Lawmakers slam OPM for 'grossly negligent' approach to data security

At a Congressional hearing Tuesday, Office of Personnel Management officials testified about plans to bolster digital defenses in the wake of hacks that exposed millions of sensitive records about government officials.

Top Office of Personnel Management officials were called before a Congressional hearing Tuesday to answer tough questions about lax data protections and the agency's repeated failures to heed warnings about network security dating back to 2007.

"For any agency to consciously disregard its data security for so long is grossly negligent," said Rep. Jason Chaffetz (R) of Utah, chairman of the House Oversight and Government Reform Committee.

He said the agency's security efforts have been "akin to leaving all the doors and windows open in your house and expecting that no one would walk in and nobody would take any information."

The hearing took place just days after news surfaced that the OPM suffered a second hack on top of the one revealed earlier this month. Together, the breaches have compromised personal information of at least 4.2 million current and former federal employees, as well as an unspecified amount of files pertaining to background checks. 

Lasting more than three hours, the hearing revealed that even more detailed information than previously thought was among the compromised files. According to OPM officials, job assignments, performance ratings, date of birth, and place of birth were included in the Standard Form 86, the intake forms that were stolen. Because the information was unencrypted, the attackers could use the data immediately. The Associated Press has reported as many as 14 million people could be affected. 

Representative Chaffetz called it one of the worst data breaches in US history.

The breach was initially discovered in April, but had likely begun four to five months prior, said OPM Director Katherine Archuleta, who was appointed 18 months ago. She said that victims whose information was taken during the breach will be notified by June 19.

Among the information stolen was personnel files including Social Security numbers, medical provider information, personally identifying information, and personnel files. During the investigation into that breach, the second hack was discovered. Compromised information in that breach included background checks of current and former employees that date back as far as 1985. The scope of the second breach is still under investigation.

Officials at the hearing would not comment on whether information on military personnel, contractors, or CIA employees was included in the breach, saving that conversation instead for a classified meeting that followed Tuesday's hearing.

Still, officials did admit that none of the information compromised in the two breaches was encrypted. When asked why, Ms. Archuleta said OPM’s networks are too old to handle encryption.

"It is not feasible to implement on networks that are too old," she said. “The limitations on encryption’s effectiveness is why OPM is taking other steps such as limiting administrators’ accounts and requiring multifactor authentication."

But that rational didn't make much sense to Lenore Blum, a professor of computer science at Carnegie Mellon University.

"What are these, computers made in the '50s they still have around?" Prof. Blum said. "I can’t imagine that the government computers are that old."

According to Blum, as long as the computers that OPM uses are made after 1990, they should be able to support some kind of encryption software, of which participants at the hearing were largely in favor.

"Practices like data masking, redaction, and encryption must become the norm rather than the exception," said Rep. Elijah Cummings (D) of Maryland. 

Tuesday's hearing also included officials from the Department of Homeland Security, Office of Management and Budget, Department of the Interior, and Inspector General.

While much of the discussion focused on what OPM can do to improve security, significantly better forms of network protections may not come for "years and years," said Tony Scott, chief information officer of the Office of Management and Budget.

Despite spending nearly $80 billion in data security this past year, Archuleta said her department will be requesting an additional $21 million in the 2016 budget to modernize their current information technology structure.

The hearing did not confirm the suspected Chinese origin of the hackers, though several members of Congress suggested the hack has been traced back to China.

Moving forward, Archuleta assured the committee that OPM would continue to improve their cybersecurity efforts and work on the recommendations given by the Inspector General "to the best of our ability."

"That’s what frightens me, Mrs. Archuleta," said Rep. Mick Mulvaney (R) of South Carolina, "that this is the best of your ability."