The U.S. Chief Information Officer (CIO), Tony Scott, defended the leadership of the Office of Personnel Management (OPM) on Thursday, in the wake of the OPM hacks.
“I think we need to be careful about distinguishing fire starters from firefighters in this particular case and they have my full support,” Scott said of Office of Personnel Management director Katherine Archuleta and OPM CIO Donna Seymour at a Senate Homeland Security and Governmental Affairs Committee hearing.
Scott was responding to a question from Sen. Cory Booker (D-N.J.) asking if he believed the OPM leadership is capable of dealing with the breaches.
“I do, sir, and I’ve spent time on the ground with the teams that are in OPM doing the work, both from DHS and the OPM teams. They are working really really hard and doing the right things. I’ve talked to them about the leadership they’re getting from both Director Archuleta and Donna Seymour and they tell me that they are very very supportive of the efforts and the leadership they see there,” Scott said.
Scott added he was impressed by the deployment of extra tools at OPM.
“The work that’s going on in OPM right now would serve as a template and a model for work that other agencies need to do as well. We’re learning on this across the whole federal government.”
Scott, responding to a criticism from Chairman Ron Johnson (R-Wis.), said, “If I look at, in OPM and elsewhere where progress has been made, I could see a delineation point from when Director Archuleta took place and recruited Donna Seymour into that role where there’s dramatic difference in terms of the actions that not only were planned but then began execution.”
Thursday’s hearing was entitled “Under Attack: Federal Cybersecurity and the OPM Data Breach.”
Scott’s support came following a testy back and forth between Sen. John McCain (R-Ariz.) and Archuleta, with the senator repeatedly talking over the director.
McCain sought a confirmation that China was responsible for the hacks, but Archuleta deferred to other agencies for attribution.
McCain also pressed Archuleta to acknowledge that 18.2 million people may have had their information exposed as well, citing statements from FBI officials.
“It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique social security numbers in the background investigations data. It is not a number I feel comfortable, at this time, represents the total number of affected individuals,” Archuleta said in her opening statement.
Archuleta noted there may also be overlap between the people affected by the background investigation breach and those affected by the earlier personnel file breach. She also said OPM is trying to determine whether people whose social security numbers were not compromised, but who may have had other information exposed, should be counted as affected by the incident.
In response to McCain asking when the American people will know the extent of the penetration, Archuleta said she will be able to tell the committee, “when I know that the number is accurate, that’s the time.”
While the committee chairman focused on responsibility and management of OPM, ranking member Tom Carper (D-Del.) stressed the need for an “all hands on deck” approach. He noted Archuleta has been working without necessary funds and without a deputy director, a position that has been vacant for years at the agency.
Carper also asked what should be changed legislatively.
Scott highlighted passing the administration’s information sharing proposal and not allowing exceptions to the FITARA (Federal Information Technology Acquisition Reform Act) rules, because it legislates good governance. Further recommendations will come out of the administration’s 30-day Cybersecurity Sprint.
Andy Ozment, Assistant Secretary of Homeland Security at the Office of Cybersecurity and Communications of the National Protection and Programs Directorate, emphasized the importance of legislation authorizing the Einstein program.
“As you know it played a key role in this incident and it’s an important layer in our layers of defense. And one of the impediments has been that some agencies are concerned that existing legislation impedes their ability to work with us on Einstein.”
Scott also said, “as a nation, and especially as a federal government, we also have to invest in technology that allows us to quickly detect, much more rapidly than we have been when there is a breach, then contain, and then quickly remediate. And so some of our recommendations are likely to be in those areas where we’ve under-invested even in a history of underinvestment in cyber more broadly.”