Lack of numbers, lack of confidence

WASHINGTON  — The head of the federal government’s personnel management declined to tell the Senate Homeland Security and Governmental Affairs Committee the total number of people affected by repeated data breaches at her agency or who perpetrated the attacks. 

As many as 18 million Americans who are employees or former employees of the federal government have had their personal information stolen from the Office of Personnel Management by hackers, likely based in China, say federal officials, including the FBI and the Director of National Intelligence. But at a hearing Thursday, the agency’s director, Kathleen Archuleta, would not provide the committee with any figure above 4.2 million, the number her agency already has acknowledged, or admit where the attack came from. 

Sen. Ron Johnson (R-Wis.), chairman of the committee, expressed concern that Archuleta’s agency, which holds information on most federal employees and conducts security screenings for many, is not attentive enough to security issues. “Cybersecurity on federal agency networks has proven to be grossly inadequate,” he said in his opening remarks. “The OPM has been hacked five times in the past three years, and it still has not responded to effectively secure its network.” 

Johnson noted that Archuleta promised the committee before her confirmation that she would work closely with the agency’s official watchdog, the inspector general, to resolve serious problems with cybersecurity pointed out year after year in inspector general audits. But the chairman uncovered that she had not done so in the year since the first hack under her watch. 

“Has Director Archuleta ever met with you specifically to discuss the results of your (cybersecurity) audits?” Johnson asked Inspector General Patrick McFarland. 

“No, sir,” said McFarland. He testified that he meets with Archuleta monthly on other matters, “But we have not sat down, the director and I, regarding this.” 

Johnson, who earlier had read aloud from inspector general audits dating back to 2009 detailing cybersecurity weaknesses at the OPM, expressed frustration with Archuleta’s apparent lack of interest in hearing from McFarland. “I don’t expect perfection,” Johnson said later in the hearing, “but I’m looking for people to prioritize. I’m looking at people’s actions that they took. And the fact that the director did not meet with the inspector general to specifically discuss these IG reports, the fact that she has not yet met with FBI director (James) Comey on these very serious issues — it really gives me pretty great pause in terms of having confidence that the current management team in OPM really is up to the task.” 

He then asked McFarland “Do you really have confidence in the management team of OPM that they are going to be able to solve this problem when they have shown such a lack of attention and priority to this issue and — and let’s face it — a record of failure now?” 

“Based on what we’ve found: No,” replied McFarland.   

Also testifying was U.S. chief information officer, Tony Scott, and Department of Homeland Security’s assistant secretary in the office of cybersecurity and communications, Andy Ozment. 

The chairman’s opening statement can be found here

The full hearing video can be seen here