already inside. They are already there.
Last week, one of the world's foremost cybersecurity firms,
Kaspersky Labs, was penetrated in a cyber attack, and,
according to FireEye, one of the companies my staff spoke with,
the average amount of time a hacker remains undetected is more
than 200 days. That is a lot of time.
Obviously, we need strong firewalls and other defenses to
keep attackers out. But experts recommend much more aggressive
measures to wall off or segregate data systems to minimize the
impact of inevitable data breaches in the future. Practices
like data masking, redaction and encryption must become the
norm rather than the exception.
Finally, we need to remember who the bad guys are here.
They are not U.S. companies or Federal workers who are trying
to keep our information safe. The bad guys are the foreign
nations and other entities behind these devastating attacks.
According to law enforcement officials, North Korea, China,
Russia, and Iran are the most advanced persistent threats to
this Nation's cybersecurity. So, as we move forward today, I
want to caution everyone that as much as we want to learn about
this attack, we have to do so in a responsible way. A lot of
the information about the attack is classified, and the last
thing we want to do is give our enemies information or
compromise active law enforcement investigations.
We are having a classified briefing for members at 1:00
p.m. today, so I encourage everyone to attend.
As I close, Mr. Chairman, I want to thank you again for the
bipartisan approach that you have taken on this issue, and I
hope we can continue to investigate these and other breaches to
identify common threats against our Country and the best ways
to counter them.
With that, I yield back.
Chairman Chaffetz. Thank you.
I now recognize myself for five minutes.
Ms. Archuleta, my question for you is, how big was this
attack? How many Federal workers have been compromised? We have
heard 4 million, we have heard 14 million. What is the right
number?
Ms. Archuleta. During the course of the ongoing
investigation into the cyber intrusion of OPM, the compromise
of personnel records of current and former Federal employees
that we announced last week, that number is approximately 4.2
million. In addition, in the investigation of that breach, we
discovered, as I mentioned in my testimony, an additional OPM
system was compromised, and these systems included information
based on the background investigations of current, former, and
prospective Federal Government employees, as well as other
individuals.
Because different agencies feed into OPM background
investigation systems in different ways, we are working with
the agencies right now to determine how many of their employees
were affected. We do not have that number at this time, but we
will get back to you once we have more information.
Chairman Chaffetz. What is your best estimate? Is the 14
million wrong or accurate?
Ms. Archuleta. As I said before, we do not have an estimate
because this is an ongoing investigation.
Chairman Chaffetz. How far back does it go? You are talking
about former employees, current employees, and potential
employees, so how far back does this information go that was in
your system?
Ms. Archuleta. Thank you for that question, Mr. Chaffetz. I
would have to respond again because it is an ongoing
investigation----
Chairman Chaffetz. It has nothing to do with impeding an
investigation. You should know what information you have and
what you don't. So this is not going to slow down any
investigation. People have a right to know. The employees have
a right to know. How far back does your information and
database go that was compromised?
Ms. Archuleta. The legacy systems date back to 1985, but I
do not----
Chairman Chaffetz. So anything that is 1985----
Ms. Archuleta. No, sir, that would not be correct.
Chairman Chaffetz. You don't know. Does it include military
personnel?
Ms. Archuleta. As I said, this is an ongoing investigation.
Chairman Chaffetz. It is a yes or no question. Does it
include military personnel?
Ms. Archuleta. I would be glad to discuss that in a
classified setting.
Chairman Chaffetz. Does it include contractor information?
Ms. Archuleta. Again, I would be glad to discuss that in a
classified setting.
Chairman Chaffetz. There is nothing classified as to what
information this includes. Does it include CIA personnel?
Ms. Archuleta. I would be glad to discuss that in a
classified setting.
Chairman Chaffetz. Does it include anybody who has filled
out SF 86, the Standard Form 86?
Ms. Archuleta. The individuals who have completed an SF 86
may be included in that, and we can provide additional
information in a classified setting.
Chairman Chaffetz. Why wasn't this information encrypted?
Ms. Archuleta. The encryption is one of the many tools that
systems can use. I will look to my colleagues at DHS for their
response.
Chairman Chaffetz. No, I want to know from you why the
information wasn't encrypted. This is personal, sensitive
information; birth dates, Social Security numbers, background
information, addresses. Why wasn't it encrypted?
Ms. Archuleta. Data information encryption is valuable----
Chairman Chaffetz. Yeah, it is valuable. Why wasn't it?
Ms. Archuleta.--and is an industry best practice. In fact,
our cybersecurity framework promotes encryption as a key
protection method.
Chairman Chaffetz. Why didn't you----
Ms. Archuleta. Accordingly, OPM does utilize encryption----
Chairman Chaffetz. We didn't ask you to come read
statements. I want to know why you didn't encrypt the
information.
Ms. Archuleta. An adversary possessing proper credentials
can often decrypt data. It is not feasible to implement on
networks that are too old. The limitations on encryption's
effectiveness are why OPM is taking other steps such as limiting
administrator accounts and requiring multi-factor
authentication.
Chairman Chaffetz. Okay, well, it didn't work, so you
failed. Okay? You failed utterly and totally. So the inspector
general, November 12th, 2014, we recommend that the OPM
director consider shutting down information systems that do not
have current and valid authorization, and you chose not to.
Why?
Ms. Archuleta. I appreciate the report by the IG. We work
very closely with our IG and take very seriously----
Chairman Chaffetz. Okay, but he had a very serious
recommendation to shut down the system. That is how bad it was.
And you said no.
Ms. Archuleta. I would like to turn that over to my
colleague.
Chairman Chaffetz. No, I would like you to answer that
question. It says we recommend that the OPM director consider
shutting it down. Your response back from the Office of Chief
Information Officer, ``The IT program managers will work with
the ISSOs to ensure that OPM systems maintain current ATOs and
that there are no interruptions to OPM's mission operation.''
Basically, you said no.
The inspector general was right. Your systems were
vulnerable. The data was not encrypted. It could be
compromised. They were right last year. They recommended, it
was so bad, that you shut it down, and you didn't, and I want
to know why.
Ms. Archuleta. There are many responsibilities we have with
our data, and to shut down the system we need to consider all
of the responsibilities we have with the use of our systems.
Chairman Chaffetz. So you made a conscious decision knowing
that it was vulnerable, that all these millions of records of
Federal employees were out there? The inspector general pointed
out the vulnerability and you said no, we are not making a
change.
Ms. Archuleta. As the director of OPM, I have to take into
consideration all of the work that we must do. It was my
decision that we would not, but continue to develop the system
and make sure that we have the security within those systems.
Chairman Chaffetz. And did you do that? You didn't. You
didn't, did you? That didn't happen, did it?
Ms. Archuleta. The recommendation to close down our systems
came after the adversaries were already in our network.
Chairman Chaffetz. When did they get in the network?
Ms. Archuleta. It was as a result of our security systems
that we were able to detect this intrusion.
Chairman Chaffetz. When did they get into the system?
Ms. Archuleta. We detected the intrusion in April.
Chairman Chaffetz. Of?
Ms. Archuleta. Of 2015.
Chairman Chaffetz. But in November 2014 you didn't know if
they were in there, did you?
Ms. Archuleta. No, we did not. We did not have the security
systems installed at that time. It was because we were able to
add those security systems that we were able to detect.
Chairman Chaffetz. So you detected the system? It wasn't a
software provider? You found it yourself?
Ms. Archuleta. OPM detected the intrusion.
Chairman Chaffetz. So The New York Times and the others who
wrote that were wrong?
Ms. Archuleta. That is correct.
Chairman Chaffetz. Two more questions, with your indulgence
here. How many people have received letters?
Ms. Archuleta. There is a rolling number. As we work from
the first date of notification, January 8th, we will complete
the notification to 4.2 million by June 19th. I am sorry I
don't have the exact number as of today. I would be glad to get
that information for you.
Chairman Chaffetz. One last question, with everybody's
indulgence here.
Ms. Archuleta, there was a data breach at OPM in July of
2014, okay? This is what you said about Ms. Seymour. In
December, I was very fortunate to bring Donna Seymour, from the
Department of Defense, onboard. She has great experience with
the IT world and has brought her talents to OPM. It was because
of her leadership and her dedicated employees that we were able
to make sure that none of this personal identifiable
information was compromised.
This was July of 2014. You cited her and the data breach as
making sure that none of the personal identifiable information
got out the door. Now that it has been hacked, are you going to
give her that same amount of credit?
Ms. Archuleta. I do give her that same amount of credit,
sir. When I began my tenure as the Director of OPM, one of my
first priorities was to develop an IT strategic plan and to
develop the important pillar of cybersecurity within our
systems. We have worked very hard since that time, and as we
update these legacy systems it is important that we recognize
that there is a persistent and aggressive effort on the part of
these actors to not only intrude in our system, but systems
throughout government and, indeed, in the private sector.
Chairman Chaffetz. Well, you have completely and utterly
failed in that mission if that was your objective. The
inspector general has been warning about this since 2007. There
has been breach after breach. He recommended shutting it down
last year and you, you made a conscious decision to not do
that. You kept it open. The information was vulnerable and the
hackers got it.
I don't know if it was the Chinese, the Russians, or
whoever else, but they have it, and they are going to prey upon
the American people. That is their goal and objective, and you
made a conscious decision to leave that information vulnerable.
It was the wrong decision. It was in direct contradiction to
what the inspector general said should happen, and he had been
warning about it for years.
Ms. Archuleta. I would note that in the IG's report he
acknowledges the fact that we have taken important steps in
reforming our IT systems. Advanced tools take time.
Chairman Chaffetz. So what kind of grade would you give
yourself? Are you succeeding or failing?
Ms. Archuleta. Cybersecurity problems take decades.
Chairman Chaffetz. We don't have decades. They don't take
decades.
Ms. Archuleta. I am sorry, cybersecurity problems are
decades in the making. The whole of government is responsible,
and it will take all of us to solve the issue and continue to
work on them. My leadership with OPM is one that instigated the
improvements and changes that recognized the attack.
Chairman Chaffetz. I yield back.
I recognize the ranking member, Mr. Cummings, for as much
time as he wants.
Mr. Cummings. Thank you very much, Mr. Chairman.
