(CNSNews.com) - When Office of Personnel Management Director Katherine Archuleta testified before the House Oversight and Government Reform Committee last week, she said that the personnel records of about 4.2 million current and former federal employees had been “compromised” by a “cyber intrusion” into the OPM’s computer systems.
She also said that “an additional OPM system was compromised.”
“These systems included information based on the background investigations of current, former and prospective federal government employees, as well as other individuals,” Archuleta told the committee under oath.
When Oversight Chairman Jason Chaffetz asked Archuleta whether this included the files on military and CIA personnel, Archuleta gave him an identical answer to each question.
“I would be glad to discuss that in a classified setting,” she said.
Here is part of the exchange between Archuleta and Chaffetz in which Archuleta says she will discuss “in a classified setting” whether the hack involved files of military and CIA personnel:
Chaffetz: Ms. Archuleta, my question for you is how big was this attack? How many federal workers have been compromised? We've heard 4 million, we've heard 14 million. What's the right number? Your microphone, please.
Archuleta: Sorry. During the course of the ongoing investigation into the cyber intrusion of OPM that compromised the current, the personnel records of current and former federal employees that we announced last week, that number is approximately 4.2 million. In addition, in the investigation of that breach, we discovered, as I mentioned in my testimony, an additional OPM system was compromised. And these systems included information based on the background investigations of current, former and prospective federal government employees, as well as other individuals.
Because different agencies feed into OPM background-investigation systems in different ways, we are working with the agencies right now to determine how many of their employees were affected. We do not have that number at this time but we will get back to you once we have more information.
Chaffetz: What's your best estimate? Is the 14 million number wrong or accurate?
Archuleta: As I said before, we do not have an estimate because where this is an ongoing investigation.
Chaffetz: How far back does it go? The information that you're telling me--you have former employees, current employees, and potential employees. So, how far back does this information go that was in your system?
Archuleta: Thank you for that question, Mr. Chaffetz. I would have to respond, again, it's because it's an ongoing investigation.
Chaffetz: It has nothing to do with impeding an investigation. You should know what information you have and what you don't, so this is not going to slow down any investigation. People have a right to know. The employees have a right to know. How far back does your information database go that was compromised?
Archuleta: The legacy systems date back to 1985, but I do not--
Chaffetz: So anything's that 1985--
Archuleta: No, sir, that would not be correct.
Chaffetz: You don't know. Does it include military personnel?
Archuleta: As I said, this is an ongoing investigation.
Chaffetz: It's a yes-no question. Does it include military personnel?
Archuleta: I would be glad to discuss that in a classified setting.
Chaffetz: Does it include contractor information?
Archuleta: Again, I would be glad to discuss that in a classified setting.
Chaffetz: There's nothing classified as to what information this includes. Does it include CIA personnel?
Archuleta: I would be glad to discuss that in a classified setting.
Chaffetz: Does it include anybody who's filled out SF-86, the Standard Form 86?
Archuleta: The individuals who have completed an SF-86 and may be included in that. We can provide additional information in a classified setting.
Chaffetz: Why wasn't this information encrypted?
Archuleta: The encryption is one of the many tools that systems can use. I'll look to my colleagues at DHS for their response.
Chaffetz: No, I want to know from you why the information wasn't encrypted. It's personal, sensitive information: birthdates, Social Security Numbers, background information, addresses. Why wasn't it encrypted?
Archuleta: Data information encryption is a valuable--
Chaffetz: Yeah, it's valuable. Why wasn't it?
Archuleta: And is an industry best practice. In fact, our cyber security framework promotes encryption as a key protection method.
Chaffetz: Why didn't you--
Archuleta: Accordingly, OPM does utilize encryption.
Chaffetz: We didn't ask you to come read statements. I want to know why you didn't encrypt the information.
Archuleta: An adversary possessing proper credentials can often decrypt data. It is not feasible to implement on networks that are too old. The limitations on encryptions is effective, on the encryptions, our effectiveness, is why OPM is taking other steps, such as limiting administrators, accounts and requiring multifactor authentication.
Chaffetz: Okay, well, it didn't work. So you failed, okay? You failed utterly and totally. The inspector general, November 12, 2014: We recommend that the OPM director consider shutting down information systems that do not have current valid authorization, and you chose not to. Why?
Archuleta: I appreciate the report by the IG. We work very closely with IG, with our IG, and take very seriously--
Chaffetz: Okay, but he had a very serious recommendation to shut down the system. That's how bad it was--and you said no.
Archuleta: I'd like to turn that over to my--
Chaffetz: No, I would like you to answer that question. You get to make the--It says: We recommend that the OPM director consider shutting it down. Your response was--to quote, the response back to the office of the chief information officer, quote: "The IT program managers will work with the ISSOs to assure that OPM systems maintain current ATOs and that there are no interruptions to OPM's mission." Basically you said no. The inspector general was right. Your systems were vulnerable. The data was not encrypted. It could be compromised. They were right last year. They recommended it was so bad that you shut it down, and you didn't. And I want to know why.
Archuleta: There are many responsibilities we have with our data. And to shut down the system we need to consider all of the responsibilities we have with the use of our systems.
Chaffetz: So, you made a conscious decision, knowing that it was vulnerable, that all these millions of records for federal employees was out there--the inspector general pointed out the vulnerability--and you said, no, we're not making a change.
Archuleta: As the director of OPM I have to take into consideration all of the work that we must do. It was my decision that we would not, but continue to develop the system in making sure that we have the security within those systems. The recommendation--
Chaffetz: And did you do that? You didn't, did you? That didn't happen, did it?
Archuleta: The recommendation to close down our systems came after the adversaries were already in our network.
Chaffetz: When did they come in?
Archuleta: It was as a result of our security systems that we were able to detect this intrusion.
Chaffetz: When did they get into the system?
Archuleta: We detected the intrusion in April.
Chaffetz: So, but how did you know in November of 2014 that they were already, you didn't know if they were in there, did you?
Archuleta: No, we did not. We did not have the systems installed at that time. It was because we were able to add those security systems that we were able to detect.
Chaffetz: So you detected the system? It wasn't a software provider that detected? You found it yourself?
Archuleta: OPM detected the intrusion.
Chaffetz: So the New York Times and the others who wrote that were wrong?
Archuleta: That's correct.
Chaffetz: Two more questions to your indulgence here. How many people have received letters?
Archuleta: There's a rolling number as we work from the first date of notification, Jan. 8, we will complete the notification to 4.2 million by June 19. I'm sorry, I don't have the exact number as of today. I'd be glad to get that information for you.