[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

OPM DATA BREACH: PART II

HEARING BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED FOURTEENTH CONGRESS, FIRST SESSION

JUNE 24, 2015

Serial No. 114-81

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov and http://www.house.gov/reform

U.S. GOVERNMENT PUBLISHING OFFICE, 22-363 PDF, WASHINGTON: 2017

For sale by the Superintendent of Documents, U.S. Government Publishing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800. Fax: (202) 512-2104. Mail: Stop IDCC, Washington, DC 20402-001.

COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

JASON CHAFFETZ, Utah, Chairman

JOHN L. MICA, Florida; MICHAEL R. TURNER, Ohio; JOHN J. DUNCAN, Jr., Tennessee; JIM JORDAN, Ohio; TIM WALBERG, Michigan; JUSTIN AMASH, Michigan; PAUL A. GOSAR, Arizona; SCOTT DesJARLAIS, Tennessee; TREY GOWDY, South Carolina; BLAKE FARENTHOLD, Texas; CYNTHIA M. LUMMIS, Wyoming; THOMAS MASSIE, Kentucky; MARK MEADOWS, North Carolina; RON DeSANTIS, Florida; MICK MULVANEY, South Carolina; KEN BUCK, Colorado; MARK WALKER, North Carolina; ROD BLUM, Iowa; JODY B. HICE, Georgia; STEVE RUSSELL, Oklahoma; EARL L. ``BUDDY'' CARTER, Georgia; GLENN GROTHMAN, Wisconsin; WILL HURD, Texas; GARY J. PALMER, Alabama

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member

CAROLYN B. MALONEY, New York; ELEANOR HOLMES NORTON, District of Columbia; WM. LACY CLAY, Missouri; STEPHEN F. LYNCH, Massachusetts; JIM COOPER, Tennessee; GERALD E. CONNOLLY, Virginia; MATT CARTWRIGHT, Pennsylvania; TAMMY DUCKWORTH, Illinois; ROBIN L. KELLY, Illinois; BRENDA L. LAWRENCE, Michigan; TED LIEU, California; BONNIE WATSON COLEMAN, New Jersey; STACEY E. PLASKETT, Virgin Islands; MARK DeSAULNIER, California; BRENDAN F. BOYLE, Pennsylvania; PETER WELCH, Vermont; MICHELLE LUJAN GRISHAM, New Mexico

Sean McLaughlin, Staff Director
David Rapallo, Minority Staff Director
Troy D. Stock, IT Subcommittee Staff Director
Jennifer Hemingway, Government Operations Subcommittee Staff Director
Sharon Casey, Deputy Chief Clerk

CONTENTS

Hearing held on June 24, 2015 (page 1)

WITNESSES

The Hon. Katherine Archuleta, Director, U.S. Office of Personnel Management: Oral Statement (page 6); Written Statement (page 10)
The Hon. Patrick E. McFarland, Inspector General, U.S. Office of Personnel Management: Oral Statement (page 15); Written Statement (page 17)
Ms. Ann Barron-DiCamillo, Director, U.S. Computer Emergency Readiness Team, U.S. Department of Homeland Security: Oral Statement (page 23)
Mr. Eric A. Hess, Chief Executive Officer, KeyPoint Government Solutions: Oral Statement (page 25); Written Statement (page 28)
Mr. Rob Giannetta, Chief Information Officer, US Investigations Services, LLC: Oral Statement (page 31); Written Statement (page 32)

APPENDIX

2015-06-16 FLEOA to Chaffetz-GR & Johnson-HSGAC-OPM Data Breach (page 98)
2015-05-13 WP Defense Firm That Employed Drunk High Contractors in Afghanistan (page 100)
1963-04-22 WSJ New Lingo Spells Out Common Orders for Different Computers (page 102)
2015-06-24 Director Archuleta-OPM Letter to Chairman Chaffetz (page 103)
2014-07-09 NYT Chinese Hackers Pursue Key Data on US Workers (page 105)
2015-06-17 OPM Flash Audit Alert (page 109)
2015-06-22 Response to OPM Flash Audit Alert (page 115)
2015-04-24 WSJ Altegrity Executives Got Payouts Before Security Screener Filed for Bankruptcy (page 119)
2015-03-27 BI Hedge Fund Manager Said Sorry For Losing 99.7% of Clients Money (page 120)
Questions for the Record (page 122)

OPM DATA BREACH: PART II

Wednesday, June 24, 2015

House of Representatives, Committee on Oversight and Government Reform, Washington, D.C.

The committee met, pursuant to call, at 10:03 a.m., in Room 2154, Rayburn House Office Building, Hon. Jason Chaffetz [chairman of the committee] presiding.

Present: Representatives Chaffetz, Mica, Turner, Duncan, Jordan, Walberg, Amash, Gosar, DesJarlais, Gowdy, Farenthold, Massie, Meadows, DeSantis, Mulvaney, Walker, Blum, Hice, Carter, Grothman, Hurd, Palmer, Cummings, Maloney, Norton, Clay, Lynch, Connolly, Cartwright, Duckworth, Kelly, Lawrence, Lieu, Watson Coleman, Plaskett, DeSaulnier, Welch, and Lujan Grisham.

Also Present: Representative Comstock.

Chairman Chaffetz. Good morning. The Oversight Committee is coming to order. Our hearing today is about the OPM data breaches. This is part 2.

$529 billion: $529 billion is how much the Federal Government has spent on IT since 2008. Roughly $577 million has been spent at the Office of Personnel Management. Roughly 80 percent of that money has been spent on legacy systems, and we're in a situation here where the hurricane has come and gone, and just now OPM is wanting to board up the windows. That's what it feels like. This is a major, major security breach, one of the biggest--if not the biggest--we have ever seen.
This demands all of our attention and great concern about what happened, how we're going to prevent it from happening in the future, and what are we going to do with the information now? Because there is no simple, easy solution, but I can tell you, oftentimes it feels like one good trip to Best Buy, and we could help solve this problem and be a whole lot better than where we are today. There are a lot of questions that remain about what happened last month, and the uncertainty is very disconcerting to a host of people. And it's unacceptable to this committee and to the Congress. The most recent public reports indicate that many more Americans were affected by the breach than originally disclosed. Federal workers and their families deserve answers, answers on both the scope of the breach and the types of personnel information compromised. Because of these many outstanding questions, we still don't understand the extent to which the breach threatens our national security. However, according to the intelligence community, the risk is significant. Only the imagination limits what a foreign adversary can do with detailed information about a Federal employee's education, career, health, family, friends, neighbors, and personal habits. I'd ask unanimous consent to enter into the record a letter we received on June 16 from the Federal Law Enforcement Officers Association. I want to read part of it: Here are the concerns about the Office of Personnel Management data breaches, our demands of the government, and a list of questions that remain unanswered. They represent some 28,000 current and retired Federal law enforcement officers and special agents from over 65 different agencies. This is what they wrote: OPM turned its back on Federal law enforcement officers when they failed to protect sensitive information from an inexcusable breach. And OPM's delay and aloof response is a pathetic and irresponsible miscarriage of its obligations to affected Americans. 
The very lives of Federal law enforcement officers are now in danger, and their safety and security of innocent people, including their families, are now in jeopardy because of OPM's abysmal failure and its continued ignorance in the severity of the breach. The information lost includes personal, financial, and location information of these officers and their families, leaving them vulnerable to attack and retaliation for criminals and terrorists currently or formerly investigated by the United States of America.

Without objection, I will enter this into the record.

Chairman Chaffetz. OPM is currently attempting to overhaul its technical infrastructure but without a full understanding of the scope or the cost of the project. In fact, the agency kept the project from the inspector general for more than a year. The IG determined OPM's chief information officer, ``initiated this project without a complete understanding of the scope of OPM's existing technical infrastructure or the scale and cost of the effort required to migrate it to the new environment.'' Because of these concerns, the project is, quote, ``possibly making OPM environment less secure and increasing cost to taxpayers.''

The IG also raised questions about why OPM awarded a sole-source contract for this project without going through the process for full and complete competition.

In fact, I would like to enter into the record without objection, this is an article from the Washington Post. This is May 13, ``Defense Firm that Employed Drunk, High Contractors in Afghanistan May Have Wasted $135 Million in Taxpayer Dollars.''

Chairman Chaffetz. These are the recipients of a sole-source contract to try to help clean up this mess. They were formerly known as Jorge Scientific Corporation. They're now known as Imperatis Corporation. They have a good list of very impressive military personnel who are involved and engaged. Maybe this is the right decision.
But when it is a sole-source contract, it does beg a lot of questions. No doubt we need to move fast. But this organization has had a lot of problems in the past, and it begs a lot of questions.

In addition to a data security problem, we have a data management problem. It is unclear why so much background information related to security clearances was readily available on the OPM system to be hacked. It is unclear to me why there is a need for SF-86 background information--the SF-86 is the Standard Form 86. It's what the employees or prospective employees fill out. Why was this background information on the network if the applicant isn't currently being investigated?

Part of the reason we're in this mess and we have such a big mess on our hands is a lot of information and background checks that we're not even engaging in was still on the system. If information isn't accessible on the network, it can't be hacked. So if a security clearance isn't under investigation, wall off the data. It's a best practice that others use and probably should have been used in this situation as well. We have to do a better job of anticipating our adversaries and protecting information from unnecessary exposure.

One of the concerns is this legacy system that we're using is a COBOL. The language used is COBOL. I'd ask unanimous consent to enter into the record a Wall Street Journal article from April 22, 1963, ``COBOL Can Help Users Cut Costs When Changing Models; Government Spurs Progress.'' 1963. I wasn't even born yet. And that's the system that we're operating on in this day and age when technology is changing moment by moment, minute by minute. Without objection, I will enter that into the record.

Chairman Chaffetz. Yesterday, Ms. Archuleta stated that no one is personally responsible for the OPM data breach and instead blamed the hackers. Hackers certainly have a lot of culpability on their hands.
There's no doubt that there are nefarious actors that are going to be attacking the United States on a moment-by-moment basis. We literally take millions of hits on a daily basis. That's not new news. But I disagree that nobody is to be held personally responsible. Personal accountability is paramount. People have roles and responsibilities. They are charged with the fiduciary responsibility of carrying out those.

As the head of the agency, Ms. Archuleta is, in fact, statutorily responsible for the security of the OPM network and managing any risks. And while she may have inherited a lot of problems, she was called on by the President and confirmed by the Senate to protect the information maintained by OPM. During her confirmation in 2013, she stated that IT modernization would be one of her main priorities, yet it took a security breach in March of 2014, 5 months after the confirmation, to begin the process of developing a plan to fix the problem. That was just the beginning of the start to think about how to fix the problem. And yet the shift in blame is just inexcusable.

I really hope we hear solid answers. It's not going to be good enough to say: Oh, well, we'll get you that information. It's under investigation. There was a security--no. We're going to answer questions. Federal workforce, the people affected, they need to hear that. We're different. We're unique in this world because we are self-critical, and we do have hearings like this.

I would also ask unanimous consent to enter two letters into the record. One was the flash audit that was done, it was June 17 of this year, from Patrick McFarland, the inspector general. It's a flash audit, U.S. Office of Personnel Management Information Improvement Project. Without objection, I will enter that into the record.

Chairman Chaffetz. I will also ask unanimous consent to enter into the record the June 22 response by the Director of the Office of Personnel Management, Ms. Archuleta.
And I ask unanimous consent that it be entered into the record as well. Without objection, so ordered.

Chairman Chaffetz. We also have some contractors here, and we appreciate their participation. They have answers--or we have questions that need to be answered as well. We need their cooperation to figure this out. A lot of what was done by OPM was contracted out. And there are very legitimate questions in particular that Mr. Cummings and others have asked that--and that's why I'm pleased to have them invited and participating as well. So it will be a full and robust committee hearing. And we appreciate all the participation.

As I conclude, I would also say, without objection, the chair is authorized to declare a recess at any time. I should have said that--without objection, so ordered. I should have said that at the beginning.

Now, I'd like to recognize the distinguished ranking member, Mr. Cummings, for his opening statement.

Mr. Cummings. Thank you very much, Mr. Chairman. And this is a very important hearing. We're here today because foreign cyber spies are targeting millions of our Federal workers. OPM has made it clear that every month, there are 10 million efforts to pierce our cyberspace. These folks are hacking into our data system to get information about our employees, private information about them, their families, their friends, and all of their acquaintances. And they may try to use that information in their espionage efforts against United States' personnel and technologies.

Mr. Chairman, I want to start by thanking you. Last week, we held a hearing on cyber attacks against OPM. And this week, we have an opportunity to hear from OPM's two contractors that also suffered major data breaches, USIS and KeyPoint. Some people in your shoes might have merely criticized the agency without looking at the whole picture, but you agreed to my request to bring in the contractors. And you deserve credit for that, and I thank you.
On Monday night, I received a letter from USIS' representatives finally providing answers to questions I asked more than 7 months ago, Mr. Giannetta. Seven months ago. Seven months ago. Their letter disclosed that the breach at USIS affected not only DHS employees but our immigration agencies, our intelligence community, and even our police officers here on Capitol Hill. But it took them 7 months, the night before the hearing, to give me that information but not only to give me the information but Members of Congress that information. My immediate concern was for the employees at these agencies. And I hope that they were all alerted promptly. But there's no doubt in my mind that USIS officials never would have provided that information unless they were called here to testify today. So I thank you again, Mr. Chairman. I have some difficult questions for USIS. I want to know why this company paid millions of dollars in bonuses to its top executives after the Justice Department brought suit against the company for allegedly--allegedly--defrauding the American taxpayers of hundreds of millions of dollars. I can hardly wait for the answer. I want to know why USIS used these funds for bonuses instead of investing in adequate cybersecurity protections for highly sensitive information our Nation entrusted to it. Mr. Giannetta, I want to know if you as the chief information officer of USIS received one of those bonuses, and I'd love to know how much it was and what the justification for it was. I understand that you just returned from Italy. Welcome back. So this is probably the last place you want to be. I also understand you are leaving the company in a matter of weeks. But I want to know why USIS has refused for more than a year to provide answers to our questions about the board of directors of its parent company, Altegrity. Mr. Hess, I also have difficult questions for you, for KeyPoint. 
At last week's hearing, I said one of our most important questions was whether these cyber attackers were able to penetrate OPM's networks using information they obtained from one of its contractors. As I asked last week, did they get the keys to OPM's networks from its contractor?

Yesterday, Director Archuleta answered that question. Appearing before the Senate Appropriations Committee, she testified, ``The adversary leveraged a compromised KeyPoint user credential to gain access to OPM's network.'' So the weak link in this case was KeyPoint.

Mr. Hess, I want to know how this happened. I appreciate that OPM continues to have confidence in your company, but I also want to know why KeyPoint apparently did not have adequate logging capabilities to monitor the extent of data that was stolen. Why didn't you invest in these safeguards?

Mr. Chairman, to your credit, one of the first hearings you called after becoming chairman was on the risk of third-party contractors to our Nation's cybersecurity. At that hearing, on April 20, multiple experts explained that Federal agencies are only as strong as their weakest link. If contractors have inadequate safeguards, they place our government systems and our government workers at risk.

I understand that we have several individuals here sitting on the bench behind our panel of witnesses who may be called to answer questions if necessary: Mr. Job, who is the CIO of KeyPoint; and Mr. Ozment from the Department of Homeland Security. Thank you, Mr. Chairman, for allowing them to be here.

As we move forward, it is critical that we work together. We need to share information, recognize when outdated legacy systems need to be updated, and acknowledge positive steps when they do occur. Above all, we must recognize that our real enemies are outside of these walls. They are the foreign nation-states and other actors that are behind these devastating attacks.

And, with that, I yield back.

Chairman Chaffetz. Thank the gentleman.
I'll hold the record open for 5 legislative days for any members who would like to submit a written statement.

We're also pleased to have Representative Barbara Comstock, who is able to join us this morning. And I ask unanimous consent that our colleague from Virginia be allowed to fully participate in today's hearing. No objection. So ordered.

We now recognize the panel of witnesses. I'm pleased to welcome the Honorable Katherine Archuleta, Director of the Office of Personnel Management. We also have the Honorable Patrick McFarland, inspector general, the Office of Personnel Management; Ms. Donna Seymour, Chief Information Officer of the Office of Personnel Management; Ms. Ann Barron-DiCamillo--help me there, DiCamillo, just the way it's spelled--Director for the U.S. Computer Emergency Readiness Team at the United States Department of Homeland Security. Appreciate you being here. Mr. Eric Hess is the chief executive officer of KeyPoint Government Solutions. And Mr. Rob Giannetta is the chief information officer at USIS.

Pursuant to committee rules, all witnesses are to be sworn before they testify. So if you will please all rise and raise your right hands. Do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth, and nothing but the truth?

Thank you. Let the record reflect that all witnesses answered in the affirmative.

In order to allow time for discussion, please limit your verbal testimony to 5 minutes. And, obviously, your entire written record or written statement will be made part of the record.

We will start first with the Director of the Office of Personnel Management, Ms. Archuleta, first. You're now recognized for 5 minutes.

WITNESS STATEMENTS

STATEMENT OF THE HONORABLE KATHERINE ARCHULETA

Ms. Archuleta. Chairman Chaffetz, Ranking Member Cummings, and members of the committee, thank you for the opportunity to testify before you again today.
I understand and I share the concerns and the frustration of Federal employees and those affected by the intrusions into OPM's IT systems. Although OPM has taken significant steps to meet our responsibility to secure personnel data of those we serve, it is clear that OPM needs to dramatically accelerate those efforts. As I testified last week, I am committed to a full and complete investigation of these incidents. And we continue to move urgently to take action to mitigate the longstanding vulnerabilities of the agency's systems. In March of 2014, we released our strategic IT plan to modernize and secure OPM's aging legacy system. We began implementing the plan immediately. And in fiscal years 2014 and 2015, we directed nearly $70 million toward the implementation of new security controls to better protect our systems. OPM is also in the process of developing a new network infrastructure environment to improve the security of OPM infrastructure and IT systems. Once completed, OPM IT systems will be migrated into this new environment from its current legacy networks. Many of the improvements have been to address critical immediate needs, such as security vulnerabilities in our network. These upgrades include the installation of additional firewalls, restriction of remote access without two-factor authentication, continuous monitoring of all connections to ensure that only legitimate connections have access, and deploying antimalware software across the environment to protect and prevent the deployment or execution of cybercrime tools that could compromise our networks. These improvements led us to the discovery of the malicious activity that had occurred. And we were immediately able to share the information so that other agencies could protect their networks. I also want to discuss data encryption. OPM does currently utilize encryption when possible. 
I have been advised by security experts that encryption in this instance would not have prevented the theft of this data because the malicious actors were able to steal privileged user accounts and credentials and could decrypt the data. Our IT security team is actively building new systems with technology that will allow OPM not only to better identify intrusions but to encrypt even more of our data. In addition to new policies that were already implemented to centralize IT security duties under the CIO and to improve oversight of new major systems development, the IT plan recognized that further progress was needed. And the OIG's 2014 report credited OPM for progress in bolstering our security policies and our procedures and for committing critical resources to the effort. With regard to information security governance, the OIG noted that OPM had implemented significant positive changes and removed its designation as a material weakness. This was encouraging, as IT governance is a pillar of the strategic IT plan. Regarding the weaknesses found with authorization, the OIG has recommended that I consider shutting down 11 out of the 47 OPM IT systems because they did not have current and valid authorization. Shutting down systems would mean that retirees could not get paid and that new security clearances could not be issued. Of the systems raised in the 2014 audit, eleven of those systems were expired. Of those, one, a contractor system, is presently expired. All other systems raised in the 2014 audit have either been extended or provided a limited authorization. OPM is offering credit monitoring services and identity theft information with CSID for the approximately 4.2 million current and former Federal civilian employees. Our team is continuing to work with CSID to make the online signup experience quicker and to reduce call center wait times. They are expanding staffing and call center hours and increasing server capacity. 
I have taken steps to ensure that greater IT restrictions are in place, even for privileged users. That includes removing remote access for privileged users and requiring two-factor authentication. We're looking into further protections, such as tools that mask and redact data that would not be necessary for a privileged user to see. I want to share with this committee some new steps that I am taking. First, I will be hiring a new cybersecurity adviser that will report directly to me. This cybersecurity adviser will work with OPM CIO to manage ongoing response to the recent incidents, complete development of OPM's plan to mitigate future incidents, and assess whether long-term changes to OPM's IT architecture are needed to ensure that its assets are secure. This individual is expected to be serving by August 1. Second, to ensure that the agency is leveraging private sector best practices and expertise, I am reaching out to chief information security officers at leading private sector companies that experienced their own significant cybersecurity challenges. And I will host a meeting with these experts in the coming weeks to help identify further steps the agency can take. As you know, public and private sectors both face these challenges, and we should face them together. I would like to address now the confusion regarding the number of people affected by two recent related cyber incidents at OPM. First, it is my responsibility to provide as accurate information as I can to Congress, the public, and, more importantly, the affected individuals. Second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible. Third, we face challenges in analyzing the data due to the form of the records and the way they are stored. 
As such, I have deployed a dedicated team to undertake this time-consuming analysis and instructed them to work--make sure their work is accurate and completed as quickly as possible. As much as I want to have all the answers today, I do not want to be in a position of providing you or the affected individuals with potentially inaccurate data.

With these considerations in mind, I want to clarify some of the reports that have appeared in the press. Some press accounts have suggested that the number of affected individuals has expanded from 4 million individuals to 18 million individuals. Other press accounts have asserted that 4 million individuals have been affected in the personnel file incident, and 18 million individuals have been affected in the background investigation incident. Therefore, I am providing the status as we know it today and reaffirming my commitment to providing more information as soon as we know it.

First, the two kinds of data that I'm addressing, personnel records and background investigations, were affected in two different systems in the two recent incidents.

Second, the number of individuals with data compromised from the personnel records incident is approximately 4.2 million as reported on June 4. This number has not changed. And we have notified those individuals.

Third, as I have noted, we continue to analyze the background investigation data as rapidly as possible to best understand what was compromised. And we are not at a point where we are able to provide a more definitive report on this issue.

That said, I want to address the figure of 18 million individuals that has been cited in the press. It is my understanding that the 18 million refers to a preliminary, unverified, and approximate number of unique Social Security numbers in the background investigations data. It is a number that I am not comfortable with at this time because it does not represent the total number of affected individuals.
The Social Security number portion of the analysis is still under active review, and we do not have a more definitive number. Also, there may be an overlap between the individuals affected in the background incident and the personnel file incident. Additionally, we are working deliberately to determine if individuals who have not had their Social Security numbers compromised but may have other information exposed should be considered individuals affected by this incident.

