[Senate Hearing 114-449]
[From the U.S. Government Publishing Office]
S. Hrg. 114-449
UNDER ATTACK: FEDERAL CYBERSECURITY AND THE OPM DATA BREACH
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JUNE 25, 2015
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
20-565 PDF WASHINGTON : 2016
_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MICHAEL B. ENZI, Wyoming
KELLY AYOTTE, New Hampshire
JONI ERNST, Iowa
BEN SASSE, Nebraska
THOMAS R. CARPER, Delaware
CLAIRE McCASKILL, Missouri
JON TESTER, Montana
TAMMY BALDWIN, Wisconsin
HEIDI HEITKAMP, North Dakota
CORY A. BOOKER, New Jersey
GARY C. PETERS, Michigan
Keith B. Ashdown, Staff Director
William H.W. McKenna, Chief Counsel for Homeland Security
David S. Luckey, Director of Homeland Security
Gabrielle A. Batkin, Minority Staff Director
John P. Kilvington, Minority Deputy Staff Director
Matthew R. Grote, Minority Senior Professional Staff Member
Laura W. Kilbride, Chief Clerk
Lauren M. Corcoran, Hearing Clerk
CONTENTS
------
Opening statements:
Page
Senator Johnson.............................................. 1
Senator Carper............................................... 2
Senator Tester............................................... 15
Senator McCain............................................... 18
Senator Booker............................................... 20
Senator Ernst................................................ 23
Senator Lankford............................................. 27
Senator Sasse................................................ 30
Senator Portman.............................................. 33
Senator Ayotte............................................... 38
Prepared statements:
Senator Johnson.............................................. 49
Senator Carper............................................... 51
WITNESSES
Thursday, June 25, 2015
Hon. Katherine Archuleta, Director, Office of Personnel
Management..................................................... 5
Tony Scott, U.S. Chief Information Officer, Office of Management
and Budget..................................................... 7
Andy Ozment, Ph.D., Assistant Secretary, Office of Cybersecurity
and Communications, National Protection and Programs
Directorate, U.S. Department of Homeland Security.............. 8
Hon. Patrick E. McFarland, Inspector General, Office of Personnel
Management; accompanied by Lewis F. Parker, Deputy Assistant
Inspector General for Audits................................... 11
Alphabetical List of Witnesses
Archuleta, Hon. Katherine:
Testimony.................................................... 5
Prepared statement with attachment........................... 53
McFarland, Hon. Patrick E.:
Testimony.................................................... 11
Prepared statement........................................... 79
Ozment, Andy, Ph.D.:
Testimony.................................................... 8
Prepared statement........................................... 71
Scott, Tony:
Testimony.................................................... 7
Prepared statement........................................... 68
APPENDIX
Chart referenced by Senator Carper............................... 90
Statement submitted for the Record from National Treasury
Employees Union................................................ 91
Responses to post-hearing questions for the Record:
Ms. Archuleta................................................ 95
Mr. Scott.................................................... 107
Mr. Ozment................................................... 108
UNDER ATTACK: FEDERAL CYBERSECURITY AND THE OPM DATA BREACH
----------
THURSDAY, JUNE 25, 2015
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 9:31 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson,
Chairman of the Committee, presiding.
Present: Senators Johnson, McCain, Portman, Lankford,
Ayotte, Ernst, Sasse, Carper, McCaskill, Tester, Heitkamp,
Booker, and Peters.
OPENING STATEMENT OF CHAIRMAN JOHNSON
Chairman Johnson. This hearing will come to order.
Good morning, everyone. I have been told the Director is
running a little late, so we will get started without her.
Again, I would like to welcome all of our witnesses. I
appreciate the time you have put into preparing your testimony.
It is very informative. This is a very serious issue because
earlier this month the Office of Personnel Management (OPM),
announced that over the last year, hackers stole 4.1 million
Federal employees' personal records. Then just days later, we
learned the attack was actually far broader, involving some of
the most sensitive data the Federal Government holds on its
employees and likely many more records. It is hard to overstate
the seriousness of this breach. It has put people's lives and
our Nation at risk.
This massive theft of data may be the largest breach the
Federal Government has seen to date. But it is not the first
data breach affecting Federal agencies or even OPM.
Unfortunately, I doubt it will be the last. Our Nation is
dependent on cyber infrastructure, and that makes our future
vulnerable. But cyber threats against us are going to continue
to grow in size and sophistication.
The purpose of this hearing is to lay out the reality of
that cyber threat and vulnerability. The first step in solving
any problem is recognizing and admitting you have one. We must
acknowledge we have a significant cybersecurity problem in the
Federal Government, especially at OPM. This intrusion on OPM
networks is only the latest of many against the agency, and OPM
has become a case study in the consequences of inadequate
action and neglect.
Cybersecurity on Federal agency networks has proven to be
grossly inadequate. Foreign actors, cyber criminals, and
hacktivists are accessing our networks with ease and impunity.
While our defenses are antiquated, by comparison our
adversaries are proving to be highly sophisticated. Meanwhile,
agencies are concentrating their resources trying to dictate
cybersecurity requirements for private companies, which in many
cases are implementing cybersecurity better and cheaper.
OPM has been hacked five times in the last 3 years and has
still not responded to effectively secure its network. Today's
hearing will focus on the two most recent breaches.
We will hear from the OPM Inspector General (IG), Mr.
Patrick McFarland, that OPM has continued to neglect
information security which may have contributed to these
breaches.
We will hear from Dr. Andy Ozment about the specifics of
this attack as well as the Department of Homeland Security's
(DHS) role in Federal cybersecurity.
Mr. Tony Scott will testify about efforts on cybersecurity
across the government and the information security requirements
of Federal agencies.
Finally, we will give OPM Director Katherine Archuleta an
opportunity to explain how this happened on her watch, to let
us know who she believes is responsible, and to clarify what we
can expect from OPM going forward.
There is a bullseye on the back of USA.gov, and it does not
appear this administration is devoting enough attention to this
reality. We need leadership to develop and implement an
effective plan to stop future cyber attacks. Without effective
cybersecurity, our Nation will not be safe or secure.
Cybersecurity must be a top priority.
So, again, I want to thank the witnesses and welcome
everybody here to the hearing room. I am looking forward to the
testimony, and with that I will turn it over to our Ranking
Member, Senator Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thanks, Mr. Chairman. Thanks for holding
this hearing, and welcome to all of our witnesses. We
appreciate your being here and appreciate your service to our
country.
A few weeks ago, we learned of a massive data breach at the
Office of Personnel Management. Personal and financial
information for more than 4 million current and former Federal
employees may have been compromised. And if that is not bad
enough, reports now indicate that background investigation
information, some of the most sensitive personal information
the Federal Government holds, may have also been compromised,
potentially touching millions of additional lives.
This attack is deeply troubling and could have far-reaching
consequences for a great number of people. It could have a
profound impact on our national security as well.
Understandably, the public and my colleagues are upset, and
they are frustrated. They want answers, and so do I, and so does
this Committee. Before we leave here today, I want us to learn
the answers to at least four questions:
First, what went wrong?
Second, what are we doing about it?
Third, what more needs to be done?
And, fourth, how can we help, the legislative branch, the
House and the Senate?
Ultimately, sustained corrective action will be needed
before we restore the public's confidence in our government's
ability to keep their personal information safe and secure. I
was encouraged to hear that the Office of Management and Budget
(OMB) recently launched a 30-day cybersecurity sprint to
further protect Federal systems from cyber attacks. That is a
good start, but I think we all agree it is not enough.
As we can see from OMB's most recent annual report card on
Federal network security--I think we have a table.\1\ There
should be a table on everybody's desk. I would just bring it to
your attention.
---------------------------------------------------------------------------
\1\ The chart referenced by Senator Carper appears in the Appendix
on page 90.
---------------------------------------------------------------------------
Senator Carper. As we can see from this table, there is a
lot of room for improvement. It should be the goal of every
agency, large and small, to be at the top of this table, not at
the bottom.
Having said that, making it to the top of the chart does
not guarantee immunity from successful cyber attacks. Too many
of the bad guys are good at what they do, and they are getting
better all the time. We have to bring our ``A'' game to the
fight every single day. As we say in the Navy, this is an all-
hands-on-deck moment.
For those agencies that continue to lag behind, there needs
to be enlightened leadership, accountability, and a commitment
to continuing improvements. One valuable cybersecurity tool
that is available to all Federal agencies is the DHS program
known as ``EINSTEIN.'' I may hasten to add it is not a panacea.
It is a system that can record, detect, and block cyber
threats. And all of us on this Committee have recently heard
about the importance of EINSTEIN after the OPM breach. The
system used cyber threat information from the OPM data breach
to uncover a similar intrusion which we may have never known
about at the Department of Interior. That is an important
discovery.
But finding out about a data breach after they occur is not
good enough. We want to be able to stop these attacks before
they can do any damage.
It is my understanding that the newest version of
EINSTEIN--we call it ``EINSTEIN 3A.'' I think the ``A'' is for
``accelerated,'' isn't it?--can do just that. Unfortunately,
today less than half of all Federal civilian agencies fall
under the protection of EINSTEIN's most advanced capabilities.
Let me add again, I recognize that this system is not
perfect. No one is saying that it is. No system is. But as my
colleagues and our staff have heard me say many times before,
if it is not perfect, let us make it better. And from
everything I have heard, EINSTEIN 3A is another important and
badly needed step toward that goal.
That is exactly why Senator Johnson and I, along with our
staff members, are working on legislation now to authorize and
improve EINSTEIN with the help of some of our witnesses. This
legislation will speed up its adoption across the government,
require use of leading technologies, and improve accountability
and oversight. I look forward to working with my colleagues on
this legislation so that we can ensure every agency is equipped
with the ever improving capabilities needed to fend off cyber
attacks in the future.
In closing, I think it is important to recognize the breach
at OPM follows a long list of major cyber attacks against the
government and, as we know, our private sector. And there are
likely more to come. To tackle a challenge this big, we do need
an all-hands-on-deck approach. What does this mean? Simply, it
means we need all the people, resources, and authorities that
we can reasonably muster to be ready to respond.
We can begin by continuing to fill the top spots in our
government agencies, something on which this agency has done,
personally, I think, a superb job. I am proud of the work that
we have done to provide the top excellent talent to help lead
the Department of Homeland Security. OPM, however, has been
without a Senate-confirmed Deputy Director for nearly 4 years.
I will say that again. The Office of Personnel Management
has been without a Senate-confirmed Deputy Director for nearly
4 years. It is not that the administration has not been
submitting the names of qualified and talented candidates for
these posts most of the time. For example, this Committee has
favorably reported out the name of Navy Admiral Earl Gay, the
President's nominee for this position at OPM, twice--once last
year and again this year. We have done our job here on this
Committee to vet him, to report him out. It is time to get him
confirmed so that the Director and the agency have the help
they need to right the ship.
Finally, we could also build on the cybersecurity
legislation we passed last year and pass new legislation like
EINSTEIN, like information sharing, like data breach. We have a
job to do, and we need to do that ourselves. It would also
fully fund agency security efforts.
These are all important steps we can take, but they will be
incredibly difficult to accomplish if we do not work together.
Thanks, Mr. Chairman. Again, thank you all for being here.
Let us have a good hearing.
Chairman Johnson. Thank you, Senator Carper.
It is the tradition of this Committee to swear in
witnesses, so if you will all stand and raise your right hand.
We will wait for the Director.
Good morning, Director. Raise your right hand. Do you swear
that the testimony you will give before this Committee will be
the truth, the whole truth, and nothing but the truth, so help
you, God?
Ms. Archuleta. I do.
Mr. Scott. I do.
Mr. Ozment. I do.
Mr. McFarland. I do.
Chairman Johnson. Thank you. Please be seated.
Good morning, Director.
Ms. Archuleta. Good morning, and I apologize.
Chairman Johnson. I know traffic can be tough in
Washington, DC, so I appreciate you being able to make it here.
If you are ready, we can start with you. Our first witness
is OPM Director Katherine Archuleta. Ms. Archuleta is the
Director of the Office of Personnel Management, a position she
has held since November 2013. Prior to serving as Director of
OPM, Ms. Archuleta was a senior policy adviser to then-
Secretary of Energy Federico Pena. Director Archuleta.
TESTIMONY OF THE HONORABLE KATHERINE ARCHULETA,\1\ DIRECTOR,
OFFICE OF PERSONNEL MANAGEMENT
Ms. Archuleta. Chairman Johnson, Ranking Member Carper, and
Members of the Committee, thank you for the opportunity to
testify before you today. I understand and I share the concerns
and frustrations of Federal employees and those affected by the
intrusion into OPM's information technology (IT) systems.
Although OPM has taken significant steps to meet our
responsibility to secure the personal data of those we serve,
it is clear that OPM needs to dramatically accelerate those
efforts. I am committed to a full and complete investigation
of these incidents, and we continue to move urgently to take
action to mitigate the longstanding vulnerabilities of the
agency's systems.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Archuleta appears in the Appendix
on page 53.
---------------------------------------------------------------------------
In March 2014, we released our Strategic IT Plan to
modernize and to secure OPM's aging legacy system. We began
implementing the plan immediately, and in fiscal years (FY)
2014 and 2015, we directed nearly $70 million toward the
implementation of new security controls to better protect our
systems. OPM is also in the process of developing a new network
infrastructure environment to improve the security of OPM
infrastructure and IT systems. Once completed, OPM IT systems
will be migrated into this new environment from the current
legacy networks.
Many of the improvements have been to address critical
needs, such as the security vulnerabilities in our network.
These upgrades include the installation of additional
firewalls; restriction of remote access without two-factor
authentication; continuous monitoring of all connections to
ensure that only legitimate connections have access; and
deploying anti-malware software across the environment to
protect and prevent the deployment or execution of cyber crime
tools that could compromise our networks. These improvements
led us to the discovery of the malicious activity that has
occurred, and we were able to immediately share the information
so that other agencies could protect their networks.
I want to share with the Committee some new steps that I am
taking in addition to the steps we have already taken.
First, I will hire a new cybersecurity adviser that will
report directly to me. This cybersecurity adviser will work
with OPM's Chief Information Officer (CIO) to manage ongoing
response to the recent incidents and complete development of
OPM's plan to mitigate further incidents and assess whether
long-term changes to OPM's IT architecture are needed.
Second, to ensure that the agency is leveraging private
sector best practices and expertise, I am reaching out to the
chief information security officers (CISO) at leading private
sector companies that are experiencing their own significant
cybersecurity challenges, and I will host a meeting with these
experts in the coming weeks to help identify further steps.
