“The federal employee should have confidence in our IT systems,” Cobert said, ignoring a Subway sandwich in her office conference room two days before the June 4 anniversary of the announcement. “We have made huge strides. We have a lot of great tools in place. … I am confident in the systems. My data was stolen in the breach just like many other people’s. I am a customer of the identity-theft protection services.”
During an interview and in a subsequent email, Cobert outlined a number of actions OPM has taken to strengthen cybersecurity, including:
- Deploying “two-factor strong authentication” for all network users
- Implementing a continuous monitoring program for all IT systems
- Creating and hiring a cybersecurity adviser position that reports to the OPM director
- Establishing an agency-wide centralized IT security workforce under a newly hired chief information security officer
- Modifying the OPM network to limit remote access exclusively to government-owned computers
- Deploying new cybersecurity tools, including software that prevents malicious programs and viruses on OPM networks
- Implementing a system that automatically stops sensitive information, such as Social Security numbers, from leaving the network unauthorized
- Enhancing cybersecurity awareness training with emphasis on phishing emails and other attacks.
These efforts have been noted in Congress, where members were harshly critical of OPM a year ago. Even Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, now has good things to say about the agency and its current leadership. He was fierce in his denunciations of Archuleta and Donna Seymour, the former agency chief information officer, whose resignation Chaffetz demanded along with Archuleta’s. Seymour resisted until she finally resigned in February, just before another Chaffetz hearing.
“The most important and significant change was personnel,” Chaffetz said. “Beth Cobert is a breath of fresh air and she gives me a great deal of confidence that they will ultimately solve this problem.”
But the problem isn’t solved yet.
A May report from the Office of Inspector General (IG) offered a sobering view of OPM’s information-technology improvement program. Here is some of what the report said:
- “OPM has still not performed many of the critical capital project planning practices required by the Office of Management and Budget”
- “We are even more concerned than ever about the lack of disciplined capital planning processes”
- “Because OPM’s lifecycle cost estimates are unsupported and probably significantly understated, there is a high risk that future budgets will continue to be inadequate to complete the Project”
Cobert said the agency agrees with the bulk of the IG’s recommendations for development of a more comprehensive information technology modernization plan. “We are very much aligned with the IG,” she said.
The whodunit question remains unanswered, at least publicly.
Based on his classified briefings, Chaffetz said the theft probably wasn’t related to a “business scam.” He would not elaborate.
Rep. Gerald Connolly (D-Va.) said, “We still don’t know what the Chinese hackers, presumably Chinese hackers, who succeeded in this breach intend to do with that data.”
While the work on the IT system continues, services to protect the identity and credit of employees have been in place for months. One of the two breaches hit some 4 million people, about a quarter of whom have signed up for identity-protection and credit-monitoring services. A much larger breach involved 21.5 million people, and more than 11 percent of them have enrolled for services. There is considerable overlap between the two groups, leaving the total affected at about 22 million.
OPM says the sign-up rate for services is much greater than the industry standard. Out of 22 million affected, only 6,800 problems such as identity or credit theft have been reported, according to OPM. There is no way to know, according to press secretary Sam Schumach, whether those cases are directly related to the OPM breaches.
The agency is “actively working” to extend the identity theft insurance to $5 million and identity and credit monitoring services from three to “the 10 years that was also approved by Congress,” Cobert told a House hearing last month.
Connolly said it will take “years of monitoring and I hope proactive protections, credit-wise, identity-wise and otherwise for unwitting victims of this breach.”
Cobert’s “first obligation,” he added, is “to protect those who are innocent victims of this breach.”
“I think she is seized with this mission in a way, maybe, previous management was slow to come to.”