The OPM mega-breach has created a nice bipartisan coalition in Congress—against the bureaucrats who allegedly did nothing to stop it.

This week, members of Congress called for the resignation of OPM chief Katherine Archuleta after testimony revealed that security protecting OPM’s databases is so inadequate that some believe the systems should be shut down entirely.

During a 2-hour hearing before the House Oversight Committee, Chairman Jason Chaffetz (R-Utah) let loose on Archuleta, calling the breach the “most devastating cyberattack in our nation’s history” and demanding to know why OPM was seemingly indifferent to how vulnerable its systems were to attack.

Via Ars Technica:

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.
The system was vulnerable, but it’s still unclear what measures could have been taken at the software level to prevent this specific attack. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that, because the attackers had obtained valid user credentials, encryption wouldn’t have stopped sensitive information from being compromised: data that is decrypted for any legitimately logged-in user is decrypted for an attacker holding that user’s login as well. Because there was no multistep (multi-factor) user authentication, the hackers were able to jump in and out of the database at will from both inside and (most likely) outside the network.
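The point Ozment makes is that a password alone, once stolen, is a complete credential, and encryption behind that login does nothing. The following is an added example (not code from the article or from OPM) of the second step the testimony says was missing: a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238) before granting access. The user record, the password, and the TOTP secret are constructed for the demonstration; the secret is the RFC 6238 test-vector key, so the expected codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# --- HOTP / TOTP per RFC 4226 / RFC 6238 (HMAC-SHA1, 6 digits) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value for a 64-bit big-endian counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


# --- Password storage: salted PBKDF2, never the plaintext ---

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record (hypothetical user "jdoe"). The TOTP secret is the
# RFC 6238 test-vector key, used here only so the codes are checkable.
_SALT = b"constructed-salt-not-for-real-use"
USERS = {
    "jdoe": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass. A stolen password by itself is not enough,
    which is the property the OPM systems lacked."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: step counter 1
    print("code at t=59:", totp(USERS["jdoe"]["totp_secret"], now))   # 287082
    print("password + valid code:", login("jdoe", "correct horse battery staple", "287082", now))
    print("password only (stolen credential):", login("jdoe", "correct horse battery staple", "", now))
    print("password + guessed code:", login("jdoe", "correct horse battery staple", "000000", now))
```

The last two calls model the OPM scenario: a valid password presented without (or with a guessed) second factor is rejected, so credential theft alone no longer yields database access. The drift window is deliberately small; a larger window widens the set of codes an attacker could replay.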

U.S. Chief Information Officer Tony Scott has ordered a 30-day cybersecurity “sprint” to identify vulnerabilities and kick-start development of a multistep user authentication process. Critics say that this move lacks the type of accountability that an emergency breach situation requires, so don’t expect this issue to go away any time soon.