OPM Inspector General Disagrees, Says Lack of Professional Security Staff Is the Problem
WASHINGTON, D.C. – Yesterday, a hearing was held to review the intrusion and theft of data at the Office of Personnel Management (OPM) in front of the Senate Subcommittee for Financial Services and General Government. The purpose of the hearing was to find the cause behind the OPM intrusion/theft of an unknown amount of personnel records of government employees and the reasons behind this intrusion. The head of the OPM and the Inspector General differed on the cause.
OPM Director Katherine Archuleta read a statement that mostly concluded that the breach was found because of the implementation of new intrusion detection equipment and that there is no real way to determine when the breach first occurred.
According to Ms. Archuleta, “As a result of these efforts to improve our security posture, in April 2015, an intrusion that predated the adoption of these security controls affecting OPM’s IT systems and data was detected by our new cybersecurity tools. OPM immediately contacted the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) and, together with these partners, initiated an investigation and forensic analysis to determine the scope and impact of the intrusion.”
Shortly thereafter, OPM notified Congressional leadership and select committees of this incident. In early May, the interagency incident response team shared with relevant agencies that the exposure of personnel records had occurred.
Ms. Archuleta added, “That very same day, we worked to brief Congressional leadership and select committees. In early June, OPM informed Congress and the public that notifications would be sent to affected individuals beginning on June 8 through June 19. We refer to this incident as the intrusion affecting personnel records.”
Ms. Archuleta blamed the computers themselves for the intrusion, not the employees. She said, “We have legacy systems that are very old and oftentimes we have to test to be sure that we can even add those security protection systems into the legacy systems.”
Michael Esser, OPM Assistant Inspector General, partially agreed but stated that some systems that were impacted were in fact modern systems where security.
Mr. Esser also stated, “the program office personnel responsible for IT security frequently had no IT security background and were performing this function in addition to another full-time role. For example, this meant that an employee whose job was processing retirement applications may have been given the additional responsibility of monitoring and managing the IT security needs of the system used to process those applications.”