
His writing, how fast he was producing the work. He knocked out the first rough draft of A Farewell to Arms two weeks after arriving in Key West. He said if you really want to write, start with one true sentence. For a true writer, each book should be a new beginning where he tries again. He should always try for something that has never been done or that others have tried and failed. Key West is also where President Harry Truman sought refuge from Washington. President Truman regarded the big White House as the great white jail. He felt he was constantly under everyone's eye, and so by coming to Key West he could come with his closest staff and let down his hair; sometimes some of the staff would let their beards grow for a couple of days. They certainly at times used off-color stories. He certainly could have a glass of bourbon and visit back and forth without any scrutiny from the press. A sportswear company sent a case of Hawaiian shirts to the president, with the thought that if the president is wearing our shirt, we will sell a lot of shirts. President Truman wore those free shirts that first year, and then organized what they called the loud shirt contest. That was the official uniform of Key West. Watch all of our events from Key West today, then Sunday afternoon at 2:00 on American History TV on C-SPAN3.

Katherine Archuleta estimates that 4.2 million federal personnel are affected by two recent data breaches, and the number is likely to grow. Her comments came Tuesday during testimony at the House Oversight Committee. The first breach occurred late last year; the second was uncovered during an investigation into the first one. The system impacted hosts data for the federal government's background investigations for individuals who need security clearances. This is about two hours and 40 minutes.

Mr. Chaffetz: This meeting will come to order. The chair is allowed to call a recess at any time. Mr. Cummings will be with us momentarily.
Last week, we learned that the United States of America may have had one of the most devastating cyber attacks in our nation's history. This may have been happening over a long period of time. There is a lot of confusion about what personal information for millions of employees and workers was exposed in the data breach at the Office of Personnel Management. OPM initially reported that more than 4 million employees had information exposed during this attack. More recent reports suggest that

Yes, sir.

You have the tools now to do that?

OPM has procured the tools. There are some of our legacy systems that may not be capable of accepting those types of encryption in the environment they exist in today. That's why it's important for us to focus aggressively and proactively on building out that new architecture.

Are you talking about three months, three years?

We began our program after the March 2014 incident. We work with our inner partners to devise a very aggressive and very competent plan. We have been implementing that plan since then. We are delivering the new architecture, delivering that this fall.

This is the question. We are collecting data right now. In the meantime, where are we? I know you are trying to do some things. That doesn't make federal employees feel pretty good. It doesn't make me feel good. Tell me more. Are you saying that we are just vulnerable? We don't know when we will be able to employ the type of system we just talked about?

Guest: We have done a number of things.

I'm talking about what's going on today.

That's exactly what I'm offering, sir. We have implemented remote access to our network such that, without some type of device, our users cannot log into our network remotely. We have implemented additional firewalls on our network. We have tightened the settings of those firewalls. We have reduced the number of privileged users in our account and even further restricted the access privileges of those users.
We have taken a number of steps to increase the security of our existing network. We began that work last March, and it has continued, and we continue to work with DHS and our agency partners to test those systems and make sure they are working appropriately.

The Office of Inspector General conducted an audit in 2014 of OPM's information security programs and found several weaknesses. Can you briefly identify what those weaknesses were?

Yes, sir. The most critical weaknesses we identified in our report from 2014 were the continued information security governance problems that have existed since 2007, the decentralization of the controls. That is an area that is certainly close to being improved to a full extent. Another area of weakness was the security assessments and authorization, which is that each system that OPM owns should go under an assessment every three years and be authorized for usage. We identified 11 systems at the end of 2014 that had not been authorized that were due to be authorized. The technical security controls were another big area that we identified. While OPM has implemented a number of strong tools and is improving in that area, our concern is that some of those tools were not being used properly and that they do not have a complete and accurate inventory of databases and servers that those tools should be applied against.

Rep. Cummings: So the chairman asked Ms. Archuleta a question of how she thought she had done. Based on that, what grade would you give?

I don't know that I can give a grade.

Rep. Cummings: So of all the things that you just stated, there were certain things that were not done. Is that right?

Yes, sir.

Rep. Cummings: Did any of them lead to this breach? The things that were not done?

I don't know the exact details of how this breach occurred, so I really can't answer that question. Certainly there are a lot of weaknesses at OPM that they are in the process of trying to address.

Rep. Cummings: Last, but not least, do you have a silver bullet to address this issue, sir?

No, sir, I do not. There are very sophisticated attackers out there, and there is no one silver bullet that can be applied that will prevent these types of things from happening.

Rep. Cummings: You heard me ask Ms. Seymour about the fact that we're collecting information, and it seems as if we just are vulnerable. Is that... and there are certain areas that we may not be able to defend ourselves in. Is that an accurate statement?

Certainly there are a lot of things that can be done to make our systems more secure.

Is there something that can be done to make them impenetrable?

Not that I'm aware of.

I appreciate the witnesses being here. This morning, we have certainly heard there are no silver bullets, and I don't think we expected the answer to be yes, there is a silver bullet. We are concerned that, knowing what has been going on, having clear evidence that hackers have been attempting for quite some time, and at least those of us here who trust in agencies and people like yourselves who know the issues, that some more efforts could have been successful in stopping the most recent attacks. We have heard today that networks are not compartmentalized, segmented, in certain cases encrypted. With the recent attacks, the perimeter has been breached. The attacks often remain undetected for months. That is concerning. They are able to exploit vulnerabilities within the networks without passing through additional security measures. This is most concerning to me. Mr. Scott, as I understand, in the private sector there have been shifts toward a zero trust model. Ultimately, given OPM's role for setting metrics for agencies, can you tell us what OMB is doing to set IT security metrics to limit the number of workloads, application tiers, to the networks?

Mr. Scott: Thank you for the question.
I think there are a number of things that I would point to in addition to the measures that you just talked about. The first one is to share across the federal government not only the lessons learned from OPM but what we see from other attacks, whether successful or not, private and public, and make sure that all agencies are up to speed with the latest information on the methods of attack, the tools that are used, and so on.

That is the weakness?

