The federal personnel chief said Tuesday that she does not believe “anyone is personally responsible” for the massive hack of federal employee data and security clearance files and instead blamed the breach on old computer systems and the hackers themselves.
“We have legacy systems that are very old,” Katherine Archuleta, director of the Office of Personnel Management, told Senate lawmakers at a hearing on the intrusion. “It’s an enterprise-wide problem. I don’t believe anyone is personally responsible.”
She then told Sen. Jerry Moran (R-Kan.), who pressed her repeatedly to take responsibility for failing to shore up the agency’s computer security, that the attackers are the ones to blame.
“If there’s anyone to blame, it’s the perpetrators,” Archuleta said. “Their concentrated, very well-funded efforts to come into our system are what we’re concerned about.”
Her comments before lawmakers on the Senate Appropriations Committee were the first public pushback against a growing chorus of lawmakers, federal employees — and today, presidential candidate Jeb Bush — who have called on Archuleta to resign following the intrusion. She still has the support of President Obama, the White House said last week, but she is coming under increasing scrutiny as many of the 4.2 million active and former federal workers who’ve been affected by the attack say OPM has fumbled its response.
“So to date you don’t consider anyone at OPM to be personally responsible [for the attack]?” Moran asked her. “Or is this simply a problem with the system and no one in particular is responsible?”
Archuleta responded, “I’m as angry as you are that this has happened at OPM. But cybersecurity is the responsibility of all of us.”
Asked to address the growing complaints about long hold times and other customer service problems with the private contractor OPM hired to offer victims of the hack credit monitoring and other security protections, Archuleta said her agency is “demanding from our contractor that they improve their services.”
“I am as angry as you are about that,” she told Sen. John Boozman (R-Ark.), chairman of the committee’s financial services and general government panel. “I want to be sure they are doing everything they can to improve those wait times. Employees should not have to experience that.”
CSID, which operates three call centers and is sending notifications to employees, is a subcontractor of Winvale, which won a $21 million contract this month to notify victims of the data breach that their employment information, from Social Security numbers to life insurance beneficiaries, may be compromised. A Winvale spokesman has said CSID is adding staff at its call centers, but offered no details about the expansion and whether taxpayers are footing the bill.
Archuleta also appeared to open the door to expanding the 18 months of credit monitoring OPM is offering, especially now that millions of additional employees, contractors and former employees will be notified soon that the personal details of background check forms for security clearances also were compromised.
Eighteen months “is an industry best practice,” she said. “We are examining that to see what the range of options may be.”
Archuleta said she is “working very hard on correcting decades of inattention” to weak computer security at her agency, and credited her efforts to add new security defenses for discovering the breach in the first place. But the OPM’s inspector general described a history of failures by the agency to take basic security steps.
She said the agency has added firewalls and a better authentication process for remote access and that it is adding more secure ways to encrypt data. A new data center network is expected to be completed by the end of this fiscal year.
Michael Esser, assistant inspector general for audit, testified that numerous recommendations to modernize aging systems and improve the security of modern ones have not been followed. He noted that a number of the systems that were breached in the hack disclosed in June were actually not “legacy systems,” but modern ones.
“They have made strides to improve some of the issues we’ve reported, but that said, there are a number of longstanding issues,” Esser said.
A former federal chief technology officer at the IRS and Department of Homeland Security, who was called to testify as a cybersecurity expert, said the breach was bound to happen given OPM’s failure to update its cybersecurity.
“I think it’s an outcome that could be expected,” said Richard Spires, now chief executive officer at Resiliant Network Systems. “If I had walked in there as a CIO and I saw the lack of protections for very sensitive data, the first thing we would have been working on is how do we protect that data? That’s where the focus needs to shift.”