I believe that all Members of this Committee have received
a copy of my action plan, and in deference to time limits, I am
happy to discuss it further during the questioning.
I would like to address now the confusion regarding the
number of people affected by two recent related cyber incidents
at OPM.
First, it is my responsibility to provide as accurate
information as I can to Congress, the public, and, most
importantly, the affected individuals.
Second, because this information and its potential misuse
concerns their lives, it is essential to identify the affected
individuals as quickly as possible.
Third, we face challenges in analyzing the data due to the
form of the records and the way they are stored. As such, I
have deployed a dedicated team to undertake this time-consuming
analysis and instructed them to make sure their work is
accurate and completed as quickly as possible.
As much as I want to have all the answers today, I do not
want to be in the position of providing you or the affected
individuals with potentially inaccurate data. With these
considerations in mind, I want to clarify some of the reports
that have appeared in the press.
Some press accounts have suggested that the number of
affected individuals has expanded from 4 million individuals to
18 million individuals. Other press accounts have asserted that
4 million individuals have been affected in the personnel file
incident and 18 million individuals have been affected in the
background investigation incident. Therefore, I am providing
the status as we know it today and reaffirming my commitment to
providing more information as soon as we know it.
First, the two kinds of data that I am addressing--
personnel records and background investigations--affected
different systems in two separate but related incidents.
Second, the number of individuals with data compromised
from the personnel records incident is approximately 4.2
million, as we reported on June 4, and this number has not
changed, and we have notified these individuals.
Third, as I have noted, we continue to analyze the
background investigation as rapidly as possible to best
understand what was compromised, and we are not at a point
where we are able to provide a more definitive report on this
issue.
That said, I want to address the figure of 18 million
individuals that has been cited in the press. It is my
understanding that the 18 million refers to a preliminary,
unverified, and approximate number of unique Social Security
numbers in the background investigations data. It is not a
number that I feel comfortable at this time represents the
total number of affected individuals. The Social Security
number portion of the analysis is still under active review,
and we do not have a more definitive number. Also, there may be
an overlap between the individuals affected in the background
investigation and the personnel file incident.
Additionally, we are working deliberately to determine if
individuals who have not had their Social Security numbers
compromised but may have other information exposed should be
considered individuals affected by this incident. For these
reasons, I cannot yet provide a more definitive response on the
number of individuals affected by the background investigations
intrusion, and it may well increase from these initial reports.
My team is conducting further analysis with all speed and care,
and, again, I look forward to providing an accurate and
complete response.
Thank you for the opportunity, and I am happy to address
any questions you may have.
Chairman Johnson. Thank you, Madam Director.
Our next witness is Mr. Tony Scott. Mr. Scott is the Chief
Information Officer for the United States. He was appointed by
the President in February of this year. His previous roles
include heading VMware's global information technology group
and 5 years as chief information officer at Microsoft. Mr.
Scott.
TESTIMONY OF TONY SCOTT,\1\ U.S. CHIEF INFORMATION OFFICER,
OFFICE OF MANAGEMENT AND BUDGET
Mr. Scott. Thank you, Chairman Johnson, Ranking Member
Carper, and Members of the Committee. Thank you for the
opportunity to appear before you today. I appreciate the chance
to speak with you about recent cyber incidents affecting
Federal agencies.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Scott appears in the Appendix on
page 68.
---------------------------------------------------------------------------
As Federal CIO, I lead the Office of Management and
Budget's Office of E-Government & Information Technology, and
my office is responsible for developing and overseeing the
implementation of Federal information technology policy. But
today I want to focus on my team's role in facing our Nation's
current reality: confronting ever-evolving cybersecurity
threats.
Under the Federal Information Security Modernization Act
(FISMA) of 2014, OMB is responsible for Federal information
security oversight and policy issuance. OMB executes its
responsibilities in close coordination with its Federal
cybersecurity partners, including the Department of Homeland
Security and the Department of Commerce's National Institute of
Standards and Technology (NIST).
Last year, OMB announced the creation of a dedicated
cybersecurity unit within my office: the E-Gov Cyber Unit. The
creation of the E-Gov Cyber Unit reflects OMB's focus on
conducting robust, data-driven oversight of agencies'
cybersecurity programs, and the monitoring and improving of
governmentwide responses to major cybersecurity incidents as
well as issuing Federal guidance consistent with current and
emerging technologies and risks.
This is also the team behind the annual FISMA report which
highlights both successes and challenges facing Federal
agencies' cyber programs. In fiscal year 2015, the E-Gov Cyber
Unit is conducting oversight through CyberStat reviews and will
prioritize agencies with high risk factors as determined by
cybersecurity performance and incident data. Additionally, the
unit is driving FISMA implementation by providing agencies with
the guidance they need in this dynamic environment. One of the
top fiscal year 2015 policy priorities of the team is updating
something known as Circular A-130, which is the central
governmentwide policy document that establishes agency
guidelines on how to manage information resources, including
best practices for how to secure those resources.
As I testified before the House last week, OMB's guidance
to agencies for implementing the recently passed Federal
Information Technology Acquisition Reform Act (FITARA), was
issued, and it strengthens the role of the CIO in agency
cybersecurity, and that is an important piece.
To further improve Federal cybersecurity infrastructure and
protect systems against these evolving threats, OMB launched a
30-day cybersecurity sprint 2 weeks ago. The sprint team is
comprised of staff from OMB, National Security Council (NSC),
DHS, and other agencies. We have over 100 people involved in
this effort, and at the end of the review, we will create and
operationalize a set of action plans to further address
critical cybersecurity priorities and recommend a Federal
Civilian Cybersecurity Strategy.
In addition, the 30-day sprint directs agencies to
immediately deploy priority threat-actor indicators that
have been provided by DHS to scan systems and check logs, patch
critical vulnerabilities without delay, tighten policies and
practices for privileged users, and accelerate the
implementation of multi-factor authentication, especially for
privileged users.
As I mentioned earlier, confronting cybersecurity threats
is a reality I faced during my time in the private sector and
continue facing in my new role as Federal Chief Information
Officer. Because of this, ensuring the security of information
within the Federal Government's networks and systems will
remain a core focus of mine and of the administration. We are
moving aggressively to implement innovative protections and
respond quickly to new challenges as they arise. In addition to
our efforts, we also look forward to working with Congress on
actions that may further protect our Nation's critical networks
and systems.
I thank the Committee for holding this hearing and for your
commitment to improving Federal cybersecurity, and I would be
pleased to answer any questions you may have.
Chairman Johnson. Thank you, Mr. Scott.
Our next witness is Dr. Andy Ozment. Dr. Ozment is the
Assistant Secretary for Cybersecurity and Communications at the
Department of Homeland Security where he leads several of the
Department's key cyber programs. Prior to his service at DHS,
Dr. Ozment was the President's Senior Director for
Cybersecurity. Dr. Ozment.
TESTIMONY OF ANDY OZMENT, PH.D.,\1\ ASSISTANT SECRETARY, OFFICE
OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Ozment. Chairman Johnson, Ranking Member Carper,
Members of the Committee, I appreciate the opportunity to
appear before you today. Like you, my fellow panelists, and
countless Americans, I am deeply concerned about the recent
compromise at OPM, and I am dedicated to ensuring that we take
all necessary steps to protect our Federal workforce and to
drive forward the cybersecurity of the Federal Government.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Ozment appears in the Appendix on
page 71.
---------------------------------------------------------------------------
As a result, I want to focus these remarks on how DHS is
accelerating our efforts to protect Federal agencies and to
help Federal agencies better protect themselves.
To begin with, it is important to note that we are now
making up for 20 years of underinvestment in cybersecurity
across the public and the private sectors. At the same time, we
are facing a major challenge in protecting our most sensitive
information against sophisticated, well-resourced, and
persistent adversaries. This is a complex problem without a
simple solution. If an easy answer were at hand, this would not
be a national challenge.
To effectively address this challenge, our Federal agencies
need to employ defense in-depth. Consider protecting a
government facility against a physical threat. Adequate
security is not only a fence, a camera, or building locks, but
a combination of these measures that, in aggregate, make it
difficult for an adversary to gain physical access.
Cybersecurity also requires this defense in-depth, these
multiple layers of security. No one measure is sufficient.
Under legislation passed by Congress last year, Federal
agencies are responsible for their cybersecurity. To assist
them, DHS provides a common baseline of security across the
civilian government and helps agencies manage their own cyber
risk through four key efforts.
First, we protect agencies by providing a common set of
capabilities through the EINSTEIN and Continuous Diagnostics
and Mitigation program (CDM).
Second, we measure and motivate agencies to implement best
practices.
Third, we serve as a hub for information sharing.
And, fourth, we provide incident response assistance when
agencies suffer an intrusion.
In my statement this morning, I will focus on the first
area, how DHS provides a baseline of security through EINSTEIN
and CDM. I have described the other three areas in my written
Statement, and I am happy to take your questions on them.
Our first line of defense against cyber threats is the
EINSTEIN system, which protects agencies at their perimeter.
Returning to the analogy of a physical government facility that
I mentioned earlier, EINSTEIN 1 is similar to a camera at the
road onto a facility that records all traffic and identifies
anomalies in the number of cars entering and leaving.
EINSTEIN 2 adds the ability to detect suspicious cars based
upon a watchlist. EINSTEIN 2 does not stop the cars, but it
does set off an alarm. Agencies report that EINSTEIN 1 and 2
are screening over 90 percent of all Federal civilian traffic,
and they played a key role in identifying the recent compromise
of OPM data hosted at the Department of Interior.
The latest phase of the program, as Senator Carper
mentioned, is known as EINSTEIN 3A, and it is akin to a guard
post at the highway that leads to multiple government
facilities. It uses classified information to look at the cars
and compare them to a watch list, and then it actively blocks
prohibited cars from entering the facility. We are accelerating
our efforts to protect all civilian agencies with EINSTEIN 3A.
The system now protects 15 Federal civilian agencies with over
930,000 Federal personnel, or approximately 45 percent of the
Federal civilian government, with at least one security
countermeasure.
We have added EINSTEIN 3A protections to over 20 percent of
the Federal civilian government in the past 9 months alone.
During that time, and since its inception, EINSTEIN 3A has
blocked nearly 550,000 attempts to access potentially malicious
websites, which is often associated with potential theft of
agency data.
Now, EINSTEIN 3A is currently a signature-based system. It
can only block attacks or intrusions that it already knows
about. That is necessary but not sufficient. We are also
working on adding other technologies to the EINSTEIN 3A
platform that can block never-before-seen intrusions, because
EINSTEIN 3A is not just a set of existing capabilities, it is a
platform upon which we can add other capabilities.
As we accelerate EINSTEIN deployment, we also recognize
that security cannot be achieved through only one type of tool.
That is why we need defense in-depth. EINSTEIN is not a silver
bullet and will never be able to block every threat. For
example, it must be complemented with tools that monitor the
inside of agency networks. Our CDM program helps address this
challenge.
Returning again to our analogy of a government facility,
CDM Phase 1 allows agencies to continuously check the building
locks inside the facility to ensure they are operating as they
are intended to. Continuing the analogy, the next two phases
will monitor personnel on the facility to make sure they are
not engaging in unauthorized actions and will actively assess
activity across the facility to detect unusual patterns of
behavior.
We have purchased CDM Phase 1 capabilities for eight
agencies covering over 50 percent of the Federal civilian
government, and we expect to purchase these capabilities for 97
percent of the civilian government by the end of this fiscal
year.
Now, the deadlines I have just told you for both CDM and
EINSTEIN are when DHS provides a given capability. It takes
additional time, months, for agencies to each then implement
the capability for both EINSTEIN and CDM. And, of course,
agencies must supplement EINSTEIN and CDM with their own tools
appropriate to the needs of that existing agency.
I would like to conclude by noting that Federal agencies
are a rich target, and they will continue to experience
frequent attempted intrusions. As our detection methods
continue to improve, we will, in fact, detect more incidents
that are already occurring that we do not know about.
The recent breach at OPM is emblematic of this trend, as
OPM was able to detect the intrusions by implementing best
practices. We are accelerating the deployment of the tools we
have, and we are bringing cutting-edge capabilities online, and
we are asking our partner agencies and Congress to take action
and work with us to strengthen the cybersecurity of the Federal
Government.
Thank you again for the opportunity to appear before you
today, and I look forward to any questions.
Chairman Johnson. Thank you, Dr. Ozment.
Our next and last witness is Mr. Patrick McFarland. Mr.
McFarland is the Inspector General (IG) for the Office of
Personnel Management, a position he has held since 1990, making
him the longest-serving Inspector General in the Federal
Government. He has 30 years of service in law enforcement,
including 22 years at the Secret Service.
First of all, sir, thank you for your service, and we look
forward to your testimony. Mr. McFarland.
TESTIMONY OF THE HONORABLE PATRICK E. MCFARLAND,\1\ INSPECTOR
GENERAL, OFFICE OF PERSONNEL MANAGEMENT; ACCOMPANIED BY LEWIS
F. PARKER, DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS
Mr. McFarland. Thank you. Chairman Johnson, Ranking Member
Carper, and Members of the Committee, my name is Patrick
McFarland. I am the Inspector General of the Office of
Personnel Management. Thank you for inviting me to testify
today at the hearing regarding the IT security audit work
performed by our office.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. McFarland appears in the Appendix
on page 79.
---------------------------------------------------------------------------
I am accompanied by Lewis Parker, my Deputy Assistant
Inspector General for Audits, who, with your permission, may
assist in answering any technical questions you may have.
OPM has a long history of systemic failures to properly
manage its IT infrastructure which may have ultimately led to
the breaches we are discussing today.
First I would like to discuss some of the findings from our
annual audits under the Federal Information Security Management
Act. We have identified three general areas of concern, which
are discussed in detail in my written testimony. They are:
One, information security governance. This is the
management structure and process that form the foundation of a
successful security program. It is vital to have a centralized
governance structure. OPM has made improvements in this area,
but we still have some concerns.
Two, security assessments and authorizations. This is a
comprehensive assessment of each IT system to ensure that it
meets the applicable security standards before allowing the
system to operate. Our 2014 FISMA audit found that 11 of OPM's
47 systems were operating without a valid authorization.
Three, technical security controls. OPM has implemented a
variety of controls to make the agency IT system more secure.
However, these tools must be used properly and must cover the
entire IT environment. We are concerned that they do not.
