Videos & Speeches

OPM Data Breach

Mr. President, earlier today the Financial Services and General Government Appropriations Subcommittee, of which I am a member, conducted a hearing on the data security breach at the Office of Personnel Management. I am a member of that subcommittee, and we had several witnesses, including OPM Director Archuleta. Our goal was to learn about the latest data breach that was revealed earlier this month.

I think that in many ways the hearing was useful and in other ways it was inadequate. The hearing once again demonstrated that much more needs to be done to address the ongoing IT management issues which plague so many agencies but in particular OPM.

As our witnesses testified, the recent breach--and really, it is breaches--at OPM was not a resource issue but a management issue. Too often--and I certainly understand that how we appropriate money is important--the excuse is we don't have enough resources. Today, in my view, it was made clear that this is much more of a management issue than a resource issue.

As Director Archuleta said in her confirmation hearing as well as in today's hearing, IT security was her top priority when she entered the agency in November of 2013. But what has transpired since then has been troubling. She reminded me today that in her confirmation hearing--IT data security was her top priority when she arrived at the agency in late 2013.

Ms. Archuleta highlighted the fact that in March of 2014, OPM detected a sophisticated attack targeting sensitive information. While the hackers didn't get information in that particular instance, this should have been the first alarm to go off that somebody was trying to get access to very sensitive documents.

I will reiterate what I am talking about in this case. This was March of 2014. We are talking about a hack attempt that occurred last year, not the ones that are making the news today. Unfortunately, it happened again a year ago--in June of 2014--when a company that was involved in background checks for the government, U.S. Investigation Services, USIS, suffered a breach impacting as many as 26,000 Federal employee records. It happened again in August of 2014--a third time. So we have March, June, and August. In August of 2014, another company involved in background checks, KeyPoint, was breached, and this time over 48,000 records were stolen.

In both of these contractor breaches, OPM was required to send out notifications to Federal employees who were affected. Clearly OPM knew about these breaches. Now we have learned that the credentials stolen in those original breaches were used to enter the OPM system and this time steal highly sensitive information. The information stolen was Social Security numbers, military records, veteran status, addresses, birth dates, job and pay history, health insurance, life insurance, pension, age, gender, race, and union status. So these three separate examples should have been the stark warning to secure this highly sensitive data.

When I asked the Director today about this topic, she merely pointed to an IT modernization plan that was drafted when she entered the agency about 20 months ago. My question was: Having seen these three attempts to breach the information at OPM, what then occurred at OPM following that which was different to further and better protect information at the Office of Personnel Management? The answer was really about pointing to a plan that was developed when the Director initially arrived at OPM some 20 months ago.

In addition to those three breaches, if those were not warning enough, there were two other important reports which also could have and should have suggested that better management was needed. In November 2014, the inspector general for OPM released its annual report on Federal information security. That report found that 11 of the 47 major information systems--23 percent--at OPM lacked proper security authorization. In fact, 5 of the 11 systems were in the office of the Chief Information Officer, the person responsible for the agency's data security.

This morning, Ms. Archuleta was proud to claim that the agency had been upgraded to just “significant deficiency” with regard to its IT system, up from “material weakness.” And the inspector general testified this morning that they had offered 29 recommendations in their November report, and to date only 3 of the 29 recommendations had been adopted.

In addition to the inspector general report in November of 2014, in December--the following month--of 2014, the General Accounting Office, or GAO, issued a report highly critical of IT management at OPM. The report identified best practices that OPM should implement to improve IT management. The report found that “OPM's efforts to modernize retirement processing have been plagued by IT management weaknesses”--another indication that OPM desperately needed to address IT management, which our witnesses argue is critical to ensuring agency-wide security.

So my takeaway from this morning's hearing is that all the warning signs were there. OPM was aware of the persistent issues. They knew about breaches to their contractors, and the agency knew they were a target. Yet the only evidence that OPM did anything was a plan that was written in the first 100 days of the new Director's tenure at OPM. Planning is important, but execution matters a lot more.

We still need lots of answers as to what OPM did following those original breaches last year. What security plan did they put in place? Have they identified which information to secure? How did they secure these documents? Were they effective in preventing other attacks? How often did the OPM Director and the CIO, the Chief Information Officer, meet and what were their discussions?

I am encouraged to know that our Financial Services and General Government Appropriations Subcommittee intends to have another hearing, and this time we will have the opportunity to present it in a secured setting so that no one can indicate that they are incapable of answering the question because of security issues. I look forward to that hearing. However, I will tell my colleagues that it is discouraging to know what I now know, and it is a discouraging time for IT security and the Federal Government.

I hope we can use this as a lesson for other agencies that they need to be vigilant. We face real and serious threats. Inaction by agencies put Federal workers, the American people, and, most importantly, our national security at risk.

In my view, this is important. These hearings matter. The information we are garnering and attempting to garner is important for those who are employees of the Federal Government. They need to know what has transpired so they can better protect themselves. Why are they at risk because of these hacks? Secondly, and perhaps more importantly, we need to know what has transpired here. Processes need to be in place to prevent additional challenges to our information technology, because it is a matter of our national security.

So for the sake of our federal employees and their well-being but also for the sake of the American citizens and our national security, this is not an issue that we have the opportunity to avoid. Answers need to be forthcoming and decisions need to be made system-wide--not just at OPM but throughout the entire Federal Government--as we work to protect those who work for the Federal Government and as we work to protect American citizens from a national security perspective.