Ms. Seymour, this data breach is particularly concerning
because the individuals who were targeted were government
employees and the suspected attackers are foreign entities. I
am concerned that this breach may pose a national security
threat.
According to a statement from OPM, the personal information
of approximately 4 million current and former Federal employees
was compromised in this breach. What can you tell us about the
type of personal information that was compromised in this
breach?
Ms. Seymour. Thank you for the question, sir. The type of
information involved in the personal records breach includes
typical information about job assignments, some performance
ratings, not evaluations, but performance ratings, as well as
training records for our personnel. The information involved in
the background investigations incident involves SF 86 data, as
well as clearance adjudication information.
Mr. Cummings. So, Social Security numbers?
Ms. Seymour. Yes, sir. Social Security number, date of
birth, place of birth; typical PII that would be in those types
of files.
Mr. Cummings. Ms. Seymour, it was reported on Friday that,
in addition to this breach, hackers had breached highly
sensitive information gathered in background investigations of
current and former Federal employees. Is that true?
Ms. Seymour. Yes, sir, that is.
Mr. Cummings. Do you know how far back that goes?
Ms. Seymour. No, sir, I don't. The issue is that these are
longitudinal records, so they span an employee's career. So I
do not know what the oldest record is.
Mr. Cummings. So it is possible that somebody could be
working for the Federal Government for 30 years and that their
information over that 30 years could have been breached?
Ms. Seymour. Yes, sir, these records do span an employee's
career.
Mr. Cummings. So what can you tell us about the type of
information that may have been compromised in the second
breach?
Ms. Seymour. I believe that that would be a discussion that
would be better had in our classified session this afternoon,
sir.
Mr. Cummings. Thank you. I am going to come back to you.
Dr. Ozment, these suspected cyber spies from a foreign
state went after sensitive detailed information about Federal
employees. What could they do with this information? I am
talking to you, yes.
Mr. Ozment. Ranking member, I am going to have to defer
that question to the intelligence community, who will be a
participant in our classified briefing this afternoon at 1:00.
Mr. Cummings. All right.
Experts advise taking steps to mitigate damage from cyber
spying attacks by using tools such as data segmentation, data
masking, and encryption; and the chairman asked about
encryption. I know from past OPM testimony before the committee
that OPM has been a leader in deploying those tools.
Now, Ms. Seymour, it is kind of hard to understand how
cyber spies could have accessed more than 4 million records if
you were using those tools to the fullest. Ms. Archuleta has a
lot of faith and confidence in you, as the chairman just
stated. Can you explain what happened?
Ms. Seymour. Thank you, Mr. Cummings, for the question. A
lot of our systems are aged, and implementing some of these
tools take time, and some of them we cannot even implement in
our current environment. That is why, under Director
Archuleta's leadership, we have launched a new program where we
are building a new environment, a new architecture, a modern
architecture that allows us to implement additional security
features.
In our legacy environment, we have installed numerous
technologies, and that is how we discovered this breach in the
first place. So we are shoring up what we have today, and then
we are building for the future so that we can become more
secure and provide these types of protections to our data and
our systems.
Mr. Cummings. Well, in the meantime, if we are going to
collect and we are going to store sensitive personal
information, we must make it unusable to our adversaries, if
they are cyber spies, are able to steal it. Would you agree?
OPM, as well as American businesses, have to do a better job of
protecting sensitive information. Would you agree, ma'am?
Ms. Seymour. Yes, sir.
Mr. Cummings. Now, Ms. Seymour, do you have the tools now
to do that? Are you trying to tell us you don't?
Ms. Seymour. OPM has procured the tools, both for
encryption of its databases, and we are in the process of
applying those tools within our environment. But there are some
of our legacy systems that may not be capable of accepting
those types of encryption in the environment that they exist in
today, and that is why it is important for us to focus very
aggressively, very proactively on building out that new
architecture so that, in the future, we will be able to
implement those tools for all of our databases.
Mr. Cummings. Now, when you talk about the future, I mean,
what are you talking about? Are you talking about three months,
three years?
Ms. Seymour. We began our program after the March 2014
incident. We worked very closely with our interagency partners
to devise a very aggressive and very comprehensive plan. We
have been implementing that plan since then. We are delivering
what we call our shell, which is the new architecture, we are
delivering that this fall and we will begin looking at our
business systems applications and how we can migrate those into
the new architecture.
Mr. Cummings. Ms. Seymour, this is the question: We are
collecting data right now. There is people's data that is out
there. And I am talking about, in the meantime, where are we?
In other words, I know you are trying to do some things, but
that doesn't make Federal employees feel pretty good. It
doesn't make me feel good.
So tell me more. Are you saying that we are just vulnerable
and we don't know when we are going to be able to deploy the
types of systems that you just talked about?
Ms. Seymour. No, sir. We have done a number of things.
Mr. Cummings. I am not talking about what you have done. I
am talking about what is going on today.
Ms. Seymour. That is exactly what I am offering, sir.
Mr. Cummings. All right.
Ms. Seymour. We have implemented two-factor authentication
for remote access to our network. That means that without a PIV
card or some other type of device that our users cannot log
into our network remotely. We have implemented additional
firewalls in our network. We have tightened the settings of
those firewalls. We have reduced the number of privileged users
in our account and we have even further restricted the access
privileges that those users have.
We have made a number of other steps to increase the
security of our existing network. We began that work back last
March and it has continued, and we continue to work with DHS
and our agency partners to test those systems and make sure
that they are working appropriately.
Mr. Cummings. Now, Mr. Esser, the Office of Inspector
General conducted an audit in 2014, the chairman was talking
about this, of OPM's information security programs and found
several weaknesses. Can you briefly identify what those
weaknesses were that you found?
Mr. Esser. Yes, sir. The most critical weaknesses that we
identified in our FISMA report from 2014 were the continued
information security governance problems that have existed
since 2007, the decentralization of the controls over systems.
That, however, is an area that is certainly close to being
improved to a full extent.
Another area of weaknesses were the security assessments
and authorization, which is each system that OPM owns should go
under an assessment every three years and be authorized for
usage. We identified 11 systems at the end of 2014 that had not
been authorized that were due to be authorized.
The technical security controls was another big area that
we identified. While OPM has implemented a number of strong
tools and is improving in that area, our concern is that some
of those tools were not being used properly and that they do
not have a complete and accurate inventory of databases and
servers that those tools should be applied against.
Mr. Cummings. So the chairman asked Ms. Archuleta a
question of how she thought she'd done. Based upon that, what
grade would you give?
Mr. Esser. I don't know that I could give a grade.
Mr. Cummings. So of all the things that you just stated,
there are certain things that were not done, is that right?
Mr. Esser. Yes, sir.
Mr. Cummings. Did any of them lead to this breach, the
things that were not done?
Mr. Esser. I don't know the exact details of how this
breach occurred, so I really can't answer that question.
Certainly there are a lot of weaknesses at OPM that they are in
the process of trying to address.
Mr. Cummings. And last, but not least, do you have a silver
bullet to address this issue, sir?
Mr. Esser. No, sir, I do not. There are very sophisticated
attackers out there and there is no one silver bullet I think
that can be applied that will prevent these types of things
from happening.
Mr. Cummings. You heard me asking Ms. Seymour about the
fact that we are constantly collecting information, and it
seems as if we are just vulnerable and that there are certain
areas that we may not be able to defend ourselves in. Is that
an accurate statement?
Mr. Esser. Certainly, there are a lot of things that can be
done to make our systems more secure. Is there something that
can be done to make them impenetrable? Not that I am aware of.
Mr. Cummings. Thank you very much.
Chairman Chaffetz. I now recognize the gentleman from
Michigan, Mr. Walberg, for five minutes.
Mr. Walberg. Thank you, Mr. Chairman. I appreciate the
witnesses being here.
This morning we have certainly heard that there is no
silver bullet, and I don't think we expected the answer to be,
yes, there is a silver bullet. We are concerned that, knowing
what has been going on, having clear evidence that hackers have
been attempting for quite some time and then, at least those of
us here who trust on agencies and people like yourselves who
know the issues, that some more efforts could have been
successful in stopping the most recent attacks.
We have heard today that networks aren't compartmentalized,
segmented, in certain cases encrypted; that with the recent
attacks, exterior perimeter has been breached, the attacker
often remains undetected for months. That is concerning. As a
result of that, able to exploit vulnerabilities within the
networks without passing through, and this is most concerning
to me, additional inspection or security measures.
So, Mr. Scott, as I understand, in the private sectors
there have been shifts towards zero trust model. Ultimately,
given OMB's role in setting metrics for agencies, my question
is can you tell me, tell us what OMB is doing to set IT
security metrics to limit the number of workloads, application
tiers to the networks?
Mr. Scott. Thank you for the question.
I think there are a number of things that I would point to
in addition to the measures that you just talked about. The
first one is to share across the Federal Government not only
the lessons learned from OPM, but what we see from other
attacks, whether successful or not, private and public, and
make sure that all agencies are up to speed with the latest
information on the methods of attack, the tools that are used,
and so on.
Mr. Walberg. That is a weakness right now, is what you are
telling me, that that is not happening?
Mr. Scott. It has been historically. The ability for the
Government and the private sector to share information has been
a hindrance in our ability to thwart these things.
But I will say that the specific measure that you
mentioned, the segmentation and zero trust, is something that
is more easily applied to very modern architectures. It is not
as easily applied to some of the oldest and old legacy systems
that we have. And I think that is going to be a challenge for
all agencies where the architecture itself just doesn't lend
itself to the application of certain technologies.
The best answer, I think, in terms of what we have and
where we go is a model that we are promoting and encouraging
across the agencies, which is defense in depth. It is a number
of different measures to that if one thing doesn't work, you
have the next layer that helps; and if that doesn't work, you
have the next layer. And zero trust is applicable in some of
those environments and, frankly, is very difficult or
impossible to apply in others.
Mr. Walberg. How far are we from that?
Mr. Scott. I would say years and years comprehensively. But
one of the things that we are working on right now is
prioritizing based on the highest value assets that the Federal
Government has so that we are going after the most valuable
stuff first and make sure that is protected the best way we
can.