The second issue I would like to briefly discuss is the
Flash Audit Alert that I issued last week. In 2014, OPM began a
massive project to overhaul the agency's IT environment by
building an entirely new infrastructure called ``the Shell''
and migrating all of its systems to that Shell from the
existing infrastructure. We have two serious concerns with how
the project is being implemented.
First, OPM is not following proper IT project management
procedures and, therefore, does not know the true scope and
cost of this project. The agency never prepared a project
charter or conducted a feasibility study or even identified all
of the applications that will have to be moved from the
existing IT infrastructure to the new Shell environment.
Further, the agency did not prepare the mandatory major IT
business case, formerly known as the ``Exhibit 300.'' This
document is an important step in the planning of any large-
scale IT project as it forces the agency to conduct a detailed
cost-benefit analysis as well as a risk evaluation, among other
things. OPM apparently believes this is simply an
administrative exercise. We disagree. Because OPM has not
conducted these very basic planning steps, it does not know the
true cost of the project and cannot provide an accurate
timeframe for completion. OPM has estimated that this project
will cost $93 million; however, that amount includes only
strengthening the agency's current IT security posture and the
creation of a new Shell environment. It does not include the
cost of migrating all of OPM's 50 major IT systems and numerous
sub-systems to the Shell. This migration will be the most
costly and complex phase of this project.
Even if the $93 million figure was an accurate estimate,
the agency does not have a dedicated funding stream for the
project. Therefore, it is entirely possible that OPM could run
out of funds before completion, leaving the agency's IT
environment more vulnerable than it is now.
The second major point discussed in the alert relates to
the use of a sole-source contract. OPM has contracted with a
single vendor to complete all of the multiple phases of this
project. Unless there is a specific exception, Federal
contracts are supposed to be subject to full and open
competition. However, there is an exception for compelling and
urgent situations.
The first phase of this project, which involves securing
OPM's IT environment, was indeed such a compelling and urgent
situation. That phase addressed a crisis, namely, the breaches
that occurred last year. However, later phases, such as
migrating the applications to the new Shell environment, are
not urgent. Instead, they involve work that is essentially a
long-term capital investment. OPM has indicated that the
contract for the migration phase has not been awarded. We have
not been provided documentation that OPM is soliciting bids
from other contractors for this work, even though this work is
supposedly underway. This supports our concern that the current
vendor's contract covers all phases of this project.
It may sound counterintuitive, but OPM must slow down and
not continue to barrel forward with this project. The agency
must take the time to get it right the first time to determine
the scope of the project, calculate the costs, and make a clear
plan about how to implement this massive overhaul. OPM cannot
afford to have this project fail.
I fully support OPM's efforts to modernize its IT
environment and the Director's long-term goals. However, if it
is not done correctly, the agency will be in a worse situation
than it is today, and millions of taxpayer dollars will have
been wasted.
Thank you.
Chairman Johnson. Thank you, Mr. McFarland. I would like to
start my questioning with you.
Looking back at your audits, under the Federal Information
Security Management Act, if we just start with fiscal year
2009, you do not have to go much further than the first or
second page of the executive summary to understand that
security of the IT systems has been a problem.
In your November 5, 2009, report, you report ``lack of
adequate information security governance activities in
accordance with legislative and regulatory requirements.''
In your November 10, 2010, report, you say, ``We also
expanded the material weaknesses related to IT security
policies to include concerns with the agency's overall
information security governance and its information security
management structure.''
In your November 2011 report, you say, ``We continue to
believe that information security governance represents a
material weakness in OPM's IT security program.''
November 5, 2012--and this is actually pretty troubling
because in the audit, the Office of Chief Information Officer
(OCIO) response to your draft audit report indicated that they
disagreed with the classification of the material weakness
because of the progress that OPM had made with its IT security
program and because there was no loss of sensitive data during
the fiscal year. However, the OCIO's statement is inaccurate as
there were, in fact, numerous information security incidents in
fiscal year 2012 that led to the loss or unauthorized release
of mission-critical or sensitive data. In other words, in the
2012 report, the Office of Chief Information Officer was in a
state of denial.
November 21, 2013, second page of the report, it says,
``OPM's decentralized governance structure continues to result
in many instances of noncompliance with FISMA requirements;
therefore, we are again reporting this issue as a material
weakness for Fiscal Year 2013.''
In 2014, probably the best thing you can say in terms of
improvements is the material weaknesses related to information
security governance has been upgraded to a significant
deficiency due to the planned reorganization of OCIO. And,
again, I am highly concerned about this flash audit. On the
Infrastructure Improvement Project, your conclusion: ``As a
result, there is a high risk that this project will fail to
meet the objectives of providing a secure operating environment
for OPM's systems and applications.'' You go on to say: ``In
our opinion, the project management approach to this major
infrastructure overhaul is entirely inadequate and introduces a
very high risk of project failure.''
It is pretty clear that the security of the IT system has
been a problem, a material problem for quite some time. Now,
when Director Archuleta came before this Committee in this
Senate for confirmation, in her written answers to our
questions, she said, ``If confirmed as Director of OPM,
improved management of OPM's IT, including proper security and
data management, will be one of my top priorities. I will work
with OPM's CIO and IG to ensure that adequate measures are in
place to protect this vital information.''
Mr. McFarland, has Director Archuleta ever met with you
specifically to discuss the results of your FISMA audits?
Mr. McFarland. No, sir.
Chairman Johnson. Do you meet with her regularly?
Mr. McFarland. I meet with her at least once a month.
Chairman Johnson. To what extent have you ever discussed
the material problems with the security of the IT systems of
OPM?
Mr. McFarland. The memorandum in front of me is dated June
17 from us to the Director, and it spells out the Flash Audit
Alert with a lot of information in it, and that was presented
to her office. One week prior to that, we made sure that the
chief of staff had a copy to help the flow of information for
us. But we have not sat down, the Director and I, regarding
this. We have not heard back other than last Tuesday when we
received the response to our Flash Audit Alert.
Chairman Johnson. So do you believe that her statement that
she would work with OPM's CIO and IG to ensure that adequate
measures are in place to protect this vital information, do you
believe she has fulfilled that commitment?
Mr. McFarland. Well, I do not believe she has fulfilled
that commitment specifically with me, but I would assume--and
it may be right, may be wrong--that her explanation entails the
CIO's involvement with our office.
Chairman Johnson. Well, here is the problem. We have had
three material breaches under her watch. In March 2014, the
Chinese breached OPM looking for background investigations,
and, of course, the subject of this hearing is the two most
recent breaches.
Director Archuleta, do you believe you have fulfilled that
commitment that you made to this Committee and this Senate that
you will work with OPM's IG to ensure that adequate measures
are in place to protect this vital information?
Ms. Archuleta. I believe I am fulfilling that commitment,
sir. With regard to the strategic plan that I promised in the
confirmation, is that we have moved toward that, and your
concerns about governance are exactly right. There was not a
governance structure, and it was--one of the first things I did
was to hire a capable and qualified CIO.
Chairman Johnson. My time is running out. Why have you not
met with the Inspector General who is tasked with these audits
and has given you a lot of--has basically laid out the problem
for you. Why have you not met and discussed this problem with
the Inspector General?
Ms. Archuleta. Thank you. We do meet on a monthly basis,
and----
Chairman Johnson. But not to talk about this IT security
situation.
Ms. Archuleta. The agenda----
Chairman Johnson. Which was going to be a top priority of
your term.
Ms. Archuleta. Yes. The agenda is set by the IG, and he has
been very helpful in identifying issues throughout the agency.
With regard to the Flash Audit, my staff and his staff are
meeting on Tuesday. We have not had a meeting since his release
of the Flash Audit, but he and I will follow up first with
staff, and then we have a meeting together. We have not, as Mr.
McFarland indicated, had the opportunity to meet yet, but I am
sure it was his intention and always my intention that we would
sit down and discuss this, as we have with all other issues.
Chairman Johnson. Have you spoken to the President about
this breach?
Ms. Archuleta. Yes, I have spoken to the President.
Chairman Johnson. When?
Ms. Archuleta. It was----
Chairman Johnson. About this breach, about the most recent
breach of the 4.1 million to possibly 18 million records.
Ms. Archuleta. I did brief the President on this, and he
has made it repeatedly clear that cyber threats are one of his
most serious economic and national security challenges as we
face the Nation, and he has in his administration pursued a
comprehensive strategy, including the appointment of Tony
Scott, boosting our defenses in government, and sharing more
information. He has also directed the establishment of a Cyber
Intelligence Center and called on the Congress to pass
legislation.
Chairman Johnson. OK. When did you speak with the President
about this?
Ms. Archuleta. Approximately 2 weeks ago.
Chairman Johnson. Do you understand the full gravity of the
risk to this Nation, the risk to people's lives, government
officials that are trying to protect this Nation, because of
the release of this information?
Ms. Archuleta. Of course I do. I am as upset as you are
about this. And that is why we have worked from day one to set
in place the steps that had not existed there before, and I
think--and if you notice in the plan that I sent you, we have
taken significant steps toward that. But we are looking at
nearly 30 years of a legacy system and no improvements prior to
the time that I got there--not none, but not enough.
And so as you look at the improvements we have made,
certainly we have made important steps, but we need to make
more, and that is why we are asking Congress for their support.
Chairman Johnson. OK. Senator Carper.
Senator Carper. I am going to yield my time at this point
to Senator Tester, who needs to go to an Appropriations
Committee markup.
OPENING STATEMENT OF SENATOR TESTER
Senator Tester. Thank you. Thank you, Mr. Chairman. Thank
you, Tom Carper. Thank you very much. I appreciate that.
Director Archuleta, was the cause of the initial breach
because of the compromised credential of an employee of a
contractor, KeyPoint Government Solutions?
Ms. Archuleta. My colleagues would be very much more able
to respond to that, but, yes, the first issue was a use of
credential----
Senator Tester. A compromised credential?
Ms. Archuleta. A compromised credential.
Senator Tester. You would agree with that?
Mr. Ozment. Yes, sir, I would agree with that.
Senator Tester. Thank you.
Director Archuleta, do you plan to continue OPM's
relationship with KeyPoint?
Ms. Archuleta. Yes, sir. We have found that they have
responded to all other remediation efforts that we have asked
them to perform.
Senator Tester. So it would be fair to say that you believe
KeyPoint is able to keep its data and credentials secure at
this point?
Ms. Archuleta. Yes, sir, I do believe that that is true.
They have made important strides.
Senator Tester. OK. IG McFarland, in your estimation has
KeyPoint sufficiently updated its access to its systems to
ensure that its data and credentials are secure?
Mr. McFarland. We do not know that at this time.
Senator Tester. Who would know that?
Mr. McFarland. I would hope the CIO would know it.
Senator Tester. OK. Has OPM updated their systems to ensure
that data and credentials are secure, IG McFarland?
Mr. McFarland. I believe, yes, they have been working on
the tactical aspect of the infrastructure, which is to update
the present environment.
Senator Tester. Do you feel that their systems are secure
at this point?
Mr. McFarland. No, I do not feel that they are secure at
this point.
Senator Tester. OK. IG McFarland, based on what you know so
far, do you believe that OPM should continue its relationship
with KeyPoint?
Mr. McFarland. I would have to have more information. I
would not be able to answer that right now.
Senator Tester. OK. Director Archuleta, as part of your
testimony, you also include recommendations to improve
cybersecurity at OPM, and, clearly, in these recommendations
you call on Congress for additional support in order to
accelerate upgrades for OPM's IT infrastructure. Director, as a
part of this additional support, are you requesting funding for
additional IT software developers and IT support personnel?
Ms. Archuleta. We are very much focused on the additional
money to improve our security. Yes, it is the primary reason
for the request for additional funds.
Senator Tester. OK. And so who have you made that request
to?
Ms. Archuleta. We are in the process of developing that
request. We hope to have it to you by the end of this week, and
we are working very closely with OMB on that.
Senator Tester. And do you have any idea how much that will
be?
Ms. Archuleta. I do not have the idea right now, sir, but I
think there has been an initial number that we are focused in
on, and I would be glad to get that to you by the end of this
week.
Senator Tester. OK. You talked about gleaning some of the
information out of private sector cybersecurity. Are you going
to--you said that you were going to--in your opening
testimony--I do not want to put words in your mouth, but what I
heard was that you were going to go to the private sector to
find out some methods that they utilized?
Ms. Archuleta. Yes. The issue of cybersecurity----
Senator Tester. And if that is correct, just say----
Ms. Archuleta. Yes, it is correct.
Senator Tester. Are you going to the financial industry?
Ms. Archuleta. We will be going throughout the industry,
and financial, I am sure, will be part of that, sir, yes.
Senator Tester. OK, because they are getting attacked
literally every night.
Ms. Archuleta. Yes.
Senator Tester. And they seem to be doing a reasonable job
at this point in time of fending those attacks off.
Ms. Archuleta. That is the type of expertise we will want
to know about and learn about.
Senator Tester. OK. Many times the private sector offers
employees in software development and IT pretty damn generous
benefits and pay. Yet at the Federal Government, we have had to
endure Government shutdowns. In recent years, we have seen
threat after threat cutting retirement, threat to cut wages,
not exactly what I would say good recruiting and retention
efforts.
How is OPM addressing recruiting problems, not only in your
supplemental request for dollars but in general?
Ms. Archuleta. Thank you for that question, sir. I have
actually been working very closely and had several
conversations with the private sector that faces this same
problem. The need for cybersecurity experts and, frankly, IT
experts is one that both the public and public sector are in
great need of, and we are working together with them and also
working with our internal partners in all of the agencies to
determine ways through hiring flexibilities, recruiting
flexibilities and salary flexibilities to bring these
individuals in.
What we have found is that there is a great deal of
interest in public service, and this is something that we are
focused in on, and the recruitment of individuals both at the
Millennials and mid-career.
Senator Tester. OK. This is for either you, Mr. Scott, or
Mr. Ozment. Which one of you said that this is due to an
underinvestment in cybersecurity over the last 10 years? Was
that you, Mr. Ozment?
Mr. Ozment. That was me, sir.
Senator Tester. OK. So we are sitting here on this side of
the dais. Some of us are appropriators, but we are all
concerned about national security. Who should we be listening
to about where we need to make those investments?
Mr. Ozment. Ultimately you need to listen to each agency
and their CIO because they know their environment best. I know
that what we have come forward, the Department of Homeland
Security, in our budget request for my organization, also
supports governmentwide security programs, and we need a
combination of those governmentwide programs and individual
agencies.
