The harshest blow came just after Tuesday’s hearing when Committee Chairman Jason Chaffetz (R-Utah) called for her and Donna Seymour, OPM’s chief information officer, to resign. During the hearing, Rep. Ted Lieu (D-Calif.) also complained about a “failure of leadership” and suggested OPM officials “step forward, accept responsibility, and resign for the good of the nation.”
Archuleta and Seymour were called to Capitol Hill to explain massive cyber-attacks on OPM files. Information on more than 4 million feds was compromised, including highly personal details of federal employees with security clearances.
“But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network,” said Archuleta, trying to put the best face on a bad situation.
Rather than mollifying committee members, they essentially accused her a putting lipstick on a pig. And they had plenty of ammunition from OPM’s Office of Inspector General (IG), which has repeatedly warned the agency about holes in its digital armor.
Assistant IG Michael R. Esser acknowledged OPM efforts that have “resulted in improvement in the consistency and quality of security practices for the various IT systems owned by the agency.”
But that was not sufficient to overcome the overwhelming impression that OPM did not do enough soon enough.
Although most of the IG’s audits on OPM’s information technology systems are done toward the end of the year, he said “it already appears that there will be a greater number of systems this year operating without a valid authorization.” An authorization is a thorough assessment to ensure that IT systems meet security standards.
Committee members, especially Republicans, hammered Archuleta on the IG’s finding that authorizations for 11 major systems last year “were not completed on time and were therefore operating without a valid authorization. This is a drastic increase from prior years and represents a systemic issue of inadequate planning by OPM program offices to assess and authorize the information systems that they own.”
Particularly upsetting to them was Esser’s report that the IG recommended Archuleta “consider shutting down systems that were in violation. None of the systems in violation were shut down.” Archuleta said a shutdown could have had affected the pay and benefits of federal employees.
“I think they should step down,” Chaffetz said. “They give me no confidence that they can actually solve this problem.”
Archuleta, however, apparently is not planning to go anywhere.
After the hearing, OPM’s press secretary, Sam Schumach issued a statement praising Archuleta and Seymour. “Director Archuleta is committed to finishing the important work outlined in her IT strategic plan,” he said, and “will continue to evaluate and improve security systems to make sure our sensitive data is protected to the greatest extent possible, across all networks.”
Another item on her to do list should be earning the confidence of Congress. It was not just Chaffetz and the Republicans who were upset with her performance. Archuleta and Seymour deflected questions from both sides of the room by repeatedly and excessively saying they would not answer even basic questions until a classified briefing for all members after the committee hearing.
After trying to get a yes or no answer on whether stolen Social Security numbers were encrypted (the eventual answer was no), a frustrated Rep. Stephen Lynch, a Massachusetts Democrat, said, “this is one of those hearings where I think I’m going to know less coming out of this hearing than I did when I walked in because of the obfuscation and the dancing around…
“I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are at keeping information out of the hands of Congress and federal employees,” he told Archuleta. “It’s ironic. You’re doing a great job stonewalling, stonewalling us, but hackers not so much.”
This data breach has been the biggest blow to Archuleta during her 19 months as director. Her job likely isn’t in grave danger yet, but she can’t take many more blows like those she suffered Tuesday.