Efforts by US govt's OPM to fix IT security are criticized by auditor

Senators rip into agency director for data losses from major breach

Katherine Archuleta, director of the U.S. Office of Personnel Management, testifies about recent data breaches during a Senate hearing June 25, 2015.

Katherine Archuleta, director of the U.S. Office of Personnel Management, testifies about recent data breaches during a Senate hearing June 25, 2015.

Efforts to fix cybersecurity problems at the U.S. Office of Personnel Management (OPM) may be doomed because the agency is moving too quickly and ignoring some best practices, an auditor said Thursday.

Even before two recently disclosed breaches at OPM, agency director Katherine Archuleta pushed to improve cybersecurity at the agency, which still runs several mainframe systems.

But a "massive" agency-wide effort to update decades-old systems is not following proper IT project management procedures, including a cost-benefit analysis, and the agency does not have a firm estimate on the cost of the project, said Patrick McFarland, OPM's inspector general.

OPM has not factored in the cost of migrating its old data into a new IT system when preparing budget estimates, and it doesn't have a dedicated funding stream for the transition, McFarland told the Senate Homeland Security Committee Thursday.

"It may sound counterintuitive, but OPM must slow down and not continue to barrel forward with this project," he said. "The agency must take the time to get it right the first time."

The recent breaches at OPM show that the government and the agency's leaders aren't serious about cybersecurity, some lawmakers said.

Breaches of OPM's government employee personnel files and its security clearance database raise questions about whether Archuleta, appointed to the job 18 months ago, should stay, two Republican members of the committee said.

The breach of OPM's security clearance database may be the largest and most damaging breach ever for the U.S. government, said Senator Ron Johnson, a Wisconsin Republican. "It is hard to overstate the seriousness of this breach," he said. "It has put people's lives and our nation at risk."

Johnson and Senator John McCain, an Arizona Republican, both questioned the commitment of the Obama administration to protect the government against cyberattacks. With years of cybersecurity warnings from its inspector general, "OPM has become a case study in the consequences of inadequate action and neglect," Johnson said.

McCain questioned why Archuleta has given conflicting statements about whether she or other OPM officials are responsible for the breach.

"You are responsible," he said. "I wonder whether you think you should stay in your present position?"

OPM is moving forward on aggressive IT updates, Archuleta said. "I have been working hard from day one to correct decades of neglect," she said. "We've taken great strides."

McCain pressed Archuleta to confirm press reports saying 18 million people may be affected by the two breaches. Archuleta also declined to give senators a number, saying that breach is still being investigated. About 4.2 million employees were affected in the separate personnel file breach, but the security clearance breach numbers could even be larger than the numbers in the press reports, she said.

The hearing turned largely into a partisan debate, with Republicans slamming OPM and the Obama administration and Democrats defending the agency. The hearing uncovered little new information about the breaches.

OPM leaders have shown "such a lack of attention and priority to this issue, and let's face it, a record of failure now," Johnson said.

But the agency has made great strides forward since Archuleta took over as director, said Tony Scott, the U.S. CIO. in the Office of Management and Budget. "I worry in this particular case, that as we deploy more [cybersecurity] tools across the federal government, and as we are likely to discover more of these kinds of issues, that there's a chilling effect on anybody wanting to come in and take one of these roles," said Scott, a Microsoft veteran.

Andy Ozment, an assistant secretary for cybersecurity at the U.S. Department of Homeland Security, appeared to suggest Congress was partly responsible for cybersecurity problems in the federal government.

"We're now making up for 20 years of underinvestment in cybersecurity across the public and the private sectors," he said. "At the same time, we are facing a major challenge in protecting our most sensitive information against sophisticated, well-resourced and persistent adversaries."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. SenateGovernment use of ITU.S. Office of Personnel ManagementJohn McCainPatrick McFarlanddata breachTony ScottRon JohnsonAndy OzmentgovernmentsecurityKatherine Archuleta

More about IDGMicrosoftNewsOffice of Management and BudgetTwitter

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place