Senator Tester. Do we have a plan like that currently? Do
we have a governmentwide program for cybersecurity that
actually--the way I visualize it in my head, it actually has
tentacles out to each agency?
Mr. Ozment. We have a number of documents that in
combination lay out our governmentwide approach, in part
influenced by the recent passing of the FISMA modernization in
December 2014. And so those documents in aggregate lay out the
approach that we are taking.
Senator Tester. Is that effective? I mean, is the
infrastructure effective to do what we need to do? Or do we
have to add to--do you understand what I am asking?
Mr. Ozment. I do. There is always a balance between
spending your time writing documents and spending your time
doing the actual work.
Senator Tester. That is true.
Mr. Ozment. I think we are at a point right now where we
have--a lot of guidance has been issued. There has been a lot
of focus on how we move forward. I think we are at the point
now where we need to focus on the execution.
Senator Tester. All right. Thank you all for your
testimony.
Thank you, Mr. Chairman, especially you, Mr. Vice Chairman.
Chairman Johnson. Chairman McCain has got to be somewhere
else. We are going to let him go next, if that is OK, Senator
Booker? OK. Senator McCain.
OPENING STATEMENT OF SENATOR MCCAIN
Senator McCain. Thank you, Mr. Chairman. I thank Senator
Booker for his indulgence.
Ms. Archuleta, the New York Times stated, ``While Mr. Obama
publicly named North Korea as the country that attacked Sony
Pictures Entertainment last year, he and his aides have
described the Chinese hackers in the government records case
only to Members of Congress in classified hearings. Blaming the
Chinese in public could affect cooperation on limiting the
Iranian nuclear program and tensions with China's Asian
neighbors.''
Are you ready to state, since it has been in all public
periodicals, that it was China responsible for this hacking?
Ms. Archuleta. I think that that would be----
Senator McCain. That is a pretty simple answer. Are you
ready to say that it was Chinese hacking or not?
Ms. Archuleta. I would have to defer to----
Senator McCain. So the answer is no?
Ms. Archuleta [continuing]. My colleagues at State. I would
defer to my colleagues at State to respond to that.
Senator McCain. So the answer is no, you will not--even
though it is all in public knowledge that it was China, you are
not ready to tell this Committee that you know that it was
China that was responsible for the hacking. Is that true?
Ms. Archuleta. OPM is not responsible for attribution. We
rely on our colleagues to talk about that.
Senator McCain. Your committee--your business is to track
and to respond to hacking, and--well, I would like to go back
to the issue--you said you did not know where the figure of 18
million Social Security numbers came from. This is a Wall
Street Journal article. ``A senior Federal Bureau of
Investigations (FBI) official interjected, said it was based on
her agency's own data, these people said, of 18.2 million.''
Are you ready to acknowledge that the FBI's number of 18.2
million is accurate?
Ms. Archuleta. As I stated in my opening remarks, sir, I do
not believe that that is an accurate number, and I will not
give an accurate----
Senator McCain. So the FBI is giving us incorrect
information?
Ms. Archuleta. I do not have an understanding of where they
assumed that 18 number, but I will tell you----
Senator McCain. Have you met with the FBI?
Ms. Archuleta. My associates have met with the FBI----
Senator McCain. Your associates have, but you have not.
Ms. Archuleta. No, sir, I have not met with the FBI.
Senator McCain. Why wouldn't you, when there is a clear
situation here of an allegation by the most respected law
enforcement agency in America of 18.2 million. You are alleging
that it is 4 million. Wouldn't you sit down with the Director
of the FBI and say, ``Hey, the American people need to know,
especially those 14 million between 4 and 18 million that may
have been breached?''
Ms. Archuleta. As the head of the agency, I have many
people who are working in a number of different issues. This is
an important question that you have asked me, and since the
time that number----
Senator McCain. I guess my question, again, is: Why
wouldn't you sit down with the FBI people and find out where
they got their information so----
Ms. Archuleta. There are many----
Senator McCain [continuing]. You can corroborate it or deny
it?
Ms. Archuleta. My colleagues have met with the FBI, and----
Senator McCain. But you have not.
Ms. Archuleta. No.
Senator McCain. It does not rise to your level of
attention. I see.
Now, what about the hundreds of millions of prescription
drug claims and health records OPM holds to detect fraud in the
Federal Employee Health Benefits Program (FEHBP)? Are those at
risk?
Ms. Archuleta. The enrollment forms are part of the data,
and as I said in my statement, again, we are analyzing the data
right now.
Senator McCain. You will not tell the Committee----
Ms. Archuleta. It does not----
Senator McCain [continuing]. Whether they are at risk or
not?
Ms. Archuleta. I will share with you that we are analyzing
this data to see the scope of the impact of this breach.
Senator McCain. Mr. McFarland, your office has been warning
OPM about the vulnerability of its data for years. How were
these warnings received by the agency, and why were they
apparently ignored until it was too late?
Mr. McFarland. Well, I do not know why they were ignored,
but they certainly----
Senator McCain. But they were ignored.
Mr. McFarland. Yes, they were ignored, in my estimation.
Senator McCain. So they just received it, sort of like Ms.
Archuleta received the information from the FBI. It probably
may not have risen to the level of her interest.
Now, Ms. Archuleta, you made an interesting statement. You
told the Senate Appropriations Committee Tuesday that no one at
OPM is personally to blame for the data breach. However, you
told the House panel Wednesday, ``I hold all of us responsible.
That is our job at OPM to protect the data.'' In other words,
everybody is responsible, so nobody is responsible. But you are
responsible, and I wonder whether you think--since you said,
``I hold all of us responsible,'' do you think you should stay
in your present position?
Ms. Archuleta. Senator, I have been working hard from day
one to correct decades of neglect, and I----
Senator McCain. Ignoring the----
Ms. Archuleta [continuing]. Continue to----
Senator McCain. Ignoring Mr. McFarland's warnings.
Ms. Archuleta. I have been here for 18 months, sir, and I
have worked very hard. I think we have taken great strides not
only within OPM and in partnership throughout government,
cybersecurity is an enterprise effort in this administration,
and I work closely with them. I am committed to continuing to
do that.
Senator McCain. Well, unfortunately, you were not committed
to heeding the warnings of Mr. McFarland, apparently, at least
according to his assessment.
I guess my final question is, which I am sure you will
probably obfuscate: When will the American people know, when
will they know the extent of this penetration which has
violated the privacy of, at least in the estimation of the FBI,
18 million people?
Ms. Archuleta. Thank you for that question, and as I stated
earlier, we are working as rapidly as we can. I have a team
that is working--that is devoted to this----
Senator McCain. And you have no----
Ms. Archuleta [continuing]. But I will be--I----
Senator McCain. And you have no estimate for the Committee
as to when this----
Ms. Archuleta. When I know that the number is accurate,
that is the time.
Senator McCain. But you cannot tell us when you would----
Ms. Archuleta. When I know the number is accurate.
Senator McCain. But you cannot tell us when.
Ms. Archuleta. When they bring me an accurate----
Senator McCain. I see.
Ms. Archuleta [continuing]. And I have confidence in that
number.
Senator McCain. Ms. Archuleta, I must say that I have seen
a lot of performances. Yours ranks as one of the most
interesting.
I yield back.
Chairman Johnson. Thank you, Chairman McCain.
Because Senator Booker did yield, I will let you go before
Senator Ernst.
OPENING STATEMENT OF SENATOR BOOKER
Senator Booker. Thank you very much. These days it is
surprising to see somebody letting New Jersey go before Iowa.
[Laughter.]
Senator Ernst. It is OK.
Senator Booker. Ms. Archuleta, I understand that the OPM
Inspector General recommended the shutdown of OPM's IT
infrastructure system before we knew about the hacks. Did you
follow the IG's guidance? And if not, why?
Ms. Archuleta. I did not follow his guidance because I had
to make a very conscious and deliberate decision as to the
impact of the shutdown of those systems. I would have had to
shut down the processing of the annuity checks to retirees. I
would have had to shut down the system that does background
investigations for the Federal Aviation Administration (FAA) or
for the Transportation Security Administration (TSA). It would
have meant that those individuals and the needs that those new
hires and the services they would provide would not have been
able to be provided.
I made a conscious decision that we would move forward with
this, but would make improvements as rapidly as possible, and
we have done that. And the opportunity to work with the IG, I
would say, is one that I feel is an important part of
everything that we think about, but I also know that I have
responsibility in many areas across OPM.
Senator Booker. OK. Mr. Scott, you are America's Chief
Information Officer. It is obviously a very important and big
task, and I want to ask you very specifically: Do you believe
Ms. Archuleta and Donna Seymour are equipped to lead the
efforts to shore up OPM's cybersecurity in the wake of these
attacks? Do you believe that their leadership is capable of
dealing with this tremendous trial?
Mr. Scott. I do, sir, and I have spent time on the ground
with the teams that are in OPM doing the work, both from DHS
and the OPM teams. They are working really hard and doing the
right things. I have talked to them about the leadership that
they are getting from both Director Archuleta and Donna
Seymour, and they tell me that they are very supportive of the
efforts and the leadership that they see there. And the one
comment I would make is I think we need to be careful about
distinguishing fire starters from fire fighters in this
particular case, and they have my full support.
Senator Booker. And you have a tremendous professional
background. You understand the field not only in the private
but the public sector. Given you know what you know going on
around the country and meeting these attacks that are
happening, frankly, the incredible nature of attacks going on
on dozens of companies that are all name brands, things we have
seen in the media, given that whole field, do you think she is
the person equipped to do the job, as you say, of firefighting?
Mr. Scott. Yes, sir, and I have been impressed with the
deployment of the additional tools. I would say, the work that
is going on in OPM right now would serve as a template and a
model for work that other agencies need to do as well. We are
learning on this across the whole Federal Government, and one
of the goals of my office is to take all those lessons learned
and apply them broadly across the Federal Government, working
with my colleagues in DHS and elsewhere. We have to learn from
this, and we have to be much faster as a Federal Government in
responding to what is a very rising and fast rising and fast
morphing set of threats. This is not a small challenge.
Senator Booker. I appreciate that.
Ms. Archuleta, there have been at least two instances of
OPM systems being hacked. Could you just explain please how the
first and second breaches occurred, what steps you have taken
to prevent a future breach, and what have you done to protect
the dedicated public servants who have been affected by this
breach?
Ms. Archuleta. Certainly. Thank you for that question. The
first breach occurred in April to the employee personnel
records. As a result of the investigation around that, we found
the second breach later. The forensic part of it I think my
colleague Andy Ozment would be better able to respond to, but
since that time, we have instituted even more security measures
into our system, and at this time we are unaware of any other
efforts to come into the system. And we are obviously
monitoring that constantly 24/7 through our center.
Senator Booker. And if you can answer this question
quickly, Dr. Ozment will have a chance to add to that question.
But there have been much pointed questions toward you about the
discrepancies between the numbers. The first attack, everyone
was consistent. We knew what those numbers were. This attack,
they are not being consistently reported, as has been pointed
out by my colleagues, and we are having these varying numbers.
Can you just explain why that is, hopefully leaving about 20
seconds of my 90 seconds----
Ms. Archuleta. Yes, that is what I mentioned in my opening
statement, sir. The first incident was 4.2 million, and we
have not determined the scope of the second incident yet.
Senator Booker. And you had some pointed questions as to
why that is, why are there varying numbers.
Ms. Archuleta. Because I do want them to be accurate.
Senator Booker. And so you are holding back giving a number
until you have all the information.
Ms. Archuleta. We have a team that is doing the analysis
even as we speak to make sure that we will announce an accurate
number.
Senator Booker. Right, so to be premature would be to be
inaccurate.
Ms. Archuleta. That is exactly right.
Senator Booker. I do have 55 seconds, sir. Could you just
add a little bit more to what is being done?
Mr. Ozment. Absolutely. I can speak to the timeline of the
incident itself. In April, OPM detected this incident because
they had been rolling out security capabilities over the last
year and a potentially additional timeframe. So if they had not
rolled out those capabilities, we would never know that this
intrusion----
Senator Booker. So the upgrades you all were doing in order
to promote better hygiene, in order to do the right things, was
the reason why we detected the attack that had occurred more
than a year earlier?
Mr. Ozment. That is right. So OPM's upgrades are what
detected the attack. They notified DHS, my organization,
immediately. We used the information they provided to detect
the second intrusion at the Department of Interior Data Center.
And the team since then has been on the ground doing the
forensics analysis. In May, they were able to assess with high
confidence that the 4.2 million personnel records had been
exfiltrated from the Department of Interior Data Center. That
is OPM's data but at the Department of Interior Data Center.
In June, they assessed that some amount of information had
been exfiltrated from OPM itself, but these are complicated
databases, and that is the analysis OPM is currently doing to
figure out exactly what data was taken.
Senator Booker. Thank you, Dr. Ozment.
And, Mr. Chairman, thank you for your deference to the
people in New Jersey.
Chairman Johnson. Thank you, Senator Booker. Always looking
out for the folks in New Jersey--and Iowa. Senator Ernst.
OPENING STATEMENT OF SENATOR ERNST
Senator Ernst. Thank you. Thank you, Senator Booker, and
thank you, Ranking Member. Thank you, Mr. Chairman, very much.
This is a significant data breach. We will talk about this
all day, but bottom line, we need to see some action on
this immediately.
Mr. McFarland, thank you for being here today. We have
heard in your testimony, we have seen your Flash Audit Alert
that was released by your office earlier this month, and in
that audit alert, you did highlight your serious concerns
regarding OPM's management of its new IT project, the
improvement project. And I cannot overstate the importance of
project management, particularly with respect to projects as
complex and important as this particular project.
In fact, just yesterday in this Committee, we did approve a
bill introduced by Senator Heitkamp and myself which will focus
on improving program management in the Federal Government, and
I would be interested to learn from you just a little bit more
detail about your concerns to OPM's management of this IT
improvement project.
Mr. McFarland. Yes, Senator. I think a good start here and
a good example would be the fact that anyone doing a capital
investment in the IT world, at least my understanding--and I
can be corrected if I am wrong--by OMB's regulation is required
to do a business plan known as Exhibit 300. That has not been
done by OPM, yet I do hear in the last few days information
that OPM and OMB are working very closely together. And I do
not doubt that. But my concern is something as simple and
straightforward as a business plan, if it is not completed--and
we hear it is completed by OPM, and then our documentation that
we requested shows that it has not been done, I would like to
find out--I do not necessarily want to use this forum for my
question, but I think it goes to the heart of your question.