Mr. Walberg. Ms. Seymour, with the millions of current and
former Federal employees, a lot of them in my district, that
sign on to do the work that we give to them, we appreciate the
work, it is not something they make up. We ask them to do the
Federal jobs that the agencies, the departments that they work
under have been asked to do. They don't expect that their life
will be compromised, their history will be compromised, their
records be compromised.
When did OPM begin letting victims know of the breach and
the risk to their identities?
Ms. Seymour. Thank you for your question, sir. I too am a
Federal employee and very concerned about this matter; it is
grave and serious, so I appreciate that.
We began notifying personnel on June 8th, and will continue
to make those notifications through June 19th. That is for the
personnel records security incident that we have.
We have not yet been able to do the analysis of the data
that is involved with the background investigations incident.
That is ongoing, and as soon as we can narrow the data that is
involved in that incident, we will make appropriate
notifications for that one as well.
Mr. Walberg. Okay. Thank you.
Chairman Chaffetz. Thank you. I thank the gentleman.
I now recognize the gentlewoman from New York, Mrs.
Maloney, for five minutes.
Mrs. Maloney. I want to thank the chairman and ranking
member for calling this hearing, and all of our panelists for
your public service.
As one who represents the city that was attacked by 9/11,
we lost thousands on that day and thousands more are still
dying from health-related causes from that fateful day. But I
consider this attack, I call it an attack on our Country, a far
more serious one to the national security of our Country.
I would like to ask Mr. Ozment from Homeland Security,
would you characterize this as a large-scale cyber spying
effort? That is what it sounds like to me. What is it?
Mr. Ozment. I think to speak to whether or not this was a
spying effort, we would have to talk to any understanding of
who the adversaries were and what their intent was, and I think
that is a conversation better reserved for a couple of hours
from now.
Mrs. Maloney. Do you believe it is a coordinated effort?
They appear to be attacking health records, employment records,
friendship, family, whole backgrounds. It seems to be a large
sphere of information not only from the Government, but private
contractors, individuals; and sometimes it appears targeted
towards Americans who may be serving overseas in sensitive
positions. But would you consider this a coordinated effort?
Can you answer that or is that classified?
Mr. Ozment. Thank you, Representative. I would defer that
question to the classified briefing.
Mrs. Maloney. Okay. Thank you.
Mr. Ozment. But what I would say, if you are willing, is
that----
Mrs. Maloney. I will be at the 1:00 meeting. Thank you.
Now, I want to refer to this article, and I would like to
place it in the record. I think it is an important one; it came
from ABC News.
If I could put it in the record.
Chairman Chaffetz. Without objection, so ordered.
Mrs. Maloney. It reports that there seems to be looking at
and gathering information on an SF 18 form, which is a Standard
Form 18, which is required for any employee seeing classified
security clearances, so that would be people in important
positions in our Government. And I won't ask any questions on
it, I will just wait until later at this classified briefing,
but I am extremely disturbed.
This article also points out that it is not only
individuals that they are going after; they are going after
contractors and those that serve the Government. It mentions in
other reports Lockheed Martin, where they went after their
secure ID program.
Is that true, Mr. Ozment?
Mr. Ozment. I can't speak to whether any adversaries have
gone after specific private sector companies.
Mrs. Maloney. Okay. All right. Then we won't get into that.
But other press reports said that there was Northrop
Grumman, L3, that they were hit by cyber attacks, and other
Government contractors. Now, one that probably hit Congress is
one in 2013, where the FBI warned that a group called Anonymous
hacked into the U.S. Army, Department of Energy, Department of
Health and Human Services, and many agencies by exploiting a
weakness in Adobe systems.
Now, I have the Adobe system in my office, so that means
they could have hacked into my office, and probably every other
congressional office.
Then they talk about going into healthcare. They go into
the Blue Cross Blue Shield system of all the Federal employees.
So it seems like they want a comprehensive package on certain
millions of Americans, many of whom are serving our Country, I
would say at negotiating tables in Commerce, State Department,
probably Defense, and every other aspect of American life and
the world economy.
But, Mr. Scott, you have been before this committee before
and you announced you were going to review the agencies'
cybersecurity programs to identify risks and implement gaps. I
wonder if you could report on what you learned from this review
and any specific changes in cybersecurity policies, procedures,
or guidance. If you can report on that. Or that may be
classified too. But anything you can share with us on what you
have been doing to act to build some firewalls?
Mr. Scott. Sure. Well, thank you for the question.
So we are conducting regular CyberStat reviews with each of
the agencies, and it is along the key lines of many of the
topics we have talked about here: two-factor patching,
minimizing the number of system administrators; all of the I
will call hygiene factors that we think lead to good
cybersecurity.
Mrs. Maloney. My time has expired, but anything you want to
give to the committee in writing, we would appreciate it. Thank
you.
Mr. Scott. We would be happy to do so. Thank you.
Chairman Chaffetz. I thank the gentlewoman.
I now recognize the gentleman from North Carolina, Mr.
Meadows, for five minutes.
Mr. Meadows. Thank you, Mr. Chairman.
Ms. Archuleta, let me come to you. You have been in your
current position since 2013, is that correct?
Ms. Archuleta. I was sworn in in November 2013.
Mr. Meadows. So in 2013 you, according to your testimony,
made cyber security the highest priority. I think that is how
you opened up your testimony, that the security of Federal
employees was your highest priority. Is that correct?
Ms. Archuleta. Yes, sir.
Mr. Meadows. All right. So help me reconcile, then, if it
is your highest priority, how, when the most recent IG's report
that came out that took security from being a material weakness
is how it was characterized before you got there, to
significant deficiency, how would you reconcile highest
priority and significant deficiency as being one and the same?
Ms. Archuleta. Thank you for your question.
As I mentioned earlier, one of the first things that we
did, or I did, for OPM was to develop, within 100 days, an IT
strategic plan, and the issues that the IG just mentioned, in
terms of IT governance and IT leadership, as well as IT
architecture, IT agility, IT data, and IT cybersecurity, were
all strong components of this IT plan; and the IG recognized
those steps and the strategic plan that we developed.
Mr. Meadows. But he did recognize it.
I only have five minutes, so I can't let you just ramble on
with all of these things. So let me ask you how, if he
recognized that, would he still characterize it as significant
deficiencies?
Ms. Archuleta. As we were instituting the improvements that
we were making, he was also, at the same time, conducting his
audit. His audit was conducted in the summer of 2014, when we
were beginning to implement our strategic plan, and the IG has
continued to work with us and we have taken his recommendations
very seriously.
Mr. Meadows. You have taken them seriously, so have you
implemented all of them? Yes or no? Just yes or no.
Ms. Archuleta. We have implemented many of them and are in
the process of implementing others.
Mr. Meadows. So have you implemented all of those?
Ms. Archuleta. As I said, sir, I have implemented many of
them and continue to work----
Mr. Meadows. So you will implement all of them?
Ms. Archuleta. We are looking at each of those
recommendations very seriously.
Mr. Meadows. Not looking. Will you implement? Can you
assure the Federal workers that you are going to implement all
the recommendations that the IG recommended to you, yes or no?
Ms. Archuleta. We are working very closely with the IG to----
Mr. Meadows. I will take that as a no.
All right, so let me go on further, then, because I am very
concerned that here we have not even notified most of the
Federal employees. We have known about it. They continue to not
be notified, and yet here you are saying that you have
different priorities. Because when Chairman Chaffetz asked you
about why did you not shut it down, you said, well, OPM has a
number of other responsibilities. Is that correct? That was
your answer to Chairman Chaffetz.
Ms. Archuleta. We house a variety of data, not just data on
employee personnel files. We also house health care data; we
employ other records, and the result----
Mr. Meadows. So what you are saying is it was better that
you supplied that and put Federal workers at risk versus making
it, according to your words, the highest priority to make sure
that the information was not compromised. If it is your highest
priority, why didn't you shut it down like Mr. Chaffetz asked
and like was recommended? Why didn't you shut it down?
Ms. Archuleta. In our opinion, we were not able to shut it
down in view of all of the responsibilities we hold at OPM. We
do take seriously----
Mr. Meadows. So, in your opinion, protecting Federal
workers then could not have been your highest priority, because
there were competing, I guess, priorities, and you said it was
better that you continued on with the others versus protecting
the Federal workforce.
Ms. Archuleta. As I said, the recommendations that the IG
gave to us are ones that we take very seriously, sir. I don't
want to characterize that we didn't. In fact, we did take them
in ongoing conversations.
Mr. Meadows. Okay. There is a quote that says what we
occasionally have to look at, no matter how beautiful the
strategy, we have to occasionally look at the results. And the
results here are pretty profound that we have security risks
all over. And I would encourage you to take it a little bit
more serious and, indeed, make it your highest priority.
I yield back. Thank you, Mr. Chairman.
Chairman Chaffetz. Thank the gentleman.
Now recognize the gentleman from Massachusetts, Mr. Lynch,
for five minutes.
Mr. Lynch. Thank you, Mr. Chairman.
I want to thank our panel for your help.
I want to associate myself with the remarks of the ranking
member and the chairman today, which doesn't always happen.
Chairman Chaffetz. Duly noted.
Mr. Lynch. I would like to ask unanimous consent if I might
enter into the record the remarks of Colleen M. Kelly, National
President of the National Treasury Employees Union, and also a
letter from J. David Cox, who is the President of the American
Federation of Government Employees, AFL-CIO.
Chairman Chaffetz. Without objection, so ordered.
Mr. Lynch. I want to also read the first three paragraphs.
This is a letter from the president of the American Federation
of Government Employees, AFL-CIO, J. David Cox, to the
Honorable Katherine Archuleta.
It says, Dear Honorable Archuleta, I am writing in
reference to the data breach announced by the Office of
Personnel Management. And this was dated last week. In the days
since the breach was announced, very little substantive
information has been shared with us, despite the fact that we
represent more than 670,000 Federal employees in departments and
agencies throughout the executive branch.
OPM has attempted to justify the withholding of information
on the breach by claiming that the ongoing criminal
investigation restricts your ability to inform us of exactly
what happened, what vulnerabilities were exploited, who was
responsible for the breach, and how damage to affected
individuals might be repaired and compensated.
