Transcripts For CSPAN Hearing On Office Of Personnel Managem

CSPAN Hearing On Office Of Personnel Management Data Breach June 22, 2024

His writing, how fast he was producing the work. He knocked out the first rough draft of A Farewell to Arms two weeks after arriving in Key West. He said if you really want to write, start with one true sentence. For a true writer, each book should be a new beginning where he tries again. He should always try for something that has never been done or that others have tried and failed.

Key West is also where President Harry Truman sought refuge from Washington. President Truman regarded the big White House as "the great white jail." He felt he was constantly under everyone's eye, and so by coming to Key West he could come with his closest staff and let down his hair; sometimes some of the staff would let their beards grow for a couple of days. They certainly at times used off-color stories. He certainly could have a glass of bourbon and visit back and forth without any scrutiny from the press. A sportswear company sent a case of Hawaiian shirts to the president, with the thought that if the president is wearing our shirt, we will sell a lot of shirts. President Truman wore those free shirts that first year and then organized what they called the loud shirt contest. That was the official uniform of Key West.

Watch all of our events from Key West today, then Sunday afternoon at 2:00 on American History TV on C-SPAN3.

Katherine Archuleta estimates that 4.2 million federal personnel are affected by two recent data breaches, and the number is likely to grow. Her comments came Tuesday during testimony at the House Oversight Committee. The first breach occurred late last year; the second was uncovered during an investigation into the first one. The system impacted hosts data for the federal government's background investigations for individuals who need security clearances. This is about two hours and 40 minutes.

Mr. Chaffetz: This meeting will come to order. The chair is allowed to call a recess at any time. Mr. Cummings will be with us momentarily.
Last week, we learned that the United States of America may have had one of the most devastating cyber attacks in our nation's history. This may have been happening over a long period of time. There is a lot of confusion about what personal information for millions of employees and workers was exposed in the data breach at the Office of Personnel Management. OPM initially reported that more than 4 million employees had information exposed during this attack. More recent reports suggest that

Yes, sir.

You have the tools now to do that?

OPM has procured the tools. There are some of our legacy systems that may not be capable of accepting those types of encryption in the environment they exist in today. That's why it's important for us to focus aggressively and proactively on building out that new architecture.

Are you talking about three months, three years?

We began our program after the March 2014 incident. We worked with our inner partners to devise a very aggressive and very competent plan. We have been implementing that plan since then. We are delivering the new architecture; we are delivering that this fall.

This is the question. We are collecting data right now. In the meantime, where are we? I know you are trying to do some things. That doesn't make federal employees feel pretty good. It doesn't make me feel good. Tell me more. Are you saying that we are just horribly vulnerable? We don't know when we will be able to employ the type of system we just talked about?

Guest: We have done a number of things.

I'm talking about what's going on today.

That's exactly what I'm offering, sir. We have implemented remote access to our network so that, without some type of device, our users cannot log into our network remotely. We have implemented additional firewalls in our network. We have tightened the settings of those firewalls. We have reduced the number of privileged users in our account and even further restricted the access privileges of those users.
We have taken a number of steps to increase the security of our existing network. We began that work last March, it has continued, and we continue to work with DHS and our agency partners to test those systems and make sure they are working appropriately.

The Office of Inspector General conducted an audit in 2014 of OPM's information security programs and found several weaknesses. Can you briefly identify what those weaknesses were?

Yes, sir. The most critical weaknesses we identified in our report from 2014 were the continued information security governance problems that have existed since 2007, the decentralization of the controls. That is an area that is certainly close to being improved to a full extent. Another area of weakness was the security assessments and authorization: each system that OPM owns should go under an assessment every three years and be authorized for usage. We identified 11 systems at the end of 2014 that were due to be authorized and had not been. The technical security controls was another big area that we identified. While OPM has implemented a number of strong tools and is improving in that area, our concern is that some of those tools were not being used properly and that they do not have a complete and accurate inventory of databases and servers that those tools should be applied against.

Rep. Cummings: So the chairman asked Ms. Archuleta a question of how she thought she had done. Based on that, what grade would you give?

I don't know that I can give a grade.

Rep. Cummings: So of all the things that you just stated, there were certain things that were not done. Is that right?

Yes, sir.

Rep. Cummings: Did any of them lead to this breach? The things that were not done?

I don't know the exact details of how this breach occurred, so I really can't answer that question. Certainly there are a lot of weaknesses at OPM that they are in the process of trying to address.

Rep. Cummings: Last, but not least, do you have a silver bullet to address this issue, sir?