What has happened with this business plan? Has it been done or
not?
Senator Ernst. And that to me is a significant failure, the
fact that something so simple as a business plan cannot be
produced for this project, which left millions of Federal
employees and their data at risk.
So, Ms. Archuleta, I do want to followup, because it sounds
like now there is a request for additional dollars, and what we
want to ensure is that if the dollars are allocated, that it
will actually be put toward this project and that we do see
results and that it is managed wisely. I cannot say that
dollars we have put forth so far have been utilized maybe to
the best of the taxpayers' interests.
So if you could address that, just give us that assurance
that this will be handled.
Ms. Archuleta. Thank you. Thank you for that question. In
his Flash Audit, the Inspector General recommended the
completion of a major IT business case document for fiscal year
2017, and I actually look forward to discussing with the
Inspector General the practical implications of completing such
a document for submission for fiscal year 2017. We are in an
urgent situation. I do understand, though, his concerns, and I
would like to assure him that all of our decisions are being
tracked, documented, and justified, and that we are working
very closely with OMB.
As I mentioned earlier, I think that the Flash Audit
discussions need to occur between me and the IG, and we will do
that. Our staffs are meeting next Tuesday, and I am sure Mr.
McFarland and I will meet immediately following. The important
thing is that we address his concerns, but I think the other
thing is that we move quickly. As Tony and Andy have already
described, we are in a very urgent situation. So we need to
balance and make sure that we are doing all the things that the
IG has described, but as well, we understand the urgency of
moving forward aggressively.
Senator Ernst. I do appreciate that, but this is rather
late, and in retrospect we cannot go take back the data that
has been captured by whoever this person or entity is out there
that has gotten into the system, who has breached and gotten
this data.
One thing that maybe we have not discussed yet is the fact
that not only do we have millions of Federal records, and
employee records that were breached, but I know when I filled
out the applications for security clearances in the military,
not only was my personal information on those forms, but I had
to list references on those forms. Their information is also
included in this.
So we have not only millions of Federal employees,
potential Federal employees, but all of their references'
information is there as well. How many more millions of people
are we talking about? Have we alerted those people? And what is
going to be done to followup on their information as well?
Ms. Archuleta. Thank you for that question. It is an
important question, and I agree with you totally. I am as upset
as you are at the fact that these documents or this information
has been breached.
Here is what we are doing, as I mentioned in my testimony,
and why I cannot give a number right now. When we look at, for
example, the background investigation, there is a lot of
information in that. Some of that contains, if there is a--some
of it does contain personally identifiable information (PII),
and some of it does not. And so as we are analyzing the type of
data that is in these files, those are the things that we are
looking at, because we care as deeply as you do that we notify
those who have been affected by this, and also understand those
who have not been affected, even though you may have mentioned
them in your SF-86. We are doing a complete analysis of that,
and that is why I am very hesitant to put out a number
until we are absolutely sure we have looked at the whole range
of possible impact.
Senator Ernst. Thank you today for the testimony.
Yes, sir?
Mr. McFarland. Senator, if I may make one other point? Is
it all right?
Senator Ernst. Yes.
Mr. McFarland. The funding is a prime example of our
concern. It is all over the board. The situation basically is
in 2015 OPM is dealing with $32 million. In 2016, they are
asking for another appropriation of another $21,000. In the
meantime, DHS has provided them $5 million. And the other $67
million from what I understand, is supposed to come from the
program areas at OPM. That is so sporadic. It just does not
hold water from our perspective as to having a funding source
ahead of time for the full project. It is like playing catchup,
and the worst part of that is that the OPM program offices are
going to be tasked to pay for that from their program office
funds, appropriated funds, for the migration of each of their
systems, instead of having a big picture of funding very
clearly for everybody. Plus I think, the OMB is very much in
favor of having transparency, and this just avoids
transparency. It subsumes the money coming from program offices
instead of a dedicated source of funding.
Senator Ernst. Thank you. I think that is an exceptional
point.
Thank you for allowing the additional response.
Chairman Johnson. Thank you, Senator Ernst. I do want to
point out, as best as I can determine, the information given to
me, we spend something like $80 billion per year on IT systems
in the Federal Government. So this is a problem of management;
it is a problem of prioritization. And that is why I pointed
out in my opening statement that this should be a top priority
of the Federal Government. If it was made a top priority, there
should be plenty of funding within the current budget to
provide this kind of security. Senator Carper.
Senator Carper. It has been raised who was behind this
hack, this latest hack at OPM, this series of hacks, and
someone just gave me a copy of an article that quotes FBI
Director Comey, and it says: ``There are two kinds of big
companies in the United States. There are those that have been
hacked by the Chinese and those who do not know they have been
hacked by the Chinese.''
It goes on to say that, ``They are prolific. Their strategy
seems to be we will just be everywhere all the time, and there
is no way they can stop us.''
It goes on to say, ``Bonnie and Clyde could not do a
thousand robberies in the same day in all 50 States from their
pajamas halfway around the world.'' Those are the words of
James Comey. I thought I would just share them with all of you
today as we reflect on our inability to do a perfect job
protecting our sensitive information within the Federal
Government.
I am going to go from here to a hearing on how do we fund
transportation in our country, and I think there is a corollary
here, Ms. Archuleta, between your failure to be able to come in
and in 18 months to turn this around. I think there is a
corollary here, and I will just use transportation. I think we
need to be fair, OK? I am a Navy guy, I think my colleagues
know. We have a tradition in the Navy. If you are the
commanding officer of the ship, your ship runs aground in the
middle of the night, you were sound asleep in your wardroom, we
hold the captain responsible. Some people say that is not fair,
but that is our tradition in the Navy. You are the captain of
the ship, and so you are held responsible, whether that is fair
or not.
Having said that, I am reminded of a situation where let us
say--and we are not talking about personnel management. Let us
say we are talking about transportation in our country. We all
know we have roads, highways, bridges, and transit systems that
are decrepit, failing, and we need to do something about it.
Let us say we confirmed a Secretary of Transportation 18 months
ago. We do not give that Secretary of Transportation the money,
which we are not doing, that is needed to be able to fix our
roads, highways, bridges, and transit systems. And not only
that, we do not confirm a Deputy to be part of the team, the
leadership team at the Department of Transportation (DOT). It
has been 4 years since we have had a Deputy, and, again, in the
Navy, you have a commanding officer. You are the commanding
officer. The Deputy is the executive officer, and this
important agency has been without an executive officer for 4
years.
Part of that responsibility is the administration because
they did not send us somebody, they did not send us a name for
a long time. But they did last year. They sent us a great guy,
a Navy guy, Naval Academy, commanded ships, aircraft squadrons,
has all kinds of credentials, and we need to get him confirmed.
This Committee has done its job. Now we have to get him
confirmed so you have the help that you need.
In terms of the help that you need, this Committee I think
did some pretty remarkable things last year in terms of
legislation. We took the old Federal Information Security
Management Act and we modernized it. That is being implemented
now. We said the Department of Homeland Security does not have
the kind of workforce capabilities that they need to hire and
retain the sort of talent that they need to fight these cyber
wars. We have addressed that. You are beginning to use those
skills at DHS.
We took your ops center, the so-called National
Cybersecurity and Communications Integration Center (NCCIC),
and made it real. We authorized it, said this is the real deal,
and let us just not pay attention to them but let us give them
the authority they need.
We said let us look at our Federal information technology
and our acquisition systems and see what we can do to reform
them and give them the kind of oomph that they require. We have
done all those things. We have done all those things. But there
are some things we have not done. There are some things we have
not done. I have heard enough on EINSTEIN 3 in the last week
that I am convinced that that is something we ought to do. And
EINSTEIN 1 and EINSTEIN 2, good start, but 3, 3A is obviously
important. Andy, I thought you gave us a real good explanation.
I want to ask you to come back and just explain again external,
internal, the idea of the building, the locks, the vault
inside, and how EINSTEIN 3 actually interfaces with--I think
you called it CDM, the Continued Diagnostics and Mitigation
approach, which is more like the inside protection as opposed
to EINSTEIN 2, which is the outside protection. Would you just
run that by us again? I thought it was a very helpful
explanation.
Mr. Ozment. Certainly. The most important concept here is
the concept of defense in depth, that there is no one tool, no
one security measure that solves the security challenge. Just
as in a physical building you have multiple layers of
security--a fence, guards, cameras, locks on doors--you have to
have the same in cybersecurity.
EINSTEIN is that perimeter system. It is the fence and the
guard houses and the cameras around the perimeter of the
government. It is equally important that you have security on
the inside. Agencies have to do more of that internal security
based upon their unique needs and missions, but Continuous
Diagnostics and Mitigation is a program we have to help
agencies with that, where we are buying capabilities on behalf
of those agencies. They choose from a menu that suits them and
roll it out. And those capabilities will come in three phases.
The first phase is the equivalent of a guard that goes
around and checks that all the buildings are locked, that all
the doors and windows are closed, basic security measures to
make sure that they are in place.
The second phase of CDM opens the doors to the buildings
and checks who is on the inside. Does that person--are they
authorized to be in this building? Are they doing things that
they are permitted to be doing?
And then the third phase is like a very smart security
guard that goes around and just says, Hey, I see something
unusual, we need to look at that, because that behavior, that
thing I see inside this facility, that does not belong here.
Those are the three phases of CDM looking inside the
building.
EINSTEIN, which is that perimeter, the first phase was just
a camera. Here are the cars coming in and out. Record the cars.
If there is an unusually large number of cars, set off an
alarm.
The second phase added a watch list: Hey, this particular
blue car is not supposed to enter this facility. Set off an
alarm.
The third phase, which we are currently rolling out, is
like a gate. It is a guard house and a gate. The gate stops the
malicious car from entering the facility, but the other great
thing is, because it is a guard house, we can add different
security capabilities to it. We can add new cameras. We can add
new gates, additional guards. It is a platform that we can add
new capabilities to over time.
So while we are first focused on rolling it out across the
government and building that first gate, we are also looking to
the future and saying what other capabilities can we add to
this guard house.
Senator Carper. Excellent explanation. Thank you so much.
Chairman Johnson. Senator Lankford.
OPENING STATEMENT OF SENATOR LANKFORD
Senator Lankford. Thank you. Thanks for all your
preparation and being here. I know this is not what you wanted
to be able to do today. There are lots of other things you
would like to be able to do outside on a beautiful day like
that than be in here with us. But we have a lot of things to be
able to deal with in the days ahead on this.
Ms. Archuleta, let me clarify a couple things with you. You
made the statement about the first intrusion, second intrusion,
and the 4.2 is from the first intrusion. So just to clarify,
none of the letters that have gone out have been connected to
the breach dealing with the background security, so the letters
that went out, all of them are related to the first breach,
none of those letters related to the second.
Ms. Archuleta. That is correct, sir.
Senator Lankford. OK. You and I had an interaction just a
couple of days ago, and we were talking about the development
of the plan. By the way, I mentioned to you we had sent you a
letter from the Subcommittee that I chair on this Committee,
and your staff has been very prompt to be able to get back to
us on that, and I appreciate that, to be able to get back on
those details.
One of the questions I had asked about was the
cybersecurity plan development. You had mentioned your CIO and
the Chief Technology Officer (CTO) had led the effort to put
this together, but one thing I am going to need clarification
on, among several--and we will reply back to you formally on this--is the
contractor that was the adviser, or was there an outside
adviser to the CIO and CTO when they were putting the cyber
plan, or did they completely put that plan together in-house?
Ms. Archuleta. No, our plan was developed in-house. The IT
security plan was--the IT implementation plan was built
in-house.
Senator Lankford. OK. Also in our interaction from a couple
of days ago, I had asked about the statement that has been made
about authorizing systems. There are 47 total systems that are
out there, that there were 11 systems that were reported not
authorized at that point. You said, no, 10 of those had been
authorized, there is one of them that is an outside contractor
that has not.
From the IG's testimony today, I noticed the statement:
``In April, the CIO issued a memorandum that granted an
extension of the previous authorizations for all systems whose
authorization had already expired, and for those scheduled to
expire through September 2016. Should this moratorium on
authorizations continue, the agency will have up to 23 systems
that have not been subject to a thorough security controls
assessment. The justification for this action was that OPM is
in the process of modernizing its IT infrastructure and once
this modernization is complete, all systems would have to
receive new authorizations anyway. While we support the OCIO's
effort to modernize its systems, this action to extend
authorizations is contrary to OMB guidance, which specifically
states that an `extended' or `interim' authorization is not
valid. Consequently, these systems are still operating without
a current authorization, as they have not been subject to the
complete security assessment process that the authorization
memorandum is intended to represent. OMB does not require
authorizations every 3 years if the agency has a mature
continuing monitoring program in place. Our audit work has
found that they do not.''
So the question is: The authorizations that are in place,
are they done by fiat basically of the agency saying we are
working on this, or have they actually gone through the actual
authorization process?
Ms. Archuleta. We have worked very closely with OMB, and
they are aware of the process that we are using on these
authorizations, and that understanding where we are in the
process of moving toward new systems. So we have complete
concurrence with OMB on these authorizations. So we are in
compliance, and we are working on the final one that we noted
as rapidly as possible.
Senator Lankford. So the question there on compliance is
OMB has changed what their typical ruling is----
Ms. Archuleta. There are circumstances that allow us,
because of the situation that we are in, in terms of migrating
and because of the legacy of our systems, yes.
Senator Lankford. OK. Mr. McFarland, any comments on that
at all?
Mr. McFarland. Well, that is not my understanding. My
understanding is that what you just said, Senator, about the
continuous monitoring exception, if it is mature. OPM does not
have a mature continuous monitoring program.
Now, if OMB has made an exception, we have not been
notified of that.
Senator Lankford. OK. The very rapid path that you had to
take to deal with credit monitoring, to be able to notify and
provide credit monitoring for 4 million people at this point,
had to come together very quickly. My understanding of the
contracting on that, you put out on a Thursday, gave 2 days and
said anyone who wants to bid on this needs to have it finished
by Saturday and to be able to get the bid on, and you let that
out immediately the next week on that. The contractor that was
involved, is that someone that OPM has used before or is
familiar with? Or how did this process come together that
quickly? Because that is something obviously pulling that
together extremely fast.
Ms. Archuleta. The contracting office actually does handle
that process, and on May 28, they posted the RFQ, and it closed
on May 30. And they did receive several responses. We worked
first with the General Services Administration (GSA) list, and
we found that there were not vendors on that list that met the
requirements that we needed, and that is why we moved rapidly.