Mr. Scott: It has been historically, for the government and the private sector, to share information for our ability to thwart these things. The specific measure that you mentioned, the segmentation and zero trust, is something that is more easily applied to very modern architectures. It is not as easily applied to some of the oldest and old legacy systems that we have. And I think that is going to be a challenge for all agencies where the architecture itself just doesn't lend itself to the application of certain technologies. The best answer, I think, in terms of what we have and where we go, is a model that we're promoting and encouraging across the agencies, which is defense in depth. It is a number of different measures, so that if one thing doesn't work, you have the next layer that helps, and if that doesn't work, you have the next layer. And zero trust is applicable in some of those environments and frankly is very difficult or impossible to apply.

How far are we from that?

Mr. Scott: I would say years and years, comprehensively. One of the things we're working on now is prioritizing based on the highest value assets that the federal government has, so that we're going after the most valuable stuff first and making sure that is protected the best way we can.

Ms. Seymour, with the millions of current and former federal employees, a lot of them in my district, sign on to do the work we give to them. We appreciate the work. It is something we ask them to do. The federal jobs of the departments they work under have been asked to do.
They don't expect their life to be compromised, their history to be compromised, their records to be compromised. When did OPM begin to let the victims know of the risk and breach?

Ms. Seymour: Thank you for your questions, sir. I too am a federal employee, and am concerned about this matter. It is grave and serious. We began identifying personnel on June 8 and will continue to make those notifications through June 19. That is for the personnel records security incident that we had. We have not yet been able to do the analysis to have data involved with the background investigations incident that is ongoing. As soon as we can narrow the data that is involved in that incident, we will make appropriate notifications for that one as well.

Rep. Chaffetz: I recognize the gentlewoman from New York.

I want to thank the chairman and ranking member for calling this hearing, and all of our panelists for your public service. As one who represents the city that was attacked on 9/11, we lost thousands on that day and thousands more are still dying from health-related causes from that fateful day, but I consider this attack, I call it an attack on our country, a far more serious one to the national security of our country. And I would like to ask Mr. Ozment from Homeland Security, would you characterize this as a large-scale cyber spying effort? That's what it sounds like to me. What is it?

Dr. Ozment: I think to speak to whether or not this is a spying effort, we would have to talk to any understanding of who the adversaries were and what their intent was.

You do believe it was a coordinated effort? They appear to be attacking health records, employment records, friendship, family, whole background. This seems to be a large sphere of information not only from the government but private contractors, individuals, and sometimes it appears targeted towards Americans who may be serving overseas in sensitive positions.
Would you consider this a coordinated effort? Can you answer that, or is it classified?

Dr. Ozment: I would refer that to classified.

I will be at the 1:00 briefing. Thank you. I would like to refer to this article. I would like to place it in the record. I think it is an important one. It came from ABC News. It reports that they seem to be looking at and gathering information on an SF-18 form, a Standard Form 18, which is required for any employee seeking classified security clearances. So that would be people in important positions in our government. I won't ask a question on that. I'll just wait until later. It is classified, but I am extremely disturbed. This article also points out it is not only individuals that they are going after. They are going after contractors and those that serve the government, and it mentions in other reports Lockheed Martin, where they went after their Secure ID program. Is that true, Mr. Ozment?

Dr. Ozment: I can't speak to whether any adversaries have gone after private sector

Others say they were hit by cyber attacks, and other government contractors. Now one that probably hit Congress is one in 2013 where the FBI warned that a group called Anonymous hacked into the U.S. Army, Department of Energy, Department of Health and Human Services, and many agencies by exploiting a weakness in the Adobe system. I have that in my office. They could have hacked into my office and probably every other congressional office. Then they talk about going into healthcare. They go into the Blue Cross Blue Shield system of all the federal employees. It seems like they want a comprehensive package on certain millions of Americans, many of whom are serving our country, I would say at negotiating tables, commerce, State Department, probably Defense, and every other aspect of American life in the world economy. But Mr. Scott, you have been before this committee before, and you announced you were going to review the agency's cyber security programs to identify risks and implement gaps. I wonder if you could report on what you learned from this review and any specific changes in cyber security policies, procedures or guidance, if you can report on that, or that may be classified too. Anything you can share with us on what you have been doing to act to build some firewalls.

Mr. Scott: Sure. Thank you for the question. We're conducting regular CyberStat reviews with each of the agencies. It is along the key lines with many of the topics we have talked about here. Two-factor, patching, minimizing the number of system administrators, all are called hygiene factors that we think lead to good cyber security.

My time has expired, but anything you want to give to the committee in writing, we would appreciate it.

Rep. Chaffetz: I recognize the gentleman from North Carolina.

Thank you, Mr. Chairman. Ms. Archuleta, you have been in your current position since 2013? Is that correct?

Ms. Archuleta: I was sworn in in November of 2013.

So in 2013, you, according to your testimony, made cyber the highest priority. I think that is how you opened up your testimony, that the security of federal employees was your highest priority. Is that correct?

Ms. Archuleta: Yes, sir.

So help me reconcile then, if it is your highest priority, how, when the most recent report came out that took security from being a material weakness, as it was characterized before you got there, to significant deficiency, how would you reconcile highest priority and significant deficiency as being one and the same?

Ms. Archuleta: Thank you for your question. As I mentioned earlier, one of the first things that we did, or I did for OPM, was to develop within 100 days an IT strategic plan. The issues that the IG just mentioned in terms of IT governance and leadership, as well as IT architecture, agility, data and cyber security, were all strong components of this IT plan, and the IG recognized that.

I only have five minutes, and I can't let you just ramble on with all of these things. Let me ask you, how, if he recognized that, would he still characterize it as significant deficiencies?

Ms. Archuleta: As we were instituting the improvements we were making, he was at the same time conducting his audit. His audit was conducted in the summer of 2014, when we were beginning to implement our strategic plan. The IG has continued to work with us, and we have taken his recommendations very seriously.

You have taken them seriously. Have you implemented all of them? Yes or no? Just yes or no.

Ms. Archuleta: We have many of them.

Have you implemented all of those?