For these reasons, I cannot yet provide a more definitive response on the number of individuals affected on the background investigation's data intrusion, and it may well increase from these initial reports. My team is conducting this further analysis with all due speed and care. And, again, I look forward to providing an accurate and complete response as soon as possible.

Thank you, Mr. Chairman, for this opportunity to testify today, and I'm happy to be here along with my CIO to address any questions you may have.

[Prepared statement of Ms. Archuleta follows:]

Chairman Chaffetz. Thank you. Mr. McFarland, you are now recognized for 5 minutes.

STATEMENT OF THE HONORABLE PATRICK E. MCFARLAND

Mr. McFarland. Chairman Chaffetz, Ranking Member Cummings, and members of the committee, good morning. My name is Patrick McFarland, and I am the inspector general of the U.S. Office of Personnel Management. Thank you for inviting me to testify at today's hearing. I would like to note that my colleague, Lewis Parker, the deputy assistant inspector general, is here with me. With your permission, he may assist in answering technical questions.

In 2014, OPM began a massive project to overhaul the agency's IT environment by building an entirely new infrastructure called the shell and migrating all of its systems to the shell from the existing infrastructure. Before I discuss the OIG's recent examination of this project, I would like to make one point.
There have been multiple statements made to the effect that this complete overhaul is necessary to address immediate security concerns because OPM's current legacy technology cannot be properly secured. This is not the case. There are many steps that can be taken or, indeed, which OPM has already taken to secure the agency's current IT environment. I just wanted to emphasize that while we agree that this overhaul is necessary, the urgency is not so great that the project cannot be managed in a controlled manner.

Last week, my office issued a flash audit alert discussing two significant issues related to this project. Because my written testimony describes these issues in detail, I will give only a summary for you this morning.

First, we have serious concerns with how the project is being implemented. OPM is not following proper IT project management procedures and does not know the true scope and cost of this project. The agency has not prepared a project charter, conducted a feasibility study, or identified all of the applications that will have to be moved from the existing IT infrastructure to the new shell environment. Further, the agency has not prepared the mandatory OMB Major IT Business Case, formerly known as Exhibit 300. This document is an important step in the planning of any large-scale IT project as it is the proper vehicle for seeking approval and funding from OMB. It is also a necessary process for enforcing proper project management techniques.