No, sir, I do not. There are very sophisticated attackers out there, and there is no one silver bullet that I think can be applied that will prevent these types of things from happening.

Rep. Cummings: You heard me ask Ms. Seymour about the fact that we're collecting information and it seems as if we just are vulnerable, and there are certain areas that we may not be able to defend ourselves in. Is that an accurate statement?

Certainly there are a lot of things that can be done to make our systems more secure.

Is there something that can be done to make them impenetrable?

Not that I'm aware of.

I appreciate the witnesses being here. This morning, we have certainly heard there are no silver bullets, and I don't think we expected the answer to be, yes, there is a silver bullet. We are concerned that, knowing what has been going on, having clear evidence that hackers have been attempting for quite some time, and at least those of us here who trust in agencies and people like yourselves who know the issues, some more efforts could have been successful in stopping the most recent attacks. We have heard today that networks are not compartmentalized, segmented, or, in certain cases, encrypted. With the recent attacks, the perimeter has been breached. The attacks often remain undetected for months. That is concerning. They are able to exploit vulnerabilities within the networks without passing through additional security measures. This is most concerning to me. Mr. Scott, as I understand it, in the private sector there have been shifts toward a zero trust model. Ultimately, given OPM's role for metrics settings for agencies, can you tell us what OMB is doing to set IT security metrics to limit the number of workloads, application tiers to the networks?

Mr. Scott: Thank you for the question.
I think there are a number of things that I would point to in addition to the measures that you just talked about. The first one is to share across the federal government not only the lessons learned from OPM but what we see from other attacks, whether successful or not, private and public, and make sure that all agencies are up to speed with the latest information on the methods of attack, the tools that are used, and so on.

That is the weakness?

Mr. Scott: It has been historically, for the government and the private sector, to share information for our ability to thwart these things. The specific measure that you mentioned, the segmentation and zero trust, is something that is more easily applied to very modern architectures. It is not as easily applied to some of the oldest and old legacy systems that we have. And I think that is going to be a challenge for all agencies where the architecture itself just doesn't lend itself to the application of certain technologies. The best answer, I think, in terms of what we have and where we go is a model that we're promoting and encouraging across the agencies, which is defense in depth. It is a number of different measures so that if one thing doesn't work, you have the next layer that helps, and if that doesn't work, you have the next layer. Zero trust is applicable in some of those environments and frankly is very difficult or impossible to apply.

How far are we from that?

Mr. Scott: I would say years and years, comprehensively. One of the things we're working on now is prioritizing based on the highest value assets that the federal government has, so that we're going after the most valuable stuff first and making sure that is protected the best way we can.

Ms. Seymour, with the millions of current and former federal employees, a lot of them in my district, who sign on to do the work we give to them. We appreciate the work. It is something we ask them to do, the federal jobs of the departments they work under that they have been asked to do.
They don't expect their life to be compromised, their history to be compromised, their records to be compromised. When did OPM begin to let the victims know of the risk and breach?

Ms. Seymour: Thank you for your questions, sir. I too am a federal employee, and I am concerned about this matter. It is grave and serious. We began identifying personnel on June 8 and will continue to make those notifications through June 19. That is for the personnel records security incident that we had. We have not yet been able to do the analysis to have the data involved with the background investigations incident; that is ongoing. As soon as we can narrow the data that is involved in that incident, we will make appropriate notifications for that one as well.

Rep. Chaffetz: I recognize the gentlewoman from New York.

I want to thank the chairman and ranking member for calling this hearing and all of our panelists for your public service. As one who represents the city that was attacked on 9/11, we lost thousands on that day and thousands more are still dying from health-related causes from that fateful day, but I consider this attack, I call it an attack on our country, a far more serious one to the national security of our country. And I would like to ask Mr. Ozment from Homeland Security, would you characterize this as a large-scale cyber spying effort? That's what it sounds like to me. What is it?

Dr. Ozment: I think to speak to whether or not this is a spying effort, we would have to talk to any understanding of who the adversaries were and what their intent was.

You do believe it was a coordinated effort? They appear to be attacking health records, employment records, friendship, family, whole background. This seems to be a large sphere of information not only from the government but private contractors, individuals, and sometimes it appears targeted towards Americans who may be serving overseas in sensitive positions.
Would you consider this a coordinated effort? Can you answer that, or is it classified?

Dr. Ozment: I would refer that to classified. I will be at the 1:00 briefing.

