The agency that allowed hackers linked to China to steal private information about nearly every federal employee — and detailed personal histories of millions with security clearances — failed for years to take standard steps to secure its computer networks, officials acknowledged to Congress on Tuesday.
Democrats and Republicans on the House Oversight and Government Reform Committee spoke in unison to describe their outrage over what they called gross negligence by the Office of Personnel Management. The agency’s data was breached last year in two massive cyberattacks only recently revealed.
The criticism came from within, as well. Michael Esser, the agency’s assistant inspector general for audit, detailed a yearslong failure by OPM to adhere to reasonable cybersecurity practices, and he said that for a long time, the people running the agency’s information technology had no knowledge.
Last year, he said, an inspector general’s audit recommended that the agency shut down some of its networks because they were so vulnerable. The director, Katherine Archuleta, declined, saying it would interfere with the agency’s mission.
The hackers were already inside her networks, she later acknowledged.
“You failed utterly and completely,” said committee Chairman Jason Chaffetz, a Utah Republican. “They advised it was so poor that you shut it down and you did not.”
Archuleta, stumbling occasionally under withering questions from lawmakers, sought to defend her tenure and portray the agency’s problems as decades in the making as its equipment aged. She appeared to cast blame on her recent predecessors, one of whom, John Berry, is the U.S. ambassador to Australia.
Offered chances to apologize and resign, she declined to do either.
Chaffetz said the two breaches “may be the most devastating cyberattack in our nation’s history,” and said OPM’s security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen.
“I am as distressed as you are about how long these systems have gone neglected,” Archuleta said, adding at another point, “The whole of government is responsible and it will take all of us to resolve the concern.”
Archuleta and the other witnesses provided few new facts about the breaches in the public hearing, deferring most questions about methods and damage to a later, classified session.
After that session, Rep. Elijah Cummings of Maryland, the committee’s ranking Democrat, demanded that the committee hear testimony from two OPM contractors, KeyPoint and USIS, that fell victim to hacks last year. Earlier, Cummings and other lawmakers questioned whether the OPM network was compromised first through hacking of the contractors, and OPM officials declined to answer.
During the open hearing, Donna Seymour, the agency’s chief information officer, confirmed that personnel information on 4.2 million current and former federal workers had been stolen, not just accessed.
The number of security clearance holders whose data has been taken is not yet known, she said. But the records go back to 1985 and include contractors as well as federal employees. Some government officials estimate the number could be up to 14 million.
And because their security clearance applications contain personal information about friends and family members, those people’s data is vulnerable as well.