Because OPM has not conducted these very basic planning steps, it does not know the true cost of the project and cannot provide an accurate timeframe for completion. OPM has estimated that this project will cost $93 million. However, the amount only includes strengthening the agency's current IT security posture and the creation of a new shell environment. It does not include the cost of migrating all of OPM's almost 50 major IT systems and numerous subsystems to the shell.
This migration will be the most costly and complex phase of this project. Even if the $93 million figure were an accurate estimate, the agency does not have a dedicated funding stream for the project. Therefore, it is entirely possible that OPM could run out of funds before completion, leaving the agency's IT environment more vulnerable than it is now. OPM also has set what I believe to be an unrealistic timeframe for completion. The agency believes it will take approximately 18 to 24 months to migrate all of its systems to the shell. It is difficult to imagine how OPM will meet the goal when it does not have a comprehensive list of all the systems that need to be migrated. Further, this process is inherently difficult, and there are likely to be significant challenges ahead. The second major point discussed in the alert relates to the use of a sole-source contract. OPM has contracted with a single vendor to complete all four phases of this project. Unless there is a specific exception, Federal contracts must be subject to full and open competition. However, there is an exception for compelling and urgent situations. The first phase of this project, which involves securing OPM's IT environment, was indeed such a compelling and urgent situation. That phase addressed a crisis, namely the breaches that occurred last year. However, the later phases, such as migrating the applications to the new shell environment, are not as urgent. Instead, they involve work that is essentially a long-term capital investment. It may sound counterintuitive, but OPM should step back, complete its assessment of its current IT architecture and develop an OMB Major IT Business Case proposal. When OMB approval and funding have been secured, OPM should move forward with the project in a controlled manner using sound project management techniques. OPM cannot afford to have this project fail. I fully support OPM's effort to modernize its IT environment and the Director's long-term goals.
However, if it is not done correctly, the agency will be in a worse situation than it is today and millions of taxpayer dollars will have been wasted. I'm happy to answer any questions you may have. [Prepared statement of Mr. McFarland follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Chairman Chaffetz. Thank you. Ms. Seymour, was your statement with Ms. Archuleta, or do you have one yourself? Ms. Seymour. It was with the Director. Thank you, sir. Chairman Chaffetz. Okay. Very good. I would ask unanimous consent to enter into the record a letter that was given to us this morning from the Office of Personnel Management. It's dated today, signed by Ms. Archuleta, dealing with the number of records. Without objection, so ordered. We'll enter that into the record. Chairman Chaffetz. We'll now recognize Ms. Barron-DiCamillo for 5 minutes. STATEMENT OF ANN BARRON-DICAMILLO Ms. Barron-DiCamillo. Thank you. Chairman Chaffetz, Ranking Member Cummings, and members of the committee, good morning. My name is Ann Barron-DiCamillo. I appear here today to talk about the role that my organization, the United States Computer Emergency and Readiness Team, known as US-CERT, played in the recent breaches involving OPM. As stated by Ranking Member Cummings, Assistant Secretary Dr. Andy Ozment is also here with me to answer any questions. Like many Americans, I, too, am a victim of these incidents and concerned about the continued cyber incidents at numerous government and private sector entities. I am a career civil servant who has worked to improve the security of critical government and private sector networks for the past 13 years. I understand both the scope of the problem we face and the challenges in securing critical networks. Cybersecurity is a true team sport.
There are many different agencies responsible for aspects of cybersecurity, including members of the intelligence community, law enforcement, the Department of Homeland Security, as well as individual system owners, and individual end users as well. My organization within DHS, the US-CERT, is part of the National CyberSecurity and Communications Integration Center, also known as an NCCIC. US-CERT focuses on analyzing the evolving cyber risks, sharing information about threats and vulnerabilities, and responding to significant cyber incidents. We work with trusted partners around the world and focus on threats and incidents facing the government and critical private sector networks. In both cases, our role is largely voluntary. We build and rely upon trusted relationships to both share information and respond to incidents. When an entity believes that they have been a victim of a significant cyber incident, they often invite us to help them assess the scope of any intrusion as well as provide recommendations on how they can mitigate the incident and improve their security posture going forward. US-CERT's current involvement with OPM began in March of 2014, when we first learned that there was a potential compromise within the OPM networks. From March through May of 2014, US-CERT was part of an interagency response team that first assessed the scope of the malicious activity and then remediated that intrusion. Throughout that time, US-CERT shared information that we had learned about the intrusion with our governmental partners as well as private sector partners, so that they too could better protect themselves. We also created signatures so that our EINSTEIN systems could look for malicious activity at other Federal agencies. On May 28, 2014, the interagency response team concluded that the malicious actor in question from that event had been removed from the network. 
US-CERT also provided OPM with recommendations about what steps they could take to increase their own security. It is important to note that there is no silver bullet or magic solution to secure networks from a sophisticated actor. Most government agencies and their private sector counterparts are making up for years of underspending on security as part of information technology development. As many experts have noted, the Internet was designed with ease of use rather than security in mind. The status of OPM networks in May of 2014 was not unlike other similarly situated agencies. OPM did some things well and was weak in other areas. I understand that OPM had at the time, under its new leadership, just started an effort to improve its cybersecurity. The US-CERT incident report for OPM included several specific mitigation recommendations, some of which could be implemented fairly quickly and others of which would take longer. From what I observed, OPM made a concerted effort to adopt the US-CERT recommendations beginning last summer. Indeed, it was OPM who, in April of 2015, discovered the current intrusion on its own networks using one of the tools recommended by US-CERT. Based on the OPM discovery, US-CERT created new EINSTEIN signatures to look for similar intrusions at other agencies. This is how the malicious access to OPM data at the Department of Interior data center was discovered. This newly discovered threat information was also quickly shared by US-CERT with our private sector partners and other trusted partners around our communities. US-CERT and the interagency response team have been working with OPM since April of 2015 to assess the nature and scope of the incident. While the investigation is ongoing, there are a few things that I can share. We were able to use the EINSTEIN capabilities to detect the presence of malicious activity on the Department of the Interior data center, which houses the OPM personnel records.
Further onsite investigation revealed that some OPM personnel data was compromised and that at least some of that data had been exfiltrated from the Department of the Interior data center. This is the 4.2 million number that Director Archuleta has referenced today. As a result of what we learned from the April 2015 investigation, OPM continued to conduct forensic investigations into its own environment. In that process, OPM discovered evidence of an additional compromise on its own network. US-CERT then led another interagency response team to assess OPM's networks and, in early June, found that background investigation data had been exposed and possibly exfiltrated. Again, that's currently under investigation. We also learned at the time that OPM's ongoing efforts to implement two-factor authentication had precluded continued access by the intruder into the OPM network. This protective measure, like others instituted by OPM, may have mitigated any continued effects of the intrusion. The work of the interagency response team is ongoing, and we continue to assess the scope of the potential compromise. Although I am appearing today ready to provide information to this committee, I do so with some concern. As I mentioned, US-CERT relies on voluntary cooperation from agencies and private entities who believe that they may be victims of malicious activity. I worry that US-CERT appearing before this committee will have a chilling effect on their willingness to notify us, the whole of government, of future incidents. We especially need private companies to continue to work with government and to share information about cyber threats and incidents so that, through greater shared awareness, we can all be more secure from those who seek to do us harm. Thank you, and I look forward to your questions. Chairman Chaffetz. Thank you. Mr. Hess, you are now recognized for 5 minutes. STATEMENT OF ERIC A. HESS Mr. Hess.
Thank you, Chairman Chaffetz, Ranking Member Cummings, and members of the committee. My name is Eric Hess. I am president and chief executive officer of KeyPoint Government Solutions. Since 2004, KeyPoint has provided fieldwork services for background investigations to a number of Federal agencies, including the Office of Personnel Management. KeyPoint, which employs investigators in every State, is proud to be part of OPM's team helping to ensure that the security clearance investigations it conducts are thorough, detailed, and consistent. KeyPoint takes issues of cybersecurity very seriously. And as a contractor providing critical services across the Federal Government, we stand in partnership with the Federal Government in trying to combat ever-present and ever-changing cyber threats. KeyPoint is committed to ensuring the highest levels of protection for the sensitive information with which we are entrusted. The recently announced breach at OPM is the focus of this hearing. With that in mind, I would like to make clear that we see no evidence suggesting KeyPoint was in any way responsible for the OPM breach. There have been some recent media reports suggesting that the incursion into OPM's systems last year is what facilitated the recently announced OPM breach. There is absolutely no evidence that KeyPoint was responsible for that breach. The press have also reported that the hackers stole OPM credentials assigned to a KeyPoint employee and leveraged them to access OPM systems. As Director Archuleta noted at the Senate hearing yesterday, there was no evidence suggesting that KeyPoint is responsible for or directly involved with the incursion. To be clear, the employee was working on an OPM system, not a KeyPoint system. Now, I know that, during this hearing, the incursion into a KeyPoint system that was discovered last September will also be discussed.
Before going into more detail, I would like to note that KeyPoint has continuously maintained its authority to operate, or ATO, from OPM and DHS. This means that we met the stringent information security requirements imposed under our Federal contracts. KeyPoint only maintains personal information that is required under our contractual obligations. However, we, like government agencies, face aggressive, well-funded, and ever-evolving threats that require us to exceed the current FISMA requirements in order to protect the sensitive information in our charge. Let me say a few words about the earlier incursion at KeyPoint. In December of 2014, the Washington Post reported that OPM had announced it would notify over 48,000 Federal workers that their personal information may have been exposed as a result of an incursion into KeyPoint systems. I emphasize the word ``may'' because in the report, after the extensive analysis of the incursion, we found no evidence of exfiltration of sensitive personal data. Last August, following public reports of a data security breach at another Federal contractor providing background checks, OPM Chief Information Officer Donna Seymour asked KeyPoint to invite the United States Computer Emergency Readiness Team, or US-CERT, to test KeyPoint's network, and KeyPoint agreed. The team from the Department of Homeland Security National Cybersecurity Assessment and Technical Services conducted a risk and vulnerability assessment. The NCATS team conducted full network and application vulnerability tests of KeyPoint systems, including network mapping and internal and external penetration testing. The NCATS team provided a number of findings at the end of the engagement, which were resolved while the team was on site, as well as recommendations for the future. Ultimately, while the NCATS team found issues, they were resolved, and the team found no malware on KeyPoint systems.
However, then in September, the US-CERT Hunt team informed KeyPoint that it had found indications of sophisticated malware, undetectable by commercial antivirus, on two computers. The US-CERT team provided KeyPoint with mitigation recommendations to remove the malware from our environment and other recommendations for hardening its network to prevent and defeat future compromises. KeyPoint acted quickly and immediately began implementing the recommendations. KeyPoint conducted an internal investigation of the data security issues identified by US-CERT and concluded that the malware in question was not functioning correctly, potentially caused by errors made during its installation on KeyPoint systems. Again, neither US-CERT's investigation nor ours found any evidence of exfiltration of personally identifiable information. I recently attended a classified briefing at OPM where I learned more about the OPM breach. In this open setting, I cannot go into details that were presented in that briefing. However, I can reiterate that we have seen no evidence of a connection between the incursion at KeyPoint and the OPM breach that's the subject of this hearing. That said, we are always striving to ensure KeyPoint's cyber defenses are as strong as possible, and we welcome US-CERT's recommendations for strengthening the security of our systems. We've also been working closely with OPM and CBP to improve our information security posture in light of the new advanced persistent threats. OPM presented us with a 90-day network hardening plan. We completed it. We have been working diligently to make our systems more resilient and stronger by implementing the US-CERT recommendations. And a number of the most significant improvements we put into place are full deployment of multifactor authentication; Security Information and Event Management; enhanced intrusion detection systems; NetFlow and packet capture network information; improved network segmentation; and many more.
Additionally, we've been working with all of our customers to update our ATOs. This process includes an audit from a third-party independent 3PAO assessor. In closing, cybersecurity is vital to KeyPoint's mission, and we will continue to fortify the protections of our systems. Our adversaries are constantly working to create new methods of attack against our systems, and we must constantly work to meet and deter those attacks. While it may be impossible to ever truly eliminate the threat of cyber attack, we will continue to evaluate our protections and ensure that they reflect the most current best practices. I want to thank the committee for drawing attention to this critical issue and for allowing KeyPoint to share its perspective with the committee today. I look forward to your questions. [Prepared statement of Mr. Hess follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Chairman Chaffetz. Thank you for your testimony. Mr. Giannetta, we will now recognize you for 5 minutes. STATEMENT OF ROB GIANNETTA Mr. Giannetta. Thank you. Good morning, Mr. Chairman, Ranking Member Cummings, and members of the committee. My name is Robert Giannetta, and I'm currently the chief information officer at US Investigations Services, LLC, which is often referred to as USIS. I joined USIS as the CIO in August 2013. Before then, I was with BAE Systems, Nextel, and Verizon. I also served in the United States Navy. Until August 2014, USIS performed background investigation work for the United States Office of Personnel Management. When I started working at USIS, the information technology systems it used to perform OPM background investigation work were operating under two security certifications, known as authorities to operate, which were issued by OPM in 2012. Those authorities to operate required annual review of USIS systems. OPM's 2014 review included approval of USIS system security plans and a site visit in May of 2014.
In June 2014, USIS self-detected a cyber attack on its information technology systems. USIS immediately notified OPM and initiated a comprehensive response plan pursuant to USIS' written OPM-approved incident response plan. USIS' response included retaining the highly regarded independent forensics investigations firm Stroz Friedberg to lead the investigation and remediation efforts. USIS instructed Stroz Friedberg to leave no stone unturned in their investigation. USIS invested thousands of person hours and millions of dollars to investigate and remediate against the attack. By early June 2014, those efforts succeeded in blocking and containing the attacker. The Stroz investigation was also able to develop significant technical details about how the attack occurred, what the attacker did within the USIS systems, and which systems and data were potentially compromised. All of this information was openly shared with OPM as well as other government agencies. In addition, USIS invited US-CERT and other government investigators into its facilities in late July 2014 and gave them full access to USIS systems. In August 2014, OPM issued a stop-work order to USIS and subsequently terminated its longstanding contractual relationship with the company. This led USIS to exit the background investigation business and ultimately to bankruptcy. Just yesterday, I was invited to appear to testify before the committee. I'll do my best to answer any questions you may have. Thank you. [Prepared statement of Mr. Giannetta follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Chairman Chaffetz. Thank you. I now recognize myself. Ms. Archuleta, you have personal identifiable information for how many Federal employees and retirees? Ms. Archuleta. We have---- Chairman Chaffetz. Move your microphone closer, please. Ms. Archuleta. We have 2.7 individuals who were full-time employees and 2.4 who are---- Chairman Chaffetz. 
No, I asked you how many--you have personally identifiable information for how many Federal employees and retirees? Ms. Archuleta. The number I just gave you includes the number of employees and retirees. And personally identifiable information within those files depends on whether they've had a background investigation or whether their personnel file---- Chairman Chaffetz. How many records do you have? This is what I'm trying to get at. Ms. Archuleta. I'll ask Ms. Seymour. Chairman Chaffetz. No, I want you. Come on, you're the head of this agency. I'm asking you, how many records are at play here? Ms. Archuleta. I'll get back to you with that number, sir. Chairman Chaffetz. No, no. Let me read to you what you wrote on February 2 of this year. This is to the Appropriations chairmen, both in the House and the Senate. You wrote: As a proprietor of sensitive data, including personally identifiable information for 32 million Federal employees and retirees, OPM has an obligation to maintain contemporary and robust cybersecurity controls. You wrote that in February. Are you here to tell me that that information is all safe, or is it potentially 32 million records that are at play here? Ms. Archuleta. As I mentioned to you earlier in my testimony, Mr. Chairman, we're reviewing the number and the scope of the breach and the impact to all of the records. Chairman Chaffetz. So it could be as high as 32 million. Is that right? Ms. Archuleta. As I mentioned to you, I will not give a number that is not completely accurate. And as I mentioned in my testimony today, I will get back to you as soon as---- Chairman Chaffetz. I'm asking you for a range. I don't need a specific number. We know it's a minimum of 4.2 million, but it could be as high as 32 million? Ms. Archuleta. I'm not going to give you a number that I am not sure of. Chairman Chaffetz. And when they fill out the SF-86, that would include other people that are identified within those forms, correct? Ms. Archuleta. 
That's correct, sir. Chairman Chaffetz. Do we know, on average, how many people are identified--if you fill out an SF-86, what's the average number of people that are identified within those records? Ms. Archuleta. I don't believe anyone has calculated an average---- Chairman Chaffetz. Are you working on that? Ms. Archuleta. As I mentioned in my testimony, each--my team---- Chairman Chaffetz. I'm asking you if you will take a sampling of records and understand how many other people are identified in those records. If you have 32 million employees and former employees in your database and they are also identifying other individuals, I would like to know, on average, how many people that is? Is that fair? Ms. Archuleta. We're not calculating on average. We're calculating on a very distinct and accurate number. We're not going to make estimates. Chairman Chaffetz. A distinct and accurate number. When you asked for $32 million more in your budget request, it was because you had 32 million Federal employees identified and former employees. Correct? Ms. Archuleta. That--the number of employees that we have, yes. We're asking for support. We're asking for support for our cybersecurity---- Chairman Chaffetz. Ms. Seymour, do you have a complete inventory of servers, database, network, devices, and people that have access to that information? Do you have the complete inventory of that? Ms. Seymour. We have as complete an inventory as we can have, sir. That changes on a daily basis. We have run scans on our network---- Chairman Chaffetz. Changes on a daily basis. You either have it or you don't. You don't have it, do you? Ms. Seymour. We have an inventory of all of our---- Chairman Chaffetz. Is it 100 percent complete? Ms. Seymour. We believe that it is complete today. Chairman Chaffetz. But the IG says that it's not complete. Mr. McFarland says that it's not complete. Ms. Seymour. His IG report was done in 2014. We've made significant progress in our IT program since then. 
We have tools on our network that scan our network for databases, so we know where those are, and we know the PII in them. Chairman Chaffetz. To the members of the committee here, we have to move quickly, but I think just having an inventory of what's at play here is key. And the inspector general does not believe you when you say that. Ms. Archuleta, in March of 2014, OPM became aware of an attack on its computer networks. I would highlight and I'll ask unanimous consent to enter into the record--without objection, so ordered--``Chinese Hackers Pursue Key Data on U.S. Workers.'' This is dated July 9 of 2014. Chairman Chaffetz. As it relates to this attack, Ms. Archuleta, did it result in a breach of security? Ms. Archuleta. The March 24---- Chairman Chaffetz. Your microphone. Ms. Archuleta. On the March 2014 OPM network, the adversary activity that dated to that number was no PII was lost. Chairman Chaffetz. I asked if there was a breach in security. Ms. Archuleta. On March 24, there was adversarial activity that dated back to November of 2013. And with the forensics of that information, we found that no PII was lost. Chairman Chaffetz. I am asking you a broader question. So did they have access to the PII, the personal identification information? Did they have access to it? Ms. Archuleta. You would have to ask forensic teams. I am not a forensic expert. But we have the forensic team right here with us on this panel. Chairman Chaffetz. In your perception, from your understanding, did they have access to the personal information? Ms. Archuleta. We know that there is adversarial activity that dated back to November 2013. I also know that no PII was lost. Chairman Chaffetz. No. That's a different question. The question I asked is, did they have access? Whether they exfiltrated it is a different question. I am asking if they had access. And I believe the answer is yes, isn't it? Ms. Archuleta. That's what I've said to you, sir, that there was adversarial activity. 
Chairman Chaffetz. So they had access to that information. Ms. Archuleta. There was adversarial access, activity. Chairman Chaffetz. Yes. Did it result in a breach of security, in your opinion? Is that a breach of security? Ms. Archuleta. That's a breach of our systems, yes. Chairman Chaffetz. Is that a breach of your security? Ms. Archuleta. With the security systems, yes. Chairman Chaffetz. So, yes, it was a breach of security, yes? Ms. Archuleta. They were able to enter our systems. The security tools that we had in place at that time were not sufficient to fight back, and we have since instituted more. And that is why, in April of this year, we were able to---- Chairman Chaffetz. Okay. But at the time--at the time--it was a breach of security, right? Ms. Archuleta. Yes, there was a breach into our system. Chairman Chaffetz. Was there any information lost? Ms. Archuleta. As I have just said to you, there was no PII lost. Chairman Chaffetz. That's not what I asked you. I asked, did you lose any information? Ms. Archuleta. You would have to ask the forensic team. Chairman Chaffetz. I am asking you if any information was lost. Ms. Archuleta. I will get back to you with that answer, sir. Chairman Chaffetz. I believe you know the answer to this question. Ms. Archuleta. You believe I know the answer to this question? Chairman Chaffetz. Yes. Did they take any information when they hacked into the computers? Ms. Archuleta. I have been advised by my CIO and our forensic team that no PII was lost. Chairman Chaffetz. That's not what I asked you. We will take as long as you want here. I did not ask if they just exfiltrated PII. I am asking you, did they take any other information? Ms. Archuleta. I will get back to you. Chairman Chaffetz. I know you know the answer to this question. Ms. Seymour, did they take any other information? Ms. Seymour. In the March 2014 incident, the adversaries did not have access to data on our network. 
They did have access to some documents, and they did take some documents from the network. Chairman Chaffetz. What were those documents? Ms. Seymour. Those documents were some outdated security documents about our systems and some manuals about our systems. Chairman Chaffetz. What kind of manuals? Ms. Seymour. Manuals about the servers and the environment. Chairman Chaffetz. Is it fair to say--is that like a blueprint for the system? Ms. Seymour. It would be fair to say that that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. Chairman Chaffetz. Did they take any personnel manuals? Ms. Seymour. No, sir, they did not take---- Chairman Chaffetz. But they---- Ms. Seymour. They took some manuals about the way that we do business. They didn't take personnel manuals. I am not--we may be not defining that the same way. Chairman Chaffetz. But they did take information. Ms. Seymour. Yes, sir, they did. Chairman Chaffetz. Do you believe it was a breach of security? Ms. Seymour. Yes, sir, I do. Chairman Chaffetz. So, Ms. Archuleta, when we rewind the tape and look at the WJLA-TV interview that you did on July 21, you said: Again, we did not have a breach in security. There was no information that was lost. That was false, wasn't it? Ms. Archuleta. I was referring to PII. Chairman Chaffetz. No, you weren't. That wasn't the question. That was not the question. You said, ``There was no information that was lost.'' Is that accurate or inaccurate? Ms. Archuleta. The understanding that I had of that question at that time referred to PII. Chairman Chaffetz. It was misleading. It was a lie, and it wasn't true. And when this plays out, we are going to find that this was the step that allowed them to come back and why we are in this mess today. It was not dealt with. 
You were misleading when you went on television and told all the employees, all these Federal employees watching local television: Don't worry, there is no information lost. Did they have access to personnel information, Ms. Seymour? Ms. Seymour. No, sir, at that time, they did not have access to personnel information. Chairman Chaffetz. They may not have exfiltrated it, but did they have access to it? Could they look at it? Ms. Seymour. No, sir, at that time, they did not have access to personnel information. Chairman Chaffetz. We will explore that more. Thank the indulgence of the committee. Now recognize Mr. Cummings. Mr. Cummings. Mr. Giannetta, I will get to you in a minute. But I want to talk to you, Mr. McFarland. And I want you to hear me very carefully, listen to me carefully. There have been, after our last hearing on this subject, members on both sides have wanted to ask for Ms. Archuleta's resignation. And I asked that we not do that, but we have this hearing so we could clear up some things and because I wanted to make sure we were all hearing right, and we are being fair. This is my question. You have one opinion, and Ms. Archuleta, Director Archuleta, and Ms. Seymour have another opinion. You seem to say they need to do certain things in a certain order. They say they think the order that they are doing them in is fine. They say they can do certain things in a short time. You say it's going to take longer. You also say that they don't have the necessary stream of funding that they may need. This is what I want to know. Is this a difference of opinion with regard to experts? You understand what I am saying? You have your set of experts; they have their set. Is it a difference? Do you deem it a difference of opinion? The reason why I mention from the very beginning about the desire of certain members of our committee to ask for Ms. 