Ms. Archuleta: As I said, sir, I have implemented many of them and continue to work

So you will implement all of them.

Ms. Archuleta: We're looking at each of those recommendations.

Not looking. Can you assure the federal workers that you are going to implement all of what the IG recommended to you?

Ms. Archuleta: We are working very closely with the IG.

I will take that as a no. Let me go on further. I'm very concerned. We have not notified most of the federal employees that have... we have known about it. They continue to not be notified. And yet here you are saying that you have different priorities. When Chairman Chaffetz asked you about why you did not shut it down, you said, well, OPM has a number of other responsibilities. Is that correct? That was your answer to Chairman Chaffetz.

Ms. Archuleta: We house a variety of data, not just data on employee personnel files. We also house healthcare data and other employee records.

You're saying it was better that you supply that and put federal workers at risk versus making it, according to your words, the highest priority to make sure that the information was not compromised?
If it is your highest priority, why didn't you shut it down like Mr. Chaffetz asked and like what was recommended? Why didn't you shut it down?

Ms. Archuleta: In our opinion, we were not able to shut it down in view of all of the responsibilities we hold at OPM.

So in your opinion, protecting federal workers then could not have been your highest priority, because they were competing, I guess, priorities. You said it was better that you continued on with the others versus protecting the federal workforce.

Ms. Archuleta: The recommendations that the IG gave to us are ones that we take very seriously. I don't want to characterize that we didn't, that in fact we did take

There is a quote. OK. There is a quote that says what we occasionally have to look at, you know: no matter how beautiful the strategy, we have to occasionally look at the results. And the results here are pretty profound, that we have got security risks all over, and I would encourage you to take it a little bit more seriously and indeed make it your highest priority. I yield back. Thank you, Mr. Chairman.

Rep. Chaffetz: I recognize the gentleman from Massachusetts for five minutes.

I want to thank the panel for your help. I want to associate myself with the remarks of the ranking member, which doesn't always happen.

Duly noted.

I would like to ask... excuse me, the National Treasury Employees Union, and also a letter from the president of the American Federation of Government Employees, AFL-CIO. I want to also read the first three paragraphs. This is a letter from the president of the AFL-CIO to the Honorable Archuleta. It says: I'm writing in reference to the data breach by the Office of Personnel Management. This was dated last week. In the days since the breach was announced, very little substance or information has been shared with us, despite the fact that we represent more than 670,000 federal employees and agencies throughout the executive branch. OPM has attempted to justify the withholding on the breach with the claim that it restricts your ability to inform us of what happened, what vulnerabilities were exploited, who was responsible for the breach and how they might be compensated. We believe that the data file was the targeted database and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, up to one million former federal employees. We believe the hackers have affected every person's Social Security number, military record, address, birthday, job, pay history, life insurance, email, pension information, age, gender, race, union status and more. We believe the Social Security numbers were not encrypted, a basic cyber security failure that is absolutely indefensible and outrageous.

Were the Social Security numbers encrypted?

Ms. Archuleta: OPM is in the process

Is that an I don't know?

Ms. Archuleta: I don't believe that

Could we just stick to a yes or no? This is one of those hearings where I think I'm going to know less coming out of this hearing than I knew walking in, because of the dancing around that we're all doing here. As a matter of fact, I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are at keeping information out of the hands of Congress and federal employees. It is ironic. You're doing a great job stonewalling us, but hackers, not so much. So were the Social Security numbers, were they encrypted? Yes or no?

Ms. Archuleta: No, they were not.

There you go. There you go. Now we're getting somewhere. That is pretty basic, though. That is pretty basic. Encrypting Social Security numbers. All of this happy talk about these complex systems we're going to come up with, and you're not even encrypting people's Social Security numbers. That is a shame. Let me ask you about this Standard Form 86.
For those of you, obviously you know Standard Form 86 is what we require employees to fill out if they are going to receive security clearance. These are people who have sensitive information. We drill down on these folks. This is a copy of the application. It is online if you want to look at it. It is 127 pages online. We ask them everything. What kind of underwear they wear. What kind of toothpaste. It is a deep dive. We want to know when people get security clearance that they are trustworthy. There is information: have you ever been arrested? You have financial information in here. There is a lot of information on this form. They hacked this. They hacked this. They got this information on Standard Form 86. So they know all of these employees and everything about them that we asked them in the Standard Form 86. Is that right, Ms. Seymour?

Ms. Seymour: I believe that is a discussion that would best be held until this afternoon, sir.

I think you have got to be honest with your employees. I think that we need, in order to protect them, we need to let them know what's going on, because they have the email addresses in here as well. Several, you know, your first, your second, your third email address, and all of that information is out there. So we need to be a little bit more... not a little bit more, we need to be more forthcoming with our own employees. These are people who work for us. A lot of them deserve a lot more protection than they are getting from the United States government and the office of OPM. I see that my time has expired. I yield back.

Rep. Chaffetz: I recognize the gentleman from South Carolina for five minutes.

Thank you, Mr. Chairman. Many of us are uncomfortable asking questions in this type of setting. We don't want to ask questions the answers to which should be kept confidential. I encourage you in advance, if I ask you something we should talk about in another setting, that is an acceptable answer. Let me start with this.
The follow-up question that Mr. Meadows asked of Ms. Archuleta. He asked if you were going to implement all of the IG's recommendations. Whether or not that was a yes or no answer, I agree that it was probably closer to no. Can you name for me some of the IG recommendations that you are pushing back against or that you're not interested in implementing?

Ms. Archuleta: I don't have the specific recommendations in front of me. I would be very glad to come back and talk about that. What I would like to say, sir, as we look at the recommendations by the IG, we work with him so that he can fully understand where we have moved in our security efforts, and also to understand his observations, and that is the normal audit process, and we continue to go through that on a regular basis.

That makes perfect sense. What bugs me, Mrs. Archuleta, is back in the end of 2014, they recommended, in fact it was their third recommendation, that all active systems at OPM have current authorization, and your response was: we agree that it is important to maintain all systems, but we don't believe this rises to the level of material weakness. You believe that your opinion on that has changed since November of 2014?

