Battered, bruised and sometimes bullied, Katherine Archuleta remains standing, or at least sitting in the director’s chair after a congressional hearing marathon into her agency’s massive cyber breakdown.
The cyber theft of personal information belonging to more than 4 million current and former federal employees left them worried and members of Congress outraged at an Office of Personnel Management (OPM) that has experienced a cascading series of embarrassing failures.
Those failings and her leadership were the target of four sometimes-contentious hearings, starting last week, that helped expose serious shortcomings in OPM’s ability to protect critical information and in its support of employees after their Social Security numbers and other personal data were pilfered.
The nightmare was disclosed two weeks ago when OPM revealed the hack. Shortly after that the agency announced that information related to the background investigations of those with security clearances also had been hit. Then on Tuesday, OPM’s inspector general released a damaging “flash audit alert” that said OPM’s “ project management approach” for its “major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure.”
Even OPM’s remedial efforts suffered serious problems. OPM informed employees it was offering credit monitoring service and identity theft insurance and provided contact information for CSID, which specializes in identity theft protection and fraud resolution. But that led to complaints from employees who had difficulty reaching CSID.
“Many affected employees and retirees are outraged by what they say is an abysmal experience with CSID… a website that crashes repeatedly, and call center contractors who can only provide canned responses to Frequently Asked Questions – if employees can even get through,” said a statement from the American Federation of Government Employees.
On Thursday, more than two dozen federal employee organizations in the Federal-Postal Coalition sent a letter to President Obama saying “federal leaders have shared woefully insufficient information with the federal workforce, retirees and the American people about the breaches.”
The coalition did not urge Archuleta’s resignation, but at least one of those groups, the National Association of Assistant United States Attorneys, called on her to “stand aside to permit new leadership to correct these failures.”
The chairmen of the House Oversight and Government Reform Committee and the Senate Homeland Security and Governmental Affairs Committee, the two panels that primarily deal with the federal workforce, are among a small group of elected officials who would like to see Archuleta replaced.
Following Thursday’s hearing by the Senate committee, Chairman Ron Johnson (R-Wis.) said removing Archuleta is the president’s call, but added: “I wouldn’t rely on her to clean up this mess. I don’t think she is qualified to do so.”
Johnson said he voted against her confirmation because “I didn’t think she was qualified for the post. There’s nothing I’ve seen in her performance in reaction to these very serious data breaches that gives me any further confidence.”
Archuleta so far has survived the inquisition, with backing from the White House. On Wednesday, Josh Earnest, President Obama’s press secretary, gave her support, saying “the administration and the President continues to believe that she’s the right person for the job.”
But if the number of individuals affected by the breach more than quadruples, as unconfirmed reports suggest is possible, that would further put her tenure at risk.
Archuleta’s inability to report the number of individuals hit in the breach has been a continuing and increasing source of exasperation for members of Congress. She dealt with that in her opening statement to Thursday’s Senate hearing, the last of the bunch.
“The number of individuals with data compromised from the personnel records incident is approximately 4.2 million, as we reported on June 4,” she said. “This number has not changed… and we are not at a point where we are able to provide a more definitive report on this issue.”
She said the reported 18 million figure “refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigations data. It is not a number that I feel comfortable, at this time, represents the total number of affected individuals.”
Archuleta also told senators about “new steps” she is taking, including the hiring of a cybersecurity adviser who will work with the agency’s chief information officer (CIO) to manage the current crisis, mitigate future incidents and ensure the security of OPM’s information technology. She again praised the leadership of Donna Seymour, OPM’s CIO, who also has been the target of resignation calls.
After Johnson expressed little confidence in OPM’s leadership during the hearing, Tony Scott, the administration’s chief information officer, came to her defense.
Under Archuleta’s leadership, Scott said, there has been a “dramatic difference” in OPM’s cyber efforts.
That difference could save her job, but it is not enough to change Johnson’s view that in the area of cyber affairs, OPM under Archuleta has a “record of failure.”