Archuleta's dismissal is because I want you to understand how significant that answer is because there are some members who believe that you have made recommendations and that those recommendations have been simply disregarded. And so can you help us with that, Mr. McFarland? Do you understand my question? You look confused. Don't be confused. Mr. McFarland. I always look that way. Mr. Cummings. Oh, good. You always look that way. Okay. Go ahead. Mr. McFarland. I am not confused, no, but it is a difficult question. Mr. Cummings. But it's a very important question. Mr. McFarland. Yes, absolutely. Well, of course, it's a difference of opinion. But the opinion that I have comes from auditors who are trained to look for the things that they reported on. And they did, in my estimation, as normal and usual, an excellent job. And they stand behind their findings. And I stand behind their findings. Mr. Cummings. But is this a difference of opinion? Mr. McFarland. Well, it's obviously a difference of opinion. But I think, without question, from my perspective, ours is based on auditing and questioning and understanding of the situation. And that's where we come up with our answer. Mr. Cummings. Let me ask you this. You heard Ms. Archuleta give a whole list of things that she is doing or about to do, I think naming a new cyber officer and whatever. Does that satisfy you as far as your concerns are involved? Mr. McFarland. Well, no, it doesn't satisfy me as far as our concerns. We have a whole suitcase of concerns that we have identified in our reports. I think that the best way to explain or answer that question is that we are, I guess, very frustrated that we ask answers of OPM, and it takes a long time to get the answers. We ask definitive questions, and we don't necessarily get definitive answers. We know for a fact that the things that we have reported are factual. We don't take a back seat to that at all. Our people have done this for a long time. 
They know what they are doing. But, yes, it comes out to a difference of opinion, but ours is based on fact. I can't speak for the other side.
Mr. Cummings. All right. Mr. Giannetta, your company, USIS, and its parent company, Altegrity, have a lot to answer. According to the Justice Department, USIS perpetrated a multimillion dollar fraud, orchestrated at the highest levels of the company. USIS failed to protect sensitive information of tens of thousands of Federal employees, including people in the intelligence community and even the Capitol Police. And Altegrity doled out millions of dollars of bonuses to top executives during the fraud and after the data breach. I want to question you about USIS and Altegrity's pattern of refusing to cooperate with this committee and our requests for information. Last week, the committee invited Altegrity's chairman to testify. Do you know what he said?
Mr. Giannetta. I do not.
Mr. Cummings. I will tell you. He said no. He refused. In 2014, a team from the Department of Homeland Security asked Altegrity if they could scan the networks of Altegrity's other subsidiaries because the cyber spies were able to move from USIS to those other subsidiaries. Mr. Giannetta, do you know how Altegrity responded?
Mr. Giannetta. I understand they declined the request.
Mr. Cummings. Yeah, that's right. They refused. They would not allow DHS to examine the other Altegrity subsidiaries. Mr. Giannetta, Altegrity is your parent company at USIS. Who at Altegrity made the decision to refuse the government's requests?
Mr. Giannetta. I don't have that information. I am not aware who made that decision. It certainly wasn't me.
Mr. Cummings. Well, can you find out for us?
Mr. Giannetta. I can ask.
Mr. Cummings. How soon can we get that information?
Mr. Giannetta. I will take it back to counsel and see what we can do.
Mr. Cummings. I will just ask you get it to us within the next 24 hours. I would like to have that.
We have been trying to get it for a long time. I would like you to tell the committee the names of the specific members of the board who made the decision. All right?
Mr. Giannetta. Sir, I am the chief information officer at USIS. I interact almost never with the board of directors. I don't know----
Mr. Cummings. Mr. Giannetta, you are about as close--we have been trying to get this information for a while. You are all we got. I know you are just back from vacation from Italy. Did you get a bonus, by the way?
Mr. Giannetta. I did.
Mr. Cummings. Oh, my goodness. How much did you get?
Mr. Giannetta. I don't recall the exact amount.
Mr. Cummings. You can tell me.
Mr. Giannetta. It was in the neighborhood of $95,000.
Mr. Cummings. All right. Your company also refused to provide answers to questions that I asked at a hearing in February 2014 and again by committee letter, dated March 18, 2014. Mr. Giannetta, do you know what your company representatives said when the committee attempted to get these answers?
Mr. Giannetta. I am not in that communication chain, so I don't.
Mr. Cummings. Let me tell you. They sent an email to our committee staff, and Altegrity's attorney wrote, ``The company does not anticipate making a further response.'' Would you know why they would say that?
Mr. Giannetta. Again, I am the chief information officer at USIS. I really don't know.
Mr. Cummings. It sounds pretty arrogant to me. So let me ask you right now the same question I asked back in February of 2014, more than 16 months ago. Name the members of Altegrity's board of directors who decided not to answer those questions. You wouldn't know that either.
Mr. Giannetta. I don't know the board of directors. I know the chairman's name is Steve Alesio. I don't know anybody else at the board. I apologize.
Mr. Cummings. So you are still working for USIS. Is that right?
Mr. Giannetta. That's correct.
Mr. Cummings. How long will you be there?
Mr. Giannetta. Indeterminate, but within the next month or so, I will be departing.
Mr. Cummings. And will you try to get me those names?
Mr. Giannetta. I will certainly take your request back to the appropriate people.
Mr. Cummings. All right. Thank you very much, Mr. Chairman.
Chairman Chaffetz. I will now recognize the gentleman from Florida, Mr. Mica.
Mr. Mica. Thank you, Mr. Chairman. And, Ms. Archuleta, there has been a discussion today about how many people's--Federal employees' and retirees'--records have been breached. And you testified at the beginning you estimated about 2.4 million. Was that correct?
Ms. Archuleta. No, in the personnel records, it was 4.2. And we haven't given an estimate for the second incident.
Mr. Mica. 4.2 in personnel. Because half of that is retirees, is that 2.4, and then you add the other balance?
Ms. Archuleta. I don't know the exact percentage, but it's about half and half.
Mr. Mica. Okay. Then the second figure you started to debate a bit about was 18 million, which has been reported by the media, but--and that would deal with breach of Social Security numbers?
Ms. Archuleta. The analysis right now is taking a look at all the PII because PII comes in various forms. It could be a Social Security number.
Mr. Mica. But you are not prepared to tell us how many of the Social Security numbers are breached.
Ms. Archuleta. No, sir.
Mr. Mica. And then the chairman pointed out your statement, I guess it was in February, that you had, say, over 32 million records.
Ms. Archuleta. That was a number he used, yes.
Mr. Mica. You really don't know then how many records have been breached beyond the 4.2?
Ms. Archuleta. No, sir. That's the investigation we are doing right now.
Mr. Mica. You know, I thought about this a little bit. And I thought, well, first thing, were my records breached, my staff, and others? And then I was thinking of people downtown that work in the agencies.
And we have an important responsibility to protect the information, their personal information. Over the weekend, in fact Monday, I spent at one of our embassies overseas being briefed all morning on a bunch of issues. And brought to my attention by some of the people serving in some sensitive positions were that they were notified by you all of a breach of their records. So our overseas personnel in sensitive positions have also been subject to this breach. Is that correct?
Ms. Archuleta. Employee personnel records on current employees who have records at OPM have been----
Mr. Mica. How much data? Is their address? But there is personal information about these individuals. You know, you think a little bit about people down in the glass places here, you want everyone safe. I was absolutely stunned to find out that some of the people, United States citizens serving overseas, were notified that their personnel records have been breached, and information is available on them, and they are in possible situations that could be compromised by that information. But you have notified them, right?
Ms. Archuleta. We have notified the 4.2 million people.
Mr. Mica. Those are the people. They mentioned this to me. I was there on other subjects but expressed concern.
Ms. Archuleta. And I am as concerned as you are, sir, about this because these are the individuals who have been--whose data has been taken by these attackers. I am as concerned as you are.
Mr. Mica. These people are on the front lines overseas, and they are representing us. And I could hear concern in their voice about what's been--what has taken place. I read--is it Chinese hackers? Does anyone know? Was it Chinese? Do we know for sure? Do you know for sure?
Ms. Archuleta. That's classified information, sir.
Mr. Mica. So you have some idea, but it's classified?
Ms. Archuleta. That's classified information. I can't comment. I would be glad to in another----
Mr. Mica. Okay.
Now whether it's Chinese or some group that could give this information to people who would want to do harm, that means some of those people to me are at risk.
Ms. Archuleta. Sir, every employee is important to me, not whether they are serving in Kansas City or they are serving overseas. Every employee is important to me.
Mr. Mica. Yesterday morning before I left, I visited a site of a terrorist act in one of the capitals. And I saw that--well, that place still hasn't been opened, and it has been months since that terrorist attack. And our people are over there on the front lines and their information has been compromised. Now, you have been there the longest, Ms. Barron-DiCamillo, is that the truth? I mean, since about 2012, is it?
Ms. Barron-DiCamillo. I am sorry, what was----
Mr. Mica. You have been in position since 2012 at OPM?
Ms. Barron-DiCamillo. No, I work for Department of Homeland Security.
Mr. Mica. Homeland Security, I am sorry, but you are responsible overseeing OPM's----
Ms. Barron-DiCamillo. So DHS has a shared responsibility for cybersecurity. We are partnering with departments and agencies to ensure the cybersecurity of the dot-gov and working with critical infrastructure partners. And we work with them protecting at the boundaries as well as----
Mr. Mica. When did we first find out about this breach?
Ms. Barron-DiCamillo. It was notified by a third-party partner to us----
Mr. Mica. When? What date?
Ms. Barron-DiCamillo. --in March of 2014.
Mr. Mica. 2014. So when you came on, Ms. Seymour, about 2014?
Ms. Seymour. I came on board in December of 2013, sir.
Mr. Mica. 2013, so you were there. They talked about his bonus. Finally, are you SES?
Ms. Seymour. Yes, sir, I am.
Mr. Mica. Did you get a bonus too?
Ms. Seymour. Yes, sir, I did.
Mr. Mica. How much?
Ms. Seymour. I do not know the exact amount, but I believe it was about $7,000.
Mr. Mica. Okay. So whether you were private or public, people were getting bonuses while some of this was going on.
Thank you, Mr. Chairman.
Chairman Chaffetz. I thank the gentleman. I now recognize the gentlewoman from New York, Mrs. Maloney, for 5 minutes.
Mrs. Maloney. Thank you. I am trying to get this straight. OPM was breached directly. Is that correct? And I am going to ask Ms. Seymour, the information officer. OPM was breached twice directly. Is that correct?
Ms. Seymour. Yes, ma'am, that's correct.
Mrs. Maloney. And one was in--one occurred in December of 2014, detected in April 2015. And then the security breach--when were the two breaches? When were the two breaches? The dates?
Ms. Seymour. The first OPM breach goes back to we discovered it in March of 2014, and the breach actually--the breach actually occurred in----
Mrs. Maloney. You discovered it in March 2014?
Ms. Seymour. Yes, ma'am. And the breach actually occurred, the adversary had access back to November of 2013.
Mrs. Maloney. November 2013. Okay. And then the second breach was when? There were two breaches, correct?
Ms. Seymour. That is correct, ma'am. The second breach we discovered in April of 2015, and the date that that breach goes back to is October of 2014--I am sorry, June of 2014.
Mrs. Maloney. June of 2014.
Ms. Seymour. Yeah.
Mrs. Maloney. Who discovered this breach? How did OPM discover this breach?
Ms. Seymour. The first breach we were alerted by DHS.
Mrs. Maloney. So you did not discover it. The Department of Homeland Security discovered it?
Ms. Seymour. The first breach in March of 2014----
Mrs. Maloney. In 2014. Wait a minute. I think this is important. Homeland Security discovered it.
Ms. Seymour. Yes, ma'am.
Mrs. Maloney. Okay. And then the second one, who discovered it?
Ms. Seymour. OPM discovered it on its own in April of 2015. By then, we had put significant security measures in our network.
Mrs. Maloney. Now, when did you report these breaches, and who did you report them to?
Ms. Seymour. On April 15, when we discovered the most recent breach, we reported that to US-CERT and to----
Mrs. Maloney. Who?
Ms. Seymour. The Computer Emergency and Readiness Team, DHS.
Mrs. Maloney. You did it to DHS. Did you report it to Congress?
Ms. Seymour. We also reported it to the FBI, and then we made our FISMA-required notification to Congress as well.
Mrs. Maloney. Okay. That was the April 15 one. What about the first one?
Ms. Seymour. For the first breach, and again DHS notified us of that activity in our network. And so they already knew about that one. And yes, ma'am, we made notifications to Congress of that one as well.
Mrs. Maloney. When?
Ms. Seymour. I am sorry, ma'am, I don't have that date in my notes. I would be happy to get you a response.
Mrs. Maloney. Would you please get that back to the committee for us? Did you notify the contractors of the breach?
Ms. Seymour. At the first breach, there was not an awareness of that--of what the adversaries were targeting and that this may go beyond OPM. I know that our staffs, my staff, my security staff had conversations with the security staffs at the contractor organizations. I also know that the indicators of compromise that DHS had were provided to other government organizations, were put into EINSTEIN, as well as they have communications that they would normally----
Mrs. Maloney. But the breaches were direct. Now, I want to understand the interaction with the contractors. Now, when they breached you, did it go into OPM? I am asking both Mr. Hess and Mr. Giannetta. When they went into your system, did that connect into OPM, or was it held in your system?
Mr. Giannetta. In our intrusion in June of 2014, it was within our systems.
Mrs. Maloney. So it was within your system. So the 4 million identities that they have and information they have, it came from OPM, or it came from the contractors? Are they one and the same, or are they separate? And I will go back to Ms. Seymour.
Ms. Seymour. No, ma'am, these are separate incidents.
So with the breach at USIS, the way that OPM does business with its contractors is different from the way other agencies may do business with both KeyPoint and with USIS. And so there were approximately 49,000, I believe it was, individuals who we notified based on the KeyPoint incident. There were other agencies who made notifications both on the USIS--based on the USIS and the KeyPoint incidents. The 4.2 number that you are getting to, ma'am, is about the personnel records that are the incident at OPM.
Mrs. Maloney. What I would like to get in writing is exactly what information came out of OPM, what information came out of the contractors. Is it the one and the same? You are the final database. So I want to understand the connection and how the breaches occurred and how they interconnected. If you could get it back to Chairman Chaffetz, I think it is important information.
Chairman Chaffetz. Thank you. Thank the gentlewoman. Now recognize the gentleman from Ohio, Mr. Turner, for 5 minutes.
Mr. Turner. Thank you, Mr. Chairman. Ms. Archuleta and Ms. Seymour, I just want to remind you that you are under oath. And I have a series of questions that follow on to Chairman Maloney's questions. It was reported in the Wall Street Journal that a company named CyTech has related that they were involved in discovering the breach that apparently has been, according to this article, linked to Chinese hackers. OPM's press secretary said the assertion that CyTech was somehow responsible for the discovery of the intrusion into OPM's network during a product demonstration is inaccurate. CyTech related that they were invited in by OPM, that they--Ms. Seymour? Ms. Seymour, could I have your attention? That they were invited in by OPM and that their equipment was run on OPM and that their equipment indicated that there had been an intrusion of your system, that they notified you. But your response officially from OPM is that it's inaccurate, that they were not involved. Ms. Archuleta, I believe you were asked this question previously, were you not, and you said that they were not involved? I remind you both that you are under oath. Anybody want to change their answer? Was CyTech involved in the discovery of this data breach? Ms. Archuleta?
Ms. Archuleta. No, they were not.
Mr. Turner. Ms. Seymour?
Ms. Seymour. No, sir, they were not.
Mr. Turner. Okay. Now, reminding you again you are under oath, was CyTech ever brought in to run a scan on OPM's equipment?
Ms. Seymour. CyTech was engaged with OPM, and we had--we were looking at using their tool in our network. We gave them--it is my understanding that we gave them some information to demonstrate whether their tool would find information on our network, and that--in doing so, they did indeed find those indicators on our network.
Mr. Turner. Great. Well, thanks, Ms. Seymour. Because I sit on the Intelligence Committee. And CyTech Services president and CEO, Ben Cotton, and his vice president of technology development, John Irvine, came in and briefed the Intelligence Committee staff. And they relate that they were given access to your system, ran their processes, and their processes discovered it. And I think you are confirming this now, where previously it was denied that they had any involvement. So you want to relate again, Ms. Seymour, what exactly did CyTech do? Were they given access to your system? Did they run it on your system?
Ms. Seymour. Here is what I understand, sir. OPM discovered this activity on its own.
Mr. Turner. That wasn't the question, Ms. Seymour. And I am assuming that you would have greater than an understanding, that you would actually know, considering you are the chief information officer, and you are testifying before us as to how this happened, and there has already been a news article on this. So please tell us clearly what access was CyTech given to your system.
Ms. Seymour. I will be happy to answer your question, sir.
I am trying to explain to you how CyTech had access. OPM discovered the breach, and we were doing market research, and we were also--we had purchased some licenses for CyTech's tool. We wanted to see if that tool set would also discover what we had already discovered. So, yes, they put their tools on our network, and yes, they found that information as well.
Mr. Turner. So you were tricking them? You like already knew this, but you brought them in and said, Shazam, you caught it too? That seems highly unlikely, don't you think?
Ms. Seymour. We do a lot of research before we decide on what tools we are going to buy for our network.
Mr. Turner. At that point you hadn't removed the system from your system? I mean, you knew it was there, you brought them in, and their system discovered it too, which means it would have to have been continuously running, and that personnel information would have been still at risk. Correct?
Ms. Seymour. No, sir. We had latent malware on our system that we were watching that we had quarantined.
Mr. Turner. You had quarantined it. So it was no longer operating.
Ms. Seymour. That is correct.
Mr. Turner. Okay. Well, clearly, you are going to have to give us all an additional briefing and certainly the Intel Committee staff an additional briefing on exactly how you did this because, you know, CyTech's relating what they did is very compelling. And, quite frankly, what you say sounds highly suspicious, that you would have brought them in, tricked them to see if they could discover it, something you have already discovered. I mean, why would you need them if you have already discovered it? And then further tricked them to say, Well, you don't really have the system on your system anymore? It just contradicts in so many ways it defies logic. But the other thing I want to ask you, Ms. Archuleta, is on your SF-86 forms that were compromised----
Ms. Archuleta. Yes.
Mr. Turner. When you say a form, it just sounds so minor.
But this is the form, this is the Security Form 86 that people looking to work on national security and get clearance have to fill out. It's not just their Social Security, but their Social Security number is all over this. What are you doing--I have Wright-Patterson Air Force Base in my district. My community has a number of people who have had to fill these out to be able to serve their country. What are you doing about the additional information that's in this form that's being released and that's out there about these individuals?
Ms. Archuleta. I filled out exactly the same form. And----
Mr. Turner. I didn't ask that. I asked you, what are you doing? Because it is not about just identity theft. This is not just their credit cards and their checking accounts. What are you doing about the rest of the information that is in here about counseling them and assisting them?
Ms. Archuleta. I just used that by way of example that I understand what is in the form, personally, and as Director of OPM and because, at OPM, as you know, we do Federal background investigations, and I am clearly aware of what is in the form. As I mentioned in my testimony, that we are working with a very dedicated team to determine what information was taken from those forms and how we can begin to notify the individuals who were affected by that. That form is very complicated. And that is why I am very, very careful about not putting out a number that would be inaccurate. That is a complicated form, with much information. It has PII and other information. So we want to be sure that as we look at how we protect the individuals who completed those forms that we are doing everything we can. We are looking at a wide range of options to do that. This is an effort that we are working on together throughout government, not just OPM. We are all concerned about the data that was lost as a result of this breach by these hackers who were able to come into our systems.
And I will repeat again, but for the fact that we found this, this malware would still be in our systems.
Mr. Turner. Mr. Chairman, I just want to thank them for at least acknowledging that CyTech had access to their equipment and that did run and did identify this, even though they previously denied CyTech's involvement. Thank you.
Chairman Chaffetz. I thank the gentleman. I now recognize the gentlewoman from the District of Columbia, Ms. Norton, for 5 minutes.
Ms. Norton. Thank you, Mr. Chairman. Actually, I have a question for Ms. Barron-DiCamillo. But, first, I want to ask Ms. Archuleta, members have been concerned about this 4.2 million number. You have tried to straighten that out. For the record, that is not a final number. It almost surely will go up. Is that the case?
Ms. Archuleta. There are two incidents.
Ms. Norton. I understand that.
Ms. Archuleta. So, in the first incident, that number is 4.2 million. In the second incident, we have not reached a number.
Ms. Norton. So the number is going to go up. I understand--indeed, I am receiving calls from Federal employees about OPM's promise of 18 months, I believe it is, free credit monitoring. Is it true that Federal employees must pay for this service----
Ms. Archuleta. No.
Ms. Norton. --after that time?
Ms. Archuleta. The service--well, the services that we are offering is identity theft protection up to a million dollars. We are also offering credit monitoring for 18 months, which is the standard industry practice. As we look at the second notification, we are looking at our whole range of options.
Ms. Norton. Ms. Archuleta, there is a great deal of concern, not so much about how much to pay for it but the amount of time, that the 18 months may be too short a period of time given how much you don't know and we don't know.
Ms. Archuleta. And we are getting tremendous information back from not only----
Ms. Norton. Well, are you prepared to extend that time if necessary?
Ms. Archuleta. I have asked my experts to include this feedback that we have received on a number of different considerations that need to be made.
Ms. Norton. I will ask, are you prepared to extend that 18 months in light of what has happened to Federal employees if necessary?
Ms. Archuleta. As I said, we don't know the scope of the impact of the--the scope of----
Ms. Norton. Precisely for that reason, Ms. Archuleta, I have got to go on. If the scope is greater as you get more information, will you correlate that to extending the amount of time that Federal employees have for this credit monitoring?
Ms. Archuleta. Congresswoman, I will get back with you as to how and what range of options we have.
Ms. Norton. Will you get back to us within 2 weeks on that? Ms. Archuleta, we have people out there, all of us have constituents out there who have been directly affected. When you won't even tell me that you are prepared to extend the time for credit monitoring, what kind of satisfaction can they get from OPM? I am just asking you that if necessary----
Ms. Archuleta. Congresswoman, I am as concerned as you are.
Ms. Norton. In other words, you are not even willing to answer that question. Are you willing to answer this question: They report having to wait long periods of time, sometimes hours, to even get anybody on the phone from OPM. Can you assure me that if a Federal employee calls they can get a direct answer forthwith today if they call? And if not, what are you going to do about it?
Ms. Archuleta. We are already taking steps. And what the contractor has actually implemented is a system similar to what the Social Security is using. So if they get a busy tone, they also can leave their number, and they will get a call back.
Ms. Norton. Within what period of time, Ms. Archuleta?
Ms. Archuleta. For example, I have heard a gentleman told me this morning that he left his number, and he was called back in an hour. So that individual does not have to wait on the phone.
It is a very simple process.
Ms. Norton. Ms. Archuleta, you let the chairman know before the end of this week what is the wait time for a return call.
Ms. Archuleta. Yes.
Ms. Norton. That was a subject of great concern.
Ms. Archuleta. I would be glad to do that. We get those numbers every day. I would be glad to do that.
Ms. Norton. We need to do all we can to give some assurance. We can't even assure them that beyond 18 months, they are going to get credit monitoring. That's a very unsatisfactory answer, I want you to know. I want to ask Ms. Barron-DiCamillo, we understand that much of this is classified, and we keep hearing: We can't tell you things because it's classified. Of course, the press is finding out lots of stuff. They reported that law enforcement authorities have been examining the connection between the cyber attack at OPM and a previous data breach that occurred at KeyPoint. So I want to ask you, Ms. Barron-DiCamillo, and I don't want to discuss--I am not asking about anything classified--in the course of your own investigation at US-CERT into KeyPoint's data breach, did you find that hackers were able to move around the company network prior to detection?
Ms. Barron-DiCamillo. In the case of the KeyPoint investigation?
Ms. Norton. Yes.
Ms. Barron-DiCamillo. Yes, ma'am, they were able to move around in the KeyPoint network. We had an interagency response team that spent time reviewing the KeyPoint network after a request for technical assistance.
Ms. Norton. Even to the domain level?
Ms. Barron-DiCamillo. Correct. They had access to--we were there in August of 2014. The onsite assistance team was able to discover that they had access----
Ms. Norton. What does that allow a hacker to do if you can get to the domain level?
Ms. Barron-DiCamillo. Well, they had access to the network since----
Ms. Norton. KeyPoint.
Ms. Barron-DiCamillo. Yeah, KeyPoint network, from that point in time through the fall of 2013.
So, during that time, they were able to leverage certain malware to escalate privileges for the entry points. So they entered the network, we are not quite sure how. Because of a lack of login, we couldn't find the----
Ms. Norton. But they could get the background checks on Federal----
Mr. Walberg. [Presiding.] The gentlelady's time has expired.
Ms. Norton. I just want to get to this final thing. They could get the background checks on Federal employees.
Ms. Barron-DiCamillo. No, they could not. They were not able to--there was no--or there was a PII loss associated with 27,000 individuals associated with that case, I believe. But it was potentially exposed. Because of a lack of evidence, we weren't able to confirm that. So they had potential access, but we weren't able to confirm exfiltration of that data.
Mr. Walberg. I thank the gentlelady.
Ms. Norton. Thank you, Mr. Chairman.
Mr. Walberg. I now recognize myself for 5 minutes of questioning. Let me ask Ms. Archuleta, what do you believe was the intent behind the attack? We are talking all about the attack. So what do you think the intent was?
Ms. Archuleta. You would have to ask my partners in cybersecurity about that. I am not an expert in what the----
Mr. Walberg. Ms. Seymour, maybe you could respond?
Ms. Archuleta. I think that may be better placed with DHS and perhaps others.
Mr. Walberg. Let me start, Ms. Seymour, do you have any idea as to why the attack?
Ms. Seymour. OPM does not account for attribution or the purpose to which this data would be used.
Mr. Walberg. Ms. Barron-DiCamillo?
Ms. Barron-DiCamillo. I would be happy to discuss those types of issues further in a closed setting, as we did yesterday with the staff, because the details around that is something that would be more appropriate for a closed classified setting.
Mr. Walberg. Ms. Archuleta, how would you assess OPM's communication with current and former Federal employees regarding the breach?
Ms. Archuleta. I believe----
Mr. Walberg. At this point in time, how would you assess it?
Ms. Archuleta. I believe that we are very--we want to work very hard with our contractor to make sure that we are delivering the service that we want. We have asked them throughout this process to make improvements. We have demanded improvements. We are holding them accountable to deliver the services we contracted for. Ms. Seymour is in communications with them. I do not, I do not want our employees to sit and wait on the phone. I do not want them to have to wonder whether their data has been breached. I want to serve them in every way that we can. And that is why we are demanding from our contractor the services that the contractor said they would deliver. And we are working very hard on that and each day give them the appropriate feedback from what we are hearing from our employees.
Mr. Walberg. Federal News Radio conducted an online survey about the data breach. You probably are aware of this. One of the questions asked respondents was to rate OPM's communication with current and former Federal employees about the data breach. The results showed that 78 percent of the respondents rated OPM's communication as poor. An additional 12 percent rated it as fair. Only 3 percent described it as good. And less than 1 percent said it was excellent. I appreciate the fact that you want to improve that. We expect you to make sure that who you have contracted with improves that.