We wanted to be sure that we were able to notify individuals
very quickly, and that is why we used a very rapid turnaround.
We also find that the companies that were--the types of
services we were looking for, those companies are used to that
type of timeline, and so that is why we were able to get the
three responses that we did.
Senator Lankford. I do not know what kind of feedback you
have had so far on this, and this is just one of those
rolling--once things get hard, they just continue to get harder
for a while. But the contractor in question that has handled
this has dealt with numerous website crashes from, obviously, 4
million people hitting their site and has not been able to
sustain it. Even some of my own staff that have received a
letter cannot seem to get on their website and to be able to
get going on the credit monitoring. So while the contractor
that was placed in this was fast in the turnaround, they do not
seem to be able to sustain on the other side of it. Have you
had any other input on that?
Ms. Archuleta. I am very frustrated by sort of the initial
steps that the contractor faced, and we are meeting with them
on a daily basis to improve the services to our employees. Our
employees deserve quick answers. They need to begin on a
website. If they do not, they should not--if they cannot get to
a call center employee, for example, they should not have to
wait on the phone, and that is why we instituted a service
similar to the Social Security Administration (SSA) where there
are callbacks.
We think it has worked better, but we have learned a lot
from this and are noting very carefully as we look at the next
notifications, what areas we need to improve upon.
Senator Lankford. The questions will be--every agency head
across the entire Federal family is going to want your notes
from the past month, because the best thing that we can do is
to be able to get our technology up to speed so that we have
fewer instances like this, but also have preparation for when
something actually occurs. So I hope you will be able to share
some of those very quickly written notes, because there is a
lot that has to be put into place to be able to help clean this
up.
Ms. Archuleta. Thank you, sir.
Senator Lankford. Thank you.
Chairman Johnson. Senator Sasse.
OPENING STATEMENT OF SENATOR SASSE
Senator Sasse. Thank you, Mr. Chairman.
Director Archuleta, this is the fourth briefing, I believe,
on this topic in the last week. It is not surprising that new
details keep coming out, but I think what is frustrating and
confusing for many of us is that many core elements of the
timeline have shifted over the week. So I would like to just
walk through a basic timeline of events and have you help me
understand if we have some of these facts correct.
We heard in one setting this week that March 2014 is when
OPM was first breached. That is not accurate, is it?
Ms. Archuleta. In March 2014, there was adversarial
activity in the OPM network that dated back to November 2013,
and no PII was lost during that.
Senator Sasse. How was that November 2013 breach detected
and by whom?
Ms. Archuleta. We detected that adversarial activity, and
we worked with DHS on the forensics of that.
Senator Sasse. OK. Dr. Ozment, that is your understanding
as well?
Mr. Ozment. Certainly. I will elaborate on the timeline, if
you do not mind, because it is quite confusing. There was an
incident in 2014, March 2014, at OPM. DHS had received a tip
from an interagency partner and reached out to OPM, and we
worked together and found that intrusion, as the Director
noted, and that intrusion dated from November 2013.
We now, of course, have two incidents or potentially two
events that are the same incident. The terminology is not great
here.
Senator Sasse. That is an important distinction, though,
isn't it? Because the notifications both to the Congress,
potentially to folks in the White House, and ultimately to
whatever the right number is, north of 10 million, all those
things will be implicated based on whether or not there were
one or two events.
Mr. Ozment. There are clearly two events right now: the
Department of Interior Data Center that hosted the 4.2 million
OPM personnel records, and the breach at OPM itself where the
analysis is still occurring to identify how much data was
stolen. I think the key distinction is, who is the adversary
and was it the same adversary in both cases, and for that I
would have to defer to law enforcement and intelligence to
speak to that. But, clearly two different locations, two
different sets of data involved.
Senator Sasse. Thank you.
Director Archuleta, you said that the attackers got into
OPM's network through a credential that was given to a KeyPoint
contract employee who was working on background investigations,
correct?
Ms. Archuleta. That is correct, sir.
Senator Sasse. At yesterday's hearing, we learned that no
personally identifiable information was stolen in that breach,
but blueprints for the main frame were. Is that your
understanding?
Ms. Archuleta. I think we were talking about--I want to be
sure which one. That was in March 2014. I think there are two
different incidences that----
Senator Sasse. But what was gotten in November 2013?
Ms. Archuleta. In November of--OK, I am sorry, sir. I
misunderstood the question. I apologize.
Senator Sasse. Thanks.
Ms. Archuleta. As I understand it, in November 2013, while
no PII was lost, there was an extraction of some manuals. As
Donna Seymour testified yesterday, as did the representative
from DHS, those manuals are common manuals that could be bought
in a store.
Senator Sasse. And what information was on the main frame
computers that they got the manuals to?
Ms. Archuleta. I would have to get back with you, sir, on
that. I do not know exactly.
Senator Sasse. I believe it has been reported that it was
security clearance background information. Dr. Ozment, do you
think that is correct?
Mr. Ozment. I would have to defer to OPM on that.
Senator Sasse. It has been publicly reported that just a
few months later, in June 2014, USIS, another OPM contractor
working on security clearance investigations, reported that it
had also been breached. Is that correct?
Ms. Archuleta. Yes.
Senator Sasse. And what was stolen from USIS?
Ms. Archuleta. There was OPM data impacting approximately
2.6 thousand individuals.
Senator Sasse. 2.6 thousand?
Ms. Archuleta. Yes.
Senator Sasse. And that was security clearance information,
but it was on laptops?
Ms. Archuleta. I believe, sir. I would have to get back
with you on that.
Senator Sasse. Earlier this week, you were asked about a
separate breach at KeyPoint which was discovered in September
2014. We believe in our office that that breach occurred in
August 2014 and that 49,000 security clearance holders' records
were breached. Do you think that is accurate?
Ms. Archuleta. The adversarial activity dated back to
December 2013, sir.
Senator Sasse. OK, but didn't you just a minute ago say
that the only thing captured in November and December 2013 was
the manuals?
Mr. Ozment. Sir, I can jump in and speak to that.
Senator Sasse. Please.
Mr. Ozment. The first incident that Director Archuleta is
referring to is an incident that was detected in March 2014 at
OPM and the activity at OPM that was detected in March 2014
dated back to November 2013.
Separately, the activity at USIS, a contractor to both OPM
and DHS, dated back to April 2013. Separately, the activity at
KeyPoint dated back to December 2013.
Senator Sasse. OK. So in addition to that distinction, you
said in your testimony that there was an October 2014 Interior
Department breach. Can you tell me what records were being
housed at Interior?
Mr. Ozment. I would defer to OPM in general, but I----
Ms. Archuleta. It is the employee personnel records.
Senator Sasse. So this is all non-security clearance
information from the Interior breach.
Ms. Archuleta. The 4.2, yes.
Senator Sasse. OK. And in December 2014, what was the OPM
breach in December?
Mr. Ozment. The breach that was--that started in--my
apologies.
The most recent OPM investigation where OPM is still
ascertaining which background investigations were compromised
was detected in April, but the activity ran from May 2014
through April, although the intruder was most active on the
network from June 2014 to January 2015. I am not sure what you
are referring to with the December 2014 data.
Senator Sasse. I am trying to confirm that there were
security clearance background investigations in that breach as
well. I think one of the reasons we care about this is because
in March 2014's breach, we have been told that blueprints to
the main frame were all that were stolen, and then that same
main frame I believe was hacked in December 2014. And if that
is true, I am wondering if any systems that did not have the
manuals taken were actually hacked with secure background
investigation in December 2014. If not, calling these mere
``manuals'' is inaccurate.
Ms. Archuleta. Can we get that information back to you in a
full list, sir?
Senator Sasse. Sure.
Ms. Archuleta. So it would describe it.
Senator Sasse. We have about a 10-page letter to you on
Monday, and so we would be grateful for info to that being
added to that response.
Ms. Archuleta. We are actively responding, sir. Thank you
very much.
Senator Sasse. I have more questions, but I will wait until
the second round, if the Chairman wants to go first.
Chairman Johnson. Thank you, Senator Sasse.
Dr. Ozment, based on Senator Sasse's questions, I mean,
obviously there has been a lot of activity. You combine the IG
reports that have been showing the lack of security or the
material problems with security. Just trying to get this all
straight, it is difficult.
Is it true that DHS did write a mitigation plan based on
that November 2013 attack?
Mr. Ozment. Yes, Senator. When DHS' Incident Response Team
goes onsite to any incident, as part of their report out of
that incident, they say here are some of the steps that we
recommend that an agency take to bolster its defenses. It is
not a complete plan. It is not a ground-up look at a network.
It is based on what we saw and our time here, we recommend that
you make the following changes.
Chairman Johnson. OK. I am not sure our Committee has
access to that plan, so can you provide that to the Committee,
please?
Mr. Ozment. I will take that back, sir.
Chairman Johnson. I appreciate that. Rather than start a
second round right away, I will just defer to Senator Portman
for your first round.
OPENING STATEMENT OF SENATOR PORTMAN
Senator Portman. Great. Thank you, Mr. Chairman. Thanks for
having this hearing. It has been very helpful, I think, for all
of us to have an exchange of information. It has also been very
troubling, to be frank with you. And, one of my concerns from
the start of this has been about the nature of the information
that these hackers have received and specifically information
that is very sensitive. As was mentioned earlier in the panel,
the SF-86 is a form that you have to fill out to get a security
clearance, and it includes highly confidential information,
mental health history, issues about your personal life and so
on that in the wrong hands can be very damaging, not just to
that individual but also to our national security.
And so one of the concerns that I would like to raise with
you today is the extent to which this information you believe
might be in the hands of our adversaries, and specifically,
what are we going to do about that?
I realize that there are some sensitive matters here being
discussed, but I think this has all been sort of out in the
public, and if there is something you believe should not be
discussed in this setting--I know the Chairman is very eager to
get this information also--we would be happy to talk to you
about it in a more classified setting.
So my first question, Dr. Ozment, is to you: Are we any
closer to knowing what the scope of information was that has
been accessed on this Federal Investigative Services (FIS)
systems? Was it the SF-86 forms? Was it investigatory notes and
supporting documents? They are also part of background
information. And tell us what we know about that.
Mr. Ozment. Senator Portman, I will start the answer to
that question, and with your permission, I will ask Director
Archuleta to complete it.
Anytime you are trying to assess the impact of an
intrusion, you have two activities that have to take place.
First, the forensic investigators have to figure out
essentially where did the adversary go, what did they have
access to, and what did they do with the information they had
access to. And you are rarely working with full evidence. If
you think about a physical crime scene, you are looking for
fingerprints, you are looking--did somebody leave a half-smoked
cigarette? You are looking for clues, and that is what our
forensics investigators are doing. It takes time, and
sophisticated adversaries try to erase their tracks. They wear
gloves so they do not leave fingerprints. And that is definitely
the case here.
Senator Portman. So what do we know?
Mr. Ozment. So what we know is we continue to look at
systems and see where were the adversaries, were they on the
system. We then have to work with OPM, and OPM has to say this
is what was on the system, which means that, we can say the
adversary was here. They have to be able to say this is what
was on the system. And I will ask Director Archuleta to speak
to that.
Ms. Archuleta. I am glad to speak to that. In early June,
our forensics teams advised the interagency--well, they advised
me, I will just say that, they advised me that there was a high
confidence that the background investigation records had been
compromised.
Senator Portman. OK. Let me ask you another question. Dr.
Ozment, there has been some discussion regarding whether these
adversaries might have manipulated data in the background
investigation databases that we have just heard from the
Director she has high confidence that those have been breached.
They could have actually manipulated data in our Federal
Government systems with regard to these background
investigations, for example, to change the outcome of a
clearance adjudication, remove derogatory information, maybe
add derogatory information.
Can you tell us anything about that possibility?
Mr. Ozment. Sir, I can speak broadly. The adversary did
have the type of access that could allow them to change
information. I cannot speak to whether that change of
information would allow them to do any of the things that you
have specifically suggested there. I will say----
Senator Portman. Is it possible?
Mr. Ozment. It is possible to change information. The
implications of that I cannot speak to. I will say--and I do
not want to speak for my intelligence community colleagues, but
I will repeat what they said in a prior session, which is--and
law enforcement colleagues, which is they view that as
unlikely.
Senator Portman. Is it possible that adversaries
responsible for the breaches have also manipulated the data in
the background investigation database itself?
Mr. Ozment. I can say that the adversaries had the type of
access that would allow them to manipulate some types of data.
I do not know specifically what was on the databases that they
had access to. I would have to defer to OPM for that.
Senator Portman. Yes. Director Archuleta, one thing we
talked about earlier is why we have not responded more quickly.
When did you first learn about these breaches?
Mr. Ozment. We were notified of the breach that you are
describing. The first breach occurred--I will talk about both
incidents. The first breach occurred in April, and----
Senator Portman. April of this year?
Ms. Archuleta. April of this year, and we were notified of
the high--as I mentioned earlier, we were notified of the
second breach, the high probability of extraction or exposure
in June.
Senator Portman. So these background investigations we are
talking about here, the highly sensitive information, we have
known since June. Is that correct?
Ms. Archuleta. Yes, sir.
Senator Portman. We did not know before that?
Mr. Ozment. No, sir.
Senator Portman. We talked earlier about your not having
met with the Director of the FBI despite these incredible
discrepancies in the information we are receiving from the two
agencies. So I would hope the conclusion there is that you all
are going to get one story for the American people. My
constituents want to know, including the 10 million people who
are wondering. Have you met with the Secretary of Defense or
the Director of National Intelligence (DNI) about this breach
in the background information database and the potential impact
it could have on their employees?
Ms. Archuleta. I have not met with them personally, no.
Senator Portman. I would think that would be another
obvious thing to do. I mean, my concern, again, was the concern
I think every American should share, which is the most
sensitive information and the most important national security
agencies have now potentially been compromised. And I would hope
that the FBI Director who leads our counterintelligence efforts
as well as Secretary of Defense and DNI would be involved in
this effort.
Ms. Archuleta. May I just say that because I have not met
with him does not mean that they are not engaged in this
effort. The intelligence community issues are issues I know
that they are meeting about, but those are not issues, as I am
on the personnel records, that I am included in. But I do know
that there have been meetings about that with them.
Senator Portman. One final question, and this just sort of
comes to me as we have been listening today to the testimony,
who should have this information, the most sensitive
information we talked about. The Department of Defense (DOD)
used to have it. OPM has it now. Clearly, with these breaches,
this should be revisited. So I would ask you, Mr. Scott, do you
believe the Department of Defense is a better place to have
this sensitive information? Are they better prepared to handle
it?
