At a contentious hearing in Congress today, members of a House committee grilled the director of the Office of Personnel Management over the hacking of agency computers, and later called for her resignation.
OPM Director Katherine Archuleta came under attack from Republicans and Democrats for her agency's handling of the breach that hit the computers where the personal information of most federal employees is kept.
House Oversight Committee Chairman Jason Chaffetz, R-Utah, said the inspector general's office had said earlier that OPM's computer security was so bad some of the systems should be shut down. His voice rising, Chaffetz told Archuleta, "your systems were vulnerable, the data was not encrypted, it could be compromised, they were right!" Chaffetz went on, "last year they recommended it was so bad that you shut it down and you didn't and I want to know, why?"
Archuleta said some of the OPM computers were too old to handle encryption, and that shutting down the systems would have created payroll and benefit problems.
The OPM director did confirm that a second breach, revealed Friday, included records of people who had undergone background checks to qualify for federal jobs. She said, "there is a high degree of confidence that systems related to background investigations of current, former, and prospective federal government employees, and those for whom a federal background investigation was conducted may have been exfiltrated."
Archuleta would not say publicly whether those whose data was stolen included government contractors, military personnel, or CIA agents. Nor would she say how many additional people were impacted. Some sources have put the number in excess of 14 million people.
Officials did confirm that the data includes personnel records that for some long term employees go back decades.
Also testifying today was the U.S. Chief Information Officer, Tony Scott. He told the panel that because of the age of some of the government computer systems, patching the holes was difficult. "In some cases, its very very hard to sort of duck tape and Band Aid things around these systems. It doesn't mean there's nothing you can do, but fundamentally it's old architectures that need to be replaced."
Scott has ordered that government agencies conduct what he's calling a 30-day "cybersecurity sprint," to patch vulnerabilities, immediately report possible hacks and make access more difficult by requiring multiple forms of verification.
James Lewis, is a cybersecurity expert with the Center for Strategic and International Studies. Lewis says the sprint "sounds like a good idea," but
says the government "has tried this before and the problem is always follow-up; how do you make sure that people do it and what do you do to them if they don't do it." Lewis calls it "a nice set of ideas, but the question will be 30 days from now what happens to an agency that doesn't follow through."
After the hearing, oversight committee chairman Chaffetz, who earlier said the OPM director had "utterly failed," called for Archuleta to step down.