Based on sketchy information that OPM has provided, we
believe that the central personnel data file was the targeted
database and that the hackers are now in possession of all
personnel data for every Federal employee, every Federal
retiree, and up to 1 million former Federal employees. We
believe the hackers have every affected person's Social
Security number, military record, veteran status, address,
birth date, job and pay history, health insurance, life
insurance, email, pension information, age, gender, race, union
status, and a lot more.
Worst of all, we believe the Social Security numbers were
not encrypted, a basic cybersecurity failure that is absolutely
indefensible and outrageous.
So, Ms. Archuleta, were the Social Security numbers
encrypted?
Ms. Archuleta. OPM is in the process of----
Mr. Lynch. Ms. Archuleta, is that an I don't know?
Ms. Archuleta. I don't believe that the Social Security----
Mr. Lynch. Can we just stick to a yes or no?
You know what, this is one of these hearings where I think
I am going to know less coming out of this hearing than I did
when I walked in because of the obfuscation and the dancing
around that we are all doing here.
Matter of fact, I wish that you were as strenuous and hard
working at keeping information out of the hands of hackers as
you are keeping information out of the hands of Congress and
Federal employees. It is ironic. You are doing a great job
stonewalling us, but hackers not so much.
So were the Social Security numbers encrypted, yes or no?
Ms. Archuleta. No, they were not encrypted.
Mr. Lynch. There you go. There you go. Now we are getting
somewhere.
That is pretty basic, though. That is pretty basic,
encrypting Social Security numbers.
So all this happy talk about these complex systems we are
going to come up with, you are not even encrypting people's
Social Security numbers. That is a shame.
Let me ask you about this Standard Form 86. Now, for those
of you, obviously you know that Standard Form 86 is what we
require employees to fill out if they are going to receive a
security clearance. So these are people who have sensitive
information. And we drill down on these folks. This is a copy
of the application. It is online if people want to look at it;
it is 127 pages online.
And we ask them everything; what kind of underwear they
wear, what kind of toothpaste. I mean, it is a deep dive. And
that is for a good reason, right? Because we want to know, when
people get security clearance, that they are trustworthy. There
is information here if you have ever been arrested; your
financial information is in here. There is a lot of information
in this form.
They hacked this. They hacked this. They got this
information on Standard Form 86. So they know all these
employees and everything about them that we ask them in the
Standard Form 86.
Isn't that right, Ms. Seymour?
Ms. Seymour. I believe that is a discussion that would best
be held until this afternoon, sir.
Mr. Lynch. That is probably a yes.
Like I say, I think you have to be honest with your
employees, and I think that, in order to protect them, we need
to let them know what is going on, because they have the email
addresses in here as well, several, your first, your second,
your third email address; and all that information is out
there. So we need to be a little bit more, not a little bit
more, we need to be more forthcoming with our own employees.
These are people who work for us, and a lot of them deserve a
lot more protection than they are getting right now from the
United States Government and from the Office of Personnel
Management.
I see my time has expired. I appreciate the indulgence of
the chairman and I yield back.
Chairman Chaffetz. I thank the gentleman.
Now we recognize the gentleman from South Carolina, Mr.
Mulvaney, for five minutes.
Mr. Mulvaney. Thank you, Mr. Chairman.
Many of us are often uncomfortable asking questions in this
type of setting, because obviously we don't want to ask
questions the answers to which should be kept confidential. So
I encourage you in advance, if I ask you something that we
should talk about in a different setting, that is an acceptable
answer.
But I sort of feel like in Mr. Lynch in that I don't know
if I get my hands around exactly what we are learning. So let's
start with this. I am going to follow up on a question that Mr.
Meadows asked of Ms. Archuleta, which is, he asked you if you
were going to implement all of the IG's recommendations. You
said you were working with the IG.
Whether or not that was a yes or no answer, I agree with
Mr. Meadows, probably closer to no, so let me address it like
this. Can you name for me some of the IG recommendations that
you are pushing back against or that you are not interested in
implementing?
Ms. Archuleta. I don't have the specific recommendations in
front of me, and I would be very glad to come back and talk
about that.
Mr. Mulvaney. Okay.
Ms. Archuleta. But what I would like to say, sir, is that
as we look at the recommendations by the IG, we work with him
so that he can fully understand where we have moved in our
security efforts and also to understand his observations. And
that is the normal audit process and we continue to go through
that with him and update him on a regular basis.
Mr. Mulvaney. And we get IGs in here all the time and that
makes perfect sense. What bugs me, Ms. Archuleta, is that back
in the end of 2014 they recommended, in fact, it was their
third recommendation, that all active systems in OPM's
inventory have a complete and current authorization. Your
response to that was saying, ``We agree that it is important to
maintain up to date and valid ATOs for all systems, but we do
not believe that this condition rises to the level of a
material weakness.''
Do you believe that your opinion on that has changed since
November of 2014, Ms. Archuleta?
Ms. Archuleta. I appreciate all of the information and the
recommendations that the IG has given us, and we will continue
to work with him----
Mr. Mulvaney. I didn't ask you that. Do you still believe
now, knowing what you know now, that that condition did not
rise to the level of material weakness?
Ms. Archuleta. Sir, we are working with a legacy system.
Mr. Mulvaney. I didn't ask you that, Ms. Archuleta.
Ms. Archuleta. As to the recommendations that he has made
to us, we are working through those to the best of our ability.
Mr. Mulvaney. That is what frightens me, Ms. Archuleta,
that this is the best of your ability.
Let me see if I can just get some summary information here
as I go back and try to explain to folks back home. I have
heard that it was just people in the executive branch. I open
this to anybody who might be able to answer this. Are we still
saying that the only people whose data was exposed were folks
who worked within the executive branch of Government?
Ms. Seymour. Sir, this is an ongoing investigation, and as
we uncover new information we are happy to share it with you.
Mr. Mulvaney. Right.
Ms. Seymour. We are not necessarily restricted to the
executive branch because there are people who work in the
executive branch today who worked in the legislative branch----
Mr. Mulvaney. And I got that notice, Ms. Seymour. I got the
notice and it says if you work in the executive branch or you
have ever worked in the executive branch, then there is a
chance they got your data, but if you have never worked for the
executive branch, then you don't have to worry.
Are you still comfortable with that statement?
Ms. Seymour. No, sir. This is an ongoing investigation and
we are learning new facts every day.
Mr. Mulvaney. And that is a fair answer. Now, the original
number we heard publicly was 4 million. Is it still 4 million?
I have heard 14 today a couple times. What is the current
estimate of the number of current or previous employees who
have been affected?
Ms. Seymour. Approximately 4 million is the number that we
are making notifications of today. We continue to investigate,
especially in the background investigations incident, so that
we can understand that data and begin to make notifications
there as well.
Mr. Mulvaney. All right, I have a question. I don't think
it has been asked yet. I think it is for Mr. Ozment or whoever
else understands the IT systems.
When we used to do this in the private sector, we used to
differentiate between someone who had hacked into our system
and someone who actually stole something from us, because there
are two levels of involvement there.
So I guess my question to you, Mr. Ozment, is have you been
able yet to make the distinction between just where the hackers
were and they had access and things were exposed, and where
possibly they actually downloaded data.
Mr. Ozment. Thank you, Representative.
That is an important distinction and one that we spend a
lot of our investigative time examining. For the personnel
records, the approximately 4.2 million records, the incident
response team, led by DHS but with interagency partners, has
concluded with a high probability that that data was
exfiltrated, meaning that it was removed from the network by
the adversary who took it. And we are continuing to investigate
the information related----
Mr. Mulvaney. Very briefly, Mr. Ozment. I appreciate that.
I don't mean to cut you off and I wish we had more time to do
that. Let me ask this one question. I heard about the data. I
heard Mr. Lynch ask about the Social Security numbers. It
sounds like that might have been exfiltrated. Health data. Do
we collect health data on our employees?
Ms. Archuleta, if I come to work for you or for the
Government, do I give you my health records?
Ms. Archuleta. Not your health records, but the information
regarding your health carrier is the information that we
receive and who you would include in the----
Mr. Mulvaney. Okay, so it is not----
Ms. Archuleta. No, not your health----
Mr. Mulvaney. So it is not specific medications, it is not
specific conditions.
Ms. Archuleta. No.
Mr. Mulvaney. It is just who my health insurance company
is.
Ms. Archuleta. Exactly.
Mr. Mulvaney. Thank you, Mr. Chairman.
Chairman Chaffetz. I thank the gentleman.
We now recognize the gentleman from Virginia, Mr. Connolly,
for five minutes.
Mr. Connolly. Thank you, Mr. Chairman.
You know, what is so jarring about this hearing is that
sort of in bloodless and bureaucratic language we are talking
about the compromise of information of fellow Americans and,
from the Federal employee point of view, the most catastrophic
compromise of personal information in the history of this
Country. Social Security records.
Ms. Archuleta, you mentioned that not health information,
but health carrier. That is a roadmap to other information
hackers can get.
Security clearances. Security clearances are deeply
personal and often involve, do they not, Ms. Seymour,
unconfirmed negative information, even rumors. I think so-and-
so has a drinking problem. That gets in that report even if it
is not confirmed. Is that not correct?
Ms. Archuleta. Sir, I am not a Federal investigator and I
am not familiar with all of the precise data that is in those.
Mr. Connolly. Well, let me confirm for you. It was a
rhetorical question, really. It is correct.
How do we protect our employees? Dr. Ozment, when I heard
your testimony, it almost sounded like you were saying is that
the good news here is we detected the hack. But the object here
isn't effective detection, though that is part of the process;
it is prevention and preemption to protect our citizens,
including Federal employees.
You talked about EINSTEIN and you championed its merits.
Was EINSTEIN in place at OPM when this hack occurred?
Mr. Ozment. Sir, I share your deep concern about the loss
of this information and agree that that is a terrible outcome.
Mr. Connolly. A terrible outcome?
Mr. Ozment. Absolutely. As a Federal employee whose
information is itself a part of this database, I feel----
Mr. Connolly. It might even be personally devastating, Dr.
Ozment, not just a terrible outcome.
Mr. Ozment. That is correct, sir.
What I would tell you on this is that EINSTEIN was critical
in this incident. As OPM implemented their new security
measures and detected the breach----
Mr. Connolly. Was EINSTEIN in place at the time of this
breach?
