WASHINGTON — On Thursday, the Senate Homeland Security and Governmental Affairs Committee held a hearing to consider Beth F. Cobert to be director of the Office of Personnel Management. Below is Chairman Johnson’s opening statement as submitted for the record:
Good morning and welcome.
Today we are considering the nomination of Beth F. Cobert to be Director of the Office of Personnel Management (OPM).
Last year, the OPM gained worldwide attention when it was learned the agency suffered two major data breaches at the hands of a foreign government. These breaches, the most recent of five breaches at the OPM since 2012, resulted in the loss of highly sensitive information of 22.1 million Americans and the fingerprints of 5.6 million people. Meanwhile, hackers had also targeted data and user credentials at the OPM’s contractors, KeyPoint and USIS, and other federal agencies, such as the IRS.
The national security consequences of these breaches are unprecedented — risking Americans’ lives and our access to essential intelligence for generations to come. As we are well aware, this cyber hack is not something credit monitoring and 10 years of identity theft protection can cure.
Following the breaches at the OPM and the IRS, the committee held oversight hearings to determine how such immense cyberthefts could have occurred. One thing was made clear: The administration was not doing enough to protect Americans’ most sensitive information. For example, we know from the inspector general that the OPM was operating many of its information technology systems without the appropriate security protections. We also know that the OPM unintentionally stopped one of the cyberattacks when it deployed multifactor authentication at the agency.
It is impossible to say whether cybersecurity tools such as encryption and multifactor authentication would have stopped the cybertheft altogether, but they are essential security protections that should have been in place. The discovery that agencies did not have these protections and others prompted me to write legislation with Ranking Member Carper that requires federal agencies to improve their cybersecurity. That legislation, the Federal Cybersecurity Enhancement Act, is now law. Among other things, it requires agencies to encrypt sensitive data, use multifactor authentication for high-risk accounts, limit access to those who need it, and implement a federal intrusion detection and prevention system called EINSTEIN.
But Congress should not have to tell agency heads that they are responsible for protecting Americans’ most sensitive data. That responsibility should be obvious. Unfortunately, that has not been the case.
In part as a result of the breaches, last month the White House announced it would be shifting responsibility for securing background investigations data from the OPM to the Department of Defense, revealing a continuing lack of confidence in the OPM’s ability to keep civil servants’ data secure. I agree with that decision. Unfortunately this move comes too late to protect the 22.1 million Social Security numbers already lost, and it risks waste and unnecessary duplication. Despite the proposed move of background investigation data to Defense Department computer systems, the OPM appears to be moving forward with a $93 million information technology modernization project largely to protect background investigation data that it will no longer hold. Meanwhile, the DOD is requesting $95 million to improve its computer systems to protect the same data. The Inspector General has also voiced concerns about the OPM information technology modernization project because the OPM did not thoroughly plan the project before awarding contracts and beginning work.
Federal employees who dedicate their careers to public service should have confidence that the government will protect their most sensitive data. The government owes them — and all Americans — that much. Clearly existing protections are not sufficient and major changes are necessary, not just at the OPM but across the federal government.
I know that Ms. Cobert takes these concerns seriously, and I appreciate how cooperative she and her staff have been with the committee’s oversight efforts. Today’s hearing will provide members of the committee an opportunity to speak with Ms. Cobert about her plans to address these issues and others in more detail.
By working together we can and will make things better. I thank Ms. Cobert for her willingness to take on this important role. I hope that, when confirmed, she will continue to be responsive to the committee’s requests and engage collaboratively in this partnership.