As the old adage goes (I think), hack me once, shame on you; hack me twice... well, you know the rest. Unfortunately for Katherine Archuleta, director of the U.S. Office of Personnel Management (OPM), the federal government's main human resources department, two major breaches of sensitive electronic files affecting over 22 million people have shattered her reputation. On Friday, Archuleta handed her resignation to President Obama at the White House, and he quickly accepted it. In a prepared statement, Archuleta said, "I conveyed to the President that I believe it is best for me to step aside and allow new leadership to step in, enabling the agency to move beyond the current challenges and allowing the employees at OPM to continue their important work." White House spokesman Josh Earnest concurred, saying that the president believed new leadership with more cybersecurity expertise was needed, and that the administration must undergo a "rapid reassessment of the state of cybersecurity measures, and accelerate the implementation of reforms that need to be adopted." The agency came under fire after a June 4th announcement that the sensitive information of 4.2 million current and former employees had been compromised, with the intrusion beginning in December 2014 and going undetected until April.
The resignation came a day after OPM announced that a much larger breach had occurred during roughly the same period, involving a much larger pool of employees and contractors, including 3.6 million of the 4.2 million people affected by the first hack. The data compromised included security clearance applications for millions of federal workers and contractors: active, retired, and even declined applicants. The documents, known as SF-86 questionnaires, run to well over a hundred pages and contain Social Security numbers, phone numbers, and email addresses, plus the personal details of relatives and other contacts. Informally, there is almost universal suspicion among cybersecurity experts involved in the case that China is responsible for the hacks, although the administration has been officially tight-lipped about attribution. For its part, the Chinese government has claimed the U.S. is making knee-jerk accusations and that Chinese systems have also been compromised. The breach has forced OPM to suspend its background check system, known as e-QIP, indefinitely, with experts estimating that a security upgrade will take at least 4-6 weeks.
Archuleta's resignation, while welcomed by lawmakers from all parties, has not erased the fear that the U.S. bureaucracy is losing the cybersecurity battle. Although Archuleta has argued that the agency was making tremendous strides to upgrade a system that was no more secure than the average online-banking portal, many have faulted the administration for putting her in a position to fail. Prior to assuming the position in November 2013, Archuleta was the national political director of Obama's re-election campaign. Although Beth Cobert, a deputy director at the Office of Management and Budget, will serve as director in the interim, a permanent director will have to be confirmed by the Republican-controlled Senate, a body already skeptical of the president's appointment decisions. Republican presidential candidate Jeb Bush has referred to Archuleta as a "political hack," though it is unclear whether the pun was intended. The former director defended the agency's progress during her tenure, pointing out that "It is because of the efforts of OPM and its staff that we've been able to identify the breaches."
Federal cybersecurity experts are hopeful that upgrades to the Einstein intrusion detection and prevention system (Einstein 3) will prevent future attacks, but the reality may be that the hackers will always remain a step ahead. Given the often slow pace of government rollouts, some lawmakers believe that security clearance applications should be moved out of OPM altogether. Congressmen Ted Lieu (D-CA) and Steve Russell (R-OK) have stated that they are preparing legislation to reassign the clearance application process. In a prepared statement following Archuleta's resignation, Lieu said, "OPM was never designed to be an intelligence or national security agency. We should not be trying to fit a square into a round hole." Earnest also said in the press briefing that the administration will work to limit privileged access to sensitive databases and to implement two-factor authentication, in which a one-time, disposable password supplements the regular password. OPM is also offering three years of free credit monitoring to those affected by the hack, although some lawmakers are demanding that the service be extended for life.
National Journal – Dustin Volz and Kaveh Waddell
New York Times – Julie Hirschfeld Davis
Washington Post (blog) – Lisa Rein and Joe Davidson