Ms. Archuleta. Those numbers don't make me happy, sir. And I am going to do everything I can to make sure that we are doing everything for our employees. I care deeply about our employees.
Mr. Walberg. Let me move on. Ms. Barron-DiCamillo, some news reports indicate that attackers may now be in possession of the personal file of every Federal employee, every Federal retiree, and up to 1 million former Federal employees.
If true, that means the hackers have every affected person's Social Security number, address, date of birth, job and pay history, and more that could be there. For years we have been hearing about the risk of a cyber Pearl Harbor. Is this a cyber Pearl Harbor?
Ms. Barron-DiCamillo. The impact associated with the data breach that was confirmed, the records that were taken out of the personal records is what we would call on a severity scale a significant impact.
Mr. Walberg. Significant impact. What does ``significant impact'' mean?
Ms. Barron-DiCamillo. Meaning that the data, if it was correlated with other data sources, could be severely--it could impact the environment as well as the individual.
Mr. Walberg. The ``environment'' meaning?
Ms. Barron-DiCamillo. The fact that they were able to take the data out of the environment, that's a significant impact to the environment, and ensuring that they are able to mitigate the ability that the attacker used to get into that environment. And then the fact that that data was exfilled is also considered to be a high significant impact.
Mr. Walberg. So it's blown up.
Ms. Barron-DiCamillo. I am sorry?
Mr. Walberg. It's blown up a lot of things, protection, security. It's a Pearl Harbor.
Ms. Barron-DiCamillo. That's not a term I am comfortable with using, but on the severity scale that we use----
Mr. Walberg. It's pretty significant.
Ms. Barron-DiCamillo. Yeah. It would be medium to high significance, yes.
Mr. Walberg. Let me ask, Ms. Seymour, do you think issuing a request for quotes on May 28 and establishing a deadline of May 29 to potential contractors was a reasonable opportunity to respond in this significant issue of cybersecurity?
Ms. Seymour. Our goal was to be able to notify individuals as quickly as possible. And so we worked with the GSA schedule. We contacted schedule holders. We also put it on FedBizOpps for other opportunities. We received quotes from both schedule holders as well as nonschedule holders.
And so our goal was to make sure that we could notify individuals as quickly as possible. Mr. Walberg. That was quick. Maybe too quick. My time has expired. I now recognize the gentleman from Massachusetts, Mr. Lynch. Mr. Lynch. Thank you, Mr. Chairman. And, again, I want to thank the witnesses for participating today. Ms. Archuleta, you testified before the Senate. Let me ask you at the outset, who is ultimately responsible for protecting the personal identification information of employees at OPM? Or that are covered by OPM, Federal employees. Ms. Archuleta. Yes, the responsibility of the records is with me and my CIO. Mr. Lynch. Okay. So you also testified that no one was to blame. Is that right? Ms. Archuleta. I think my full statement, sir, was that I believe that the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our systems. And I have worked--the rest of my testimony was I have worked since day one to improve legacy systems. Mr. Lynch. I understand that. I understand that. You are blaming the perpetrators, that those are the people that are responsible. Is that basically what you are saying? Ms. Archuleta. The action was caused by a very focused, aggressive perpetrator. Mr. Lynch. Okay. I can't have repeated the same answers. Let me just, Mr. McFarland, the assistant inspector general, Michael Esser, testified that a number of the systems that were hacked were not older legacy systems, but they were newer systems. Is that your understanding? Mr. McFarland. Yes. Mr. Lynch. So this isn't the old stuff, this is the new stuff. Mr. McFarland. Yes, that's correct. Mr. Lynch. Okay. And the former chief technology officer at the IRS and the Department of Homeland Security said that the breaches were found bound to happen given OPM's failure to update its cybersecurity. Is that your assessment, Mr. McFarland? Mr. McFarland. Well, I think, without question, it exacerbated the possibility, yes. Mr. Lynch. Yeah. 
He also, this is a quote, he said: ``If I had walked in there as the chief information officer and I saw the lack of protection for very sensitive data, the first thing we would have been working on is how to protect that data.'' I am concerned as well about the flash audit that you just put out. And your ultimate determination was that you believed that what they are doing will fail. Mr. McFarland. The approach that they are taking I believe will fail. Mr. Lynch. Okay. Mr. McFarland. They are going too fast. They are not doing the basics. And if that's the case, then we are going to have a lot of problems down the road. Mr. Lynch. Let me ask you, so very crudely describing this, they are creating a shell, a protective shell. And then we're going to migrate applications in under the shell. And because they will be under the shell, they'll be resistant or impervious to hacking. It doesn't seem like we should have to wait until the last application is under the shell before we find out whether or not the shell is working. Will that give us an opportunity to look at the early stages of this project? Mr. McFarland. Well, I am not sure if it will give us that opportunity or not. What is important, I think from our perspective, is that they have the opportunity, OPM has the opportunity right now to do certain things that will increase the security a great deal. And that shouldn't be abandoned and just placed in place of. And I don't mean to imply it is abandoned, but it should not be in place of speeding through the rest of the project to get it done. The crisis part--may not seem this way to a lot of people, but the actual crisis at OPM was with the breach. That part is over. The best thing to do is safeguard the system as it is right now and then move appropriately for a full restructuring. Mr. Lynch. Okay. Do you think that OPM's estimates of $93 million is accurate? Mr. McFarland. I don't think it's anywhere close to accurate. Mr. Lynch. I don't either. 
It doesn't seem to include the whole migration function where they pull the information in. Mr. McFarland. As an example, the financial system that we have, CBIS, in 2009, we had to migrate that information. Mr. Lynch. Right. Mr. McFarland. And in so doing, it had a lot of oversight and went pretty well. And, in fact, our office was part of that oversight. But just that one system took 2 years and $30 million. Mr. Lynch. Right. And that's a small fraction of what we are talking about here, right? A very small fraction. Mr. McFarland. Very small. Mr. Lynch. Okay. I will yield back. Thank you, Mr. Chairman. Chairman Chaffetz. [presiding.] I thank the gentleman. I now recognize the gentleman from South Carolina, Mr. Gowdy, for 5 minutes. Mr. Gowdy. Thank you, Mr. Chairman. Mr. Chairman, I want to read a regulation. I would ask all the panelists to pay attention. It's a little tedious, but it's important: If new or unanticipated threats or hazards are discovered by either the government or the contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party. That's a regulation. Mr. Hess, Mr. Giannetta, were there also contractual obligations in this realm between you and the government? Mr. Hess. There are. Mr. Gowdy. And they would be what, similar to that, notice? A notice provision? Mr. Hess. I don't have an immediate recollection of exact text, but it is similarly worded. Mr. Gowdy. Okay. I think it's helpful sometimes to define terms, particularly for those of us that are liberal arts majors and don't deal with this. What is a ``new or unanticipated threat or hazard''? Mr. Hess? Mr. Hess. That would be an indication of compromise of a system or a failure of any of the system protections. Mr. Gowdy. Oh. 
So when Chairman Chaffetz was having a difficult time getting answers to that question because the focus was on the loss of personal information, that's really not what that phrase means. It's just a threat or hazard. It doesn't actually have to be a loss, does it? Mr. Hess. Not the way I would define it. Mr. Gowdy. Me either. What about ``existing safeguards have ceased to function?'' What does that mean? Mr. Hess? Mr. Hess. Sir, it's pretty explanatory. Mr. Gowdy. It did strike me as being self-explanatory. It did. Mr. Giannetta, is that self-explanatory to you, ``existing safeguards have ceased to function?'' Mr. Giannetta. Yes. Mr. Gowdy. Here is the really tough question, and I will let both of you weigh in on this one because it is tough. What does the word ``immediately'' mean? Mr. Hess. Without delay. Mr. Gowdy. Without delay. Mr. Giannetta, is there another meaning that you are familiar with? Mr. Giannetta. I think that's a good definition. Mr. Gowdy. All right. So you had both a contractual obligation with the government and there is a regulatory obligation that if new or unanticipated threats or hazards are discovered by either the government or the contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party. Ms. Archuleta, I have heard this morning about a March 2014 data breach. Did I hear that right? Ms. Archuleta. Yes, sir, you did. Mr. Gowdy. And when did you bring that breach to the attention of either Mr. Hess or Mr. Giannetta? And you are welcome to turn on your microphone or else bring it closer to you. Ms. Archuleta. I would have to get that information back to you. I don't have it in my notes. Perhaps Ms. Seymour would know. But if not, we would get that information back to you. Mr. Gowdy. Do you know if it was immediately? Ms. Archuleta. I would expect that it was immediate, yes. Mr. Gowdy. Let's find out. Ms. Seymour, do you know? Ms. Seymour. 
No, sir, I don't. But I don't think that we--I certainly don't think that we immediately notified our contractors of a breach to our network because at that time we did not have any question as to whether it was affecting them. It was to our network at that time. Mr. Gowdy. Mr. Hess, Mr. Giannetta, is that your understanding, that they were under no duty to bring that to your attention? Not all at once. It's your contractual language, and you are looking at the regulation. Do you think you should have been notified because of the March breach? Mr. Giannetta. Absolutely. Mr. Gowdy. Well, why? Because I just heard one person say she didn't know and the other say it was really none of your business. So why should you have been notified? Despite the plain language of the regulation and the contractual language, why do you think it was important that you be notified? Mr. Giannetta. So that we could take appropriate or more appropriate actions to protect data. Mr. Gowdy. Were you notified? Mr. Giannetta. I was not. Mr. Gowdy. Were you notified immediately? Mr. Giannetta. No. Mr. Gowdy. Huh. What do you have to say about that, Ms. Seymour? Ms. Seymour. I believe that that's accurate, sir. Mr. Gowdy. I am with you there. I guess my question is, why? Why, despite the plain language of the contract and the plain language of the regulation, why did you not immediately notify the contractors? Ms. Seymour. We worked with DHS and partners to understand the potential compromise to our system so that we could---- Mr. Gowdy. Was DHS one of your contractors? Ms. Seymour. No, sir. Mr. Gowdy. Well, I didn't think so. Which that doesn't really help me understand the regulation because it says ``contractor;'' it doesn't say ``DHS.'' So why didn't you notify the contractor? Ms. Seymour. At that time, we were still investigating what had happened in our network. Mr. Gowdy. What does the word ``immediately'' mean to you? Ms. Seymour. Without undue delay. Mr. Gowdy. Did you do so? Ms. 
Seymour. No, sir, we did not. Mr. Gowdy. Does the regulation say ``as soon as you figure out what happened'' or ``after you talk to DHS?'' That is not in my version of the regulation. Is it in yours? Ms. Seymour. I have not read that regulation, sir. Mr. Gowdy. You know why you haven't? Because that one doesn't exist. The one that says ``notify DHS'' or ``try to figure it out.'' The only one that exists says to immediately notify the contractor, and you are telling me you didn't do it. And my question is, why? Ms. Seymour. I can't answer that question. Mr. Gowdy. Who can? Ms. Seymour. I will take that back and get you---- Mr. Gowdy. To whom will you take it? Ms. Seymour. I believe--I would take it back to my staff to see if we have processes in place that---- Mr. Gowdy. Do you think it's staff's responsibility to notify the contractor? Ms. Seymour. We have processes in place for making notifications when we find these things. Mr. Gowdy. Who is ultimately responsible for that process? Who failed to meet the contractual and regulatory obligations? Ms. Seymour. I would have to read that regulation, sir. I am not familiar with it. Mr. Gowdy. I just read it. Ms. Seymour. I would be happy to read it. I would like to read the full context of it. Mr. Gowdy. You think the context is different from what I just read? Ms. Seymour. I would want to read the context and---- Mr. Gowdy. How about the contract? Have you read the contract? Ms. Seymour. I have read most of the parts of the contract, sir. Mr. Gowdy. Well, I can't speak for the chairman, but my guess is that he and the other members would be really interested in who failed to honor both the letter and the spirit of the contractual obligation and the regulatory obligation. With that, I will yield back. Chairman Chaffetz. I thank the gentleman. We will now recognize the gentleman from California, Mr. Lieu, for 5 minutes. Mr. Lieu. Thank you, Mr. Chairman. 
I have concerns not just about the failures of OPM leadership but also the failures of its contractors, in particular USIS, because it looks like what happened here wasn't just recklessness or negligence; it was fraud. And I want to know how far up this fraud went. I want to know if the parent company knew about it. I want to know if the hedge fund managers that funded these companies knew about it. So let me begin with Mr. McFarland. As you know, the Department of Justice joined a lawsuit against USIS in January for defrauding the government under its contract with OPM. And according to Justice Department filing, ``Beginning in at least March 2008 and continuing for through at least September 2012, USIS management devised and executed a scheme to deliberately circumvent contractually required quality reviews of completed background investigations in order to increase the company's revenues and profits.'' You assisted their investigation in this case, correct? Mr. McFarland. That's correct. Mr. Lieu. As I understand it, the parent company, Altegrity, paid bonuses to top executives at USIS during the period of their fraud that amounted to about $30 million. Mr. McFarland, to your knowledge has USIS or Altegrity paid the government back for those bonuses? Mr. McFarland. I am not positive, but I believe not. Mr. Lieu. All right. Let me enter into the record, Mr. Chairman, if possible, an article from the Wall Street Journal entitled ``Altegrity Executives Got Pay Out Before Screener Went Bankrupt.'' Chairman Chaffetz. Pardon me. Mr. Lieu. If I could enter an article into the record. Chairman Chaffetz. Without objection, so ordered. Mr. Lieu. Thank you. I ask a second one to be entered, which is an article from The Washington Post. It states that the Justice Department filed a motion in this case on Friday in U.S. bankruptcy court, seeking $44 million from USIS' parent company, Altegrity. That is from this Monday. If we could enter that, as well. Chairman Chaffetz. 
Without objection, so ordered. Mr. Lieu. Okay. Now, let me ask Ms. Barron-DiCamillo: For USIS to have upgraded assistance to prevent these kinds of breaches, it would have cost well less than $30 million; isn't that correct? Ms. Barron-DiCamillo. So, not having investigated specifically, you know, the breadth and depth of all of the parent companies as well as subsidiaries--we were focused just on the USIS network--the findings estimates were actually higher than $30 million for the recommendations that we had provided to them at the end of our assessment. And that number could be as high as $50 million. Mr. Lieu. Got it. Thank you. I appreciate that. So now I want to ask Mr. Giannetta about the bonuses awarded during the alleged fraud. Who on the board reviewed the deplorable performance of the CEO and decided to award him with $1 million in bonuses during the 4-1/2 years USIS was defrauding the government? Was it the board? Who made that decision? Mr. Giannetta. So my role began at USIS in August of 2013 as the chief information officer. I don't have any knowledge, direct or indirect, of who approved or disapproved---- Mr. Lieu. So you don't know if it is the parent company or the hedge fund managers? We don't know who did this? Mr. Giannetta. I don't have that knowledge. Mr. Lieu. Okay. All right. So we are going to send you written questions after today's hearing, and I want your commitment that USIS or Altegrity will provide answers within 30 days to our questions. Will you commit to at least that? Mr. Giannetta. Certainly. Mr. Lieu. All right. Mr. Chairman, I also think the committee should call Jeffrey Campbell, the president of Altegrity, as well. And let me now turn to Mr. McFarland. You issued two IG reports, one in November of 2013 and one in November of 2014, correct, on OPM? Mr. McFarland, you issued two IG reports, dated November 2013 and November 2014? Mr. McFarland. I'm sorry. I didn't hear the very first part. Mr. Lieu. Okay. 
So you issued two IG reports, dated November 2013 and November 2014, on OPM? Mr. McFarland. You're speaking on FISMA. I'm sorry. Mr. Lieu. No, no---- Mr. McFarland. Yes. Mr. Lieu. Yeah. All right. So these two IG reports, would you agree with me the 2014 report is quite similar to the 2013 report because OPM actually failed to implement many of your recommendations? Mr. McFarland. I think there were many carryovers, yes. Mr. Lieu. Okay. And would you agree with me that this isn't a difference of opinion; you actually had OPM violating standards that the administration had put in? So, for example, in 2014, your report on page 24 says OPM was not compliant with the Office of Management and Budget Memorandum M-11-11 that required two-factor authentication. On page 12, you also said that OPM was not compliant with National Institute of Standards guidance saying that they should just do a risk assessment. And you would agree that OPM was not following these standards, correct? Mr. McFarland. Yes. Mr. Lieu. Okay. Director Archuleta, do you take responsibility for not following OMB guidance as well as guidance from the National Institute of Standards, which, had you followed, could have prevented these breaches? Ms. Archuleta. Well, sir, I---- Mr. Lieu. Yes or no, do you accept responsibility for those two failures? Ms. Archuleta. It can't be a yes-or-no answer. Mr. Lieu. It is a yes or no. The IG identified that--look, do you accept responsibility for not following the OMB guidance and the National Institute of Standards guidance? Ms. Archuleta. I have to---- Mr. Lieu. It's just a yes or no. Either you---- Ms. Archuleta. I have to take---- Mr. Lieu. You don't have to accept responsibility. I just want to know if you do. Ms. Archuleta. I have to take into consideration when an audit is conducted by the auditor. I have to make an informed decision about his recommendations. It's not an issue of whether I disagree with him. I want to be sure that I---- Mr. Lieu. 
This is not an audit. This is the OMB. It is this administration's guidance. Ms. Archuleta. And we have worked very closely with OMB to make sure that we're tracking, documenting, and justifying all of our steps in this---- Mr. Lieu. All right. My time is up. Ms. Archuleta. --as we move forward. Mr. Lieu. So I take it, you actually don't take responsibility. I yield back. Chairman Chaffetz. I thank the gentleman. I now recognize the gentleman from North Carolina, Mr. Meadows, for 5 minutes. Mr. Meadows. Thank you, Mr. Chairman. Ms. Seymour, let me come to you, because there seems to be some conflicting information. Before this committee, on April the 22nd, you had indicated that it was the adversary's modern technology and the OPM's antiquated system that helped thwart-- in your words--thwart hackers at the first OPM attack. Is that correct? Ms. Seymour. Yes, sir. Mr. Meadows. Okay. Last week, you testified repeatedly that it was the OPM's antiquated systems that were the problem and the chief reason that the system was not secure and you didn't do just the basic cybersecurity measures of encryption and network protection. So, I guess, my question to you, Ms. Seymour: Which is it? Is it the fact that the old system helped you or the old system hurt you? Those are two conflicting pieces of testimony. Ms. Seymour. I don't believe that they're conflicting, sir. In the first incident, the old technology thwarted the actor because they did not know what they were doing in that environment. We immediately put in place a plan to provide better security---- Mr. Meadows. So you caught them immediately is what you are saying? Ms. Seymour. No, sir. I said we---- Mr. Meadows. Well---- Ms. Seymour. --immediately put in place a plan so that we could improve the security posture. What we did was we moved to build a new architecture where we could put in additional security controls. We also, at the very same time, put security controls in our current environment. Mr. Meadows. 
Okay. Ms. Seymour. We did not wait. Mr. Meadows. Well, you say you didn't wait once you found the problem, but is there---- Ms. Seymour. Sir, we didn't wait---- Mr. Meadows. Hold on. Ms. Seymour. --from the day that I came on board. Mr. Meadows. Let me ask the question. Is there, in the security IT/cybersecurity technology chief operators, is there anyone who would apply for a job who would suggest not to do encryption of sensitive data? Ms. Seymour. Encryption is not a panacea because of---- Mr. Meadows. I didn't ask that. Is there anybody in your job or a similar job who would come in and say, ``We are going to protect everything; let's leave it unencrypted''? Can you think of anyone? Because I have been asking all over the United States. I can't find anybody. Ms. Seymour. So I'm going to--I'm trying to explain the situation to you. Our databases are very, very large. Our applications are not always able to work properly and encrypt and decrypt that data. So what we have done---- Mr. Meadows. So you are saying that this was a volume problem, not a management problem. Ms. Seymour. Well---- Mr. Meadows. Because you are under oath---- Ms. Seymour. Yes, sir. Mr. Meadows. --and that is concerning, because you are saying that you just didn't have the resources to handle the large volume of information? Ms. Seymour. It's not a resource issue. It's whether our applications are built so that they can--so that---- Mr. Meadows. So they are not encrypted today. Ms. Seymour. --the encryptions can be done. Mr. Meadows. So they are not encrypted today? Ms. Seymour. We have purchased the toolset, sir, and we are in the process of encrypting pieces of our databases, as opposed to the entire database. We are trying to focus on the sensitive information. That allows---- Mr. Meadows. I agree, we need to focus on the---- Ms. Seymour. --our applications to run in an operable manner. Mr. Meadows. --sensitive information. 
So what do we tell the millions and millions of Federal workers, that now, because their system has been breached, now you are going to encrypt it? Do you feel like you have done your job? Ms. Seymour. I do, sir. Mr. Meadows. Well---- Ms. Seymour. I came on board, and I recognized these issues. And I worked with Director Archuleta to put in place a plan---- Mr. Meadows. Okay. Well, both of you all came in---- Ms. Seymour. --that would improve OPM's security posture. Mr. Meadows. --in 2013. You both came in in 2013. Ms. Seymour. At the end of 2013, yes, sir. Mr. Meadows. How long did it take you to buy equipment to start encrypting? Ms. Seymour. The tool---- Mr. Meadows. Simple answer. Ms. Seymour. June of 2014. Mr. Meadows. All right. So you bought equipment in June of 2014. Ms. Seymour. Uh-huh. Mr. Meadows. So when did you start encrypting? Ms. Seymour. We have a couple of databases that are encrypted already, and we are---- Mr. Meadows. A couple out of how many? Ms. Seymour. Sir, we have numerous databases. Mr. Meadows. Well, and that is my point. Ms. Seymour. And so it takes time, and it takes resources, and we have to test before we can just---- Mr. Meadows. All right. Ms. Archuleta, let me come to you. When you applied for the job and you were going through your Senate confirmation, you said that you would make IT, technology your number-one priority. Again, in this committee, you said that it was your number-one priority. Can you explain to the Federal workers and all those that have had their personal information breached how making it your number-one priority when you were confirmed in 2013 is still to be believed? Or was it just what you said during a confirmation hearing and you really never intended to act on it? Ms. Archuleta. I believe that the record will show that I have acted on it, that I am dealing with a legacy system that has been in place for 30 years, and we are working as hard as we can. 
In 18 months, we have made significant progress, but so have our aggressors. Cybersecurity is an enterprise responsibility, and I am working with all of my partners across government. And I have shown that we have prioritized this even as early as 2014 and 2015 in our budgets and in the resources that we have directed towards that. I do not take this responsibility lightly. And, as I pledged in my confirmation hearing and as I pledged to you last week and as I have pledged to you today, I take it extremely seriously. And I am as upset as you are about every employee that is impacted by this. That is why we're dedicating resources throughout government, not just as OPM but at every level of government, to be sure that this does not occur again. Mr. Meadows. All right. Ms. Archuleta. We're working very hard. I am serious about it. Mr. Meadows. I appreciate that. And I appreciate the patience of the chair. Mr. Hurd. [Presiding.] Thank you, Mr. Meadows. Now I would like to recognize my colleague from the great State of New Jersey, Mrs. Watson Coleman. Mrs. Watson Coleman. Thank you, Mr. Chairman. Thank you for your being here today. I have a couple of questions, and I would like as short an answer as possible. So, with regard to the one breach that involved the 4.2 million employees, those are actual employees and retirees. That is a closed system. We know how many that is. With regard to the individuals whose information was in a system because background checks were being done with them, A, we don't know how many; B, every one of those individuals didn't ultimately get a job, so we have some people's information who aren't even employed by the Federal Government. Is that yes--is that true, Ms. Archuleta? Ms. Archuleta. Yes, that's true. Mrs. Watson Coleman. Okay. Ms. Archuleta. If there was a background investigation requested. Mrs. Watson Coleman. Right. 
So, in that second breach of that universe that is so large, that information was breached through a breach in the security of KeyPoint? Is that true, Ms. Archuleta? Is that---- Ms. Archuleta. Yes. Mrs. Watson Coleman. Someone who had credentials with---- Ms. Archuleta. There was a credential that was used, and that was the way that they got in---- Mrs. Watson Coleman. Thank you. Ms. Archuleta. --from an employee of KeyPoint. Mrs. Watson Coleman. So who is trying to identify all the universe that has been compromised through the latter breach? Is it KeyPoint who is trying to clean up its mess, or is it---- Ms. Archuleta. No, no. Mrs. Watson Coleman. --OPM? Ms. Archuleta. We have a total enterprise-wide security team, or forensic team, that is doing the forensics on this. Mrs. Watson Coleman. Okay. So Mr. McFarland has made a number of observations and recommendations, and I believe that I was left with the feeling that he didn't believe that OPM was moving in the right direction, on the right path to get to where it needs to go. And so I was also informed that his recommendations or his findings are a result of auditors and specialists in this area. So I have two questions for you, Ms. Archuleta. Number one is, are you using experts and the same kinds of skill sets that Mr. McFarland is using in looking at the same things that he is looking at, number one? And, number two, do you agree with his recommendations? And if not, on what areas do you disagree? Ms. Archuleta. The flash audit I can just take by way of example. And, first of all, I want to say that I respect the inspector general's diligence in overseeing this topic. And there are areas where we have areas of agreement, and there's areas that I think we need to have further conversation about. 
In terms of the existing contracts and the use of full and open competition, I would like to assure the IG that the processes we used to award the already-existing contracts have been perfectly legal, and we're going to continue to ensure that our future contracts and processes entered into will also be legal. I also understand that he's concerned about the sole-source contract of tactical and shell that he spoke about. I understand his concerns. And I would like to remind him that the contracts for migration and cleanup have not yet been awarded, and we will consult with him as we do that. Where we don't--where we have areas that we need to consider together--and, by the way, the IG and I meet on a monthly basis, and our staffs meet on a weekly basis or at least biweekly--I look forward to discussing to him about the major IT business case so that we can figure out what the practical---- Mrs. Watson Coleman. Okay. Ms. Archuleta. --timeline should be. Mrs. Watson Coleman. Thank you. I kind of get the drift then. Tell me what you think is the timeframe for the IG's office and your office--and, Mr. McFarland, you might weigh in-- necessary to get to where we need to get. Not that all these things are going to be implemented, but that we agree on what needs to be done. Are we talking about 3 months from now? Thirty days from now? Six months from now? Do we have any idea? Ms. Archuleta. I would ask Donna just to talk about the tactical and the shell processes that we're using. We're trying to do that as rapidly as possible so that we can move out of the legacy network. The issue about the migration and the cleanup we'll continue to discuss, but we're trying to rapidly move towards that shell. Mrs. Watson Coleman. Do we still have contracts with KeyPoint? Ms. Archuleta. Yes. Mrs. Watson Coleman. And KeyPoint--this is to Mr. Hess, I believe. How many contracts with how many departments do you have? Mr. Hess. Our primary contracts are through Homeland Security and OPM. 