Ms. Archuleta: I appreciate all of the information and the recommendations that the IG has given us, and we will continue to

You believe, knowing what you know now, that did not rise to the level of material weakness?

Ms. Archuleta: We are working with a legacy system. The recommendations he has made to us, we are working those with the best of our ability.

That's what frightens me, Ms. Archuleta, that this is the best of your ability. Let me see if I can get some information here as I go back and try to explain to folks back home. I heard it is just people in the executive branch. Are we still saying that the only people whose data was exposed were folks who worked within the executive branch of government?

Ms. Archuleta: Sir, this is an ongoing investigation, and as we uncover new information, we are happy to share it with you. We are not necessarily restricted to the executive branch, because there are people who worked in the executive branch today who worked in

I got the notice, and it says if you worked in the executive branch or ever have worked in the executive branch, then there is a chance they got your data. If you never have, then you don't have to worry. Are you still comfortable with that statement?

Ms. Seymour: No, sir, this is an ongoing investigation, and we are learning new facts every day.

The original number we heard was 4 million. Is it still 4 million? I heard 14 million. What is the current number of previous employees who have been affected?

Ms. Seymour: Approximately 4 million is the number we are making notifications of today. We continue to investigate so that we can understand that data and begin to make notifications there as well.

I have a question. I don't think it has been asked yet. I think it is for Mr. Ozment or whoever else understands the IT systems. We used to differentiate between someone who hacked into our systems and someone who stole something from us. There are two levels of involvement there. Have you been able to make that distinction, where things were exposed and where possibly they actually downloaded data?

Dr. Ozment: That is an important distinction, and one that we spent a lot of our investigative time examining. For the personnel records, approximately 4.2 million records, the incident response team led by DHS has concluded with high probability that that data was exfiltrated, meaning that it was removed from the network by the adversary who took it, and we continue to investigate the information.

I appreciate that. I don't mean to cut you off. Let me ask one more question. I heard about the data. I heard Mr. Lynch ask about the Social Security numbers. Health data.
Why do we collect health data on our employees? If I come to work for you, for the government, do I give you my health records?

Ms. Archuleta: Not your health records, but the information regarding your health carrier is the information we receive.

Not your health. It is not specific medication or specific conditions. It is just who my health insurance company is?

Ms. Archuleta: Exactly.

Rep. Chaffetz: I recognize the gentleman from Virginia.

Thank you, Mr. Chairman. In bloodless and bureaucratic language, we're talking about the compromise of information for federal Americans. The most catastrophic compromise of personal information in the history of this country. Social Security records. Ms. Archuleta, you mentioned not health information but healthcare. That is a road map to other information that hackers can get. Security clearances. Security clearances are deeply personal and often involve, do they not, Ms. Seymour, unconfirmed negative information. Even rumors. I think so-and-so has a drinking problem. That gets in that report even if it is not confirmed. Is that not correct?

Ms. Seymour: Sir, I'm not a federal investigator, and I'm not familiar with all of the data.

Let me confirm for you. It is correct. How do we protect our employees? Dr. Ozment, when I heard your testimony, it almost sounded like you were saying that the good news here was we detected the hack. But the object here is not effective detection, although that is part of the process. It is to protect our citizens, including federal employees. You talked about Einstein and you championed its merits. Was Einstein in place at OPM when this hack occurred?

Dr. Ozment: Sir, I share your deep concern about the loss of this information and agree that that is a terrible outcome.

A terrible outcome?

Dr. Ozment: Absolutely. As a federal employee whose information itself is a part of this database.

It might even be personally devastating, Dr. Ozment. Not just a terrible outcome.

Dr. Ozment: That is correct, sir. What I would tell you on this is that Einstein was critical in this incident as OPM implemented their new security measures and detected the breach

Was Einstein in place at the time of this breach?

Dr. Ozment: One and Two. Three was not yet available.

I have only got two minutes. I want to understand your answer. You didn't successfully detect that a breach had occurred?

Dr. Ozment: It did not detect the breach that OPM caught on their own networks. We are focused on... you first have to have the threat information. Once we had the threat information, we used Einstein One and Two to detect a separate breach that we were able to work.

I'm sure every federal employee who has had their information compromised is comforted by your answer. Ms. Archuleta, what is the time gap between discovering the breach and the actual breach itself?

Ms. Archuleta: We discovered the breach in April of this year.

And when did this breach occur?

Ms. Archuleta: We expect it happened earlier in 2014.

Sometime late last year?

Ms. Archuleta: Yes, sir.

OK. So they, whoever were the hackers, presumably an agency of the Chinese government according to published reports confirmed by U.S. officials (it is not a classified piece of information, but the details of it may be), our government, I believe, has confirmed without attribution in public records that it was a systematic effort by the People's Liberation Army, which is notorious for hacking. They had four months in which to do something with this data. Is that correct? Maybe five?

Ms. Archuleta: The period of discovery from the time we believe the breach occurred and our discovery, yes.

I'm going to, real quickly, if the chairman allows, Mr. Scott, one last question. The director said if agencies implemented three steps, we could 85 of breaches. New inventions and technology, Ms. Seymour talks about new legacy systems. I had always hoped that the Chinese didn't know how to log into it.
Minimize privileges and continue to add software, and this did not go on. What is your take on those three recommendations?

I think those recommendations are great, and there are a number of other things as well, some of which I talked about today. I think the one point I would make is there is no one measure that you could say that's going to prevent all attacks, or even prevent an attack. It is really defense in depth is your best measure, and that's what we're really looking at emphasizing.

Thank you, Mr. Chairman.

I recognize the gentleman from North Carolina.

I agree with my colleague from Virginia in his description: this is a catastrophic compromise. Ms. Archuleta, it appears that OPM did not follow the very basic cyber security best practices, specifically network segmentation and encryption of data. Should the data have been encrypted? Can you address that?

Ms. Archuleta: The data was not encrypted, and as Dr. Ozment has indicated, encryption may not have been a valuable tool in this particular breach. As I said earlier, we are working closely to determine what sorts of additional tools we can put into our system.

