USIS, the embattled Falls Church contractor, on Friday pushed back against criticism that it didn’t do enough to prevent a massive cyberattack and accused the federal government of neglecting to share information that might have helped it detect the intrusion earlier.
Responding to Rep. Elijah E. Cummings (D-Md.), who had demanded answers about the attack, an attorney for USIS wrote in a letter obtained by The Washington Post that the company acted quickly and responsibly once it detected the breach.
In May, a month before the intrusion was detected, IT security personnel from the Office of Personnel Management examined USIS’s network security and said it met or exceeded requirements, the company said. But OPM officials failed to tell the company that the agency itself had recently suffered a cyberattack, which made it “impossible for USIS to learn from the OPM attack and be ‘better prepared,’ ” wrote the attorney, James DeGraw.
For years, USIS performed the bulk of the federal government’s background checks for security clearances. After the breach, OPM canceled its contracts, forcing the company to shutter that portion of its business.
USIS said it sought to work closely with OPM after the breach. But DeGraw wrote that “no meaningful partnership will ever exist if the U.S. government response to cooperation is to punish and shut down organizations that, like so many government agencies, happen to fall victim to a cyber attack.”
A spokesman for OPM said the decision not to renew the company’s contract “took into account a variety of factors and was not solely based on the breach of USIS’s network. OPM followed applicable cybersecurity protocols and all contractual and legal obligations in responding to the breach of its network.”
USIS had been under fire before the computer breach, which potentially exposed the personal information of thousands of government employees. It was accused in a whistleblower lawsuit, joined by the Justice Department, of “flushing,” or submitting 665,000 background checks that were not fully complete. And it remains under criminal investigation in connection with that alleged activity.
“The letter from USIS raises more questions than it answers,” Cummings said in a statement. “USIS fails to provide answers to questions I posed regarding the extent of personal information about federal workers compromised in the breach. USIS tries to blame the government for its own deficiencies, which is ironic coming from a company that stands accused of massive fraud against U.S. taxpayers in a $1 billion suit brought by the Department of Justice.”
Members of Congress had questioned why OPM would work with a company accused of defrauding the government. When the breach occurred, the pressure continued to mount on the company, which had conducted background checks for National Security Agency leaker Edward Snowden and Navy Yard shooter Aaron Alexis.
In September, Cummings, the ranking Democrat on the House Oversight and Government Reform Committee, said he wanted to subpoena USIS’s chief executive, accusing the company of being unresponsive in the wake of the cyberattack.
Last month, Cummings demanded answers from USIS’s parent company as to why the contractor’s “data protections were not as robust as the government’s protections or why USIS was not better prepared.”
But in Friday’s letter, USIS said that it detected the intrusion itself in June. It notified OPM “within 30 minutes” and hired a top computer forensic and security firm, Stroz Friedberg, to “leave no stone unturned” as it investigated the attack and helped USIS prevent it from happening again, the letter said.
Those remediation efforts were successful, the company said. “No cyber-attacker activity has been detected within USIS systems by any person,” the letter said.
USIS also purchased new equipment for all of its field workers “at substantial cost” before OPM declined to renew the contracts, valued at about $250 million annually.
The termination of the contracts on Sept. 30 had a devastating effect on USIS, which at one point employed about 3,000 workers in its investigations division. And it marked a stunning downfall for a company that was spun out of the federal government in an unprecedented privatization plan during the Clinton administration in the mid-1990s.
When OPM announced it would not renew the contracts, some members of Congress cheered, saying the alleged “flushing” of security checks was a threat to national security.
But many companies, including contractors, have been hacked without such ramifications, USIS said.
“Instead of receiving assistance from government partners in addressing the cyber-attack or in further bolstering the security of its systems, as is routinely done for other government contractors, the government chose to completely abandon the USIS background investigations business,” the letter said.