Mrs. Watson Coleman. Okay. And so, are your contracts active contracts? Are they coming to an end? Or are you at the end of these contracts? What is the---- Mr. Hess. They're all active contracts. Mrs. Watson Coleman. They are all active contracts. Mr. McFarland, should we be ceasing our relationship with KeyPoint? Mr. McFarland. Based on what I know at this point, I have no reason to believe that we should. Mrs. Watson Coleman. That we should. That we---- Mr. McFarland. No. I have no reason to believe that we should cease relationship. Mrs. Watson Coleman. That we should cease. Mr. McFarland. No. That we should not cease. Mrs. Watson Coleman. Should not. Ms. Archuleta, do you agree with that? Ms. Archuleta. I do agree with that. KeyPoint has taken the steps necessary to mitigate any security questions. They have been very active in working with us on that. Mrs. Watson Coleman. So but my question is, should we cease contracting with them? Mr. McFarland says yes, and you said yes---- Ms. Archuleta. No. He said no. Mrs. Watson Coleman. Both of you said no. Okay. Mr. McFarland. No, I'm sorry. I said no. Mrs. Watson Coleman. Okay. I am sorry. Thank you very much. Mr. McFarland, last question to you. What are the three important things that we need to do just to get us back on the right track, and how long do you think it should take? And that will be the end of my questioning, Mr. Chairman. Thank you very much. Mr. McFarland. Well, I'll give you four, if I could. First, we'd like to see the implementation of multifactor authentication using PVI cards; then develop a comprehensive inventory of information systems, servers, and databases; then further protect existing data with encryption and data-loss- prevention technique tools; and then proceed with the infrastructure overhaul with a disciplined project management approach. And I have no idea how long that will take for a discussion. Mrs. Watson Coleman. Thank you. Thank you very much, Mr. Chairman. I yield back. Mr. 
Hurd. Thank you. And I would now like to recognize Mr. DeSantis from Florida for 5 minutes. Mr. DeSantis. Thank you, Mr. Chairman. You know, this is a really, really frustrating hearing and, obviously, a colossal failure. I mean, we have a government that will tell us how much water we can have flushing in our toilets, how much corn we have to put in the gasoline we use to drive our cars and boats, and the government will tell us the type of health insurance we can and cannot buy. And yet, on the core functions of government, the things that we all need the government to do, it seems to me that it fails habitually. And this is a major example of that. The numbers of people affected, when Ms. Archuleta talked about we don't know on the clearance side, yeah, we don't know. You know why? Because it is not just the person who filled out the form that is at risk of that. I mean, you have friends, family members, associates, foreign nationals who you may know, who China would like to know who those foreign nationals are. So you are talking about an exponentially larger number than just simply the number of people who filled out those forms. And yet it seems to me that we just have bureaucratic paralysis. Nobody is really accountable. Now, Ms. Archuleta, let me ask you: Members of this committee have called upon you to resign. You have rebuffed that. Do you still believe you should remain in your position? Ms. Archuleta. I am more committed than ever to serve the employees of this administration. I am working very hard, and I think---- Mr. DeSantis. Do you accept responsibility? Ms. Archuleta. I accept the responsibilities that are given to the Director of the OPM. And I have fulfilled those responsibilities by making sure that we have the right people in the right places and seeking the resources that we need to do our work and to make sure that the systems that we have in place can do the work that they're expected to do. 
Again, we have a legacy system that is 30 years old. Mr. DeSantis. So---- Ms. Archuleta. We have dedicated money and human resources---- Mr. DeSantis. And I appreciate that. And I have been here for your statements, and I have heard you make that point. Ms. Archuleta. Thank you, sir. Mr. DeSantis. But if not you, then who, if anybody, in OPM should be held accountable for this colossal failure? Ms. Archuleta. I am responsible, as the Director of OPM, for a number---- Mr. DeSantis. Is anybody going to be held responsible? Ms. Archuleta. --for a number of different responsibilities. I take very seriously, as I said in my confirmation hearing and many other hearings after, including today---- Mr. DeSantis. But what about responsibility? Because I will---- Ms. Archuleta. I accept---- Mr. DeSantis. --tell you what my constituents will tell me. They will say, ``Ron, we have people mess up in the government all the time, and nothing ever happens.'' And that is not the world that our constituents live in, where there are usually consequences. And so you are not committing that anybody will be fired or held accountable because of this, correct? Ms. Archuleta. I am committing to you that we are going to do the best job we can. Mr. DeSantis. Well, and I appreciate that, but that, quite frankly, is not something that I think the American people have confidence in right now, given what has happened. Now, let me ask Ms. Barron-DiCamillo: People have been warning about the risk of a cyber Pearl Harbor. Obviously, the IG had warned OPM about vulnerabilities in their system for years and years. Does this constitute a cyber Pearl Harbor? Ms. Barron-DiCamillo. That question was asked to me earlier. I don't know if you were here. 
We use a severity scale, and on the severity scale, based on the impact to data, the impact to the network, and getting back to a known, good, healthy state, we would consider this to be a medium- to high-severity-level kind of an event based on the kind of data that was possibly exposed and exfilled and then the ability for the mitigations that we put in place as part of the plan that we provided to OPM post-assessment. Mr. DeSantis. But those are mitigations for the system itself, correct? The mitigations that you have performed don't include mitigations for any of the capabilities that some of the people whose identities may have been compromised perform on behalf of our country, correct? Ms. Barron-DiCamillo. Correct. I am a technical operator in cybersecurity operations, and we're focused on helping OPM and other departments' and agencies' critical infrastructure ensure the protection of their networks. So when we do an event like this, we provide mitigations to help them get back to a known, good, healthy state as well as prevent these kinds of things and, if they are targeted again, which a lot of times they are, helping them detect that activity quicker in the cycle so they can contain it and then clean that up. Mr. DeSantis. So if China gets blackmail information that they could use against people serving in our government in important positions, if China is able to identify foreign nationals, Chinese foreign nationals maybe, who are friendly with the United States and with people, there is no way you can calculate the damage that that causes, correct? Ms. Barron-DiCamillo. I'm a cybersecurity operator. That's clearly a question for intelligence--the intelligence community. Mr. DeSantis. And I think it is a very important question. And I think the damage to this is very, very severe. And I yield back the balance of my time. Mr. Hurd. Thank you, sir. I would now like to recognize my colleague from Virginia, Mr. Connolly. Mr. Connolly. I thank the chairman. 
And I thank my good friend from Pennsylvania, Mr. Cartwright, for allowing me to go at this moment because I have to chair a meeting at 12:30. Let me just say, you know, I was just listening to our colleague from Florida. It is easy to make a scapegoat out of somebody or something. That isn't to absolve people of responsibility. But what we are facing is a much bigger threat than a management snafu. We are facing a systemic, organized, financed, pernicious campaign by the Chinese Government, in the form of the People's Liberation Army, with a trained unit to penetrate weak spots in our cyber world. And that includes the Federal Government, and it may include retail and commercial enterprises, certainly banks among them. To pretend somehow this is Ms. Archuleta's fault is to really miss the big picture and, frankly, a disservice to our country. We have a bigger threat. Whether we want to acknowledge it or not, we now are engaged in a low-level but intense new kind of cold war, a cyber war, with certain adversaries, including China and Russia. And it is every bit as much a threat to the security and stability of this country, and we need to gird ourselves for this battle. And it is not okay to dismiss testimony that resources were denied. This committee led the effort, and I probably cosponsored the bill, to try to modernize how we purchase and manage IT assets in the Federal Government. Is that important? Why are these people here today before us? Because it is important. And Congress has neglected it. We can't have it both ways. So, while we certainly hold Ms. Archuleta responsible, as the head of OPM, for how they are managing this breach and we have every right to question why the breach occurred, to make a scapegoat in this ``Alice in Wonderland,'' you know, world we have created here sometimes, where the answer is, ``Off with your head,'' how easy. What a cheap headline that gets. And it does get a headline every time. 
But it begs the question which is far more fundamental, far more profound, and far more disturbing as a threat. And that is ultimately what we need to deal with, it seems to me. Mr. McFarland, last week, your office issued a flash audit alert to raise awareness of serious concerns over OPM's ongoing overhaul of its entire IT infrastructure. According to that flash alert, your office stated, ``In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure.'' If I understand correctly, what you are saying is that the project won't do what we need it to do. Is that correct, Mr. McFarland? Mr. McFarland. No, I'm not saying that the project wouldn't ultimately do what is hoped for. I'm saying that the potential for problems exists, and it is very high probability---- Mr. Connolly. Well, I want to use the word in the report: ``entirely inadequate''; ``introduces a very high risk of project failure.'' That doesn't say, to me, there is the possibility of failure. It kind of predicts it is more likely than not. Mr. McFarland. I agree. Mr. Connolly. Okay. Mr. McFarland. A high risk, for sure. Mr. Connolly. You also indicated it will cost too much. Do you want to expand on that a little bit? Mr. McFarland. Well, the $93 million that's set aside at this point won't come close. The migration itself is going to be an extremely costly measure. Mr. Connolly. Right. One would note that the CIA used an outside vendor, and I think they spent $600 million, but their system seems to be working. But it cost $600 million, I think, over 10 years, if I am not correct. Ring a bell? Sound right? Mr. McFarland. I'm not familiar with that, sir. Mr. Connolly. Worth looking at, because they partnered with the private sector rather than try to find all the answers inside. Ms. Archuleta, what is your response to that IG flash audit alert? Ms. Archuleta. 
The IG brought up some process issues that were very important, I think some that we don't agree with, but there are other areas that we do agree with. I think the important thing is to underscore the relationship that we have with our IG. And we will continue to value his opinion and to bring forth his ideas into the considerations that we make. I do believe that we have to move carefully but we have to work swiftly. As you said, these aggressors are spending a lot of money--a lot of money to get into our systems. We need his assistance. We will seek his guidance. We will listen carefully to his recommendations and certainly consider those as we move forward. Mr. Connolly. Just a final note, Mr. Chairman. I introduced the Federal Agency Data Breach Notification Act of 2014. Unfortunately, although we blended that on a bipartisan basis into the Safe and Secure Federal Websites Act, the Senate did not act. Had we acted, we would have had protocols in place for dealing with this kind of breach, at least after the fact, so that, you know, we could reassure the victims, who are Federal employees and Federal retirees. And I would hope that this committee once again will help prod the system, as it did last year, only this time getting the Senate to act, because that is really important. Thank you, Mr. Chairman. My time is up. And, again, thank you to my dear friend from Pennsylvania. Chairman Chaffetz. [Presiding.] I thank the gentleman. I now recognize the gentleman from Texas, the chairman of the Subcommittee on IT, Mr. Hurd, for 5 minutes. Mr. Hurd. Thank you, Mr. Chairman. My mom always told me that you can always find the good in any situation, so let me try to start off with that. DHS caught them, caught the problem, right? I think that is a good thing. When they were engaged, we found it. Wish it was a little bit sooner, but we caught the problem, so that is good. I also got a letter from the Chief Information Officer of OPM. I am going to read a little bit. 
``Dear Mr. Hurd, I am writing to inform you that the U.S. Office of Personnel Management recently became aware of a cybersecurity incident affecting its systems and data, and you may have been exposed. You are receiving this notification because we have determined that the data compromised in this incident may have included your personal information, such as your name, Social Security number, date and place of birth, and current or former address.'' I know Ranking Member Cummings and Mr. Mica were talking about how could an adversary use this information. I spent 9 years as an undercover officer in the CIA. I think I have a little bit of idea and perspective on this. If it was the Chinese, any Federal official traveling to China, former official, someone there is a subject of being targeted for elicitation of information about what is going on in the Federal Government. If it was the Russians, all this information is going to be sold and then used against them to drain people's bank accounts, use this to create new access codes to get into private information. If it was narcotraficantes in Mexico, which have the capability of doing cyber attacks, it is the home addresses of men and women in Border Patrol, people that are keeping us safe, right? So the threat is huge. The impact is fantastic. And one thing my dad always said was, ``It never hurts to say you're sorry.'' And further in this letter, it says, ``However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.'' Later, it says, ``We regret this incident.'' ``I'm sorry'' actually goes a long way. Now, I agree with what my colleague from Virginia had said about this long, committed attack by advanced, persistent threats. And my issue is actually not with how we responded to the threat, because I think the immediate technical steps that were taken were good things, right? 
And I believe all the folks involved in the mitigation of the immediate threat were doing some things that I think can be used in other places. But what I have a problem with is everything before this. If you were in the private sector, the head of a publicly traded company, and Ernst & Young was doing your yearly audit, and you had at least 5 years of audit information saying that your digital infrastructure had some high risk to it and needed to be immediately fixed, the board of directors would be held accountable for criminal activity, multiple years. I did this for a living. I would penetrate the networks of companies and identify the problems that they had. And a lot of times, if there was a high-risk issue, we would call the customer immediately and say, ``This has to be fixed right now,'' and the company and the customer would do that immediately. And so then, you know, we would issue our report, saying, ``Here was the high-risk report, but it was fixed.'' Because a company like Ernst & Young doing an audit would probably not even put this information into an audit report to go to the board, because it is, ``Guys, y'all gotta fix it.'' So my problem is that these high-risk issues that were identified by the IG haven't been addressed. KeyPoint--and I guess my first question is to Ms. Ann Barron-DiCamillo. Has US-CERT reviewed KeyPoint's network? Ms. Barron-DiCamillo. Yes, sir. We were on site last summer at KeyPoint's network in Loveland, Colorado. And we were there with our interagency partners and did an assessment of the network. We actually went there in an abundance of caution based off of the event that happened both at USIS and OPM. It was decided by leadership that we needed to take a look at contractors that were performing background clearance investigations. So there wasn't an indication that led for us--or led our teams to go on site, as was the case with OPM. 
This was done out of an abundance of caution because of the target that we saw associated with background clearance information. Mr. Hurd. Thank---- Ms. Barron-DiCamillo. So our team did an assessment, a network integrity assessment. Some results came back that caused some concern, so we sent an incident response team on site and reviewed their network. We were there for a couple of weeks last summer. Mr. Hurd. When we hire contractors, are they subject to the same standards of network hygiene that U.S. Government networks are? Ms. Barron-DiCamillo. Are contractors subject to the same? It would be part of the contract language associated with FISMA requirements. There's FISMA requirements that are--for any kind of network that houses government data, there are certain requirements, per the FISMA law of 2002. Mr. Hurd. And, Mr. Chairman, my last question. In his opening remarks, Ranking Member Cummings read some of Director Archuleta's comments to the Senate committee. ``The adversary leveraged a compromised KeyPoint user credential to gain access to OPM's network.'' And then the written information that KeyPoint submitted said, ``We have seen no evidence of a connection between the incursion at KeyPoint and the OPM breach that is the subject of this hearing.'' Mr. Hess, feedback? Mr. Hess. Congressman Hurd, it is true that the KeyPoint incursion, we've seen no evidence of a connection with the OPM incursion---- Mr. Hurd. So are you saying that Ms. Archuleta is lying? Mr. Hess. No, I'm saying she is correct. From knowledge that I have been given, there was an individual who had an OPM account that happened to be a KeyPoint employee and that the credentials of that individual were compromised to gain access to OPM. Mr. Hurd. Thank you. I yield back. Chairman Chaffetz. I thank the gentleman. We will now recognize the gentlewoman from the Virgin Islands, Ms. Plaskett, for 5 minutes. Ms. Plaskett. Thank you. Thank you very much. Good afternoon, everyone. 
I think that it is very interesting--I was listening to Ranking Member Cummings talking about the vulnerability of government contractors and the questions of my colleague Mr. Hurd regarding whether or not companies that have government contracts must keep the same level of security and care that the OPM or other agencies would have to, in terms of preparing for cyber attacks. Mr. Giannetta, I have a letter that was sent from USIS to Ranking Member Cummings on December 5 of 2014, and the letter says that the Federal agencies have the failure of the company. And I wanted to ask you some assertions that you made in that letter. In the letter, it says--their counsel wrote that the critical cyber attack defense information only flowed in one direction, from USIS to the government. Is that correct? Mr. Giannetta. In the discussion we had earlier about the shared responsibility to notify from a contractor to the government and the government to the contractor, that is correct. Ms. Plaskett. You are qualifying it now. So you are saying that in terms of---- Mr. Giannetta. I'm not qualifying it. I'm suggesting that we were required and obligated by our contract to notify OPM that we had an intrusion, which we did immediately. And in the discussion that was held earlier, OPM recognized that they did not notify USIS or, I believe, KeyPoint of their intrusion of March of 2014. Ms. Plaskett. So, in terms of the cyber defense information, was it one-way or did it go both ways? Mr. Giannetta. In my humble estimation, it was one-way. Ms. Plaskett. So it was from yours to the others. What would have, in your estimation, been the requirement of OPM or others towards you? Mr. Giannetta. Well, I'm not a lawyer or a contract expert. I don't have the contract in front of me. But my understanding is that there's a requirement to notify, to say, we've got an issue, here's what the issue is, so that there's a free flow and sharing of information. Ms. Plaskett. 
So, if you have an issue, you are supposed to let them know, correct? Mr. Giannetta. That's correct. Ms. Plaskett. And that is what you felt you did. Mr. Giannetta. Absolutely. Ms. Plaskett. And then U-CERT, did U-CERT then--what did they do about that information that you gave them? Mr. Giannetta. The CERT team? Ms. Plaskett. Yes. Mr. Giannetta. We invited the CERT team to our facilities in Grove City, PA, formally via a letter. And the CERT team arrived shortly after receiving that letter and enumerated our network and understood through discussions with our technicians as well as the third party that we hired what had transpired from the 5th of June through the time they arrived. Ms. Plaskett. So why does your letter also state that U-CERT has not provided USIS with any sort of briefing regarding information it may have uncovered during the course of its limited review? Mr. Giannetta. Let me just be clear that I didn't write the letter you're referring to. Ms. Plaskett. You are here testifying for your company. Your attorney--I am an attorney. I would never write a letter, as an attorney, for a company without the entire company agreeing to that. Mr. Giannetta. I'm just suggesting that I didn't write the letter. Ms. Plaskett. But you are here to testify for the veracity of the letter. Was the letter correct or no? Mr. Giannetta. We did not receive a briefing from CERT as to the findings that they had vis-a-vis the intrusion. We did receive---- Ms. Plaskett. Okay. Then let's ask CERT, since they are here. Mr. Giannetta. If I could finish, we did receive some recommendations relative to what we might do to---- Ms. Plaskett. That is not a review? Mr. Giannetta. Our invitation to CERT requested their assistance in identifying threats to our network, and we did not receive that. Ms. Plaskett. Okay. Well, let's ask Ms. Barron-DiCamillo. Can you speak to that? Ms. Barron-DiCamillo. Yes. So our team was on site. 
It was an interagency response team including our law enforcement partners. We worked--just part of the incident response team, what we do is we're working with the system administrators daily. We're informing them every day at the end of the day of---- Ms. Plaskett. How many days did you inform them on a daily basis? Ms. Barron-DiCamillo. We were there for about 2 weeks. I'd have to go back and get the specific timeframe. Ms. Plaskett. So that's at least 10 reports that you've given them. Ms. Barron-DiCamillo. We worked through the weekend, ma'am. Ms. Plaskett. Through the weekend? Ms. Barron-DiCamillo. Yes. Ms. Plaskett. So that's 14 reports that they were given asserting what the issues were. Ms. Barron-DiCamillo. The daily findings. And they can change, so that's why we---- Ms. Plaskett. And did you find something, and did you give them ideas about what needed to be done? Ms. Barron-DiCamillo. Yes. We were able to discover that there was malicious malware present on the network, that there was compromised credentials, specifically---- Ms. Plaskett. And how did that happen? How did those compromised credentials--what were the two areas that you found within their own system that should have been taken care of previously? Ms. Barron-DiCamillo. We found a lack of some security mechanisms that would have helped to prevent this kind of intrusion, but, because of the lack of logging, we weren't able to find the initial point of entry. We were able to find---- Ms. Plaskett. Can you talk about that, the lack of logging? What is that? Ms. Barron-DiCamillo. There's a number of types of logs that we look at forensically that can help us piece together a picture of what's happened within your network. Ms. Plaskett. And why weren't those there? Ms. Barron-DiCamillo. I suppose a number of reasons. It's a risk decision, a risk-based decision. It can cost a lot of money, depending on the volume. Ms. Plaskett. It is a risk and a cost decision made by the company itself. Ms. 
Barron-DiCamillo. It can be, because it can require quite a bit of storage associated with some of the kinds of logs. Ms. Plaskett. So the government contractor that we hired to do government work for us decided that a risk and a cost decision on their part did not require them--they didn't put in the logins that were necessary to protect the system. Ms. Barron-DiCamillo. I can't answer that specifically. I can just give you some of the reasons I've seen, that people are not continuing to have the historical logs because of the volume of data. You know, there's millions of net flow records that happen a day, and that does require quite a bit of storage. And---- Ms. Plaskett. So the letter that was sent by USIS to Ranking Member Cummings, would you agree with the assertions that were made there? Ms. Barron-DiCamillo. No, I would not. We did provide them daily reports as well as a final findings report. We went over that with the team. And then we also provided a mitigation report. And I have documented evidence of all of that. Chairman Chaffetz. I thank the gentlewoman. Did you want to respond to that? Mr. Giannetta. If I may. Chairman Chaffetz. Sure. Mr. Giannetta. It's my understanding from our forensic investigator, Stroz Friedberg, that what was found by the CERT team vis-a-vis Ms. Barron-DiCamillo's comments was not information that they hadn't already discovered. In other words---- Ms. Plaskett. So the logins that were needed for them to be able to go and do a deeper forensic was something that they already knew? Mr. Giannetta. That---- Ms. Barron-DiCamillo. I think what he's saying---- Ms. Plaskett. Yes or no, did they already know? Ms. Barron-DiCamillo. --is we confirmed the forensic evidence of the third-party partner. Mr. Giannetta. Thank you. Ms. Barron-DiCamillo. Right. So I believe what he's saying is, it sounds a bit of a--you know, it was a confirmation. 
And we were able also to confirm the compromised credentials associated with the third-party forensic firm that they had in there. And then we were able to discover additional findings throughout the assessment that we did. Chairman Chaffetz. I thank the gentlewoman. We will have to further explore that, but, for now, we will recognize the gentleman from Alabama, Mr. Palmer, for 5 minutes. Mr. Palmer. Thank you, Mr. Chairman. Ms. Archuleta, last week, I brought up a letter that two of my legislative staffers received warning them that their personally identifiable information may have been compromised in the cybersecurity hack. I bring this up again because, earlier, you disputed the number of people that are affected by this when Ms. Seymour admitted, after I questioned her about the letter that she signed, that this goes beyond the people who filled out the Form 86. And I just want to know, considering the fact that a vast amount of personally identifiable information stored by OPM was vulnerable due to the login credentials, was it likely exposed by foreign contractors, outsourced by OPM and OPM's failure to communicate with and abide by the IG's recommendations? Ms. Archuleta. I'm sorry, sir. Could you repeat that question? Mr. Palmer. I am just asking you, do you--let me rephrase it. Do you stand by your assertion that this is limited to a smaller group than is being indicated in the media and might be indicated by the fact that this extends beyond the people who filled out Standard Form 86? Ms. Archuleta. Thank you for clarifying the question, sir. I think it's really important not to conflate the two incidents. The first incident was the employee personnel records, which is the 4.2 million. Mr. Palmer. That is not--I am just asking---- Ms. Archuleta. And the second---- Mr. Palmer. --is it more than 4.2 million? Ms. Archuleta. 
And the second incident, we haven't determined the number yet, of the scope of that incident and the number of employees that would have been affected by that and others. Mr. Palmer. Okay. So the answer is yes, that it is more. I think it is very evident that this attack on the Federal employees' personally identifiable information not only puts those workers at risk but also puts secondary groups at risk. For instance, if they have their personal email addresses, as it is pretty evident from, as I pointed out last week, that some of the breaches occurred through personal email addresses, that all of these employees and their secondary relationships, is it possible that certain information was exposed there as well? Ms. Archuleta. Yes, the team that is working on the analysis of the scope is--it's exactly why we're taking our time to make sure that it's accurate. And the SF-86s we've talked about earlier. The data in there is--includes not only the employee but may include other information and PII for other individuals. That's why we're being very, very careful about that and looking at the data, because it could be that there was no PII for some individuals. Mr. Palmer. But, ma'am, beyond the SF-86s, I am talking about where the breach apparently occurred, as well, through personal email addresses, particularly at the Immigration and Customs Enforcement Agency, that was reported in The Wall Street Journal. I brought this up to you last week. I will be happy to provide this information to you---- Ms. Archuleta. Yes. Mr. Palmer. --if you need to see it. But where they got in on personal email addresses, that would expose everybody in their email chain. Ms. Archuleta. Ah. I'm sorry. Yeah. Mr. Palmer. And I think we have---- Ms. Archuleta. I understand your question. Mr. Palmer. Let me go on to something else. You received a letter last week from Senator Mark Warner with some specific questions about a contract that you awarded to CSID. 
Have you responded to Senator Warner's letter yet? Ms. Archuleta. I'd have to check with my staff, sir. I know---- Mr. Palmer. Have you---- Ms. Archuleta. --that we were attempting to respond as quickly as possible, yes. Mr. Palmer. Have you personally read his letter? Ms. Archuleta. I have read his letter, but I have not--I don't know that our response has made it through our system yet. Mr. Palmer. All right. He raises a question here about how quickly this contract was awarded to CSID. You didn't go through the normal process, and it was awarded in 36 hours, I think, is what Senator Warner says. Was it intentionally steered to CSID? Ms. Archuleta. No, sir. Mr. Palmer. Who made the decision? Ms. Archuleta. I would ask Donna to talk about the process that we used. It was a fair and competitive process. Mr. Palmer. A fair and competitive process. Ms. Seymour. Our contracting officer made the selection on the contract, sir. Mr. Palmer. Okay. Did you evaluate the management of CSID? Ms. Seymour. I did evaluate both the technical and the cost proposals for---- Mr. Palmer. Did you evaluate the people who run the company? Ms. Seymour. I had resumes for the people--or for the key personnel that they provided in the proposal. Mr. Palmer. Are you familiar with their board of directors? Ms. Seymour. No, sir, I'm not. Mr. Palmer. Okay. Do you know Owen Li, one of their directors? Ms. Seymour. No, sir, I don't. Mr. Palmer. Okay. Mr. Chairman, my time has expired. I yield the balance. Chairman Chaffetz. From start to finish, how long was it from when you got the proposal that you awarded the contract? Ms. Seymour. I would have to go back and look at exactly when we released the RFQ. But I believe it--and I don't want to misspeak. So let me go back and find out when exactly we released the RFQ and exactly when we awarded the contract. I don't have that data with me. Chairman Chaffetz. But it was less than 48 hours, right? Ms. Seymour. 