Mr. Scott. I have to say, Senator, I am fairly new to the
Federal Government, and I do not have a comprehensive view at
this particular point. This 30-day sprint that we are doing
will look across a wide range of policy, practice,
organization, resourcing, and a number of other things, and
that certainly we can put on our list as something to come back
with----
Senator Portman. The Federal Investigative Services is a
specific area, Mr. Scott. We would appreciate your input as to
where you think that ought to reside. I do not know if you, Mr.
Ozment, or you, Ms. Archuleta, have thoughts on that.
Ms. Archuleta. As a suitability agent, I work very closely
with our security agent and OMB to really discuss the
improvements that need to be made throughout the Federal
investigative background, and we have been working on that
together and take very seriously that responsibility. I think
we do a good job at this, and because we do work very closely
with our partners on it, especially with DOD, to make sure that
they are getting the type of background investigations and the
quality and the timeliness that they deserve, and we are
working very hard at that and making improvements all the time
to be sure that we are delivering the product they deserve.
Senator Portman. Thank you. My time has expired.
Chairman Johnson. Thank you, Senator Portman.
I just want to kind of get the timeline straight on these
breaches we are talking about that are the subject of this
hearing. The breach that involved personnel information
occurred in December 2014 and was discovered in April of this
year, about 4 months later. Is that correct, Director
Archuleta?
Ms. Archuleta. Yes, sir.
Chairman Johnson. And the breach that involved all the
background information, very sensitive national security
background information, that occurred a year ago in June 2014,
and basically took 12 months to discover. That was actually
discovered because we implemented some--is it a dual
authentication process and we actually prevented them from
continuing to exfiltrate information?
Mr. Ozment. Sir, if you will, I will recapitulate the full
set of dates, because I think you are right, it is extremely
important.
The Department of Interior Data Center--and as you know,
the investigation on all of these continues, so we learn new
information all the time. All of these were discovered due to
the April 2015 discovery, so OPM rolled out new security
technologies, as they had been rolling out new security
technologies, detected an intrusion on their networks in April
2015. They gave DHS the cyber threat indicators, similar to
what is being discussed in information-sharing legislation. We
used those and identified the breach at the Department of
Interior.
The breach at the Department of Interior, the adversary was
on the network of the Department of Interior from October 2014
through April 2015. Specific pieces of data were removed in
December 2014. So that is where the December date is coming
out, but looking at the whole range of when the adversary was
on the network, it was October 2014 through April 2015. And I
would encourage you to think about that as the most relevant
timeframe.
Chairman Johnson. OK.
Mr. Ozment. At OPM itself, there are really two key
timeframes: the timeframe when the adversary was on the
network, which was May 2014 to April 2015; but the time that
the adversary was essentially active on the network was only
June 2014 through January 2015. OPM rolled out a security
control in January 2015 that stopped the adversary from taking
further significant action, but it did not detect the
adversary. So the adversary was largely stopped in January, but
not detected until an additional control was rolled out in
April.
Chairman Johnson. OK. Again, so we found out in mid-April,
and we announced this on June 4. The public became aware of
this on June 4.
Mr. Ozment. So in mid-April, we discovered that the
adversary was on the network, but not what they had done. And
so we then commenced the forensics work. The forensics work
reached a high confidence level more rapidly at the Department
of Interior. So the Department of Interior, they more rapidly
finished the forensics--or largely finished the forensics
investigation and were able to conclude the breach.
Chairman Johnson. OK. So, again, so I understand. That
takes time.
Mr. Scott, in your role within OMB as the Federal
Government's Chief Information Officer, you did announce the
cybersecurity sprint last week. I realize you are relatively
new in the role, just starting in February, and we are not
going to solve these problems overnight. I have that. Why
didn't we announce a more robust effort right off the bat,
basically in April?
Mr. Scott. So we formed an E-Gov Cyber Unit late last year
in my office, put that team together, worked closely with DHS
and so on. And I began with that team to look at the cross-
government data. Some of the elements of what we announced in
the sprint we actually started before the full sprint was
announced. So it has been an escalating set of activities.
Chairman Johnson. So, again, you have expressed a fair
amount of confidence in Director Archuleta and her team to fix
this. But, again, I go back to the Federal Information Security
Management Act audits, and, even in fiscal year 2009, in that
audit, the first page of the executive summary says, ``The lack
of policies and procedures was reported as a material weakness
in fiscal year 2007 and fiscal year 2008.''
The weakness in our government security systems has been
known for a long time. I understand that you do not solve these
problems overnight. I understand that Director Archuleta has
been in the office about 18 months. But certainly, having been
a manager in the private sector myself--again, I do not expect
perfection. I understand the problems are difficult to solve.
But I am looking for people to prioritize. I am looking at
people's actions that they took. And the fact that the Director
did not meet with the Inspector General to specifically discuss
these IG reports, the fact that she has not yet met with FBI
Director Comey on these very serious issues really gives me
pretty great pause in terms of having confidence that the
current management team in OPM really is up to the task.
Do you disagree with that? Do you really have that great a
confidence?
Again, you are the Federal Government's Chief Information
Officer. Do you really have confidence in the management team
of OPM that they are going to be able to solve this problem
when they have shown such a lack of attention and priority to
this issue? And let us face it, a record of failure now.
Mr. Scott. Well, Senator, I think there are several bits of
evidence I can go back to, many of which you have mentioned
here. But the history going back to 2009 and 2010 shows that
there has been a historical set of issues there.
If I look in at OPM and elsewhere where progress has been
made, I can see a delineation point from when Director
Archuleta took place and recruited Donna Seymour into that role
where there is a dramatic difference in terms of the actions
that not only were planned, but then began execution. And I
worry in this particular case that as we deploy more tools
across the Federal Government and as we are likely to discover
more of these kinds of issues, that there is a chilling effect
on anybody wanting to come in and take one of these roles----
Chairman Johnson. I understand, and, again, that is a real
problem. I appreciate that you are willing to exit the private
sector, with your expertise and bring that to bear in terms of
service to this Nation. But, again, here is my problem. A Flash
Audit on the Infrastructure Improvement Project, where the
final conclusion is, ``In our opinion, according to the
Inspector General, the project management approach for this
major infrastructure overhaul is entirely inadequate and
introduces a very high risk of project failure.''
That does not give me much confidence in the management
team that is implementing that.
Inspector General McFarland, do you have confidence in,
based on your audits, on the work you have done, do you have
confidence in OPM's current management to really follow through
on this and provide the security I think this Nation deserves?
Mr. McFarland. I believe that the interest and the intent
is there, but based on what we have found, no.
Chairman Johnson. I have no further questions. Senator
Ayotte.
OPENING STATEMENT OF SENATOR AYOTTE
Senator Ayotte. Thank you. I wanted to ask about--one of my
staff members received a letter from OPM, and as I understand
it, in the letter she was asked by a third-party contractor to
produce information on her credit card and bank accounts, and
she was also not told about the IRS' IP PIN program, which we
have spent some time on in this Committee, which allows
taxpayers who are victims of identity theft or potential
victims to protect themselves.
So I was kind of troubled when I learned that this morning
from her just because here we have a situation where all of
these records have been breached, and if our solution is to ask
people to submit additional very personal information on credit
card bank records, that you would then--either you or your
third-party contractor would be holding rather than working
with potential victims of this to have them seek the proper
mechanism with the credit reporting agencies. So can you help
me understand this and why you think this is a good approach?
Because, let us face it, the fact that we are where we are with
all these records that have now been breached, I do not think
people should feel real confident at the moment of giving you
additional information or a contractor working with the
government on this.
Ms. Archuleta. To my knowledge, Senator, we are not asking
and so I would like to talk to your--we are not asking for that
information, so I would like to talk to your staff member to
find out exactly what conversation or what information she got,
because the registration for the credit monitoring is an action
that each individual takes. So I would be glad to talk to her.
I would like very much----
Senator Ayotte. That would be great. I hope she is not
already being--her information trying--identity thieves already
trying to manipulate this because----
Ms. Archuleta. Yes.
Senator Ayotte. When she told me that this morning, my jaw
dropped. And so I want to understand why OPM is not using
encryption or what steps are being taken to better use
encryption of people's information given the breadth of
personal information that OPM is maintaining on so many of the
people in this country.
Ms. Archuleta. Certainly. I wish that our systems, all of
our systems were able to be fitted with the encryption tools,
but we have an older legacy system, and there are certain
applications that it would not--we would not be able to use
encryption. And as Dr. Ozment will say, the encryption, in
fact, would not have prevented this incident. That is an
important fact. But that does not mean that we should not move
forward to indeed apply encryption wherever we can, and we are
moving forward with that as well as using more modern tools
such as masking and the hiding of--or redacting of information
when it is not needed.
Senator Ayotte. Well, encryption is one tool in the
toolbox. Does OPM employ a layered approach at all? Because,
obviously, layering is something that is important when you are
looking at making sure that there are different ways that
information is protected as a multi-verification process versus
relying on one tool in the toolbox.
Ms. Archuleta. I would have to get back with you, Senator,
to be sure that I can give you the full information.
Senator Ayotte. Well, that would be very important, I
think, because to me the fact that many of the tools that seem
to be lacking in the use here are already being engaged in the
private sector, yet the type of personal information that is
being held by an agency like OPM is just staggering in terms of
what we are hearing about the breadth of this breach. So I
would like a followup on that question.
One thing that I want to understand is that, in January,
OPM began utilizing this two-factor authentication approach and
incidentally, and unknowingly, ended the intrusion into the
data system containing security clearance information. Do you
believe that had this been in place to begin with the intrusion
would not have been able to happen in the first place?
Ms. Archuleta. I would have to ask Dr. Ozment more on the
forensics side for that, but I know that we have moved very
rapidly to increase the percentage of unprivileged users with
two-factor strong--two-factor authentication. We also for
remote users have a 100-percent--I am sorry, that for--we
have--requiring two-factor authentication for all remote users.
Senator Ayotte. And one of the things that I had asked you
about with my staff member when I told you the information she
had received--and we touched upon it at the beginning--was
something we heard a lot of testimony in this Committee on from
the IRS Commissioner, because, unfortunately, the IRS has been
breached as well, and they have this IRS IP PIN Program. It
strikes me that, given the type of information that has been
breached in this, the victims of this theft can very much
expect that they could likely be victims of tax fraud going
forward. So what steps are you taking to ensure that these
victims have actual and are enrolled in the IRS IP PIN program
to ensure that we are not having another hearing on I suppose
potentially millions of individuals who now find themselves to
be victims of tax fraud as well?
Ms. Archuleta. I will ask my colleague Tony Scott to talk
about that. I am not familiar with the IRS.
Mr. Scott. Yes, the PIN program is actually designed to do
a different thing, as I understand it, than would be the use
case for OPM. But I can answer some of the question that you
asked the Director. They do have a multilayered approach----
Senator Ayotte. But, Tony--excuse me. I am sorry, Mr.
Scott.
Mr. Scott. Yes.
Senator Ayotte. But let me just say what the IRS--what I am
trying to say is this, is that we know all this personal
information has been breached. People are going to be--that are
the victims of this will be filing their tax returns. If they
are enrolled in the IRS PIN program, people cannot just file
the tax return. They are then given a PIN at their physical
address so, therefore, the identity thieves cannot then use
this information to then victimize them on the IRS end. And
this would be something, if I were a victim of this, that I
would want to have put in place right away because this could
protect me from potential tax fraud because of the extra step
that has to be taken.
So how are we working this with the IRS to make sure these
victims have access to this program? Because this is a very
large problem right now.
Mr. Scott. Sure. I am sorry. I misunderstood your question
initially. We will look at this cross-agency, not just at the
IRS but anywhere else citizens need to interact with the
Federal Government as part of our longer-term recommendation.
Senator Ayotte. So, forgive me, my time is up, but I think
looking at it is probably insufficient given how devastating
this type of use of people's personal information can be. And I
think that we cannot just look at it. I think we have to come
up with a plan to give the people who have been victimized the
opportunity to be part of this program so they then are not
further victimized by becoming victims of tax fraud.
Thank you.
Chairman Johnson. Senator Sasse.
Senator Sasse. Director Archuleta, here is where I think we
are. I think this morning we have heard a sketch of a timeline
that shows attackers persistently coming after confidential
personnel and background investigation and OPM being caught
flat-footed for up to 19 months. Has any malware been detected
on OPM's network since June 8 when the intrusion into security
clearance databases was discovered?
Ms. Archuleta. We are unaware of any at this time.
Senator Sasse. Given how long it took OPM to detect the
attacks, how can we know that the attacks are over?
Ms. Archuleta. We worked very closely with our
cybersecurity experts throughout government, working closely
not only with DHS but FBI and their hunt teams. So we are
constantly monitoring our systems.
Senator Sasse. But couldn't you have given that same answer
in March and it would have been wrong?
Ms. Archuleta. As we have developed and installed new
security systems--in March 2014?
Senator Sasse. March 2015 you did not have information--you
had not discovered these attacks that were then ongoing.
Ms. Archuleta. We have been working very hard, sir, to put
in place all of the security measures, and I think in my plan
there is a long list of things that we have done and been able
to do. We need more resources to get that done, and that is why
we have come to Congress to ask for them.
Senator Sasse. I want to go to Dr. Ozment in a minute, but
if I can translate, I think what you just said is you do not
know that the attacks are over. Director Archuleta, I am
saying----
Ms. Archuleta. I am sorry. We----
Senator Sasse. You said you are trying hard. That is
different than having knowledge that the attacks are over.
Ms. Archuleta. Sir, we combat over 10 million attempts in a
month, and so we are working very hard. I can describe to you
each of the things that we have done. That is why I gave you
the paper this morning so that you would have that. We have
worked very hard to do that not just at OPM but with all of our
colleagues. Cybersecurity is an enterprise endeavor, and that
is why we work with Tony and Andy and our colleagues at FBI and
National Security Agency (NSA). We do work with them on this.
We are combating a very aggressive, a very well-funded, and a
very focused perpetrator.
Senator Sasse. I agree that we are dealing with persistent
attackers, but I think you did not say that you have certainty
that the attacks are over.
Dr. Ozment, do you believe the attacks are over and that we
know that with certainty?
Mr. Ozment. I spend a lot of time with both government and
private sector cybersecurity experts, and I do not think any
cybersecurity expert I know would ever say that we can be
certain that we have blocked all intruders who are trying to
get into our networks. And I think that is the state of the
world that we are living in right now. It is not a condition
unique to OPM. That is a universal truth for cybersecurity.