You said may not have been. But it doesn't answer the question: should it have been encrypted, and could it have been another line of defense?

Ms. Archuleta: I would turn to my colleagues from DHS to determine the use of encryption, but I would say it was not encrypted at the time of the breach.

An adversary that has credentials to the users on the network can access data even if it is encrypted. That did occur in this case. Encryption in this case would not have protected this data.

Let me ask this. What consequences should CIOs face for failing to meet such a baseline of cyber security standard on their networks?

I believe the CIO is responsible for the implementation of a solid plan, and we have been doing that. We are working with a legacy system that is decades old.
We are using our financial and human resources to improve that system. Cybersecurity is a government-wide effort. We must work together to improve the systems we have.

I am not sure the American people are content with how we are working together. I want to speak to Einstein. Even if Einstein is a necessary component of defending the system, the private sector is moving on. Is that a fair question?

Dr. Ozment: It is a necessary but not sufficient tool. We need a defense in depth strategy. We are supplementing it with mitigations. We are looking at taking what is a signature-focused system and adding capabilities to detect previously unknown intrusions. As you do that, you receive more false positives. You receive more notifications that an intrusion occurred even if it did not. We have to do that carefully so that we are not overwhelmed.

Mr. Walker: It seems to me that you are more excited or confident in the Einstein 3A version? Is that going to be more solid?

It will rely upon classified information to help us detect adversaries and block them.

Mr. Walker: I heard you say something about how that system needs to be supplemented with others.

Dr. Ozment: That is correct. No single system will solve the problem.

Mr. Walker: It says it prevents malicious traffic. Should we be understanding that before the hearing? Why are we just now getting the information? This may not be enough to prevent such a catastrophic compromise.

Dr. Ozment: I cannot speak to the webpage, but I believe we need a defense in depth strategy.

Mr. Walker: Who is responsible for posting the information?

I will look into that and get back to you.

Mr. Cartwright: Thank you, and I thank the chairman and ranking member. I know there have been bigger data breaches than this. I share the sentiment of Mr. Connolly from Virginia. This is extremely troubling.
We are talking about 4 million plus federal workers, people dedicating their lives to our country. Now their information has been compromised through no fault of their own. If I understand your testimony, the personal information of about 4 million current and former employees was potentially compromised. Do you believe the number is going to be bigger than 4 million?

Thank you for your question. I described two incidents.

Mr. Cartwright: It is a yes, no, or I don't know.

The first incident is 4.2 million.

Mr. Cartwright: You know what it means when I say yes or no? Do you think it could be more?

Yes, sir.

Mr. Cartwright: You discovered it in April. As Ms. Be Conley mentioned, the hack may have begun in December.

Ms. Seymour: Yes, it began in 2014.

Mr. Cartwright: Something else happened in 2013. They stated they were targeted in an earlier cyberattack. This is the company that does the majority of your background investigations. Am I correct on that?

Ms. Seymour: I'm not sure.

Mr. Cartwright: In that case personal information was compromised, correct?

Ms. Seymour: Correct.

Mr. Cartwright: On Friday there was an article which said, "The hackers who recently launched a massive cyberattack on the U.S. government, exposing sensitive information of millions of federal workers, may have used information stolen from a private government contractor to break into federal systems." The article goes on: "The hackers entered the U.S. Office of Personnel Management's (OPM's) computer systems after first gaining access last year to the systems of KeyPoint Government Solutions." It continues: "Authorities, meanwhile, believe hackers were able to extract electronic credentials or other information from within KeyPoint's systems and somehow use them to unlock OPM's systems," according to hackers. This compromised information of not only the four [million] current and former federal employees. Ms. Seymour, I know we are having this classified briefing later, but can you comment on these reports? Did these hackers get what they wanted in the previous hack so they could then go after OPM?

Ms. Seymour: I believe we should discuss that in a classified setting.

Mr. Cartwright: Fair enough. We know OPM was breached last year and its information was compromised. Can you tell us if those hackers got information in the USIS breach?

Ms. Seymour: I think we should discuss that in a classified setting.

Mr. Cartwright: I understand. Let me close with this question. Federal agencies are only as strong as their weakest link. Last year we saw breaches of two contractors. Now we have reports that these hackers are getting into OPM information because of what they learned in those hacks. Agencies have leverage over contractors using provisions in the contracts and the billions of taxpayer dollars that they pay out to the companies. So I want to ask each of you: how can agencies use that leverage to improve cybersecurity practices of contractors so that they do a better job of safeguarding the information they are entrusted with? Go ahead, right on down the line, starting with you, Ms. Archuleta.

Ms. Archuleta: What we can do is make sure they are using the same types of systems. In addition, I want to be sure I understand your question. The contractors that we employ as individuals or as companies?

Mr. Cartwright: The contractors as companies.

Ms. Archuleta: In our contracts with the companies, we are working to make sure that they are adhering to the same standards that we have in federal government as outlined in our rules.

Mr. Cartwright: Dr. Ozment.

Dr. Ozment: I would point you to FedRAMP, the government-wide effort to establish baseline cybersecurity requirements for cloud contractors to the government.

Mr. Cartwright: Mr. Scott?

Mr. Scott: Yes, I think as my colleagues testified, we are strengthening the federal contract procurement language and creating contract language that any agency can use as a part of their standard contracts.

Mr. Cartwright: Thank you. Ms. Burns?

Ms. Burns: I think it is beefing up the contracts so they cover the full extent we need and then covering the monitoring and follow-up to make sure contractors are adhering to those clauses in the contract.

Mr. Cartwright: Ms. Seymour?

Ms. Seymour: I agree, and I would also add that we need to move more toward looking at different security controls at different intervals of time. The other option that we use is our IG also does inspections of our contractor companies.

Mr. Cartwright: Mr. Esser?

Mr. Esser: I agree with what Ms. Seymour just said. We do background investigations of other companies as well, so we can be used in that way as well.

Mr. Cartwright: I want to note that USIS was invited here today.

I appreciate the gentleman, but we have members that would like to speak.

