Cyberattacks such as the one that exposed the personal data of millions of federal workers will continue and are likely to increase, says the head of the U.S. Office of Personnel Management. OPM Director Katherine Archuleta came under fierce criticism during a congressional hearing on Tuesday over the OPM data breach revealed last week. That hack reflected decades of neglect of government computer systems and could have been much worse, Archuleta said. Some U.S. officials suspect the cyberattack was linked to China but the Obama administration has not publicly accused Beijing. China denies any involvement.
Archuleta said government and non-government entities are under "constant attack" by sophisticated, well-funded cyber adversaries. "In an average month, OPM, for example, thwarts 10 million confirmed intrusion attempts targeting our network. These attacks will not stop — if anything, they will increase," she told the House Committee on Oversight and Government Reform.
In a three-hour hearing punctuated by committee member attacks, snide jabs and demands for simple yes/no answers, Archuleta and her CIO Donna Seymour defended their agency's response to two security breaches OPM detected this spring. Archuleta said the breaches were discovered and contained because of new security measures taken in the last year. One breach discovered in April affected personnel records and the other, detected in May, affected background investigations for current, former and prospective government employees. Archuleta said 4.2 million employees were affected by the OPM hack discovered in April, but refused to say how many people had been affected in the other attack. She also refused, despite repeated questions, to say how many years' worth of records had been affected.
Archuleta described security measures her agency had taken to encrypt personal data. "It didn't work. So you failed. You failed utterly and totally," scolded Republican Rep. Jason Chaffetz, R-Utah, the committee chairman. Chaffetz read from a series of Inspector General annual reports that cited weaknesses in OPM systems and noted, "This has been going on for a long time." He peppered Archuleta with questions on the lack of encryption and why OPM failed to follow an IG recommendation to "shut the system down." He shook his head when Archuleta noted that she had instigated improvements.
Michael Esser, OPM's assistant inspector general for audit, said the agency has a history of failing to meet basic computer network security requirements. He said that for years many of the people running the agency's information technology had no IT background. He also said the agency had not disciplined any employees for the agency's failure to pass numerous cyber security audits.