Mr. Ozment. EINSTEIN 1 and 2 have been in place at OPM.
EINSTEIN 3 is not yet available for OPM.
Mr. Connolly. Okay, I only have two minutes. I want to
understand your answer. So did it successfully detect a breach
had occurred?
Mr. Ozment. It did not detect the breach that OPM caught on
their own networks, because just as the cyber threat
information sharing legislation we are focused on acknowledges,
you first have to have the threat information. EINSTEIN 1, once
we had that threat information, we used EINSTEIN 1 and 2 to
detect a separate breach that we were then able to work.
Mr. Connolly. I am sure every Federal employee who had his
or her information compromised is comforted by your answer, Dr.
Ozment.
Ms. Archuleta, what was the time gap between discovering
there had been a breach and the actual breach itself?
Ms. Archuleta. We discovered the breach in April of 2015.
Mr. Connolly. This year. And when did the breach occur?
Ms. Archuleta. We suspected it happened earlier in 2014.
Mr. Connolly. So some time late last year?
Ms. Archuleta. Yes, sir.
Mr. Connolly. Okay. So whoever were the hackers, presumably
an agency of the Chinese government, according to published
reports confirmed by U.S. officials, it is not a classified
piece of information. The details of it may be, but our
Government, I believe, has confirmed, without attribution, in
public records that it was a systematic effort by the People's
Liberation Army, which has been notorious for hacking all over
the West, that got its hands on this data.
So they had four months in which to do something with this
data, is that correct, maybe five?
Ms. Archuleta. I can't make a comment on attribution.
Mr. Connolly. I didn't ask you to. I just asked whether
they had four or five months to do something with this data.
Ms. Archuleta. The period between when we believe the
breach occurred and our discovery, yes.
Mr. Connolly. All right.
I am going to, real quickly, if the chairman allows, ask
Mr. Scott one last question. The head of CERT, the director of
CERT says if the agency implemented three steps, we could
prevent about 85 percent of breaches.
And I am going to hold in abeyance new investments and new
technology because Ms. Seymour talks about legacy systems, and
I had always hoped that the Chinese didn't know how to hack
into COBOL. But that is a different matter.
Okay, the three things are minimize administrator
privileges; two, utilize application whitelisting; and, three,
continuously patch software, which, interestingly, does not go
on.
Would you just comment? What is your professional take on
those three recommendations?
Mr. Scott. I think those recommendations are great, and
there are a number of other things as well, some of which I
have talked about today. I think the one point I would make is
there is no one measure that you could say that is going to
prevent all attacks or even prevent an attack. It is really
defense in depth is your best measure, and that is what we are
really looking at emphasizing.
Mr. Connolly. Thank you, Mr. Chairman.
Chairman Chaffetz. Thank you.
We now recognize the gentleman from North Carolina, Mr.
Walker, for five minutes.
Mr. Walker. Thank you, Mr. Chairman.
I certainly agree with my colleague from Virginia in his
description this is a catastrophic compromise.
Ms. Archuleta, it appears that OPM did not follow the very
basic cybersecurity best practices, specifically such as
network segmentation and encryption of sensitive data. Should
the data have been encrypted? Can you address that?
Ms. Archuleta. At that time, the data was not encrypted,
and as Dr. Ozment has indicated, encryption may not have been a
valuable tool in this particular breach. As I said earlier, we
are working closely to determine what sorts of additional tools
we can put into our system to prevent further breaches.
Mr. Walker. You said may not have been. But that didn't
answer the question should have been encrypted and could that
have been another line of defense?
Ms. Archuleta. I would turn to my colleagues from DHS to
determine the use of encryption, but I will say that it was not
encrypted at the time of the breach.
Mr. Ozment. I would note that if an adversary has the
credentials of a user on the network, then they can access data
even if it is encrypted, just as the users on the network have
to access data, and that did occur in this case, so encryption
in this instance would not have protected this data.
Mr. Walker. I want to delve a little further in just a
moment, but let me ask this.
Ms. Archuleta, what consequences should CIO's face for
failing to meet such a baseline of cybersecurity standard on
their networks? May I hear your thoughts on that?
Ms. Archuleta. I believe that the CIO is responsible for
the implementation of a solid plan and I believe that my CIO
has been doing that. We are working with a legacy system that
is decades old, and we are using all of our financial and human
resources to improve that system. Cybersecurity is a
government-wide effort and we all must work together to improve
the systems that we have government-wide.
Mr. Walker. I am not sure that the American people are
content with the pace of how we are all working together.
I want to speak a little bit to EINSTEIN. I have heard
several different comments today regarding it and my question
is even if EINSTEIN is a necessary component to effectively
defending the system, I believe the private sector is really
already moving on this kind of technology. Is that a fair
question? And what is the DHS doing to keep pace with its
attackers? Dr. Ozment?
Mr. Ozment. EINSTEIN is absolutely a necessary, but not
sufficient, tool for protecting department and agency networks.
As Mr. Scott has noted several times, we need a defense in
depth strategy. We are supplementing EINSTEIN with continuous
diagnostics and mitigations at the agencies, and we are also
looking with EINSTEIN at taking what is currently a signature
focus system and adding capabilities to let it detect
previously unknown intrusions.
But as you do that you also receive more false positives.
In other words, you receive more indications that an intrusion
occurred even if it did not occur. So we have to do that
carefully so we are not overwhelmed by essentially bad data.
Mr. Walker. And it seems to be that you are more excited or
more confident in the EINSTEIN, what is it, 3A version? Is that
going to be more solid as far as keeping the attackers out?
Mr. Ozment. EINSTEIN 3A will be a step forward. It uses
classified information and is modeled on a similar Department
of Defense program. It is still a signature-based program, but
it will rely upon classified information obtained from the
intelligence community to help us detect adversaries and block
them.
Mr. Walker. And I even heard you earlier say something
about how even that system needs to be supplemented with
others, is that correct?
Mr. Ozment. That is correct. Again, no single system here
will solve this problem.
Mr. Walker. And there lies my problem, because even on the
DHS's own Web site, when talking about EINSTEIN 3, it says it
``prevents malicious traffic from harming networks.''
Now, if that is not all-inclusive, should not we be
understanding that before today's hearing? Why are we just now
getting this information that this may not be enough to prevent
such, as we said earlier, catastrophic compromise?
Mr. Ozment. I can't speak to the web page you are referring
to, but I can say that we have been very consistent and I have
been very consistent in all my interactions with Congress to
highlight that we do need a defense-in-depth strategy and
that no one tool will solve all of our problems.
Mr. Walker. And who is responsible for posting this
information on the Web site of the DHS?
Mr. Ozment. We will look into that and get back to you,
sir, and make updates as necessary.
Mr. Walker. Thank you, Mr. Chairman. I yield back.
Chairman Chaffetz. Thank you.
Now recognize the gentleman from Pennsylvania, Mr.
Cartwright, for five minutes.
Mr. Cartwright. Thank you, Mr. Chairman.
I thank the chairman and the ranking member for calling
this hearing.
Director Archuleta, I know there have been much bigger data
breaches than this one, but I am concerned, and I share the
sentiments of Mr. Connolly from Virginia. This is extremely
troubling. We are talking about 4 million-plus Federal workers,
people who dedicate their entire careers, indeed, their entire
lives, to our Country, and now their personal information has
been compromised through absolutely no fault of their own.
If I understand your testimony, the personal information of
about 4 million current and former employees was potentially
compromised, and I want to ask you, as your investigation
continues, do you believe that that number is going to be
bigger than 4 million?
Ms. Archuleta. Thank you for your question. In my opening
statement I described two incidences.
Mr. Cartwright. No, it is a yes or no question, or I don't
know.
Ms. Archuleta. No. Because of the two incidents, the first
incident is 4.2 million, and an ongoing investigation led us to
understand that the Federal investigative background checks----
Mr. Cartwright. You know what I mean when I say it is a yes
or no question, right?
Ms. Archuleta. Yes, sir.
Mr. Cartwright. Okay. Do you think it could be more than
4.2 million?
Ms. Archuleta. Yes, sir.
Mr. Cartwright. Okay.
Now, Ms. Seymour, let me turn to you for some more detailed
responses.
Your IT professionals discovered the breach in April and
also, as Mr. Connolly mentioned, they believe the hack may have
begun back in December, am I correct in that?
Ms. Seymour. Yes, sir, it began in 2014.
Mr. Cartwright. Now, something else happened in December of
2014; OPM's contractor, Keypoint, revealed that it was targeted
in an earlier cyber attack. Now, this is the contractor that
does the majority of your agency's background check
investigations, am I correct in that?
Ms. Seymour. They do a number of our background
investigations, sir. I am not sure of the numbers.
Mr. Cartwright. And in that case the attack against
Keypoint was successful; personal information was, in fact,
compromised, correct?
Ms. Seymour. Yes, sir.
Mr. Cartwright. On Friday, ABC News issued a report
entitled ``Feds Eye Link to Private Contractor in Massive
Government Hack.'' This article says this, ``The hackers who
recently launched a massive cyber attack on the U.S.
Government, exposing sensitive information of millions of
Federal workers and millions of others, may have used
information stolen from a private government contractor to
break in to Federal systems.'' The article goes on, ``The
hackers entered the U.S. Office of Personnel Management, OPM's
computer systems after first gaining access last year to the
systems of Keypoint Government Solutions.''
It continues, ``Authorities, meanwhile, believe hackers
were able to extract electronic credentials or other
information from within Keypoint systems and somehow use them
to help unlock OPM systems, according to sources. The hackers
then rummaged through separate segments of OPM systems,
potentially compromising personal information of not only the 4
million current and former Federal employees.''
Ms. Seymour, I know we are having our classified briefing
later, and I thank you for coming to that, but can you comment
on these reports? Did these hackers actually get what they
wanted in the previous attack against OPM's contractor,
Keypoint, so they could then go after OPM itself?
Ms. Seymour. I believe that is a discussion that we should
have in a classified setting, sir.
Mr. Cartwright. Fair enough.
Now, we know that OPM's other contractor, USIS, was also
breached last year and that its information was also
compromised. Can you tell us if those hackers got information
in the USIS breach that they were then able to use in the
attack against OPM?
Ms. Seymour. Again, that is a discussion we should have
later, sir.