Mr. Cartwright: Very good.

Mr. Russell: I'm baffled by all of this. Upon her appointment to the directorship of OPM, Director Archuleta stated she was committed to building an inclusive workforce. Who would have thought that would have included our enemies. In this testimony here today we heard statements that we did not encrypt because we thought they might be able to decrypt or decipher. There was another statement I heard earlier today that had we not established the systems, we would never have known about the breach. That's like saying, had we not watered our flower beds, we would not have seen muddy footprints on the open windowsill. This puts our international partners at risk. We had Sean Gallagher, who summed it up probably best. He said this breach was the result of inertia, a lack of expertise, and a decade of neglect. Director Archuleta, why did you not shut down 11 of 21 systems that had no authorization?
Ms. Archuleta: As I mentioned before, there are numerous priorities that go into employee safety and security, including making sure that our retirees receive their benefits or that our employees get paid. There are numerous considerations.

Mr. Russell: Would one of those be encrypting Social Security numbers? Does it take a degree in IT to encrypt Social Security numbers?

[no answer]

Mr. Russell: I didn't think so. Did your plans include leaving half of OPM without security? Was that the plan?

Ms. Archuleta: No, sir.

Mr. Russell: Then why was it not made a priority?

Ms. Archuleta: The systems in our plan, those systems that he recommended we shut down, he recommended we shut them down because they were without authorization. All of our systems are now authorized and they are now operating. I have to say that we are looking at systems that are very, very old. And we could take a look at encryption and other steps that could be taken, and certainly we are doing that. But as we look at this system, we are also having to deal with decades of...

Mr. Russell: I understand that. But there is an old saying we had in the military: poor is the workman who blames his tools. Missions can be accomplished even with what you had, and measures could have been taken had this been made a priority. What I see now is, why did OPM have no multifactor authentication for users outside the system? There was no multifaceted way of accessing the system, is that right? Once they get in, they can access.

Ms. Archuleta: We had factors.

Mr. Russell: When was that put in place?

Ms. Archuleta: This was after January 2015.

Mr. Russell: So that was...

Ms. Archuleta: These systems have gone neglected when they have needed resources. It is in this administration that we put resources to it. We have to act quickly, which we are doing, and we are also working with our partners across government.
As I said before, cybersecurity is an issue that all of us would like to address across the country.

Mr. Russell: Was a priority made to these outside systems accessing OPM's database, that once they get in them, they have free rein?

It takes time.

Mr. Russell: It didn't take our enemies time.

The Chairman: Mr. Lieu.

Mr. Lieu: This year the third database was breached. Its IG said that OPM's technology systems were either weak or seriously deficient. My question to you, a simple yes or no: do you accept responsibility for what happened?

Ms. Archuleta: I accept responsibility, and I take seriously my responsibilities in overseeing the improvements to a decades-old system.

Mr. Lieu: I don't know what that means. I asked for a yes or no. That's fine. You answered it. I'm going to reserve the balance of my time to make a statement. Having been a member of this Oversight Committee and having been a computer science major, it is clear to me there is a high level of technological incompetence across our federal agencies. We have seen that federal agencies couldn't deploy without massive bugs. We have held hearings where the FBI had a fundamental misunderstanding of technology, where they continued to believe they can put in back doors to encryption systems just for the good guys and not for hackers, which you cannot do. We had over 10 federal data system breaches last year. So there is a culture problem, and there is a problem of not understanding that we are in a cyberwar. Every day we are getting attacks in both the public and private sector. The U.S. military understands that. That's why they stood up an entire U.S. Cyber Command. Until the U.S. leadership understands the gravity of this issue, we will continue to have more data breaches. Let me give you an example of this problem. You hear there is unencrypted data. That is unacceptable.
Look at last year's report, page 12, that says as of November of last year OPM had not yet done a risk assessment. That is ridiculous, especially since you knew in March your system was breached. That is a failure of leadership. This goes beyond just OPM. Now, you have only been here a few months, you will get a pass on this, but why wasn't it until last Friday that agencies were ordered to put in basic cybersecurity measures? Why wasn't this done last year? Years before? There is a failure in leadership at OPM. When there is a culture problem, what have we done in the past? Well, especially in the area of national security, you can't have the view that, oh, this legacy system, oh, we have these excuses. In national security it has to be zero tolerance. That has to be your program. The CIA can't go around and say, oh, every now and then our database of spies is breached. In the past when this has happened, leadership resigns or they are fired. At the DEA, leadership left. We had this happen at the Secret Service; it happened at the Veterans Administration. We as a government do that for two reasons. One is to send a signal that the status quo is not acceptable. We cannot continue to have this attitude where we make excuse after excuse. I have heard a lot of testimony today. One word I haven't heard is the word sorry. When is OPM going to apologize to over four million federal employees that had their personal information compromised? When is OPM going to apologize? When there is a culture problem, we send a message that leadership has to resign. Another reason we do that is because we want new leadership in that is more competent. So I'm looking here today for a few good people to step forward, accept responsibility, and resign for the good of the nation. I yield back.

Mr. Chairman: I thank the gentleman. Well said. I now recognize the chairman of the IT subcommittee, Mr. Hurd of Texas.
Mr. Hurd: Thank you, Mr. Chairman. It is my hope the first thing they do when they wake up tomorrow is pull out the report that identifies areas they have problems with, read their own IG report, and start working to address those remediations. I've been at this job for 21 weeks, similar to Mr. Scott, and one of the things you hear from people is they are frustrated with their government. Intentions are great. Ms. Archuleta, you said at the beginning that federal employee status is paramount, and I believe you believe that, but the execution has been horrific. Intentions are not enough. We have to have execution. This is the thing that scares me. Let's start with you, Ms. Archuleta. Did the hackers use a zero-day vulnerability to get into your network?

Ms. Archuleta: I think this would be better answered in a classified setting.

Mr. Hurd: I hope everyone should know, even in the public and private sector. I spent almost my whole life in the CIA keeping secrets, but I have read that Einstein did detect the breach after the indicators of compromise were loaded into it. My question is, how long did the federal government have access to these indicators of compromise, how long did it take to get them into Einstein's system, and has that been promoted to every other agency that's using Einstein, too?

