Consumer Electronics Daily was a Warren News publication.
'Cyber Pearl Harbor'

OPM Contractor's Credentials Used by Adversaries To Breach Personnel Files, Background Checks

Some 32 million federal employees with security clearances may have had personally identifiable information (PII) compromised in a recent breach of Standard Form 86 (SF86) background checks stored on servers operated by the Office of Personnel Management (OPM), said House Oversight Committee Chairman Jason Chaffetz, R-Utah, Wednesday during part two of a hearing on the breach. OPM Director Katherine Archuleta declined to confirm whether that number was accurate, saying the background checks contain PII for family, friends, neighbors and associates of the subject of the background check.

Chaffetz questioned why SF86 forms for current and retired employees remained on the network if the background checks were completed and an individual wasn't under investigation. The best practice is to remove the data, Chaffetz said. The breach of background checks affects the Department of Homeland Security, intelligence community, immigration and border patrol officials and Capitol Hill police officers, said ranking member Elijah Cummings, D-Md.

Archuleta testified that in April OPM detected that the breach on its system had occurred in June 2014, and last month OPM determined data had been extracted from the system. Congress and the public were notified this month. During Wednesday’s hearing, Archuleta confirmed the adversaries behind the breach accessed the system using OPM credentials given to an individual employed by KeyPoint, a contractor that was hired to help protect OPM’s data. KeyPoint Government Solutions CEO Eric Hess said his company wasn't responsible or to blame for the OPM breach. Archuleta declined to answer publicly whether Chinese hackers were responsible for the breach, citing classified information.

DHS U.S. Computer Emergency Readiness Team Director Ann Barron-DiCamillo said the OPM system also was breached in November 2013, with that intrusion not detected until March 2014. In that breach, PII wasn’t lost, but documents about OPM’s system and manuals about its servers were taken, said OPM Chief Information Officer Donna Seymour. The documents would allow an individual to learn about the infrastructure of OPM’s platform, Seymour said. Personnel information wasn't accessed during that breach, she said. The intent attackers had for the latest breach is classified information, Barron-DiCamillo said.

Rep. Tim Walberg, R-Mich., called the latest OPM breach a cyber Pearl Harbor. Barron-DiCamillo said she wasn’t comfortable using that term, but said the attack had a significant impact on U.S. cybersecurity.

OPM needs to overhaul its IT system, but not urgently, said OPM Inspector General Patrick McFarland. McFarland’s team issued a flash audit alert last week raising serious concerns about the implementation of OPM’s overhaul project. In the alert, McFarland said OPM has estimated the project will cost $93 million total, but migrating OPM’s applications from the old system to the new system alone should cost more than $93 million. OPM likely will run out of funds before the project's completion, leaving the structure more vulnerable than it is now, McFarland said.

“OPM can’t afford to have this project fail,” McFarland said. If done incorrectly, the U.S. would be in a worse situation than it is today, he said. The IG recommended 11 of OPM’s 47 systems be shut down because they didn’t have current and valid security systems. Archuleta said she declined to follow the IG recommendations because if she had complied, retirees wouldn’t have been paid and new security clearances wouldn’t have been issued. To ensure OPM is leveraging best practices for privacy and cybersecurity efforts, Archuleta is hosting a summit in the next few weeks with leading private sector companies that have dealt with cyber issues to discuss what OPM’s next steps should be.

Despite breaches of sensitive information occurring with OPM contractor U.S. Investigations Services (USIS), its CIO Rob Giannetta said he received a bonus in the neighborhood of $95,000. USIS has declined to testify at House Oversight Committee hearings despite repeated invitations from Cummings. Rep. Ted Lieu, D-Calif., said the Justice Department and SEC launched an investigation into USIS for circumventing quality reviews in order to increase profit.

During a Senate Financial Services and General Government Subcommittee hearing Tuesday (see 1506230046), former DHS CIO Richard Spires testified that the breaches at OPM were bound to happen due to a lack of security. McFarland agreed Wednesday. The crisis at OPM -- the breach itself -- is over, he said. The best thing to do is to safeguard the current system as is and move appropriately for a full restructuring, McFarland said.

Rep. Gerald Connolly, D-Va., criticized colleagues who called for Archuleta's and Seymour’s resignations, saying the breach was a much bigger attack done on behalf of the Chinese government. The People’s Liberation Army has a trained unit to target weak spots in the U.S. cyberworld, Connolly said. “We are now engaged in a low-level, but intense, new kind of Cold War,” he said, with adversaries including China and Russia.

House Science, Space and Technology Subcommittee Chairwoman Barbara Comstock, R-Va., participated in Wednesday’s hearing despite not being a member of the committee. She said she planned a hearing on the breach. As the four-hour hearing neared the end, Rep. Gary Palmer, R-Ala., raised issues with the contractor OPM hired to overhaul its infrastructure.