The Obama administration’s chief human resources officer ignored warnings to shut down the very computer systems that hackers would use to steal the most personal information of millions of federal employees, Congress was told Tuesday in testimony that left lawmakers stunned at the gaps in cybersecurity.
“It stinks. It doesn’t work,” said House Oversight Chairman Jason Chaffetz, who called the hearing to demand answers — though few were forthcoming in the public session.
Top officials said they don’t yet know how many millions had their information stolen from the Office of Personnel Management, and refused to say whether that included CIA agents and other sensitive employees, though lawmakers took that silence as confirmation of their worst fears.
Federal authorities said the mere fact that they even know they were hacked is an improvement, saying it was only because of security upgrades that they figured out they’d been attacked at some point late last year.
And OPM Director Katherine Archuleta said they stop more than 100 million intrusions a year already, which she said proves they are making headway.
But problems are still piled up: Social Security numbers remain unencrypted in OPM files, and nearly a quarter of the agency’s systems were behind in security authorization in 2014, leaving them vulnerable to hacking.
Two of those systems handle federal background checks, meaning they have some of the most sensitive information possible about Americans, while another system is actually in Ms. Archuleta’s office.
The OPM suffered two different hacks, one of which compromised basic personal identifying information such as dates of birth and Social Security numbers of 4.2 million current, former and prospective federal employees. The second breach saw hackers get into the government’s background check system — a potential national security nightmare, officials said.
That data is so sensitive that Ms. Archuleta wouldn’t even discuss who was affected in public, refusing to say whether CIA agents’ identities and information have been compromised.
Mr. Chaffetz said the failure lands at the feet of Ms. Archuleta, who was warned last year to shut down the entire background check system because it was vulnerable.
“The inspector general was right. Your systems were vulnerable. The data was not encrypted, it could be compromised. They were right last year. They recommended you shut it down, and you didn’t. I want to know why,” the congressman demanded.
Ms. Archuleta said some of the data was simply too old to be encrypted, and she said hackers have ways to get around encryption. Shutting down the system, as the inspector general had suggested, would have interfered with the agency’s ability to carry out its basic responsibilities, she told lawmakers.
She also said the breach probably came before the inspector general’s November 2014 warning, and said the only way they even know they were attacked is because of the improvements she ordered.
“While we have not yet determined its scope and impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicable,” she said. “This separate incident is one that we refer to as the intrusion affecting background investigations.”
She declined to answer a number of lawmakers’ questions in open session, saying she could only talk about some of the worst details of the breach in a classified briefing later Tuesday.
That left committee members on both sides of the aisle frustrated.
“This is one of those hearings where I think I am going to know less coming out of this hearing than I did when I walked,” said Rep. Stephen Lynch, Massachusetts Democrat. “Matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are keeping information out of the hands of Congress and federal employees.”