Dr. Ozment: Representative, OPM gave us the indicators of compromise immediately and we loaded them into Einstein immediately. We loaded them into Einstein 2 to both detect and to look back in history to see if any traffic back in time had indicated a similar compromise. That is how we found an intrusion into OPM related to this incident that led to our discovery of the breach of the personal records. We also put them into Einstein 3 so employees moving forward would be protected. We held a call with all the federal CIOs and asked them to search their networks.

Mr. Hurd: Has that been done?

Dr. Ozment: Yes.

Mr. Hurd: You talked about legacy systems.
What are those legacy systems, and what programming software is used to develop those systems?

Ms. Seymour: These are systems, sir, that have been around for close to 25, 30 years.

Mr. Hurd: So written in COBOL?

Ms. Seymour: COBOL systems. I want to point out Director Archuleta and I were brought in to solve some of these problems.

Mr. Hurd: When were you brought in?

Ms. Seymour: 2013.

Mr. Hurd: And why have you waited?

Ms. Seymour: We have not waited.

Mr. Hurd: We do not have years to solve this problem. We don't have that. We have days. Ms. Archuleta, how many people have you signed off on, of people dealing with the compromise?

Ms. Archuleta: My team works 24/7.

Mr. Hurd: So if I walk in at 8:00 at night there will be people drinking Red Bull trying to solve this problem?

Ms. Archuleta: I am very proud of my employees, and they are working 24/7.

Mr. Hurd: Mr. Scott, you have inherited a nightmare. We are here to answer to the recommendations of the G.I.O., and we are here to drag people out here, because we have to... I realize we are not going to stop someone from penetrating your network. How quickly can you identify them, quarantine them, and kick them off the network? Those are the measures we need to use about the health of our systems. I yield back the time I did not have.

Thank you, sir.

Mr. Chairman: The gentleman is recognized for five minutes.

Mr. DeSantis: What do you mean by service history?

Ms. Archuleta: Their careers. They may have been in a different position earlier, as they move around government. So it may be someone whose current job would not be in the system, but because of their service history their information would be given back, and it is for retirement purposes.

Mr. DeSantis: So with the SF-86, I remember filling that out when I was in the Navy, and it was by far the most intrusive form I've ever filled out. I had to go do research on myself to fill it out.
It is not just that you are giving personal data about the individual applicant; the SF-86 asks about family members, friends, spouse, relatives, where you lived, who you knew when you lived in these different places. It asks you to come clean about anything in your past life. So to me, you know, people have said that this is crown jewel material in terms of potential blackmail. So this is a very, very, very serious breach. My question for Ms. Archuleta: were cabinet member officials implicated in this breach?

Ms. Archuleta: Sir, this information would be better discussed in a classified setting.

Mr. DeSantis: Sure. What about the people in the security communities?

Ms. Archuleta: I again think this would be better discussed in a classified setting.

Mr. DeSantis: You don't disagree that this is a major, major breach that will have major ramifications for our country?

Ms. Archuleta: As I said, I will discuss it in a classified situation.

Mr. DeSantis: Enemies can and will use this information. What is the possibility of that information falling into enemy hands? That can be for anybody.

Dr. Ozment: Sir, that is a question we will discuss in a closed setting later today.

Mr. DeSantis: For this forum, can you say that that is a significant risk? That is not the type of information that we would want the enemy to have, and it can, in fact, be very damaging, correct?

Dr. Ozment: We will defer discussion of that.

Mr. DeSantis: I get that, and I will be there, and I will listen intently. But it really concerns me, because this is a treasure trove for our enemies potentially, and the fact that this system was hacked and we didn't even know about it for a long time, that is really, really troubling.
I think that the American people... I mean, if you ask people to want to serve in these sensitive positions and they think by filling out these forms they are actually going to put their families at risk because the government is not competent enough to maintain that secretly, that is a problem as well. The information can be used against the country, and I think you will also have a chilling effect on people wanting to get involved if we don't get a handle on this. I look forward to the witnesses in a classified setting, and I yield back the balance of my time.

Mr. Chairman: I now recognize Mr. Palmer for five minutes.

Mr. Palmer: Thank you, Mr. Chairman. Ms. Seymour, does the exposure extend only to those who filled out Form 86, or others as well?

Ms. Archuleta: Well, ma'am, apparently...

Mr. Palmer: Well, ma'am, I have employees whose personal information may have been compromised. Does it extend to people that filled out an SF-86?

Ms. Seymour: You were talking about SF-86s, sir.

Mr. Palmer: I asked you, did the exposure extend beyond those who filled out SF-86, and you said the investigation was ongoing. Apparently you have investigated enough to send a letter to employees who didn't fill out those forms. Thank you for your yes answer. Is there, in your judgment, Ms. Archuleta... how likely is it that the hackers were able to access these personal files through an employee account?

Ms. Archuleta: Sir, we will be able to discuss that with you in a classified setting.

Mr. Palmer: Are you familiar with the Wall Street Journal article that indicated that it was possible that the breach occurred through personal email accounts because employees were using the federal system, and that early in 2011 the Immigration and Customs Enforcement agency noticed an uptick in infections and privacy spills, and they asked for a directive, or they put out a directive, that federal employees could not use the federal system to access their personal emails?
The American Federation of Government Employees filed a grievance with the federal arbitrator saying that was something that needed to be part of the collective bargaining agreement. The arbitrator missed the agreements saying that, so they weren't able to shut that off. Do you have comment on that?

Ms. Archuleta: No, sir. Those are things we can discuss in the classified setting.

Mr. Palmer: Well, it is being discussed in the Wall Street Journal. I think for now, since we need to head to the hearing, I will yield.

Mr. Chairman: The chair will recognize the gentleman from Florida, Mr. Hice, at this time.

Mr. Hice: What are the problems with not having a valid system authorization?

The risks are evident: not having a valid authorization essentially could be a symptom of weak controls over operating systems and applications and lead to things such as a breach.