Thank you. I would like to refer to this article. I would like to place it in the record. I think it is an important one. It came from ABC News. It reports that they seem to be looking at and gathering information on an SF-18 form, a Standard Form 18, which is required for any employee seeking classified security clearances. So that would be people in important positions in our government. I won't ask a question on that. I'll just wait until later. It is classified, but I am extremely disturbed. This article also points out it is not only individuals that they are going after. They are going after contractors and those that serve the government, and it mentions, in other reports, Lockheed Martin, where they went after their SecurID program. Is that true, Mr. Ozment?

Dr. Ozment: I can't speak to whether any adversaries have gone after private sector

Others say they were hit by cyber attacks, and other government contractors. Now one that probably hit Congress is one in 2013 where the FBI warned that a group called Anonymous hacked into the U.S. Army, Department of Energy, Department of Health and Human Services, and many agencies by exploiting a weakness in the Adobe system. I have that in my office. They could have hacked into my office and probably every other congressional office. Then they talk about going into healthcare. They go into the Blue Cross Blue Shield system of all the federal employees. It seems like they want a comprehensive package on certain millions of Americans, many of whom are serving our country, I would say, at negotiating tables, commerce, State Department, probably Defense, and every other aspect of American life in the world economy. But Mr. Scott, you have been before this committee before, and you announced you were going to review the agency's cybersecurity programs to identify risks and implement gaps. I wonder if you could report on what you learned from this review and any specific changes in cybersecurity policies, procedures, or guidance, if you can report on that, or that may be classified too. Anything you can share with us on what you have been doing to act to build some firewalls.

Mr. Scott: Sure. Thank you for the question. We're conducting regular CyberStat reviews with each of the agencies. It is along the key lines with many of the topics we have talked about here: two-factor, patching, minimizing the number of system administrators, all what are called hygiene factors that we think lead to good cybersecurity.

My time is expired, but anything you want to give to the committee in writing, we would appreciate it.

Rep. Chaffetz: I recognize the gentleman from North Carolina.

Thank you, Mr. Chairman. Ms. Archuleta, you have been in your current position since 2013? Is that correct?

Ms. Archuleta: I was sworn in in November of 2013.

So in 2013 you, according to your testimony, made cyber the highest priority. I think that is how you opened up your testimony, that the security of federal employees was your highest priority. Is that correct?

Ms. Archuleta: Yes, sir.

So help me reconcile then, if it is your highest priority, when the most recent report came out that took security from being a material weakness, as it was characterized before you got there, to significant deficiency, how would you reconcile highest priority and significant deficiency as being one and the same?

Ms. Archuleta: Thank you for your question. As I mentioned earlier, one of the first things that we did, or I did, for OPM was to develop within 100 days an IT strategic plan. The issues that the IG just mentioned in terms of IT governance and leadership as well as IT architecture, agility, data, and cybersecurity were all strong components of this IT plan, and the IG recognized that.

I only have five minutes and I can't let you just ramble on with all of these things. Let me ask you, how, if he recognized that, would he still characterize it as significant deficiencies?

Ms. Archuleta: As we were instituting the improvements we were making, he was at the same time conducting his audit. His audit was conducted in the summer of 2014 when we were beginning to implement our strategic plan. The IG has continued to work with us and we have taken his recommendations very seriously.

You have taken them seriously. Have you implemented all of them? Yes or no? Just yes or no.

Ms. Archuleta: We have many of them.

Have you implemented all of those?

Ms. Archuleta: As I said, sir, I have implemented many of them and continue to work

So you will implement all of them.

Ms. Archuleta: We're looking at each of those recommendations.

Not looking. Can you assure the federal workers that you are going to implement all of what the IG recommended to you?

Ms. Archuleta: We are working very closely with the IG.

I will take that as a no. Let me go on further. I'm very concerned. We have not notified most of the federal employees. We have known about it. They continue to not be notified. And yet here you are saying that you have different priorities. When Chairman Chaffetz asked you about why you did not shut it down, you said, well, OPM has a number of other responsibilities. Is that correct? That was your answer to Chairman Chaffetz.

Ms. Archuleta: We house a variety of data, not just data on employee personnel files. We also house healthcare data and other employee records.

You're saying it was better that you supply that and put federal workers at risk versus making it, according to your words, the highest priority to make sure that the information was not compromised?
If it is your highest priority, why didn't you shut it down like Mr. Chaffetz asked and like what was recommended? Why didn't you shut it down?

Ms. Archuleta: In our opinion, we were not able to shut it down in view of all of the responsibilities we hold at OPM.

So in your opinion, protecting federal workers then could not have been your highest priority because there were competing, I guess, priorities. You said it was better that you continued on with the others versus protecting the federal workforce.

Ms. Archuleta: The recommendations that the IG gave to us are ones
