Esser said an independent security assessment of the electronic background investigation system called e-QIP in September 2012 and discovered 18 different vulnerabilities to intruders.
“The assessment indicated there are vulnerabilities OPM has been aware of and has not addressed today,” he told lawmakers.
His testimony before two panels of the House Committee on Space, Science and Technology capped weeks of criticism Esser and his colleagues in the inspector general’s office have made to lawmakers that OPM was unprepared for a cyberattack and failed for years to take basic steps to strengthen its computer security.
The e-QIP system will be down for at least several weeks as OPM patches a “vulnerability” it says it discovered after the cyberattack, which potentially exposed the security clearance database and the personnel files of at least 4.2 million current and former federal employees.
In a blog post on the OPM site, Director Katherine Archuleta notified agencies of the temporary suspension of e-QIP on June 29 this way:
“The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network.”
But Esser told lawmakers the statement was skirting the truth.
“OPM’s official statement on this issue claims that the agency is acting proactively by shutting down the e-QIP system,” he said in written testimony for Wednesday’s hearing, which was not attended by Archuleta or the agency’s chief information officer.
“However, the current security review ordered for this system is a direct reaction to the recent security breaches,” he wrote. “In fact, the e-QIP system contains vulnerabilities that OPM knew about, but had failed to correct for years. “
The 18 security vulnerabilities the watchdog found in 2012 were scheduled to be remedied by September 2013, “but still remain open and unaddressed today,” Esser said.
OPM is expected to announce this week the number of employees whose sensitive background investigation information either was accessed by the hackers or taken directly, and what steps it plans to protect the employees.