
Lawmakers slam OPM for 'grossly negligent' approach to data security

At a Congressional hearing Tuesday, Office of Personnel Management officials testified about plans to bolster digital defenses in the wake of hacks that exposed millions of sensitive records about government officials.

AP Photo/Cliff Owen
Office of Personnel Management Director Katherine Archuleta testified on Capitol Hill on Tuesday before the House Oversight and Government Reform Committee.

Top Office of Personnel Management officials were called before a Congressional hearing Tuesday to answer tough questions about lax data protections and the agency's repeated failures to heed warnings about network security dating back to 2007.

"For any agency to consciously disregard its data security for so long is grossly negligent," said Rep. Jason Chaffetz (R) of Utah, chairman of the House Oversight and Government Reform Committee.

He said the agency's security efforts have been "akin to leaving all the doors and windows open in your house and expecting that no one would walk in and nobody would take any information."

The hearing took place just days after news surfaced that OPM had suffered a second hack on top of the one revealed earlier this month. Together, the breaches have compromised personal information of at least 4.2 million current and former federal employees, as well as an unspecified number of files pertaining to background checks.

Lasting more than three hours, the hearing revealed that even more detailed information than previously thought was among the compromised files. According to OPM officials, job assignments, performance ratings, date of birth, and place of birth were included in the stolen Standard Form 86 records, the questionnaire applicants fill out for background investigations. Because the information was stored unencrypted, the attackers could use the data immediately, without having to break any protection. The Associated Press has reported that as many as 14 million people could be affected.

Representative Chaffetz called it one of the worst data breaches in US history.

The breach was initially discovered in April but had likely begun four to five months earlier, said OPM Director Katherine Archuleta, who was appointed 18 months ago. She said that people whose information was taken during the breach would be notified by June 19.

The information stolen in the first breach included personnel files containing Social Security numbers, medical provider information, and other personally identifying information. During the investigation into that breach, the second hack was discovered. Compromised information in that breach included background checks of current and former employees dating back as far as 1985. The scope of the second breach is still under investigation.

Officials at the hearing would not comment on whether information on military personnel, contractors, or CIA employees was included in the breach, saving that conversation instead for a classified meeting that followed Tuesday's hearing.

Still, officials did admit that none of the information compromised in the two breaches was encrypted. When asked why, Ms. Archuleta said OPM's networks are too old to handle encryption.

"It is not feasible to implement on networks that are too old," she said. "The limitations on encryption's effectiveness are why OPM is taking other steps such as limiting administrators' accounts and requiring multifactor authentication."

But that rationale didn't make much sense to Lenore Blum, a professor of computer science at Carnegie Mellon University.

"What are these, computers made in the '50s they still have around?" Prof. Blum said. "I can't imagine that the government computers are that old."

According to Blum, as long as the computers that OPM uses were made after 1990, they should be able to support some form of encryption software. Participants at the hearing were largely in favor of such measures.

"Practices like data masking, redaction, and encryption must become the norm rather than the exception," said Rep. Elijah Cummings (D) of Maryland. 

Tuesday's hearing also included officials from the Department of Homeland Security, the Office of Management and Budget, the Department of the Interior, and the Office of the Inspector General.

While much of the discussion focused on what OPM can do to improve security, significantly better forms of network protections may not come for "years and years," said Tony Scott, chief information officer of the Office of Management and Budget.

Although the federal government spent nearly $80 billion on information technology this past year, Archuleta said her agency will request an additional $21 million in the 2016 budget to modernize its information technology infrastructure.

The hearing did not confirm the suspected Chinese origin of the hackers, though several members of Congress suggested the hack had been traced back to China.

Moving forward, Archuleta assured the committee that OPM would continue to improve its cybersecurity efforts and work on the recommendations given by the Inspector General "to the best of our ability."

"That's what frightens me, Mrs. Archuleta," said Rep. Mick Mulvaney (R) of South Carolina, "that this is the best of your ability."