Senator Sasse. Mr. Scott, has the malware that was found at
OPM been discovered on any other agency's networks?
Mr. Scott. I think it is a better question for Andy, but
the way it works is DHS has these indicators of compromise, and
then they circulate them to all the other agencies. And as part
of our cyber sprint, we have asked agencies to go back and take
a look at those.
Senator Sasse. This is not a blame allocation question----
Mr. Scott. Right.
Senator Sasse [continuing]. And not meant to be hostile,
but isn't your title senior to his? Help us understand what
your role is if that is a question for Dr. Ozment.
Mr. Scott. Ours is more policy and guidance. DHS has the
operational responsibility in the cyber framework.
Mr. Ozment. And, sir, I can tell you that we have, as Mr.
Scott highlighted, shared these indicators to departments and
agencies. We have had at least one department think that they
had an intrusion, but after further forensics, it turned out
not to be the case. But we continue to ask agencies to keep
using these indicators, keep looking to see if they see
activity on their networks. And, of course, if anything comes
up, we work with the agency to investigate it. But we have not
confirmed anything additional since--other than this Department
of Interior Data Center and OPM itself.
Senator Sasse. So would that mean that any other known
Federal intrusions would be visible to this Committee? Are
there any other cyber attacks against the Federal Government
that have not been disclosed to this Committee?
Mr. Ozment. The FISMA 2014 legislation imposed requirements
for notifying the Congress on cyber intrusions and attacks. To
my knowledge, any intrusion and attack that would fall into
those requirements has been notified to you. There is a
constant low level of activity across the government, where
sort of the noise of the Internet occurs. You have low-level
criminal malware. I do not know that that is--I would not
expect that that is required to be reported and is not
reported. But the significant activity that is covered by FISMA
2014, to my knowledge all of that has been reported to the
Congress.
Senator Sasse. Thank you. I would like to go back to
Senator Portman's line of questioning about the SF-86. Director
Archuleta, there have been many summaries of where we are in
this attack in the media that have likened this to the Target
or the Home Depot attack, which is where credit card
information was stored. Obviously, we are talking about
something much more serious than that. I want to quote from the
SF-86 for a second.
``In addition to the questions on this form, this inquiry
also is made about your adherence to security requirements,
honesty and integrity, vulnerability to exploitation or
coercion, falsification, misrepresentation, and any other
behavior or activities or associations that tend to demonstrate
a person is not reliable, trustworthy, and loyal.''
As those of us who have been through top secret background
investigations know, they ask lots of questions about sexual
history, relationships, associations, anything that could lead
an individual to be coerced or blackmailed. Can you help us
understand why this information would have been stored on OPM
networks to begin with?
Ms. Archuleta. It is part of the background investigation
that we do for the clearances at very high levels for
classified positions, and that is part of the determination for
the adjudication information.
One of the things that is important--in understanding the
scope of this breach--is to really understand how that data was
saved. So I want to be sure, again, as I go back to my opening
statement, that we are looking at all of these files to see how
that data was stored and sort of the impact and scope of that
breach. And that is why we are taking much more careful time to
do so.
Senator Sasse. In the sexual history kinds of questioning,
if people named other parties, would those have been in this
information?
Ms. Archuleta. It really is relying on the--I actually do
not know what is stored in which files. I would be glad to get
that to you to give you a description. I believe that, again,
it is how that information is stored and what access the breach
had to that.
Senator Sasse. Dr. Ozment, do you think that narrative
history would be stored?
Mr. Ozment. I cannot speak to the contents of the
databases.
Senator Sasse. I think I need to yield to Mr. Carper. I
have more questions, but I will wait.
Chairman Johnson. Senator Carper.
Senator Carper. Thanks. Thank you for yielding. And, again,
thank you all for being here. I know you have been here for
quite a while, and we are grateful for your presence and your
answers to our questions.
General McFarland, I am going to ask you to come back in a
minute--and maybe not right now, but in a minute I am going to
ask you to come back. You shared a cautionary note with us
about rushing, maybe rushing so far to address this problem,
fix this problem, that we actually waste money, and you sounded
a cautionary note. Why don't you just go ahead and sound that
cautionary note again? What did you say right at the end of
your testimony, please? Because we want to move with great
dispatch, and usually that is good--maybe not always, but you
gave us some advice that I thought was probably worth
repeating. What did you say?
Mr. McFarland. I said it may sound counterintuitive, but
OPM must slow down and not continue to barrel forward with this
project. The agency must take the time to get it right the
first time to determine the scope of the project, calculate the
costs, and make a clear plan about how to implement this
massive overhaul. OPM cannot afford to have the project fail.
Senator Carper. Thank you. I mentioned earlier these four
legislative steps that we took last year to bolster DHS and
their ability to fend off government, writ large, cyber
attacks: the passage of the Federal Information Security
Modernization Act; the workforce capabilities, strengthening
the workforce capabilities at the Department of Homeland
Security; strengthening and making real the ops center for the
Department of Homeland Security; and also the passage of the
Federal Information Technology and Acquisition Reform Act
(FITARA).
I think in your testimony here and in other hearings we
have had, almost everybody says those were the right things to
do. I am not sure we are fully implementing them as quickly as
we need to, but at least I think on that front we have done our
job. And we are going to do oversight to make sure that the
implementation is being done in an appropriate and expeditious
way.
Give us our to-do list. Give us a very brief to-do list of
some things on the heels of what we have done legislatively
what we need to do. What do we need to do next? And just very
briefly.
Director, very briefly.
Ms. Archuleta. Yes, and as I do that, I would like to
clarify perhaps a statement that the IG made in terms of the
additional resources, an answer that he responded to. We
requested $21 million in the President's Fiscal Year 2016
budget, but we are currently reevaluating fiscal year 2016 IT
modernization needs in light of these developments, and so we
would appreciate the Senate's support. And as I said, we will
get back to you with that number.
Senator Carper. All right. Thanks.
Mr. Scott, give us one thing that ought to be at the top of
our to-do list.
Mr. Scott. Sure. I have four very quickly.
Senator Carper. OK.
Mr. Scott. The first one is pass the administration's
proposal for information sharing with the private sector. It
will help everybody. It will help the Nation.
Second----
Senator Carper. I actually introduced, with a slight
modification, the administration's proposal, and hopefully we
can get that done. God knows we need to.
Mr. Scott. Thank you. The second one is do not allow
exceptions to the FITARA rule. That legislates good governance
and good practice and helps make the CIO fully accountable in
each agency.
Senator Carper. OK.
Mr. Scott. We will have recommendations coming out of our
sprint, and I am sure there will be a reallocation of resource
and priority as a result of those recommendations.
Senator Carper. All right. Thanks. Dr. Ozment.
Mr. Ozment. I would second Mr. Scott's highlighting of
cybersecurity threat indicator sharing legislation. I would
also really emphasize the importance of passing authorizing
legislation for EINSTEIN. As you know, it played a key role in
this incident, and it is an important layer in our layers of
defense. And one of the impediments has been that some agencies
are concerned that existing legislation impedes their ability
to work with us on EINSTEIN. So your clarification of that
would be greatly appreciated.
Senator Carper. All right. Thanks.
Mr. McFarland, General, give us one more thing to put at
the top of our to-do list. These are helpful ideas.
Mr. McFarland. I would think that it would be very helpful
if FITARA and FISMA had more teeth to it from OMB's
perspective. And instead of getting lists of who is doing this
or who is doing that, who is delinquent, how far are they
delinquent, that there would be some accountability against
people.
Senator Carper. Good. Mr. Scott, would you respond to that,
please?
Mr. Scott. I think those are good recommendations, Senator.
Senator Carper. OK. Given what we all know about the OPM
breach, can each of you talk about some of the lessons learned,
kind of looking back, we are all better Monday morning
quarterbacks, but some of the lessons learned or the best
practices that we should be incorporating across the
government, and why haven't we already taken these steps at
some of the other agencies. Do you want to go first on that,
Mr. Scott?
Mr. Scott. Sure, I would be happy to. Some of the early
things in this also leverages my experience in the private
sector. If you look at where the money has gone and where most
of the effort has gone, it has been to prevent the cyber attack
from occurring in the first place. Even with multilayered
approaches, most of that has been on prevention, but it is very
clear with these persistent adversaries that some things are
going to get through. They are just nasty, and they keep coming
at you. And you are always going to have at some point somebody
getting through.
And so as a Nation, and especially as a Federal Government,
we also have to invest in technology that will allow us to
quickly detect much more rapidly than we have been when there
is a breach, then contain, and then quickly remediate. And so
some of our recommendations are likely to be in those areas
where we have underinvested, even in a history of
underinvestment in cyber more broadly.
Senator Carper. Dr. Ozment, same question, just briefly, if
you would.
Mr. Ozment. I would just second what Mr. Scott said.
Senator Carper. That was a short answer.
The last thing I would say is, to go back to my friend
Senator Sasse, the question of is this going to be the last
attack, we all know it is not. Will it be the last attack if
this was from the Chinese or some other source? We know it is
not. And one of the takeaways for me here today is this is an
all-hands-on-deck moment; we all have a responsibility. This is
a shared responsibility. You have yours, we have ours. And we
need to not just point fingers at one another, but to actually
figure out how to join hands and be a team in this all-hands-
on-deck moment. And you have my pledge to do that, and we are
going to bring our best efforts to bear, and we need for you to
do that as well.
Thank you.
Chairman Johnson. Thank you, Senator Carper.
Before I close out the hearing by giving the witnesses one
last opportunity to make a closing comment, I would like to
throw it over to Senator Sasse. You said you have another quick
question or two?
Senator Sasse. Yes, if I could just take 3 minutes, Mr.
Chairman.
First, following upon what Senator Carper just said, Mr.
Scott, did OMB give OPM permission to operate without proper
cybersecurity protections?
Mr. Scott. I am not aware of any either giving or denying
permission in that particular case. What we are doing is
revising our guidelines. There was an every-3-year
authorization thing earlier, and that is under review right
now. And we did issue guidance that allowed for more continuous
authorization versus a 3-year. But that is subject to revision.
Senator Sasse. Thank you.
Dr. Ozment, did you understand--you are now being brought
in to help clean up this matter from DHS, but did DHS understand
OPM's vulnerabilities prior to them being breached?
Mr. Ozment. One of DHS and my organization's roles is to
help compile the annual FISMA report to Congress, some of which
we were handed today or presented today. As part of that, we
compile agencies' self-reported information on their
cybersecurity, and all agencies have vulnerabilities, just as
all companies have vulnerabilities.
To my knowledge, we were not aware of any specific
vulnerabilities that were relevant to this incident, but we are
generally aware that all agencies need to make additional
progress on cybersecurity.
Senator Sasse. But given some of the specific
vulnerabilities at OPM, do you believe that OPM was fully
honest about its problems with DHS leading up to the breach?
Mr. Ozment. To my knowledge, yes.
Senator Sasse. I will close with this last question. The
Inspector General has criticized OPM for operating a
``decentralized system'' of cybersecurity because it created
unique vulnerabilities. Could you explain what that means and
tell us if you think any other agencies are currently operating
with similarly decentralized systems? Dr. Ozment, I mean it for
you, but I did not know--the Inspector General leveled the
criticism, but I am curious as to whether or not you think
other agencies have the same vulnerability.
Mr. Ozment. I am sorry. Would you repeat the entire
question? I apologize.
Senator Sasse. You bet. The Inspector General has
criticized OPM for operating with a ``decentralized system'' of
cybersecurity which created some unique vulnerabilities. One, I
wonder if you can translate what that means. And, two, I wonder
if you think any other agencies have the same decentralized
system.
Mr. Ozment. Thank you. I absolutely believe that it is very
difficult for an agency to secure themselves if their CIO and
CISO at the agency level are not empowered. I know that that is
a concern that in part prompted, in fact, the FITARA
legislation, and I think that is the crux of the matter. If
they are not sufficiently empowered, if IT authority is
decentralized within the agency, it is extremely difficult for
that agency to secure itself.
Senator Sasse. So I think that means you think that many
agencies have the same problem.
Mr. Ozment. I think there are other agencies that need to
make progress in that area, absolutely.
Senator Sasse. Thanks.
Chairman Johnson. Thank you, Senator Sasse.
Again, I would like to offer the witnesses one last
opportunity if you have a closing thought or comment. We will
start with you, Madam Director.
Ms. Archuleta. Thank you, Chairman. I appreciate the
opportunity to be here today.
I would like to take the opportunity to clarify earlier
comments to Senator McCain about the 18 million number. The 18
million refers to the preliminary approximate number of unique
Social Security numbers. It comes from one of the compromised
systems. However, it is incomplete, and it does not provide an
accurate picture of the final number, and it is one system
among several, and the number has not been cross-checked
against the other relevant systems.
In closing, I would state that, again, we are reevaluating
our fiscal year 2016 needs. We are not seeking a fiscal year
2015 supplemental. And, again, I appreciate the opportunity to
be here with you today.
Chairman Johnson. Thank you. Mr. Scott.
Mr. Scott. Thanks for having us today. I look forward to
coming back to the Committee with our recommendations at the
end of the 30-day sprint period and would love to engage in a
further conversation with you at that point.
Chairman Johnson. Thank you. Dr. Ozment.
Mr. Ozment. Thank you. Upon reflection, I would like to add
to my answer to Senator Tester about Federal cybersecurity
strategy. We have the skeleton of our path forward, and we can
and should move out and execute on that skeleton.
I do think there is also value in continuing to flesh out
that skeleton, and, in fact, I hope that that is--the 30-day
surge will help us do that.
I would also thank Senator Carper again for his remarks and
reiterate the importance of information-sharing legislation and
also positive authorization for the EINSTEIN program.
Chairman Johnson. Thank you, Doctor. Inspector General
McFarland.
Mr. McFarland. Yes, I would like to go back to Senator
Sasse's recent comment and suggest that we work very hard to
centralize the governance of information technology whenever
and wherever possible.
Chairman Johnson. Thank you, Inspector General. Again,
thank you for your service. Thank you for your independence.
Mr. McFarland. Thank you.
Chairman Johnson. I want to thank all the witnesses for the
time you have spent, for your thoughtful testimony, and your
answers to our questions.
The hearing record will remain open for 15 days until July
10 at 5 p.m. for the submission of statements and questions for
the record.
This hearing is adjourned.
[Whereupon, at 11:59 a.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]