Mr. Cartwright. I understand. I certainly don't want you to
disclose classified information here.
Let me close by asking a final question to the whole panel,
and I will let each of you answer. Federal agencies and private
companies are only as strong as their weakest link. Last year
we saw breaches of two contractors, Keypoint and USIS. Now we
have reports that these hackers are getting into OPM
information because of what they learned in those hacks.
Agencies have leverage over their contractors using the
provisions in the contracts and the billions of taxpayer
dollars that they pay out to the company, so I want to ask each
of you how can agencies use that leverage to improve
cybersecurity practices of contractors so that they do a better
job of safeguarding the information that they are entrusted
with.
Go ahead, right on down the line, starting with you, Ms.
Archuleta.
Ms. Archuleta. What we can do with the contractors that we
engage is to make sure that they have the security systems that
match the Federal Government's and that they are using the same
sort of types of systems.
I want to be sure that I understand your question. The
contractors that we employ as individuals or as companies----
Mr. Cartwright. The contractors as companies.
Ms. Archuleta. In our contracts with the companies, we are
now working to make sure that they are adhering to the same
standards that we have in Federal Government, as outlined in
our rules.
Mr. Cartwright. Dr. Ozment?
Mr. Ozment. Representative, DHS, for its own contract, as
one example, has been working to build in additional
cybersecurity requirements. I would also point you to the
FedRAMP effort, government-wide effort to establish a baseline
of cybersecurity requirements for cloud contractors to the
Government.
Mr. Cartwright. Mr. Scott?
Mr. Scott. Yes. I think as my colleague, Anne Rung, and I
testified last week, we also are strengthening the Federal
contract procurement language and creating contract language
that any agency can use as a part of their standard contracts.
Mr. Cartwright. Thank you.
Ms. Burns?
Ms. Burns. I think it is about beefing up the security
clauses in all contracts so that they cover the full extent of
what we need, and then doing the monitoring and follow-up that
you need to do to ensure that the contractors are adhering to
those clauses of the contract.
Mr. Cartwright. Right.
Ms. Seymour?
Ms. Seymour. I agree with everything that my colleagues
have put forth, but I will add that site inspections are also
important, and those are some of the things that we do at OPM
with our contractors, as well as continuous monitoring. Looking
at a system every third year is not ample. That is not a best
practice and we need to move more towards looking at different
security controls at different intervals of time.
The other option that we do use is our IG also does
inspections of our contractor companies.
Mr. Cartwright. Mr. Esser?
Mr. Esser. I agree with what the other witnesses stated.
Like Ms. Seymour just said, we, as the IG, go out and we do
audits of contractors, health insurance companies, the
background investigation companies, as well. So we can be used
and see ourselves in that role.
Mr. Cartwright. Mr. Chairman, I thank you for your
indulgence. I also want to note that USIS was invited here
today, but refused----
Chairman Chaffetz. I appreciate the gentleman. You are
almost three minutes over time. We have classified that we have
to go to and we have members that still have an effort.
Mr. Cartwright. Yield back.
Chairman Chaffetz. Thank you. Appreciate it.
I now recognize Mr. Russell from Oklahoma for five minutes.
Mr. Russell. Thank you, Mr. Chairman.
I am baffled by all of this. Upon receipt or upon your
appointment of the directorship of OPM, Director Archuleta had
stated that she was committed to building an inclusive
workforce. Who would have thought that that would have included
our enemies.
In this testimony here today, we heard statements that we
did not encrypt because we thought they might be able to
decrypt or decipher. That is just baffling to me.
There was another statement I heard earlier today that said
had we not established the systems, we would never have known
about the breach. That is tantamount to saying if we had not
watered our flower beds, we would have never seen the muddy
footprints on the open windowsill.
I mean, this is absolute negligence that puts the lives of
Americans at risk, and also foreign nationals that interact
with these Americans. Of particular concern are the SF 86
forms, of which I am very familiar, with my background prior to
coming to Congress.
We had Sean Gallagher from Ars Technica, who summed it up
probably best. He said that this breach was a result of
inertia, a lack of internal expertise, and a decade of neglect.
Director Archuleta, why did you not shut down 11 of the 21
systems that had no security assessment and authorization?
Ms. Archuleta. Sir, as I mentioned before, there are
numerous priorities that go into employee safety and security,
including making sure that our retirees receive their benefits
or that our employees get paid. There are numerous
considerations that we had to----
Mr. Russell. Would one of those considerations be
encrypting Social Security numbers? I mean, does it take a
degree in IT in cybersecurity to encrypt Social Security
numbers? I didn't think so.
Did your cybersecurity strategic plan include leaving
half of OPM's systems without protection when you formulated
it? Was that part of the plan?
Ms. Archuleta. No, sir.
Mr. Russell. Then why was it not made a priority?
Ms. Archuleta. The systems that the IG referred to in our
plan, those systems that he recommended that we shut down, he
recommended that we shut them down because they were without
authorization. All of our systems are now authorized and they
are operating.
I have to say that we are looking at systems that are very,
very old, and we can take a look at encryption and other steps
that could be taken, and certainly we are doing that, but as we
look at this system, we are also having to deal with decades
of----
Mr. Russell. Well, I understand that, but I also understand
there is an old saying we had in the military: poor is the
workman who blames his tools. Missions can be accomplished even
with what you have, and measures could have been done had this
been made a priority. What I see now is why did OPM have no
multi-factor authentication for users accessing the system from
outside OPM? There was no multi-faceted means. If they get into
the system, they have free rein, is that correct?
Ms. Archuleta. We have implemented multiple factors. Ms.
Seymour has mentioned multi-factor authentication with our
remote users and are working now.
Mr. Russell. And when was that put in place, before or
after the breach?
Ms. Archuleta. This began in January of 2015.
Mr. Russell. Okay. So stolen credentials could still be
used to run free in the system, is that correct?
Ms. Archuleta. Prior to the time of the two-factor
authentication, obviously, it takes time to implement all of
these tools. I am as distressed as you are about how long these
systems have gone neglected when they have needed much
resources, and it is in my administration that we have put
those resources to it. We have to act quickly, which we are
doing, and we are also working with our partners across
government.
As I said before, cybersecurity is an issue that all of us
need to address across the Federal Government.
Mr. Russell. Was a priority made to these outside systems
that were most vulnerable that would allow this type of free
run?
Ms. Archuleta. I am sorry, sir, would you repeat the
question?
Mr. Russell. Was a priority made to these outside accessing
systems to OPM's database that once they get in them they have
a free rein, a free run?
Ms. Archuleta. Yes, it was a priority, sir, but as I said
before, legacy system, it takes time.
Mr. Russell. It didn't take our enemies time.
Thank you, Mr. Chairman. I yield back.
Chairman Chaffetz. I thank the gentleman.
Now recognize the gentleman from California, Mr. Lieu, for
five minutes.
Mr. Lieu. Thank you, Mr. Chairman.
Director Archuleta, under your watch, last March, OPM
database containing the crown jewels of American intelligence
was breached. This year the same exact database was breached. A
third database containing over 4 million Federal employees'
data unencrypted was breached.
The IG has said that at OPM your technology systems are
either materially weak or seriously deficient, and my question
to you, just a very simple yes or no, is do you accept
responsibility for what happened?
Ms. Archuleta. I accept responsibility for the
administration of OPM and the important role of our IT systems
in delivering the services, and I take very seriously my
responsibilities in overseeing the improvements to a decades-
old legacy system.
Mr. Lieu. I don't really quite know what that means. I
asked for a yes or no. But that is fine, you have answered it.
I am going to reserve the balance of my time to make a
statement. Having been a member of this oversight committee,
and as a computer science major, it is clear to me there is a
high level of technological incompetence across many of our
Federal agencies. We have held hearings where it showed that
Federal agencies couldn't procure, implement or deploy IT
systems without massive bugs or massive cost overruns.
We have held hearings where at least one Federal agency, in
this case the FBI, had a fundamental misunderstanding of
technology, where they continue to believe they can put in back
doors to encryption systems just for the good guys and not for
hackers, which you cannot do. We had over 10 Federal data
system breaches last year.
So there is a culture problem and there is a problem of
civilian leadership not understanding we are in a cyber war.
Every day we are getting attacked in both the public and
private sector. The U.S. military understands this; that is why
they stood up an entire cyber command. But until our civilian
leadership understands the gravity of this issue, we are going
to continue having more data breaches.
Let me give you some examples of this culture problem. You
have heard today there was unencrypted Social Security numbers.
That is just not acceptable. That is a failure of leadership.
Look at the various IG reports over the years showing
material weaknesses and then look at last year's IG report,
page 12, that says as of November of last year, OPM had not yet
done a risk assessment. That is ridiculous, especially since
you knew in March your system was breached. That is a failure
of leadership. And this goes beyond just OPM.
Now, Mr. Scott, you have only been here a few months, so
you are going to get a pass on this, but I want to know why was
it that it wasn't until last Friday that agencies were ordered
to put in basic cybersecurity measures? Why wasn't this done
last year? Why wasn't this done years before? There is a
failure of leadership above that of OPM.
And when there is a culture problem, what have we done in
the past? Especially in the area of national security, you
can't have the view that, oh, this is legacy system, oh, we
have these excuses. In national security it has to be zero
tolerance. That has to be your attitude. We can't have these
breaches.
The CIA can't go around saying, you know, every now and
then our database of spies is going to get breached. That
cannot happen.
And when you have a culture problem, as we have heard here,
in the past, when agencies have had this, leadership resigns or
they are fired. At the DEA, leadership left. We had this happen
at the Secret Service; we had this happen at the Veterans
Administration. And we, as a government, do that for two
reasons: one is to send the signal that the status quo is not
acceptable. We cannot continue to have this attitude, where we
make excuse after excuse.
You know, I have heard a lot of testimony today. The one
word I haven't heard is the word sorry. When is OPM going to
apologize to over 4 million Federal employees that just had
their personal data compromised? When is OPM going to apologize
to the Federal employees that had personally devastating
information released through the SF 86 forms? I haven't heard
that yet.
And when there is a culture problem, we send a signal to
others that the status quo is unacceptable and leadership has
to resign. Another reason we do that is because we want new
leadership in that is more competent.