I think it was about in that timeframe, sir. Chairman Chaffetz. And the award is how much money? Ms. Seymour. The contract is about $21 million for the services that we're providing for credit monitoring, notification, and the identity theft insurance. Mr. Cummings. Will the gentleman yield? Chairman Chaffetz. Sure. Mr. Cummings. Why was it made so fast? Ms. Seymour. We wanted to---- Mr. Cummings. And was there other companies that could do just as good a job? I am just trying to figure out how we got that company. Ms. Seymour. We received a number of proposals, and we evaluated them based on the government's needs, several requirements that we had put in the RFQ that the companies responded to. And we evaluated all of those proposals that we received against that criteria, and Winvale provided the best value to the government based on those requirements. Chairman Chaffetz. Will you also copy--when you give Senator Warner the answer to his questions, will you send us copies of that, as well? Ms. Archuleta. Yes. Ms. Seymour. Yes, sir. Chairman Chaffetz. Okay. Thank you. I think he raises a number of important questions, as does Mr. Palmer here, and we will continue to pursue that. We now will recognize the gentleman from Pennsylvania, who has been waiting patiently, Mr. Cartwright, for 5 minutes. Mr. Cartwright. Thank you, Mr. Chairman. Mr. Chairman, I find myself utterly dissatisfied with the explanations we have heard today. And I want to train my attention on you, Mr. Hess. You have made some fine distinctions about what that employee of your company was doing, the one that got hacked and who was working on OPM's systems at the time. And, because of that hack, that employee became a victim and lost personal information. And that led to the successful hacking of OPM's systems. Have I broadly described that correctly, sir? Mr. Hess. We actually do not know how the employee's credentials were compromised. Mr. Cartwright. All right. 
But it was a KeyPoint employee; am I correct in that? Mr. Hess. That is correct. Mr. Cartwright. And you are the CEO of KeyPoint, right? Mr. Hess. That is correct. Mr. Cartwright. All right. And you are denying accountability for that hack, for the OPM hack. And what you said was the employee was working on OPM's systems at the time, not KeyPoint's. That is what your testimony was, correct? Mr. Hess. That is correct. Mr. Cartwright. Well, so we have an individual's OPM credentials that were taken. That individual happened to be a KeyPoint employee. Did that KeyPoint employee have OPM credentials as part of his or her scope of employment with KeyPoint? Mr. Hess. Correct. Mr. Cartwright. Okay. It wasn't a coincidence that this KeyPoint employee had OPM credentials. It was part and parcel of his or her scope of employment with your company, wasn't it? Mr. Hess. That is correct. Mr. Cartwright. All right. And it was KeyPoint paying this person as the person was working on OPM's systems at the time; am I correct in that? Mr. Hess. That is correct. Mr. Cartwright. And you understand, under traditional concepts of the law, KeyPoint is responsible for the acts of its employees acting within the scope and course of their employment with your company. You understand that, don't you? Mr. Hess. I'm not familiar with that construct. Mr. Cartwright. All right. Mr. Hess, you are here today because a cyber espionage operation succeeded in breaching very personal information that your company was entrusted with. On January 6, 2015, my ranking member, Mr. Cummings, sent you a letter requesting information about the data breach. His letter requested a number of documents. Did you get the letter? Mr. Hess. Immediately upon receiving the letter, KeyPoint counsel reached out to the ranking member's staff to arrange for a briefing. And we tried to have a date and time set up, and we are still waiting for confirmation on that. Mr. Cartwright. You got the letter, right? Mr. Hess. Yes, sir. 
Mr. Cartwright. And more than 5 months later you haven't responded with documents; am I correct in that? Mr. Hess. We reached out immediately to the ranking member's staff to brief the staff, and we have not received a response on a time and day to do so. Mr. Cartwright. Well, let's go through the document request that Mr. Cummings made. He requested a log of all successful cyber intrusions into your company's networks in the last 4 years. That is a reasonable request, isn't it, Mr. Hess? Mr. Hess. I don't find it unreasonable. Mr. Cartwright. Will you provide this to the committee? Mr. Hess. I will take that back to my team and let you know. Mr. Cartwright. You are the boss there, aren't you? Mr. Hess. I am the CEO. Mr. Cartwright. All right. But you are going to get permission from your team, who work for you; is that it? Mr. Hess. I'm going to take it back and discuss it with my team. Mr. Cartwright. Let's go to the next request: copies of all forensic analyses and reports concerning the data breach, including findings about vulnerabilities to malware. When will you provide these documents to the committee? Mr. Hess. I'll take that request back to my team and let you know. Mr. Cartwright. Ranking Member Cummings requested a list of all Federal customers affected by the data breach. Will you provide those to the committee? Mr. Hess. I will take that back to my team and let you know. Mr. Cartwright. Mr. Hess, your company exists because of the largesse of the United States Federal Government. We expect you to respond to requests from this committee. Mr. Cummings does not write letters because he just enjoys writing letters. He is concerned about the security and the safety not only of Federal employees but of the United States public. This is really important. Will you please treat it as such? Mr. Hess. I do, Congressman Cartwright. Just--we responded immediately to Congressman Cummings' request by calling their staff, having our counsel. 
And I would also inform---- Mr. Cartwright. By responding and calling but not providing the documents. We want the documents, Mr. Hess. I yield back. Mr. Cummings. Will the gentleman yield? I just want to clear this up, because you just said some things that--you talked about my staff. Mr. Hess. Yes, sir. Mr. Cummings. And it is my understanding that they did get back to us, but for months--for months, some back-and-forth because you all did not want to agree to the scope of the meeting. And then, just recently, because of this hearing, you finally said, scrap the limitations on the meeting, the scope, and we'll meet. And so I don't want you to, you know--I don't know whether you have the information or what, but I want you to be accurate. Mr. Hess. That's not the information that I have, sir. Mr. Cummings. Well, then your information is inaccurate. Mr. Hess. I will research that. Chairman Chaffetz. Mr. Hess, is it reasonable by the end of this week to provide us the documentation on the communication and the lack of the meeting over the last several months? Is that fair? By the end of the week? Mr. Hess. I will take that back to my team and get back to you. Chairman Chaffetz. You are the CEO. You can make these decisions. Are you or are you not going to do that? Mr. Hess. I'm going to take it back to my team and discuss it. Chairman Chaffetz. No. That is not good enough. Give me a date that you think is reasonable to give us the correspondence dealing with setting up a meeting. It can't be that difficult. Mr. Hess. Chairman Chaffetz, I was asked last week, on Wednesday, to brief both your staff---- Chairman Chaffetz. But you were asked months ago to brief the minority staff, and that didn't happen. I just want to see the documentation; is that fair? Mr. Hess. I will take that request back to my team. Chairman Chaffetz. No. I want an answer from you. I want to know when you will provide that information to this committee. Mr. Hess. 
I will take that request back---- Chairman Chaffetz. No. I want a--you give me the date. When is it reasonable? You are the CEO. Mr. Hess. I understand, sir. I will take that request back to my team. Chairman Chaffetz. No. I need an answer from you. All right, we will sit here all day if you want. You want me to issue a subpoena? Is that what you want me to do? Because I will sign it. I will sign it today. Give me a date that is reasonable. Mr. Hess. I need to take that information back to my staff. Chairman Chaffetz. Sir, seriously, when are you going to provide that information? Mr. Hess. I'm trying to be helpful, Chairman. I did do a briefing last week, and we did reach out to Congressman Cummings' staff immediately upon receipt of the letter. And we did not receive, by the information that I have---- Chairman Chaffetz. Am I asking for anything unreasonable, to provide the correspondence and the interaction? I mean, they are going to have their half. I just want to see your half. I am trying to give you an equal opportunity here. Mr. Hess. I understand that, sir. Chairman Chaffetz. When is it a reasonable date? Mr. Hess. Let me get back to you with that information. Chairman Chaffetz. No. I want you to decide before the end of this hearing. We are going to go to the next set of questioning. You can counsel with all the people that are sitting behind you, but it is a reasonable question. What Mr. Cartwright said is not unreasonable. And so, if you think it is, tell me. But I just want to see the correspondence. Counsel all you want while we ask the next set of questions, but I suggest you keep an ear to Mr. Grothman, who we are going to recognize for 5 minutes. Mr. Grothman. Thank you. Two comments before I ask questions. First of all--and this is kind of a followup on what I think Congressman Hurd was trying to get at--it surprises me you folks are not more contrite over what happened. 
It seems like you don't understand the enormity of the disaster that has happened here. Secondly, I think sadly this is all too often common for government, and it is something that I think everybody in this institution should remember as we pass bills having the government have these huge data banks of educational information or medical information or what have you. Because if the people in charge of these banks of information don't display more sense of urgency than you folks, I think, you know, the possibility of this happening at other agencies is something we should be considering. But now I have some questions for Ms. Seymour. You are going to be in charge of a whole overhaul of this whole IT thing, correct? Ms. Seymour. Yes, sir. Mr. Grothman. Do you feel you have got the skill set to oversee something of this magnitude? Ms. Seymour. I don't ever believe that I have the skill set to do something this large. And that's why I employ people who have a broader skill set or a different skill set than me in various areas. I don't have all the technical skills that I would need to do something like this. It takes a team. Mr. Grothman. Okay. In your past positions, have you overseen--what were the largest projects that you have overseen, IT projects in your prior work experience? Ms. Seymour. I have overseen some very large projects, sir, both in my past employment with Department of Defense as well as the Department of Transportation. Systems that were certainly enterprisewide and served large populations of people like OPM. Mr. Grothman. Sizewise similar to---- Ms. Seymour. Yes, sir, sizewise similar. Mr. Grothman. And how quickly were they able to complete these projects? Ms. Seymour. Some of them took--some of them were much faster than others. You know, it depended on when I came into them. Some of them were delivered within a year, and some of them took years, multiple years to deliver. 
I think sometimes the way that we're changing the way that we deliver IT solutions now, we're trying to be much more agile. And so we're trying to find what we call a minimal viable product. We are trying to find segments of capability that we can deliver in shorter term. So we are trying to deliver, you know, capability within 6 months, 6-month segments, and then build on that to get to a whole system. Mr. Grothman. And how quickly do you think you will be able to complete this current project? Do you have a goal or an expectation? Ms. Seymour. When we started the project, sir, we kind of divided it into two pieces so that we could understand it. The first we called our tactical phase, which was shoring up the network that we have today. And we have put a great number of security tools into our current network. And that's what allowed us to find this adversarial activity this year. The second piece of this was building the shell. And we estimated that it would take us approximately a year to be able to deliver that. That project is on schedule, and it is on budget. And we will be delivering the shell environment this fall. The next phase is migration. And we have recognized from the very beginning that we did not have a full enough scope, certainly not from my tenure on board back to June of 2014, that I have enough scope or understanding of exactly the OPM-- the full OPM environment to be able to assess what it was going to take to do that migration. And so that's why we only contracted for the first two pieces. And we said as we worked through this project, to understand it, we will be able to better estimate and understand what needs to move into that shell. But we knew from the beginning that there were some systems that were very old, that are about 30 years old, that we were going to have to migrate into that shell. So we focused on those first. Mr. Grothman. Okay. One other question. 
Last time you were before this committee, you referred to the fact that you deal closely with the IG. And last time we had a major IG project you apparently did not notify him of the project. Do you have a reason for that or an explanation for that? Ms. Seymour. I am not aware of a requirement, and I certainly could be corrected, but I am not aware of a requirement to notify the IG of every project that we take on. Certainly we included in our budget request for 2016, we talked through this project and documented it in that arena. We also discussed on a couple of occasions with the IG this project because they have an interconnection with our network. And some of their systems, we actually host some of their systems. And so they have to come along with us in this project if we are going to continue to provide those services. Mr. Grothman. Okay. But an undertaking of this size, you know, maybe it's not something you normally tell the IG about, but you would not have felt the necessity to notify them what's going on here? Ms. Seymour. Sir, it's just based on my experience that if I am--no, sir, I would not normally advise the IG of a project that we are doing. That doesn't mean I am holding the information from them. But I also do know that we discussed with the IG on a number of occasions the fact that we were taking on this project and that they needed to modernize their systems and upgrade their systems to be able to meet the security requirements for this project. Mr. Grothman. Okay. Thank you. Chairman Chaffetz. I thank the gentleman. I will now recognize the gentlewoman from New Mexico, Ms. Lujan Grisham, for 5 minutes. Ms. Lujan Grisham. Thank you, Mr. Chairman. I just got back down to this hearing after a meeting in my office with the leadership of one of the five national labs, Sandia Laboratories, which is in my district, Albuquerque, New Mexico. And, of course, the theme of many of those meetings are the constant threats.
Every second of every minute of every day, they are clear that someone, something is entertaining a cybersecurity attack. And it's a constant threat. And they're clear that that's the environment that they work in. They are also clear that they need our support and recognition to be proactive and to do something about these problems both internally and externally. And I appreciate their constant surveillance and their awareness of this critical problem. I too--before I ask my question--am extremely disappointed in the reaction from this panel at this hearing, that we know that these are issues that we have to deal with, that we are in fact accountable, and in fact you are liable. And what I hear is that none of those really are occurring, that if you don't provide us the answers at this hearing and the answers that we are requesting in the documents, you cannot help us assure that we are protecting or adequately identifying the scope, which means that then you become part of the problem again. And I find it incredibly offensive that that's what is occurring in this hearing. What we all ought to be doing is assuring that we are protecting not only the thousands of Federal employees in my district, and the hundreds of thousands of employees around the country, and the millions of employees who are affected, we are all scrambling to figure out who is the most accountable and who is the most responsible and who is the most liable. And I am expecting much better cooperation. There is a lot of work to do in accountability, identifying the scope, doing something about the legacy systems, making sure we are prepared for the next potential breach. And as we do that, I do want to focus on how we are treating these employees. And so, Director Archuleta, I hold in my hand one of the letters that many of my employees and my constituents are getting. 
And I am concerned about some of the aspects of the letter, and want you to talk me through about some of the concepts identified in the letter and how you came to these conclusions and what we might do to broaden those. For example, in the letter, you say that, your information--to an employee-- could have been compromised, that potentially affected--I don't know when you are going to find out about that--will receive a subscription to CSID, protection and identity theft, for 18 months. Now, what happens if you have an issue after the 18 months? Is that individual going to be covered? Ms. Archuleta. The individual on the identity theft, yes. Ms. Lujan Grisham. So even though the letter says you have got an 18-month, when are we going to know in writing? Because these are lifetime issues. Unfortunately, they don't go away. Once that's been compromised, that's the problem, you're compromised. I don't think that these consequences are just 18 months. And I was interested in how you came with that framework. It seems to me people should know that they're going to be protected by you and supported, irrespective of the timeframe. Ms. Archuleta. I understand your concerns. And I understand the responsibility that we have to our employees about their PII. I take that responsibility very, very seriously. I want to say that there are--in the letter, the first sentence that you wrote, the difference between exposure and exfiltration. It could be that their data was exposed and not exfiltrated. But we feel strongly that we need to offer the same protections to those employees who their data might only have been exposed. Ms. Lujan Grisham. I got it. But I want to know that you are going to be responsible and supportive of these employees. Ms. Archuleta. Absolutely. Ms. Lujan Grisham. Not just in the short term, but the long haul. 
So they can expect maybe another letter, something that says, ``We are here,'' because the other thing I would like you to consider--and I appreciate that response--is that if you look at the letter, again, and I read it carefully, we are pushing folks, I get also, I agree, to the right kinds of experience, I hope, contractors to provide that support and identity restoration. I would like more clarity about what that will involve. Ms. Archuleta. Sure. Ms. Lujan Grisham. But in addition, you have got to call all these outside numbers. You have to call all these credit agencies. You have to enroll yourself. I would really strongly encourage you that there ought to be a phone number that I can call to OPM. Ms. Archuleta. By law, they have to enroll in the credit monitoring. Ms. Lujan Grisham. I understand that part. But in terms of managing and supporting employees, I expect that the organization that's the source of the breach would be available to me and not just outside numbers. And I don't know if you have done any mystery shopping of the toll-free numbers or calling these credit folks, but there is an interesting long waiting period. I would really strongly suggest that we step up H.R. and that there is a quick and immediate response in your own department. Ms. Archuleta. Thank you. I appreciate your comments. And I agree with you totally that we need to hold our contractor responsible for their response. We are also instituting new ways that they can respond to the employees. I think I mentioned before you got here is that we are using the SSA model where we in fact are being able to call them back, that no one has to wait on line. Chairman Chaffetz. I thank the gentlewoman. We will now recognize the gentlewoman from Virginia, Mrs. Comstock, for 5 minutes. Mrs. Comstock. Thank you, Mr. Chairman. Thank you for letting me sit in on this hearing.
And I think, as I have already talked with OPM, we do plan on doing some hearings in the Science and Technology Subcommittee, which I chair also. Like some of my colleagues have already mentioned, and they have had that experience, I have received those same letters, as have, more importantly, tens of thousands of my constituents here in northern Virginia, like Mr. Connolly. I also had the unfortunate experience of also getting a letter from the IRS saying my tax information had been compromised. But that's probably another hearing, Mr. Chairman. But what I am concerned about is I am not hearing leadership here. I know when I visit the Visa data center in my district, and I see all the things they have in place and the leadership they are exerting there and the leadership that comes from the top there, I see a very strong culture of leadership in their cybersecurity and how they are attacking it. So my question, Ms. Archuleta, now when you came here 18 months ago, you understood that we had a very real threat from China and other bad actors, that this was constant, like the Congresswoman was just talking. It is constant. It is something every day, and it is something you are always going to face. Do you understand that? Ms. Archuleta. Yes, I do. Mrs. Comstock. Okay. So, in doing that, because I think really what we know here from what Mr. Connolly said, I think what we have all recognized is they are at war with us. And we aren't up to speed. And we aren't responding in kind in terms of the problem. Now, what I am hearing is the blaming the actor here, saying that, well, we know they are bad actors. And we know that; that's part of the job. So what I would like to know is in the 18 months, how many meetings have you had yourself personally where it's been exclusively about cybersecurity, and you have had those meetings, and who have they been with? Ms. Archuleta. I have had those meetings with individuals throughout government. 
I have had those almost on a daily basis with my own staff and the CIO. I would say that since the 18 months that I arrived, I recognized the same problem that you did. And we have taken tremendous steps but, as you say, that there are these actors, and they are aggressive, and they are well funded, and they are persistent. And the first thing I did was to implement an IT strategic plan with a focus on IT security. Mrs. Comstock. I appreciate that because we have gone through those details. Have you visited a private sector, a data center and seeing what the private sector does? Ms. Archuleta. I have had discussions with the---- Mrs. Comstock. No, have you visited? Have you visited someplace? Ms. Archuleta. I have visited other, yes, other companies. The issue of cybersecurity was not the one that we discussed. But as the plan that I outlined this morning is that we are holding a summit in the very near future to bring those private individuals who are facing the exact same threats that we are so that we can learn from them. We need to access experts. Mrs. Comstock. But in the past 18 months, you had not done that? Ms. Archuleta. I have not met personally on cybersecurity issues. Mrs. Comstock. Okay. With the private sector. Ms. Archuleta. With the private sector. But my colleagues from across government have, like Tony Scott and others, the Federal CIO. And I have been the benefit of those conversations and his experiences, as well as other people throughout government. We recognize that cybersecurity is an enterprise issue for all of us in government. And it's not just one person who has to take responsibility. All of us across government have to. Mrs. Comstock. I appreciate that. But I think the point that has been made to me by people who are leaders in this field is the person at the very top has to take that role.
And I would note that when Target, when they had this breach, when they had this problem, it wasn't just their CIO that lost their job, it was the CEO who lost their job. And that's how that was responded to in the private sector. So I want to continue with some of the points that have been made by Mr. McFarland. Have you sat down with Mr. McFarland to discuss his recommendations? You personally. Ms. Archuleta. I sit with Mr. McFarland. He has brought some of those to my attention. I also, with the flash audit, I have not had the opportunity because of the time period that it was released. But it's my full intention not only to talk with him about the flash audit but also to engage him as we move forward, as we always have. Mrs. Comstock. Okay. Now, when I sent you the letter that you had sent back, really one of the questions I had in there was how many people in my district have been impacted by this? I think it's a fairly simple question because you sent out the 4.2 million letters, right? And letters usually have a ZIP Code. So when you asked--you should be able to tell us how many people we have in our districts that have been impacted by this. I certainly have been hearing from many. And they have a lot of questions. And I would like to also mention I would like to submit for the record questions from the Federation of Government Employees. Mrs. Comstock. And I have had a lot of incoming questions that have come that obviously we don't have time here. But just a simple question that did not get answered was, how many constituents do I have impacted by this? Ms. Archuleta. I would be able to get you that information from our data, and we would be glad to share it with you. Mrs. Comstock. Okay. Thank you, Mr. Chairman. I yield back. Chairman Chaffetz. I thank the gentlewoman. I will now recognize the gentleman from California, Mr. DeSaulnier, for 5 minutes. Mr. DeSaulnier. Thank you, Mr. Chairman. I apologize for having had to leave. Very troubling. 
I have what may be a character flaw for this committee. I tend to give the benefit of the doubt. So, Ms. Archuleta, I would like to give you the benefit of the doubt, but the flash report really is quite concerning to me. So, Mr. McFarland, a quote from that says, ``In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure.'' Having sat here and listened to multiple hours now in this hearing, would you say that your level of confidence in OPM is heightened, or do you stand by that comment? Mr. McFarland. I stand by that comment. Mr. DeSaulnier. And you also asked for responses from OPM. It says you asked for it on June 2 of 2015, and you asked for comments by June 5, and then later extended that to June 10. By June 17, we had still not received comments or indication that comments would be forthcoming. Did you ever get comments back before the hearing? Mr. McFarland. I think we may have gotten comments back that day. Mr. DeSaulnier. Okay. Well, I got something this morning, U.S. Office of Personnel Management, actions to strengthen cybersecurity and protect critical IT systems. It doesn't have a specific date, June 2015. But, Ms. Archuleta, is this the response that you provided the IG, or is this for the committee? It is a 7-page report. Ms. Archuleta. No, I am familiar with it, sir. The action plan that you received today is an action plan that I developed along with my staff in response to the very serious issues and threats that we are facing right now. It outlines what we have done and what we will be doing. The response to the IG on the flash audit he has received. As I said before, Mr. McFarland and I have not had the opportunity because of the time period that where we have been engaged with other things. But it's our intent, as in the plan, to make sure that he is engaged with this alongside us, and that we value his opinion and the work of his staff. Mr. 
DeSaulnier. So, Mr. McFarland, heretofore you haven't got that kind of impression--at least that's my impression from your testimony--I am sorry, you were distracted for a second. Mr. McFarland. Sorry. Mr. DeSaulnier. That Ms. Archuleta said she valued your input and looked forward to working with you. But, heretofore, you haven't gotten that, from what I ascertained from your comments today and the written commentary. Mr. McFarland. Well, what is on paper is exactly what I---- Mr. DeSaulnier. Do you have any heightened confidence that what Ms. Archuleta just said about your relationship will improve? It doesn't seem there is any evidence to that. Mr. McFarland. Well, I think in general we have a good relationship. Just, I mean, truly, I think we have a good relationship. Regarding this matter, I think we are worlds apart. Mr. DeSaulnier. That's fairly significant. As you said to Mr. Lynch, $93 million you said isn't even close to the amount needed in your opinion and that the ability to succeed--there is a high risk that these efforts will ultimately be unsuccessful. Given how horrible the consequences of what has already happened doesn't really give me a lot of confidence that going forward anything is going to improve. As a matter of fact, it sounds like it is going to get worse. Mr. McFarland. I think going forward at the right pace and concentration might be very successful. What I think is planned by OPM I think is dangerous. Mr. DeSaulnier. Would you like to respond to that, Ms. Archuleta? And I can only imagine how difficult it is coming in here. But I must tell you, just sitting here and being willing to give you the benefit of the doubt, you appear to come across as petulant, defensive, and evasive. Ms. Archuleta. I don't mean to do that at all. I take very, very seriously what has happened. Mr. DeSaulnier. You said that over and over again. With all due respect, I believe you, but it doesn't appear to be the truth. Ms. Archuleta. 
Well, I do--what I have tried to do today is to convey to the members how seriously I take this and that we are garnering all the resources, including the opinion of the IG. We disagree on some issues, but we do have other areas of agreement. We also have areas that would benefit from discussion between me and the IG. I think that's an important step. IGs work very closely with their administrations to make sure that we are doing the best job we can. I take his information very seriously. I do not want to convey that I am angry or petulant about it. What I am is respectful for the position he holds and value the input that he gives. But I do feel passionately about what has happened. I feel very passionate about the employees. I am a champion and have worked very hard throughout my entire career. And if I sound passionate about it, I have to say that I am. Mr. DeSaulnier. So I just, personal observation, sometimes you can feel passionate about things but not be capable of doing what you desire to do. And I think we need to have a serious conversation. I know the chairman has these concerns about, to be perfectly honest, whether the current administration is competent enough to protect this information from people who would hack us. Mr. Cummings. The gentleman yield? Mr. DeSaulnier. Yeah. Mr. Cummings. I think the gentleman gets to the point that I was trying to get to a little bit earlier. And the question becomes we have got Mr. McFarland saying that--I think he used the word ``dangerous.'' Is that what you said? Mr. McFarland. That's correct. Mr. Cummings. We are heading down a dangerous path. Mr. McFarland. I believe so. Mr. Cummings. And when you say ``dangerous,'' you are saying we are headed for some very serious trouble. Is that a fair definition of ``dangerous''? Mr. McFarland. Absolutely. Mr. Cummings. So, Ms. Archuleta, our problem is this: We sit here, and we have got an IG who we believe in and trust.
