A top House Republican Tuesday called on the government’s personnel chief and her chief information officer to resign after saying that she “failed utterly and totally” to prevent the massive hack that exposed the personal data of 4.2 million active and former employees.
“Those two had an opportunity to right the ship…they did not get it done, and there should be consequences,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told reporters after a contentious hearing on the cyberattack. Office of Personnel Management Director Katherine Archuleta and the agency’s chief information officer, Donna Seymour, were grilled for almost three hours by angry lawmakers from both parties.
“If we want a different result, we’re going to have to have different people,” Chaffetz said as he walked down a hallway of the Rayburn House Office Building moments after the hearing ended. Our colleague Joe Davidson was there.
The comments capped a series of tense exchanges between Archuleta and House Democrats and Republicans, many of whom represent districts with thousands of federal employees. Lawmakers noted that OPM was warned repeatedly by the agency’s inspector general to make computer security upgrades, but took too long.
“Your systems were vulnerable,” Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, said in a testy exchange with Archuleta, at a hearing on the data breach.
“The data was not encrypted,” Chaffetz said, raising his voice as he tried to understand what exactly was hacked and whether the attack could have been avoided.
The inspector general “recommended you make changes,” Chaffetz said. “You didn’t. The information was vulnerable, and the hackers got it. I want to know why.”
The agency’s watchdog recommended last year that OPM consider shutting down computer security systems that were particularly vulnerable to hackers.
Inspector General Patrick McFarland found that 11 major OPM systems were operating without the agency’s certification that they met security standards. Auditors recommended to Archuleta that OPM consider shutting down those systems.
She said the recommendation came “after the adversaries were already in our network,” a reference to a previous data breach. She said she is working hard to upgrade the agency’s information security weaknesses.
“The recommendations are ones we take very seriously,” Archuleta said. She also said some of OPM’s databases are too old to successfully encrypt.
OPM officials said that even if the data had been encrypted, the hackers would have worked around it and gotten through.
Rep. Elijah Cummings (D-Md.), the oversight committee’s top Democrat, accused a former OPM contractor, USIS, of “obstructing” the committee’s work. He noted that Chaffetz had invited USIS to testify at the hearing. “But last night they refused,” Cummings said. “Just like they have refused repeated requests for information over the past year” about a breach of USIS networks that resulted in the compromise of sensitive security clearance information.
Cummings wanted to know whether the intruders — reportedly Chinese government hackers — gained access to OPM’s networks using information stolen from USIS, or from another contractor named KeyPoint. “Given the history of noncompliance at USIS, I believe this [testifying on the Hill] may be one of the only ways to obtain the information we’re seeking,” he said.
Chaffetz pressed OPM for more answers on what information is contained in the hacked databases, which include personnel files spanning 30 years and a separate database containing information on background checks for security clearances.
He wanted to know whose data was compromised. Did it include employees from the Central Intelligence Agency? The military? Federal contractors?
Archuleta declined to answer him, saying lawmakers would learn more in a classified briefing Tuesday afternoon that will be closed to the public.
Chaffetz said some of the information should be made public.
“Can you assure the federal workers that you’re going to implement all the recommendations” to shore up IT security, Rep. Mark Meadows (R-N.C.) asked Archuleta. He then interrupted her when she tried to say that the agency was making the changes a high priority.
“I assume that means no,” Meadows said.
Seymour, OPM’s chief information officer, said the data in the background investigations database could span an employee’s lifetime. Investigators still haven’t figured out how many of those employees had their data taken because it’s an old system, with many agencies contributing, she said.
Toward the end of Tuesday’s hearing, a lawmaker asked Archuleta if anyone at her agency had been fired for not putting computer security upgrades in place before the hack.
“No,” she answered.
Ellen Nakashima contributed to this story.
This post has been updated.