The federal agency that lost millions of Americans’ most personal data to hackers has long been delinquent on its cybersecurity controls — including in two particularly sensitive systems that govern most of the government’s background checks, an inspector general will tell Congress on Tuesday.
The Office of Personnel Management doesn’t even keep track of all of its servers and databases on its main network, which means the agency “cannot fully defend its network” against potential attacks, said Michael R. Esser, Office of Personnel Management assistant inspector general, in prepared testimony to be delivered to the House Oversight Committee.
For the background check systems whose security controls aren’t kept up to date, that lapse “could potentially have national security implications,” he says.
Problems with the OPM’s cybersecurity protocols date back to the end of the Bush administration and had improved somewhat as of a couple of years ago when the agency began to centralize its controls. But the agency has since slipped again, the inspector general said.
Things got so bad that investigators recommended shutting down systems whose authorization hadn’t been kept up to date, but the agency director rejected that plan and kept them running.
“Not only was a large volume (11 out of 47 systems) of the OPM’s IT systems operating without a valid authorization, but several of these systems are among the most critical and sensitive applications owned by the agency,” Mr. Esser says in his testimony.
The agency has revealed it was struck by a cyberattack that stole the personal information of millions of current and former federal workers. The extent of the loss is still being studied.
Oversight Chairman Jason Chaffetz vowed this weekend to get to the bottom of the attack, saying the administration had ignored repeated warnings.
“We should have seen this coming a long time ago,” the Utah Republican said on C-Span’s “Newsmakers” program.