Office of Personnel Management leaders got an earful Tuesday from the House Committee on Oversight and Government Reform, with agency heads and CIOs largely defending their records and trying to impress on committee members the unrelenting nature of modern cyberattacks.
Committee Chair Jason Chaffetz, R-Utah, hit the agency hard with his criticisms: "The fact that OPM was breached should come as no surprise considering the agency's security posture," he said.
He predicted that during the hearing, "We're going to hear, 'We're doing a good job.' You're not. You're failing."
The hearing comes two weeks after OPM announced a massive breach of its networks that compromised employee data on more than 4 million employees and an as-yet unknown number of background investigations.
The Oversight Committee grilled executives and CIOs from OPM, Homeland Security, the Office of Management and Budget and the Interior Department (which manages the data center that houses OPM servers) for almost three hours before adjourning to a classified briefing for more information.
OPM Director Katherine Archuleta was the lightning rod for most of the representatives' questions, which centered on whether the breach could have been prevented with stronger security measures.
"But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government," Archuleta said, stating several times that OPM's cybersecurity posture was a work in progress.
Chaffetz cited OPM's 2014 FISMA audit, in which the inspectors general recommended the agency shut down 11 systems that were not properly secured and presented a "material weakness."
"The IG was right, your system was vulnerable. They recommended it was so bad that you shut it down and you didn't," Chaffetz said, pressing Archuleta about the decision.
"As director, I have to take into consideration all the work we do," she said. "We need to consider all the responsibilities we have with the use of our systems … It was my decision that we would not [close them down] but continue to develop the system and ensure we have security on those systems."
CIO Donna Seymour, who joined OPM in November 2013, explained some of the difficulties in implementing these security upgrades, particularly on legacy systems that cannot integrate with the latest technologies.
"A lot of our systems are aged and implementing these tools takes time and some of them we cannot even implement in our current environment," Seymour said. Her office is currently working on a new architecture for OPM's systems, which is expected to launch this fall.
"We have worked very hard," Archuleta said. "It's important we recognize there is a persistent and aggressive effort on the part of these actors to, not only intrude on our systems but systems throughout government and the private sector."
"Federal agencies are a rich target and will continue to experience frequent intrusions," said Andy Ozment, DHS assistant secretary for cybersecurity and communications. "As our detection methods continue to improve, we will in fact detect more incidents; incidents that are already occurring and we just didn't know it yet."
Michael Esser, assistant inspector general for audits at OPM, gave a stark assessment of the agency's posture but admitted cybersecurity is a losing game.
"Certainly there are things that can be done to make our systems more secure," he said. "Is there anything that can be done to make them impenetrable? Not that I'm aware of."
Few on the Oversight Committee were moved by the testimony, with Rep. Ted Lieu, D-Calif., calling for Archuleta to resign.
"In national security it's got to be zero tolerance, that's got to be the attitude. We can't have these breaches," he said. "In the past when we've had this, leadership resigns or they're fired … Send a signal that the status quo is not acceptable. We cannot continue to have this attitude where we make excuse after excuse."
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.