So I am looking here today for a few good people to step
forward, accept responsibility, and resign for the good of the
Nation. I yield back.
Chairman Chaffetz. I thank the gentleman. Well said.
Now recognize the chairman of the IT subcommittee, Mr.
Hurd, of Texas, for five minutes.
Mr. Hurd. Thank you, Mr. Chairman.
It is my hope that every agency head and every CIO of these
agencies are listening or watching or will read the testimony
after this event, and that the first thing they do when they
wake up tomorrow is pull out the GAO high risk report that
identifies areas that they have problems with, they read their
own IG report and start working to address those remediations.
I have been at this job for 21 weeks, similar to Mr. Scott,
and one of the things you hear from people, they are frustrated
with their Government. Intentions are great.
Ms. Archuleta, you said at the beginning that the security
of Federal employee is paramount. I believe you believe that,
but the execution has been horrific. Intentions are not enough.
We have to have execution. And this is the thing that scares
me.
So my question, let's start with you, Ms. Archuleta. Did
the hackers use a zero day vulnerability to get into your
network?
Ms. Archuleta. I think that would be better answered in a
classified setting.
Mr. Hurd. Well, if it was a zero day vulnerability, I hope
everybody has been notified of this zero day; not only the
Government, but the private sector. We shouldn't be keeping
secret a zero day vulnerability.
I know a little something about protecting secrets; I spent
almost my adult life in the CIA doing that. This is something
that we need to get out. What I have read is that EINSTEIN did
detect the breach after the appropriate indicators of
compromise was loaded into it.
So my question is how long did, in Federal Government, did
somebody have access to these indicators of compromise and why
did it take however much that time to get it into EINSTEIN's
system, and has that been promoted to every other agency that
is using EINSTEIN 2?
Mr. Ozment. Representative, OPM, once they implemented
their security measure and discovered this breach, gave us the
indicators of compromise immediately and we loaded it into
EINSTEIN immediately. That is, we loaded it into EINSTEIN 2 to
both detect and we looked back through history to see if any
other traffic back in time had indicated a similar compromise.
That is how we found an intrusion into OPM related to this
incident that led to our discovery of the breach of the
personal records.
We also put it into EINSTEIN 3 so that agencies covered by
EINSTEIN 3 would be protected against a similar activity moving
forward. And then we held a call with all the Federal CIOs and
disseminated these indicators to them and asked them to search
their networks for these indicators.
Mr. Hurd. Has that been done?
Mr. Ozment. That has been done.
Mr. Hurd. Okay.
Ms. Seymour, you talk about legacy systems and the
difficulty of protecting those. What are some of those legacy
systems and what programming software is used to develop those
systems?
Ms. Seymour. These are systems, sir, that have been around
for going close to 25, 30 years.
Mr. Hurd. So it was written by COBOL?
Ms. Seymour. COBOL systems. One of the things I would like
to offer is that Director Archuleta and I actually were brought
here to solve some of these problems.
Mr. Hurd. When did you start your job?
Ms. Seymour. In December of 2013.
Mr. Hurd. And why did we wait to implement two-factor
authentication until after the attack?
Ms. Seymour. We have not waited, sir.
Mr. Hurd. So two-factor authentication was being deployed
prior?
Ms. Seymour. These are two decades in the making. We are
not going to solve them all in two years. And if we continue----
Mr. Hurd. See, that is where I disagree with you, okay?
Again, we have to stop thinking about this that we have years
to solve the problem. We don't. We should be thinking about
this in days.
Ms. Archuleta, how much overtime have you signed off on
since this hack, of people that are dealing with the
compromise?
Ms. Archuleta. My CIO team works 24/7.
Mr. Hurd. So if I walk into your building at 8 p.m. at
night, there are going to be people drinking Red Bull, working
furiously in order to solve this problem?
Ms. Archuleta. I am very proud of the employees that are
working on this issue, and they have been working 24/7.
Mr. Hurd. Mr. Scott, you have inherited a mess, my man, and
we are looking to you, and whatever this committee can do to
help you to ensure things like this doesn't happen, to ensure
that these agencies and the CIOs of the agencies are
implementing the recommendations of the IG, the recommendations
of the GAO, we are here to do that. And we are going to
continue to drag people up here and answer these questions,
because that is our responsibility.
I recognize that you are not going to stop anybody from
penetrating your network. But how quickly can you identify
them, can you quarantine them, and can you kick them off the
network? Those are the three metrics we should be using about
the health of our systems, and we are woefully inadequate.
I yield back the time I do not have. Thank you, sir.
Chairman Chaffetz. Thanks.
Mr. DeSantis, of Florida, is now recognized for five
minutes.
Mr. DeSantis. Thank you, Mr. Chairman.
Ms. Archuleta, in your testimony you said, and I think this
is the direct quote, ``we have now confirmed that any Federal
employee from across all branches of Government whose
organization submitted service history records to OPM may have
been compromised, even if their full personnel file was not
stored on OPM's system.''
What do you mean by service history?
Ms. Archuleta. Their careers. They may have been in a
different position earlier than perhaps as they move around
Government, so it may be someone whose current job would not be
in the system, but because of their service history their
information would be dated back, and it is for retirement
purposes.
Mr. DeSantis. Okay, so a potentially broader breach.
I tell you, an SF 86, I remember filling that out when I
was a young officer in the Navy, and it is by far the most
intrusive form that I have ever filled out. It took me days. I
had to go do research on myself to try to figure out. And it is
not just that you are doing a lot of personal and sensitive
data about the individual applicant, the SF 86 asks about
family members, it asks about friends, spouse, relatives, where
you have lived, who you knew when you lived in these different
places. It also asks you to come clean about anything in your
past life.
So, to me, people have said that this is crown jewels
material in terms of potential blackmail. So this is a very,
very serious breach.
My question for Ms. Archuleta, were cabinet level officials
implicated in this breach?
Ms. Archuleta. Sir, this type of information would be
better discussed in a classified setting.
Mr. DeSantis. Understood. What about people in the military
and intelligence communities?
Ms. Archuleta. As I mentioned earlier, I believe that this
is something that we could respond to in a classified setting.
Mr. DeSantis. Okay. So you don't disagree with my
characterization of the SF 86 and that the compromise, let's
just say theoretical if you don't want to say what actually
happened here, that that is a major, major breach that will
have ramifications for our Country?
Ms. Archuleta. As I said, we will discuss this with you in
the classified setting.
Mr. DeSantis. Okay. SF 86 forms also require applicants to
list foreign nationals with whom they are in close contact, so
that means China now has a list, for example, of Chinese
citizens worldwide who are in close contact with American
officials. They can, and will, obviously use that information
for espionage purposes.
So what are the security implications of that type of
information falling into enemy hands? That could be for
anybody.
Mr. Ozment. Sir, that is a question that we will discuss in
the hearing this afternoon.
Mr. DeSantis. Okay. Now, some reports say that not only
were the hackers pursuing information on Federal employees, but
also password and encryption keys that could be used for trade
secret theft and espionage. And I guess you will have more to
say about that in a classified setting, but at least for this
forum can you say that that is a significant risk; that is not
the type of information that we would want the enemy to have
and it can, in fact, be very damaging, correct?
Mr. Ozment. Again, sir, we are going to defer discussion on
that until the classified briefing in a few minutes.
Mr. DeSantis. Okay. And I get that and I will be there and
I will listen intently. But it really concerns me because this
is really a treasure trove for our enemies, potentially. And
the fact that this system was hacked and we didn't even know
about it for a long time, that is really, really troubling.
If you ask people if they want to serve in these sensitive
positions and they think that by filling out these forms they
are actually going to put themselves or their family
potentially at risk because the Government is not competent
enough to maintain that secretly, that is a major problem as
well. So the information can be used against the Country, then
you are also, I think, going to have a chilling effect on
people wanting to get involved if we don't get a handle on
this.
So I look forward to hearing from the witnesses in a
classified setting and I yield back the balance of my time.
Chairman Chaffetz. Thank you.
Now recognize the gentleman from Alabama, Mr. Palmer, for
five minutes.
Mr. Palmer. Thank you, Mr. Chairman.
Ms. Seymour, does the employee exposure extend only to
those who filled out Standard Form 86, or does it include
others as well?
Ms. Seymour. Our investigation is ongoing, sir.
Mr. Palmer. Well, ma'am, apparently it does, because I have
two employees who have never filled out a Standard Form 86, and
they have a letter from you informing them of the possibility
that their data may have been compromised. So I will ask you
again, and it is a yes or no, does it extend beyond the people
who filled out an SF 86?
Ms. Seymour. My answer to that is yes, sir. There are two
incidents that we have come here to talk with you today.
Mr. Palmer. Why didn't you answer yes to start with?
Ms. Seymour. Because you were talking about SF 86s, sir.
Mr. Palmer. No. I made it clear. I asked you, did the
exposure extend beyond those who filled out SF 86, and you said
the investigation was ongoing. Apparently, you have
investigated enough to send a letter to employees who didn't
fill out those forms, so thank you for your yes answer.
In your judgment, Ms. Archuleta, how likely is it that the
hackers were able to access these personnel files through an
employee account?
Ms. Archuleta. Sir, we will be able to discuss that with
you during the classified session.
Mr. Palmer. Well, let me be a little bit more specific. Are
you familiar with The Wall Street Journal article that
indicated that it was possible that the breach occurred through
personal email accounts, because employees were using the
Federal system and that early in 2011 the Immigration and
Customs Enforcement agency noticed a significant up-tick in
infections and privacy spills, and they asked for a directive
or they put out a directive that Federal employees could not
use the Federal system to access their personal emails? But the
American Federation of Government Employees filed a grievance
with the federal arbitrator claiming that that was something
that needed to be bargained and needed to be part of the
collective bargaining agreement.
The arbitrator dismissed ICE's security arguments in 75
words, claiming that the law didn't give the Federal agencies
exclusive discretion to manage the IT systems, so ICE wasn't
able to shut that off. Do you have any comment on that?
Ms. Archuleta. No, sir. Again, those are issues that we
will be able to discuss in the classified hearing.
Mr. Palmer. Well, it is being discussed in The Wall Street
Journal.
I think for now, since we need to head to the hearing, I
will yield the balance of my time.
