A new report by the House Oversight Committee lambastes the Office of Personnel Management for “decades of mismanagement” that allowed last year’s massive security breach.
In the summer of 2015, hackers stole the personnel files of 4.2 million former and current government employees. The cyber attackers also pilfered security clearance background investigation details on 21.5 million individuals and fingerprint data for 5.6 million people.
The report, which reads a bit like a crime novel, was issued today by Republican members of the committee, who claim the potential damage caused by the breach “cannot be overstated, nor will it ever be fully known.”
“The longstanding failure of OPM’s leadership to implement basic cyber hygiene, such as maintaining current authorities to operate and employing strong multi-factor authentication, despite years of warnings from the Inspector General, represents a failure of culture and leadership, not technology,” the group said.
Following an announcement of the breach, OPM Director Katherine Archuleta resigned from her position in July; Beth Cobert, US chief performance officer and deputy director for management at OPM, stepped in as acting director.
Now, Cobert is hitting back at the House Committee, writing in a blog entry that the claims do not “fully reflect where this agency stands today.”
In the year since the breach went public, OPM has tightened its security and strengthened its IT infrastructure, and it is currently enhancing its Web-based application system.
“The cybersecurity incidents at OPM provided a catalyst for accelerated change within our organization,” Cobert said. “Throughout this agency, management has embraced cybersecurity as a top priority.
“We hope Congress will also continue to support our efforts and provide us with the resources we need to continue to strengthen our cybersecurity posture now, and into the future,” she added.
Democratic Committee staff on Tuesday published a 21-page pre-emptive memo, suggesting the Republican report contains inaccuracies.
“The most significant deficiency uncovered during the committee’s investigation was the finding that federal cybersecurity is intertwined with government contractors, and that cyber requirements for government contractors are inadequate,” the statement said.
A number of federal agencies have been the victims of cyber attacks in recent years, from the State Department and US Postal Service to the National Weather Service and Energy Department.