OPM Just Tip of the Iceberg: Hacking Expected to 'Dramatically Accelerate'

WASHINGTON – The director of the Office of Management and Budget maintains that her agency has taken “significant steps” to protect sensitive cyber data, but recent security breaches clearly establish that efforts to guard against future hacking attempts must “dramatically accelerate.”

Katherine Archuleta, who assumed her post 18 months ago, told members of the Senate Homeland Security & Governmental Affairs Committee that her office is under “constant attack by evolving and advanced persistent threats and criminal actors” who are “sophisticated, well-funded and focused.” Given that, steps must be taken not only on behalf of those individuals whose personal information has been accessed “but also as a matter of national security.”

These cyberattacks, she told the panel, “will not stop. If anything, they will increase.”

OPM announced early in June that over the past year hackers stole personnel records of about 4.2 million federal employees. Subsequently, it was revealed that the attack was actually far greater and involved some of the most sensitive data the federal government maintains on its employees and likely many more records, perhaps as many as 18 million.

The massive data theft is considered one of the largest – if not the largest – security breaches within the federal government to date. One internal OPM assessment, disclosed to Congress by the FBI, said the hacking likely was conducted by a Chinese intelligence-gathering operation.

Some lawmakers, including Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, have called for Archuleta’s resignation because of the security failure.

“It is hard to overstate the seriousness of this breach,” said Sen. Ron Johnson (R-Wis.), the committee chairman. “It has put people’s lives and our nation at risk.”

OPM has been hacked five times in the past three years and the agency “still has not responded to effectively secure its network,” Johnson said, asserting that cybersecurity “must be a top priority.”

“Cybersecurity on federal agency networks has proved to be grossly inadequate,” Johnson said. “Foreign actors, cyber criminals and hacktivists are accessing our networks with ease and impunity. While our defenses are antiquated, our adversaries are by comparison proving to be highly sophisticated. Meanwhile, agencies are concentrating their resources trying to dictate cybersecurity requirements for private companies, which in many cases are implementing cybersecurity better and more cheaply.”

Archuleta said she became aware of OPM’s security vulnerabilities within what she characterized as “the agency’s aging legacy systems” when she assumed office and made the modernization and security of the network and its systems a priority.

Regardless, Archuleta said two kinds of data found in two different systems – personnel records and background investigations – were affected in two recent incidents. While the agency has placed the number of records involved in the personnel data breach at 4.2 million, it continues to analyze the background investigation data to determine what was compromised.

“We are not at a point where we are able to provide a more definitive report on this issue,” she said.