Thank you, Mr. Chairman.
Chairman Chaffetz. I thank the gentleman.
Now recognize the gentleman from Georgia, Mr. Hice, for
five minutes.
Mr. Hice. Thank you, Mr. Chairman.
Mr. Esser, what are the risks that are associated with not
having a valid system authorization?
Mr. Esser. Well, the risks are evident that not having a
valid authorization essentially could be a symptom of weak
controls over operating systems and applications, and lead to
things such as a breach.
Mr. Hice. Okay. With all the things that we are talking
about here today, Ms. Seymour, you were obviously fully aware
of these risks and OPM was aware of these risks?
Ms. Seymour. Yes, sir, I was aware of these reports.
Mr. Hice. Okay.
Now, I kind of hate going back to this because it has come
up several times already today, but still I am waiting for an
answer. The inspector general put out his report last November
expressing great alarm, recommending that OPM consider shutting
down the systems because of the risks that you knew about, Ms.
Archuleta knew about, and yet these recommendations were
ignored.
Now, I am going to come back to you with this because,
quite frankly, Ms. Archuleta has tried to dodge this question
and dance all around it. I want to come straight up with you.
Why were those recommendations not followed?
Ms. Seymour. Two reasons, sir. One is an authorization to
operate is merely the documentation of the security controls of
a system and their effectiveness. That does not mean simply
because you don't have an authorization that those tools don't
exist.
The other effort is, as the IG was doing its audit, we were
taking all of those vulnerabilities into play. We had already
developed a security plan that we were in the process of
implementing, and the IG admits in their report that we were in
the process of implementing many of those controls.
Mr. Hice. Did the plan that you were in process of
implementing work? Obviously, it didn't. Would shutting it down
have worked?
Ms. Seymour. The controls that we put in place allowed us
to stop the remote access to our network, and they also allowed
us to detect this activity that had occurred prior to the IG
report.
Mr. Hice. But the vulnerability was still there and your
plan failed.
Ms. Seymour. There are vulnerabilities in every system.
What we do is a risk management process, sir, where we look at
the vulnerabilities as well as the business that we must
conduct.
Mr. Hice. Mr. Esser, let me come back to you. Currently,
what are the consequences of owners of OPM IT system?
Currently, what are the consequences now if they operate
without a valid authorization?
Mr. Esser. There are essentially no consequences. We report
that in our FISMA audits, but other than that there are no
official sanctions in place. It is something that gets
publicized, and that is the extent.
Mr. Hice. So it sounds to me like this thing is still not
being taken seriously. If there are no consequences for
operating without authorization, why in the world are we still
operating without authorization? Or is that occurring?
Ms. Seymour. Sir, I have extended the authorizations that
we had on these systems. Because we put a number of security
controls in place in the environment, we have increased the
effectiveness of the security around those systems.
Mr. Hice. But there are no consequences for not operating
on a system with authorization, so how seriously are you taking
it?
Ms. Seymour. There are consequences.
Mr. Hice. What are they?
Ms. Seymour. Those consequences are if you aren't doing the
assessments, documenting them, while that is evidence that
those assessments have been done, the assessments themselves
are more important; the scanning of the network, the tools that
are in place.
Mr. Hice. That is not the consequences. What are the
consequences? You said there are consequences. I want to know
what they are.
Ms. Seymour. The consequences that we have are we report to
OMB on a quarterly basis about the status of our security and
our network.
Mr. Hice. That doesn't sound like consequences; that sounds
like just reporting that you are required to do anyway. There
are no consequences involved in those reports.
Mr. Esser, again, are there measures that need to be taken
to get the whole thing up to the standard it ought to be? I
mean, is there anything that you would recommend?
Mr. Esser. Yes. Yes. We do recommend that the CIO, the
agency take the steps that in a lot of cases they are beginning
to take. The centralization of the IT governance is well along
the way. What they also need to do is get a full inventory of
the assets that they are responsible for protecting.
The shell project that Ms. Seymour has alluded to earlier
is also something that we support. We also have some concerns
about the way the project has been started and managed, but
overall we support the idea behind the shell project.
Chairman Chaffetz. We appreciate the gentleman.
We now recognize the gentlewoman from New Mexico, Ms. Lujan
Grisham, for five minutes.
Ms. Lujan Grisham. Thank you, Mr. Chairman. Thank you for
having this important hearing.
I want to thank the panel for taking this conversation and
these questions so seriously.
In New Mexico, we are one of the States that has one of the
largest percentage or per capita Federal employees in the
Country, in the top five, so I have 50,000 Federal employees in
my home State, and I am on their side by being incredibly
concerned about this and, quite frankly, many other data
breaches.
The growing sophistication, frequency, and the impact on
both public and private entities by cyber attacks continue to
be a very serious threat. In fact, two days after my first
election, one of the key briefings by one of the national labs
which is in my district on Kirtland Air Force Base is the
continuing growing concern with cybersecurity issues and their
aggressive responses both to be proactive as much as they can
and to appropriately be reactive once you have an identifiable
breach.
Given the data breach at OPM and at Home Depot and at
Target, Anthem, it is clear to me that not only does the
Federal Government have a role in protecting Federal employees
and the information that you have, but we have a role in
working to protect the public in general from these serious and
continuing series of cyber attacks.
But I recognize also that this is a very challenging effort
and that there is not a simple solution. If there was, we could
stop this hacking altogether and have the magic bullet. And as
much as I want you to do that, I don't want to minimize the
fact that I recognize that that is more difficult to say than
do. No, it is easy to do; it is not so easy to do. But my
concerns are growing given that even the best in the Country
are facing significant cyber attacks, including Kaspersky Lab,
who we are relying on for innovative and appropriate
technologies to implement.
So given that diatribe and given all the questions that you
have had about accountability, about the serious nature, here
is really my question. The Federal Government is not known for
being, and I mean no disrespect by this, but just stating the
facts, it is not a proactive, very reactive body just by the
nature of how large it is, how broad our mission is, and how we
are dependent on whatever the resources are and the priorities
are at any given time.
Given that climate and the role to protect the general
public and your role to protect Federal employee information,
what can you do that is different, that puts you in a position
to be much more proactive, particularly given the nature of
cyber attacks? Quite frankly, they have already hacked in as
you are making the next modifications.
Anyone on the panel. Mr. Scott, that may be a question that
is primarily for you, but I would be interested in anybody's
response.
Mr. Scott. Sure. I can think of several things in the short
run that actually we already have underway, but probably long-
term the biggest thing is to double down on replacing these
legacy sort of old systems that we have. One of the central
problems here is you have old stuff that just was not designed
or built in an era when we had these kinds of threats, and it
is, in some cases, very, very hard to sort of duct tape and
band aid things around these systems.
It doesn't mean there is nothing you can do, but
fundamentally it is old architectures that need to be replaced
and security needs to be designed into the very fabric of the
architecture of the hardware, the software, the networks, the
applications. And the faster we can do that, the faster we are
on a better road.
Ms. Lujan Grisham. And given your role to do that in
Federal Government, I am not clear today what percentage of
legacy systems and old architecture platforms that we are still
operating under and which departments are more at risk than
others. What is the time frame for getting that done and what
is a reasonable course for this committee to take to make sure
we have accountability in Federal Government to move forward
exactly in that effort?
Mr. Scott. Well, I think the first thing is we are going to
be very transparent with you in terms of the OMB reports in
terms of where we are at on that journey as we go through our
work over the course of the year. Several of the members of
this committee have said they are going to pay very close
attention to that, which I encourage.
Chairman Chaffetz. The gentleman will suspend.
Our time is so tight to our 1:00 o'clock briefing. We would
like a full and complete answer. There will be questions for
the record and we will continue to follow up, and I hope you
understand.
Mr. Scott. Be happy to.
Chairman Chaffetz. We need to give time to Mr. Grothman
from Wisconsin, who is now recognized for five minutes.
Mr. Grothman. I am glad we have established that the
Federal Government is not a proactive, reactive body. It is
something for us to always remember, no matter what bill moves
around here. It is something to remember about the Federal
Government.
But be that as it may, the first question I have for you
guys, this is kind of a significant story here. Just out of
curiosity, just to see how the Federal Government operates, has
anybody lost their job over this or have there been any
recriminations in that regard?
Ms. Archuleta. No, sir.
Mr. Grothman. Okay. Next question, I don't care who answers
it. As I understand, it took months for the State Department to
root out the Russian hackers in their unclassified systems.
Now, apparently the Chinese hackers are known for leaving
behind time-delayed malware. Do we know for sure that these
people are out of the system by now or could they still be
poking around?
Mr. Ozment. Representative, we have a joint interagency
team led by DHS, with participation by the FBI and National
Security Agency, who have worked with OPM and the Department of
Interior on this incident. They have assessed that they have
fully removed the adversary from these networks, but it is
extremely difficult to have 100 percent certainty in these
cases.
Mr. Grothman. Okay, so it could be, but you think probably
out.
Mr. Ozment. Yes, sir.
Mr. Grothman. Okay. Final question. Apparently there are
rumors that people are now selling some of these files. Is this
a threat or do we know if it is going on? And if it is going
on, are we doing anything to counter that?
Mr. Ozment. Sir, I think that the impact and such are
questions better suited for the classified briefing we are
about to have.
Mr. Grothman. Okay. I yield the remainder of my time.
Chairman Chaffetz. Thank you.
I want to thank the panelists and everybody that is here. I
think you understand, on a bipartisan basis, how seriously we
take this situation.
To those Federal employees who are affected, one of the
things that should come out is that in the letter, the very end
of the letter, if you receive one of these letters, it does
note that the Office of Personnel Management is not going to
call you. They are not going to contact you to provide
additional information. There will be some very bad actors that
are going to try to take advantage of this bad situation and
exploit it for their own personal gain. They have already done
that. They are going to do it again and there are going to be
others that are going to try to do that.
To all of our Federal employees, please do not fall victim
yet again to somebody who is going to send you an email or make
a call and try to prey upon you further. It was noted in the
letter. It is worth noting here from the pulpit.
Again, we look forward to the 1:00 classified briefing. We
are going to have to hustle.
The committee now stands adjourned. Thank you.
[Whereupon, at 12:50 p.m., the hearing was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]