In the wake of the cybersecurity breach at the Office of Personnel Management that exposed sensitive data of more than 22 million people, Congress is looking to shore up federal cybersecurity while also making sure the government is held accountable when things go wrong.
On the same day that Homeland Security Secretary Jeh Johnson said the OPM breach was a wake-up call and called on the House Judiciary Committee to specifically fund the EINSTEIN cybersecurity system for federal agencies, at least two members of Congress said they plan to investigate the OPM breach and government cybersecurity writ large.
The results of those investigations could mean serious consequences for leaders failing to uphold IT security at their agencies.
"The recent OPM hack and the departure of Director [Katherine] Archuleta is, I think, a good thing – because guess what? Every agency head and CIO should be pulling out their [inspector General] report on their digital infrastructure, because we're going to start calling them before our committee and asking them the same questions," said Rep. Will Hurd (R-Texas), chairman of the House Committee on Oversight and Government Reform's IT subcommittee. "We're going to make sure we don't see what happened at OPM happen again at other agencies. Now, the example is set: Major breaches are bad things and you're going to lose your job. That's great motivation within the federal government."
Full Coverage: The OPM Data Breach: What You Need to Know
Hurd spoke July 14 in Washington at an event held by Digital Globe and Cloudera.
Given that part of the OPM breach involved a database with security clearance-related data, many of the records stolen in the breach belonged to Defense Department employees and members of the military. That's particularly troubling to Rep. Mac Thornberry, who on July 14 pledged the House Armed Services Committee, which he chairs, will in the coming weeks hold hearings and briefings related to the breach.
"We have an obligation to ensure that those who serve the department, in or out of uniform, are able to do so securely," he said in a statement, according to Military Times. Thornberry also said he plans to investigate "larger questions of cyber defense and the security clearance process."
At least some of those questions will center on the government's procurement, use and management of IT systems – or their lack thereof.
"Agencies are buying software that have security functions, and they're disabling them. That's outrageous. In the design of digital infrastructure, they're not using secure practices," Hurd said. "The IRS is talking about moving from a relatively [21st]-century system back to mainframes. They literally are trying to move data back to mainframes. That's insane. So a lot of this is tied up in how the federal government is purchasing IT goods and services…we're trying to shine a light on that."
Hurd said that his subcommittee plans to roll out a system that will measure federal agencies' adherence to IT security rules and standards.
"We're coming up a scorecard that we'll be using against agencies on whether they're following basic practices in digital hygiene and cybersecurity," he said.