The IG is saying that you need to take his advice, and what you are doing is not going to get us there, as a matter of fact, may harm us. Am I right, Mr. McFarland? Mr. McFarland. That's correct. Mr. Cummings. So you have put us in kind of a difficult situation. We have now been given notice as Members of Congress that we are headed down this path by somebody who we rely on. You disagree with him, but then you expect us to be supportive of you. No, no, no. Listen to me. That's a problem because now you put us in a kind of bad position. So that means that if this happens again, problems get worse, then people say: Well, wait a minute, Chaffetz, Cummings, you all were sitting there. You heard what the IG said. I mean, why did you let this go on? That's the position that we find ourselves in. And so I don't care whether you like each other or not. That doesn't matter to me. A lot of people get along. The question is it sounds like you are refusing--no, no, answer me now; I am going to give you a chance--to do what he has asked you to do because you disagree. But on the other hand, he is saying that we are going down a dangerous path. I mean, come on now. Do you have a comment? Ms. Archuleta. Yes. I just wanted to be sure. The flash audit identified issues. A flash audit is meant to alert the administration about concerns. It merits an opportunity for the IG and his staff and my staff to sit down and find out where his concerns are. If he says it is a dangerous path, I want to know specifically why. Mr. Cummings. Mr. McFarland, haven't you told her that before? Is this new? Mr. McFarland. As far as the word ``dangerous,'' I probably didn't use that. Mr. Cummings. But, I mean, you told her the urgency of the moment. Mr. McFarland. Absolutely. Mr. Cummings. And the problems that we are having and where you see it heading. Mr. McFarland. Yes, in a letter. Mr. Cummings. Well, come on now. Ms. Archuleta. He sent a letter attached to the flash audit. 
And we have not had the opportunity to sit down with him. And I take very seriously his concerns, Mr. Cummings. And the opportunity, if he uses the word ``dangerous,'' I need to understand clearly from him and his staff why he attaches that word. And the flash audit needs the scrutiny of both him and I together to protect the employees and to protect our data, to protect our systems. Chairman Chaffetz. Ms. Archuleta, with all due respect, and I know you are fairly new to this position, but the audits have been coming from the Inspector General's Office since 1997. They come year in and year out. They have happened and happened and happened and happened. I mean, I started the other hearing by reading through all the comments that have come along. So this is a flash audit. You haven't had time to talk about it. You haven't had time to go through it. And yet you can award a multimillion dollar contract in less than 48 hours. That's what we don't understand. And we are going to go through that here in a minute. We are almost done with this hearing. But this isn't just one audit. This isn't just one observation. The good people in the Inspector General's Office have been warning about this since the 1990s. And it was never taken care of. Ms. Archuleta. Thank you for pointing that out. And I appreciate it and acknowledge that. I have been here 18 months, and I took seriously the audits that came before me. And that is why I have done and taken the steps. Chairman Chaffetz. We don't believe you. I think you are part of the problem. I think if we want different results, we are going to have to have different people. And if you want to refresh the deck, and we want to put Mr. Ozment or somebody else in charge like that, let's do it because you know what, we got a crisis. That hurricane has come and blown this building down. And I don't want to hear about putting boards up on windows, and it's going to take years to get there. That's why I think it's time for you to go.
    And, Ms. Seymour, I am sorry, but I think you are in over your head. And I think the seriousness of this requires new leadership and a new fresh set of eyes to do that. I wish you both the best in life. I am not out here to get you. But you know what, this is as big as it gets. And there are going to have to be a new team brought in. That's where I am at on this. Yield back to the gentleman.
    Mr. Cummings. I yield back.
    Chairman Chaffetz. I am going to recognize myself. We have got to talk about some things. Mr. Hess, have you come up with a decision about the timing of when you will provide this information I asked for previously?
    Mr. Hess. You will have it by next week.
    Chairman Chaffetz. Fair enough. Next week, if we can get that information, we would certainly appreciate it. And we will follow up. I will follow up.
    Chairman Chaffetz. I got Mr. Cummings' back on this one, and I will support him in this. He is asking reasonable questions. And I appreciate the cooperation. Thank you. I am going to yield to the gentleman from Alabama, who has brought up a great issue and a great point. And I want to go through this contract timeline here again. We are getting close to wrapping up. But, on Thursday, May 28 of this year, just not too long ago, at 11:33 a.m., OPM posted a 29-page request for quotes to provide notification, credit report access, credit monitoring, identity theft insurance, and recovery service, and project management services. On May 28, 2015, at 1:46 p.m., OPM posted amendment 1, a pricing sheet. On May 29, at 1:32 p.m., OPM changed the deadline from May 20 to May 30. On May 29, at 2:45 p.m. OPM posted another change, modified info to be submitted, and deleted some of the clauses. And, on Tuesday, June 2, a contract was Winvale Group. I don't know the Winvale Group. Could be nice people. I don't know. But they immediately turned around and subcontracted this to a group I don't know a whole lot about. I want to have Mr. Palmer ask you some questions about this.
    Mr. Palmer. Thank you, Mr. Chairman. This question is to you, Ms. Seymour. Do you know any of the management of CSID?
    Ms. Seymour. Not that I am aware of, sir.
    Mr. Palmer. Do you know or have any knowledge about the management of CSID?
    Ms. Seymour. No, sir, not that I am aware of. I got key personnel resumes in the proposals.
    Mr. Palmer. Did anyone discuss with you any knowledge about the CEO Scott Cruickshank? He is the chairman of the board.
    Ms. Seymour. No, sir.
    Mr. Palmer. About Hazem Ben-Gacem?
    Ms. Seymour. No, sir.
    Mr. Palmer. How about James Mansour?
    Ms. Seymour. No, sir.
    Mr. Palmer. There are only four directors. So the last one is Owen Li. I asked you about him earlier.
    Ms. Seymour. No, sir. I have no recollection of them.
    Mr. Palmer. You know, you let a contract in a very sensitive area. I mean, this literally impacts millions of people. It potentially impacts their financial well-being, their careers, yet it appears that you didn't do the most basic research into the company that you have contracted this with. If you had, I think you might have discovered that Mr. Li is under investigation by the Department of Justice and the Securities and Exchange Commission. They are looking into his management of a group called Canarsie, in which in 9 months, he lost 99.7 percent of the money invested in that hedge fund. Mr. McFarland, let me ask you this. If you had known this, would this have raised a red flag with the Inspector General's Office?
    Mr. McFarland. Absolutely.
    Mr. Palmer. I have listened to Mr. Cummings. I have listened to the chairman. And the more I listen to these guys and the members of this entire committee ask these questions, the more concerned and more frightened I have become about how OPM has handled this. And then to find this and to find that just the most basic analysis has not been done just adds to that. One other question I want to ask you. Mr. Ozment, who testified last week, made this comment.
    I want to ask you, are you aware of any outside contractors who are foreign nationals? Have you contracted any work with them? Ms. Seymour?
    Ms. Seymour. I am sorry, I didn't realize that was my question. I apologize. Am I aware of any----
    Mr. Palmer. Have you contracted any of this work to foreign nationals?
    Ms. Seymour. Not that I am aware of, sir.
    Mr. Palmer. How about you, Ms. Archuleta?
    Ms. Archuleta. No, sir.
    Mr. Palmer. May I read this? Or do you want to read it? This is from the Wall Street Journal. This is Mr. Ozment. He said: Some of the contractors that have helped OPM with managing internal data have had security issues of their own, including potentially giving foreign governments direct access to the data long before the recent reported breaches. A consultant who did some work with the company contracted by OPM to manage personnel records for a number of agencies told ARS that he found the Unix systems administrator for the project was in Argentina, and his coworker was physically located in the People's Republic of China. Both had direct access to every row of data and every database. They were root. Another team that worked with these databases had at its head two team members with Republic of China passports--People's Republic of China passports. I know that because I challenged and personally revoked the privileges. You are not aware of that?
    Ms. Seymour. Sir, I am aware of two of our--two Federal employees who have ties to foreign countries. They are U.S. citizens, and they work on our programs.
    Mr. Palmer. How are they--does it not raise--here is what Ozment said. He said from his perspective, OPM compromised this information more than 3 years ago. And his take on the current breach is, so what is new? I yield the balance of my time.
    Chairman Chaffetz. I would like to ask unanimous consent to enter into the record this article. This is written by Julia La Roche.
    It is March 27, 2015, ``Hedge Fund Manager Who Said Sorry for Losing 99.7 Percent of His Client's Money is Now Being Investigated By the SEC and the Department of Justice.'' Ms. Seymour, were you aware that the contract that you let for Winvale was going to be sublet, or there would be a subcontractor? Without objection, by the way, I will enter this article into the record.
    Chairman Chaffetz. Did you know that there was going to be a subcontract?
    Ms. Seymour. Winvale's proposal included the fact that it had work--that it was subcontracting or partnering with CSID on it.
    Chairman Chaffetz. So when you did your due diligence and you looked into some of the resumes of the people that would be involved and engaged in this, did that include the employees and the board at this subcontractor?
    Ms. Seymour. It did not include the board. We used past performance, and there are other systems that the contracting officer uses to research a firm to make sure that they are qualified to do work with the Federal Government.
    Chairman Chaffetz. Had either Winvale or the subcontractor, or if there is more than one subcontractor, do you personally know anybody who is in any way, shape, or form involved in any of those companies?
    Ms. Seymour. Not to my knowledge, sir.
    Chairman Chaffetz. There is nobody from the former Department of Defense or from the Office of Personnel Management? You know none of those people?
    Ms. Seymour. I do not believe I know anyone that's working for those firms.
    Chairman Chaffetz. Ms. Archuleta, do you know anybody that works for either of those two firms?
    Ms. Archuleta. Not to my knowledge.
    Chairman Chaffetz. So here we have somebody who lost millions of dollars, under investigation by the Department of Justice. We have got to figure out how in the world these people get the contract because now what we are doing is we are saying: Okay, all you Federal employees, millions of you that were affected, go give them your information.
    And that's the kind of person we are dealing with. I am not saying he is guilty. But he is under investigation. Why should we take the chance? Why didn't you go to the GSA list? I mean, there is a list of approved vendors out there. Why not use one of them?
    Ms. Seymour. We did consult with GSA and the GSA schedule on this. There were some requirements that we wanted to include in our contract that were not available on the GSA schedule.
    Chairman Chaffetz. Like what?
    Ms. Seymour. Deduplication of services is one of them. What we were trying to do at OPM was to set up a contract vehicle that we could use in the future for any additional breaches, whether it's one or twosies or anything else. We wanted to set up a vehicle that would not cause us to pay or to offer the same services to affected individuals at the same time. That is not something that the GSA schedule afforded us the opportunity to do, even after we talked with the schedule holder at GSA.
    Chairman Chaffetz. I am just telling you, this reeks. And for any contract to go out that fast, I understand the gravity of this situation, you are going to deviate from that and then they immediately go out to subcontract, I would encourage you to as swiftly as possible get back to Senator Warner and Mr. Palmer as well as this committee. I do need to ask about credentials. Ms. Archuleta, is there anybody in the OPM system, whether they be an employee or a contractor, who is a foreign national?
    Ms. Archuleta. Sir, I want to be sure of that answer. I would have to come back to you to be sure that I----
    Chairman Chaffetz. Ms. Seymour, is there anybody who is a foreign national who is involved as either a contractor or directly as an employee at OPM?
    Ms. Seymour. I will get back to you on that, sir.
    Chairman Chaffetz. The fact that you two don't know, that's what scares me. That's what really scares me is that you don't know.
    Ms. Seymour. I know about my staff, sir.
    Chairman Chaffetz. How many people on your staff?
    Ms. Seymour. About 280.
    Chairman Chaffetz. How many people have credentials to become a network administrator or have access to the network? How many?
    Ms. Seymour. I believe it is about 50.
    Chairman Chaffetz. So of those 50 people--and how often do you routinely audit that?
    Ms. Seymour. We review them very frequently.
    Chairman Chaffetz. Like what?
    Ms. Seymour. Probably monthly. We have processes for when people come onboard and when they leave, that we remove their access privileges.
    Chairman Chaffetz. Do you review the traffic that's going through there? Because that's evidently part of what happened is somebody gained network administrator access and----
    Ms. Seymour. So that's how we were able to track through and understand that our background investigations----
    Chairman Chaffetz. After they had been there for more than a year, right?
    Ms. Seymour. Yes, sir.
    Chairman Chaffetz. So how often do you track that and monitor that?
    Ms. Seymour. So we had put the tools on our network just over the last 6 months or so to be able to see this type of activity in our network. Again, sir, when I came on board, I recognized that these systems were in need of some modernization. We put in place a plan and began to execute that immediately to put the security tools in place so that we had visibility in our network. That's what led us to understand this latent activity that went back to even prior to my arrival at OPM.
    Chairman Chaffetz. I have got a series of other questions, but let's recognize the gentleman from Georgia, Mr. Carter, for 5 minutes.
    Mr. Carter. Thank you, Mr. Chairman. And thank all of you for being here. Ms. Seymour, I would like to start with you. It's my understanding that OPM's legacy system, that you are currently using COBOL, a system that was developed originally in 1959, is that correct?
    Ms. Seymour. I don't know when it was invented, sir, but yes, we are using COBOL in some of our systems at OPM.
    Mr. Carter. Okay.
    According to my research and my staff research, it was originally developed in 1959. And that's the system that we are using?
    Ms. Seymour. Yes, sir.
    Mr. Carter. Ms. Archuleta, OPM since 2008 has spent $577 million on IT. Is that correct?
    Ms. Archuleta. I don't know exactly that number, but I will accept that.
    Mr. Carter. You think that's pretty close?
    Ms. Archuleta. I would have to trust your judgment. I don't know that number yet, but I could get back to you. But yes, if you want to----
    Mr. Carter. But would you say that's in the ballpark, $577 million? I mean, give or take a couple hundred million, what are we talking about?
    Ms. Archuleta. I can tell you what we spent on it, but yes, I will----
    Mr. Carter. $577 million dollars since 2008, yet we are still using a legacy system that was developed in 1959?
    Ms. Archuleta. I agree with you totally, sir. We are using a legacy system that was designed in 1959. And that is what we are working to change.
    Mr. Carter. It's my understanding that approximately 80 percent of our IT budget is being spent on legacy systems. Is that correct?
    Ms. Archuleta. Right now, we are working off of our legacy system. That's why we are making the investments into a new system.
    Mr. Carter. I am sorry, I am just flabbergasted by this. It's just mind-boggling that we can spend--first of all, we can spend $577 million; secondly, that we are spending 80 percent of what we have budgeted on legacy systems. I mean, it's just amazing to me that we're doing that. Nevertheless, Ms. Seymour, let me ask you, the IG's flash audit indicated that the estimated cost for just two phases, only two phases of your infrastructure improvement project, is going to be $93 million. Is that correct?
    Ms. Seymour. Yes, sir. We put together the plan with a very robust interagency team and had that reviewed by a number of experts.
    Mr. Carter. $93 million?
    Ms. Seymour. Yes, sir.
    Mr. Carter. I am sorry, I don't mean to be dramatic, but $93 million?
    Ms. Seymour. That covers both securing our legacy architecture, the one that we have today----
    Mr. Carter. The one that was originally developed in 1959?
    Ms. Seymour. Not all of it was developed that long ago.
    Mr. Carter. If any of it was developed.
    Ms. Seymour. So our network was designed, you know, about a decade ago. So we are trying to shore that up, provide as much security around that network as we can. That's part of what the money is going to. And then the other part of the money is going towards building a more modern and more securable network that we will transition to.
    Mr. Carter. Okay. Okay. Well, it's my understanding that despite the decades that we have been spending all this money, these millions of dollars, that we are still using paper forms in some cases? Is that true?
    Ms. Seymour. A number of our business offices still use paper forms.
    Mr. Carter. We have spent $577 million on IT since 2008, and we are still using paper forms. Of course, hey, paper forms may be better in this case. I mean, at least we have still got control of those.
    Ms. Seymour. I can't speak to what's happened before me, sir. I can tell you that when I came in and saw the state of our IT systems, I worked with Director Archuleta to put in place a plan, an aggressive plan, for migrating to more modern, more secure network and systems.
    Mr. Carter. Does it include paper forms? Does it include paper forms? Will we still have paper forms after you make these adjustments?
    Ms. Seymour. We want to remove as much paper as we can from our environment, sir. That's one of our goals.
    Mr. Carter. I can't help but wonder if that's not a move in the wrong direction. At least we can have some control over these paper forms. We obviously don't have control over the computers and the information that we have on the Internet.
    Ms. Seymour. I would offer, sir, that there are security concerns with paper just as well. We have, you know, violations or issues with paper as well as you leave paper around.
    The other issue we have with paper, sir----
    Mr. Carter. So we leave paper around?
    Ms. Seymour. Sir, when you leave it in your office or when you are working with it. I would also offer that when we have paper, we don't have backup systems. That's a concern as well as we move forward with our automated----
    Mr. Carter. Ms. Seymour, I agree with every point you are making here. My point is that we spent $577 million since 2008, and we are still using paper.
    Ms. Seymour. And, sir, I also said I can't tell you what has gone on before me. What I can tell you is the plan we are putting in place, we are planning to put in place an enterprise case management system. We are working towards that. That will eliminate a lot of our paper. We will modernize our systems and provide better protections around our data and our systems.
    Mr. Carter. And that includes that $577 million that we have already spent?
    Ms. Seymour. I am sorry, sir?
    Mr. Carter. This is going to be more money we are going to throw at this problem, right?
    Ms. Seymour. Again, sir, I cannot account for what has happened before me.
    Chairman Chaffetz. Thank the gentleman. We have a vote on the floor. I will recognize Mr. Cummings, who has got a few more questions.
    Mr. Cummings. I will be very quick, Mr. Chairman. Thank you very much. I want to go back to this contract. Winvale got this contract. Is that right, Ms. Seymour?
    Ms. Seymour. Yes, sir, that's correct.
    Mr. Cummings. What was the process? It doesn't smell right. Something doesn't smell right about this contract. Winvale gets it, and then they turn around and CSID, what?
    Ms. Seymour. No, sir. The proposal that we got was from Winvale partnered with CSID. We knew up front that they were--they had support from CSID. It was part of their proposal package to the government.
    Mr. Cummings. And you didn't know about Mr. Li?
    Ms. Seymour. No, sir, I did not.
    Mr. Cummings. You didn't know of his apology for losing 99.7 percent of $60 million went viral?
    Ms. Seymour. No, sir, I did not.
    Mr. Cummings. In March?
    Ms. Seymour. No, sir, I did not.
    Mr. Cummings. And so the question becomes--I mean, do you think you should have done some better due diligence?
    Ms. Seymour. So we did due diligence on the company. There are several ways that the contracting officer validates that the company is able to do business with the government.
    Mr. Cummings. And, Mr. McFarland, this concerns you I take it.
    Mr. McFarland. Yes, of course.
    Mr. Cummings. And why is that, sir?
    Mr. McFarland. Just because of the reasons that you have espoused. It was very fast. And as a matter of fact, a few days ago, we were talking about that in the office. And we are going to be looking into it.
    Mr. Cummings. I appreciate that. I just have one statement real quick, Mr. Chairman. I want to conclude by thanking you again for agreeing to invite the contractors here today. We have obtained some significant information. But there are also many, many unanswered questions. We asked USIS for information they have refused to give us for more than a year. Mr. Giannetta promised to help us get those answers. But I am concerned that he may not be there in a couple weeks. So we may need to follow up with USIS' parent company, Altegrity. We also asked KeyPoint for documents we originally requested months ago. And you pressed them to provide those documents. I think you understand how frustrating it has been for me over the past year. So I thank you for your help, for agreeing to invite them, for helping us get the information we need. We will prepare questions for the record for today. And I hope we will be able to get all of these answers. And I really do hope it won't require a subpoena. With that, I thank you, and I yield back.
    Chairman Chaffetz. I thank the gentleman. We are now at the halfway point. I am just teasing. We are wrapping up here. We are wrapping up. You all have been sitting here for a long time. All right. So a couple more questions.
    We do have votes on the floor. Director Archuleta, I need to go back to some of your previous comments. This has to do with what you said in July of 2014 regarding the OPM data breach that became public in March of that year. At the time, you said that you did not have a breach in security. Ms. Seymour was very candid in saying that she did think it was a breach in security. So is she wrong?
    Ms. Archuleta. As I explained earlier, sir, in the question that was asked me, the conversation was around PII, and I answered it in that context.
    Chairman Chaffetz. But you don't believe there was any access to see that information?
    Ms. Archuleta. I don't believe that there was--that that data was breached and that there was no data exfiltrated.
    Chairman Chaffetz. Exfiltrated. But do you believe that they had at least access to it to look at it?
    Ms. Archuleta. That's why we understand that there was in fact a breach. I am not the forensics. I don't know what they did with it. What I was assured of, sir, and why I responded in that interview was there was no PII extricated from the system.
    Chairman Chaffetz. So you did know that the OPM network, the network platform, that the blueprint, essentially the keys to the kingdom, was exfiltrated, right? You did know that.
    Ms. Archuleta. As I said, the question was around the PII, and that's the way I answered it.
    Chairman Chaffetz. I am asking you now. I am asking you now, do you believe--you knew, somehow you had to know, I hope.
    Ms. Archuleta. Ms. Seymour informed me that other data had been taken from, but it was not--it was in different context to that question.
    Chairman Chaffetz. But that was essentially a blueprint of how the system worked. Correct?
    Ms. Archuleta. She had informed me that some manuals had also been exposed and potentially exfiltrated, yes. I knew that. Again, in that interview, the question was around PII.
    Chairman Chaffetz. Okay. So but you did know that there was a security breach. Correct?
    Ms. Archuleta. Correct.
    Chairman Chaffetz. And you did know that there were things other than the PII that were potentially exfiltrated. Correct?
    Ms. Archuleta. I did.
    Chairman Chaffetz. You did know that. What do you think is a bigger success for hackers, you know, stealing the files for tens of thousands of employees or the files for 32 million, up to 32 million employees?
    Ms. Archuleta. I believe that all of that is very important, sir. I can't distinguish between both of them. They are each equally as important.
    Chairman Chaffetz. So when did the hackers first gain access to OPM's network? The ones we just learned about? Maybe Ms. Seymour is in a better position to answer that. Either one of you. If you know what the timeline is on that.
    Ms. Barron-DiCamillo. I have the timeline associated with that, sir.
    Chairman Chaffetz. Yes.
    Ms. Barron-DiCamillo. So the actors first gained--adversary access was first noted within the network around November of 2013.
    Chairman Chaffetz. The ones that we just learned about?
    Ms. Barron-DiCamillo. I am sorry, that was from the 2014 intrusion that you were referencing based upon the manuals.
    Chairman Chaffetz. I am sorry, that happened in what timeframe?
    Ms. Barron-DiCamillo. We were able to confirm, based upon the onsite assessment, that they had access, confirmed access in November of 2013.
    Chairman Chaffetz. Okay. Ms. Seymour, I think you were going to say something.
    Ms. Seymour. I was just going to try to clarify for you, sir, that for this most recent incident, it dates back to June of 2014. The access that the adversary had dates back to June of 2014, I believe.
    Chairman Chaffetz. Is it possible that when they took this blueprint--I call it the keys to the kingdom--that that would have potentially aided the hackers in coming back into the system and stealing these millions of records?
    Ms. Seymour. These are available manuals typically for commercial IT equipment. So, yes, it would aid an adversary in understanding our platform.
    They did not get, you know, specific configuration diagrams of our entire environment. But these are commercially available--a lot of these are commercially available documents about platforms, computing platforms.
    Chairman Chaffetz. Ms. Barron-DiCamillo, did they include any proprietary information, anything that was----
    Ms. Barron-DiCamillo. Based on what we saw as the potential exfil, it did not include proprietary information or specific information around the architecture of the OPM environment. It was manuals associated with certain types of platforms. But, again, as Ms. Seymour stated, a lot of that information is also publicly available. It's available on--I think IBM is one of the----
    Chairman Chaffetz. Did the hackers have access to be able to see the information regarding personal employees?
    Ms. Barron-DiCamillo. So, in 2014, is that the incident you are referring to?
    Chairman Chaffetz. Yes.
    Ms. Barron-DiCamillo. So based on the onsite assessment, we weren't able to confirm that they were able to access any of the PII information. So not only so your question about seeing it, they did not--there is certain portion of the network they were specifically focused on, and they were not able to infiltrate into those portions of the network.
    Chairman Chaffetz. Ms. Seymour--or let me ask Ms. Archuleta. If Ms. Seymour was responsible for safeguarding the PII, as we call it, information in 2014, who do you hold responsible for its loss today?
    Ms. Archuleta. I hold all of us responsible. That's our job at the OPM. We work very hard to do this, and we work with our partners across government. I know that you are perhaps tired of hearing this from me, but we are facing a very aggressive attacker. We protect against 10 million attempts each month. So we are working very hard to do that. We are working extremely hard to prevent the types of things that we are seeing here today.
    Chairman Chaffetz. Mr. Cummings.
    Mr. Cummings. Mr. Hess, I want to make sure you are going to get us some documents. We have been requesting documents a long time. I want to make sure what documents you are going to provide us. Are those the ones we have been asking for?
    Mr. Hess. We are going to be addressing----
    Mr. Cummings. I can't hear you.
    Mr. Hess. I am sorry. We are going to be addressing that letter and each of the requests that you made to the extent that we are able to.
    Mr. Cummings. All right. Thank you.
    Chairman Chaffetz. It's been a long morning and into the afternoon. I thank you all. You all represent a number of people that have a lot of staff, people who work hard. They are patriotic. They care about this country. To that extent, please let them know how much we appreciate them and all that you are doing. But we will have somebody help you know where the restroom is. It's been a while. So, again, thank you for your participation today. We stand adjourned.
    [Whereupon, at 1:54 p.m., the committee was adjourned.]

                              APPENDIX

                              ----------

              Material Submitted for the Hearing Record