Mr. Hice: With all the things we are talking about today, Ms. Seymour, you were obviously fully aware of these risks, and OPM was aware of these risks.

Ms. Seymour: Yes, sir. I was aware of these reports.

Mr. Hice: The Inspector General put out his report expressing great alarm, recommending that OPM consider shutting down the systems because of the risks that you knew about, Ms. Archuleta knew about. Yet these recommendations were ignored. Now, I'm going to come back to you with this, because quite frankly Ms. Archuleta has tried to dance around this question. I'm going to ask you, why were those recommendations not followed?

Ms. Seymour: Two reasons. One, an authorization to operate is merely the documentation of the security controls of a system and their effectiveness. That does not mean simply because you don't have an authorization that those tools don't exist. The other effort is, as the IG was doing its audit, we were taking all of those vulnerabilities into play.
We had already developed a security plan we were in the process of implementing, and the IG admits in their report that we were in the process of implementing many of those controls.

Mr. Hice: Did the plan you were implementing work? Obviously it didn't. Would shutting it down have worked?

Ms. Seymour: The controls we put in place allowed us to stop remote access to our network, and they also allowed us to detect this activity that occurred prior to the IG report.

Mr. Hice: The vulnerability was still there and your plan failed.

Ms. Seymour: We look at the vulnerabilities as well as the business we must conduct. There are vulnerabilities in every system.

Mr. Hice: Currently, what are the vulnerabilities of an OPM system? What are the consequences now if they operate without a valid authorization?

Mr. Esser: There are essentially no consequences. There are no official sanctions in place. It is something that gets publicized, and that's the extent of it.

Mr. Hice: It sounds to me that this is not being taken seriously. Why is this occurring?

Ms. Seymour: Sir, I have extended the security. We have increased the effectiveness of the security around those systems.

Mr. Hice: But there are no consequences for not operating on a system with authorization? So how seriously are you taking it?

Ms. Seymour: There are consequences.

Mr. Hice: What are they?

Ms. Seymour: If you aren't doing the assessments... while there is evidence that they have been done, those assessments...

Mr. Hice: That's not a consequence. You said there are consequences. I want to know what they are.

Ms. Seymour: We report to OMB on a quarterly basis about the status of our security.

Mr. Hice: That doesn't sound like consequences. That sounds like reporting you are required to do anyway. There are no consequences involved in reporting. Mr. Esser, again, are there measures that need to be taken to get the whole thing to the standard it ought to be?
I mean, is there anything you would recommend?

Mr. Esser: Yes. We do recommend that the CIO, the agency, take the steps that in a lot of cases they are beginning to take. The centralization of the IT governance is well underway. What they also need to do is get a full inventory of the assets they are responsible for protecting. And the Shell project Ms. Seymour has alluded to is also something that we support. We also have some concerns about the way the project has been started and managed. Overall we support the idea behind the Shell project.

Mr. Chairman: We appreciate the gentleman. We now recognize Ms. Grisham for five minutes. Ms. Grisham.

Ms. Grisham: In New Mexico we have one of the largest per capita numbers of federal employees in the country. I have 50,000 federal employees in my home state. I am on their side by being incredibly concerned about this, and quite frankly also many other data breaches. The growing cyberattacks continue to be a serious threat. In fact, two days after my first election, one of the key briefings by one of the national labs, which is in my district at Kirtland Air Force Base, was on the continuing growing concern with cybersecurity issues and their continuing response to be proactive as much as possible and be appropriately reactive once you have an identifiable breach. Given the data breach at OPM, and at Home Depot and at Target, Anthem, it's clear to me that not only does the federal government have a role, but we have a role in working to protect the government in general from these continuing series of cyberattacks. I recognize there is not a simple solution; otherwise we could stop this immediately and have a magic bullet. As much as I want you to do that, I realize that is easier to say than do. But my concerns are growing given that even the best in the country are facing significant cyberattacks, including Kaspersky Lab, whom we are relying on in appropriate innovations.
Given that diatribe and given all that's been said about the serious nature, here's my question. The federal government is not known for being, and I mean no disrespect, it is not a proactive but a very reactive body, just by the nature of how broad our mission is and how dependent we are on the resources at any given time. Given that climate and the role to protect the federal government and your role to protect federal employee information, what can you do that's different that puts you in a position to be much more proactive, particularly given the nature of cyberattacks, and quite frankly they are already hacked in as you are making the next modifications?

Mr. Scott: I can think of several things we have underway in the short run, but probably the biggest thing is to double down on replacing these legacy, sort of old systems that we have. One of the central problems here is that you have old stuff that just was not designed or built in an era where we had these kinds of threats. In some cases, it is very, very hard to sort of duct tape and band-aid things around these systems. It doesn't mean there is nothing you can do, but fundamentally, there is old architecture that needs to be replaced and security that needs to be designed into the very fabric of the architecture: the hardware, the software, the networks, the applications. And the faster we can do that, the faster we are on a better road.

Ms. Grisham: Given your role in federal government today, I'm not clear what legacy and old architecture platforms we are operating under and what is the time frame we are under. What can be done?

Mr. Scott: We are going to be very transparent on that journey as we go through our work over the course of the year. Several of the members of this committee have said they will pay close attention to that, and that I encourage.

Mr. Chairman: The gentleman will suspend. Our time is so tight. We would like a full and complete answer. There will be answers for the record. I hope you understand.
We need to give time to the gentleman from Wisconsin.

I'm glad to know that the federal government is not a proactive, reactive body. Something important to remember. Has anyone lost their job over this? Have there been recriminations in that regard? Sure, we'll give you the question.

Ms. Archuleta: No, sir.

Next question. I don't care who answers it. As I understand, it took months for the State Department to root out the Russian hackers and their classified systems. Apparently the Chinese hackers are known for leaving behind time-delayed malware. Do we know for sure these people are out of the system now, or could they still be poking around?

Dr. Ozment: We have a joint team that has worked with OPM and the Department of the Interior. They have assessed they have fully removed the adversaries, but it is difficult to know if they have been eliminated
