The House of Representatives’ Committee on Oversight and Government Reform will conduct a hearing Tuesday on the recent announcements of major data breaches involving the U.S. Office of Personnel Management (OPM), essentially the “human resources” division of the U.S. Government. Many in Congress are extremely worried not only about the department’s security vulnerabilities, but also about the convoluted and reclusive manner in which the department has managed information in the aftermath of the breach. OPM originally announced a breach of background check records involving an estimated 4 million current and former government employees on June 4th. The hearing will likely take a more aggressive tone, however, following two more disclosures regarding OPM data late last week. First, Bloomberg and the Associated Press revealed on Thursday that OPM drastically underestimated the original number of affected people and that, in fact, 9-14 million people, including government contractors, have had their data compromised. The bad news was compounded on Friday, when the department also announced “a separate intrusion into OPM systems that may have compromised information related to the background investigations of current, former, and prospective Federal government employees, and other individuals for whom a federal background investigation was conducted,” according to OPM’s press secretary, Samuel Schumach.
Complicating the House’s investigation of the breach, according to committee chairman Jason Chaffetz (R-UT), is OPM’s reluctance to communicate with Congress. Chaffetz said on Saturday that “We’ve had resistance from OPM in terms of attendance. I’m prepared to issue a subpoena if need be. They’re going to come explain this to the public. No more hiding behind a press release.” As of Monday, however, OPM’s chief information officers are expected to testify at the hearing, along with Homeland Security Secretary Jeh Johnson, as well as the Office of Management and Budget and the Department of the Interior, where the server in which the breach occurred is located. Chaffetz and the top committee Democrat, Elijah Cummings (D-MD), have prepared a list of questions for the department, including:
- What was the size and scope of the attack?
- Why did it take so long for OPM to become aware of the breach?
- What is being done to notify employees and protect them from future harm?
- What is the full extent of the information taken?
- Can that information be used to compromise those with security clearances?
- What was done to prevent a cyberattack?
- What happens after an attack?
Chaffetz has taken a rather hostile tone with the department and believes that federal employees, including Congress, should not be so trusting of OPM, saying “I don’t trust them. I don’t know why they should. I really do worry about this.” Cummings has taken a softer tone with the department; however, he too is extremely worried about the department’s competence. Cummings said about the upcoming questioning, “That’s what I’m concerned about. Do we have the capability, and are we doing all we can do?”
Although many data breaches have occurred in the past, both public and private, the OPM hacks contain especially sensitive background check information. Specifically, hackers were able to access OPM’s SF 86 form, which is a “questionnaire for national security positions.” This 127-page document contains nearly every conceivable personal detail, including the obvious Social Security numbers, position titles, pay, and birth dates. The form also contains information about passport numbers, eye color, weight and other physical traits, as well as contact information for references and family, among a host of other information. Although the U.S. hasn’t officially named the Chinese government as the source of the hack, insider rumblings and outside analysis by security firms uniformly point to China, and specifically, the Chinese military. The breach will likely spur additional action in the Senate as well, as Majority Leader Mitch McConnell (R-KY) failed in a recent attempt to attach a cybersecurity bill to the currently debated National Defense Authorization Act, a primary military funding bill. The attachment was blocked by Senate Democrats, concerned the rushed process would not allow them time to propose amendments to protect privacy. The proposed legislation, the Cybersecurity Information Sharing Act (CISA), is geared to help facilitate communication between the private sector and security officials regarding hacks and cyber-intrusions; however, some Democrats believe the legislation will divert even more information to the National Security Agency (NSA). It is likely, especially in the wake of the latest news this week, that McConnell and the Senate will begin debate on another incarnation of the bill, including a recurring discussion on the balance between privacy and security.
Roll Call – Matt Fuller
The Hill – Cory Bennett
Washington Post (Blog) – Joe Davidson