this is a copy of the application. it's online if you want to look at it. it's 127 pages online and asked him everything. what kind of underwear they where. what kind of to space. it's a deep dive. we want to know when people get security clearance that they are trustworthy there's information come together been arrested, financial information is in your. there's a lot of information in this form.

they hacked this. they hacked this. they got this information on standard form 86. so then all these employees and everything about them that would ask them into standard from 86 is that right, ms. seymour? >> i believe that's a discussion that would be best help for this afternoon. >> that's probably a yes. like i say i think you got to be honest with your employees. i think that we need in order to protect them we need to let them know what's going on because they had e-mail addresses in your as well. several, your first, your second, your third e-mail address and all that information is out there. we need to be a little bit more not a little bit more. we need to go more forthcoming with our own employees. user people to work for us.

a lot of them deserve polymer protection and are getting from the united states government and the office of personnel management. i see my time has expired. i jo luck. >> recognizes the gentleman from south carolina mr. mulvaney for five minutes. >> turn one. many of us are uncomfortable asking questions in this type of setting. we don't want to ask questions the answers to which should be kept confidential. i encourage of an advanced if i ask you something of you talk about it in a different setting. that is acceptable answer but i feel like mr. lynch in that identify get my hands exactly what we're learning. let me follow up question mr. meadows as the ms. archuleta. he asked if if you going to implement all of the ig's recommendations. usage working with the igs. whether or not that was a yes or no answer. i agree that it was probably closer to know. can you name for me some of the ig recommendations that you're pushing back against that

you're not interested in implementing? >> i don't have the specific recommendations in front of me and i would be very glad to come back and talk about that. but what i would like to say is as a look at the recommendations by the ig we work with them so that he can fully understand where we have moved in our security efforts and also to understand his observations, and that's the normal audit process and we continue to go to that with him and update him on a regular basis. >> that makes perfect sense. what bugs me is back in the end of 2014 they recommended in fact the third recommendation, that all active systems had a complete and current authorization. your response to that we agree it's important maintain up-to-date all systems, but we do not believe this condition

rises to the level of material weakness. do you believe it's your opinion on that has changed since november 2014, ms. archuleta? >> i appreciate all of the information and the recommendations that the ig has given us, and we will continue to speak do you still believe now knowing what you know now that that condition did not rise to the level of material weakness? >> we are working with a legacy system. it has recommendations has made to its. we are working through those to the best of our ability. >> that's what frightens me. this is the best of your ability. let me see if i can get some and some are information as i go back and try to explain to folks back at home. i heard it was just people in the executive branch. i openness to anybody. are we still sing that the only people whose data was exposed were folks who work within the executive branch of government?

>> this is an ongoing investigation and as we uncover new information, we are happy to share it with you. >> right. >> we are not necessarily restricted to the executive branch because there are people who work in the executive branch today who work in -- >> and i got the notice. i got the nose and this is if you worked in executive in the executive branch or if you've ever worked in the executive branch, then there's a chance they got your data. but if you've never worked for the executive branch then you don't have to worry. are you still comfortable with the statements because no sir. this is an ongoing investigation and we are running the effects everything. >> the original number we heard was 4 million. is still 4 million? i heard 14 million. what is the current estimate of previous employees of an effective? >> approximate 4 million is the number we make notifications up today. we continue to investigate in

the background investigations incident so that we can understand that data and begin to make notifications there as well. >> i have a question i don't think has been asked and i think it is for mr. osman or whoever else understands the i.t. systems. when we used to do this in the private sector we should have which reached between some of acting to system and some of them stole some thing. your question is has been able yet to make the distinction between just where the hackers were and that access and things were exposed, and were possibly the actually downloaded data? >> thank you. that is an important distinction and one we spent a lot of our investigative time examining. for the personal records approximately 4.2 million records, the incident response team led by dhs with interagency partners has concluded with a high probability that the data

was exfiltrate, meaning it was removed from the network by the adversary who took a. we are continuing to investigate the information related -- >> i appreciate that. i wish i'd more time. let me ask one more question. i heard about the data. i heard mr. lynch ask about the social security numbers. sounds like that might of been exfiltrate it. health data. do we collect health data on our employees? ms. archuleta come in second work for you, for the government, do i give you my health records the? >> not your health records but information regarding your health care is the information we receive and -- >> said no specific medications, not specific conditions. just to my health insurance company isn't? >> exactly. >> thank you, mr. chairman. >> thank you, mr. chairman. what's jarring about this hearing is it's sort of been bloodless and bureaucratic language, we are talking about the compromise of information

fellow americans. from the federal employee point of view the most catastrophic compromise of personal information in the history of this country. social security records. ms. archuleta you mentioned not health information and health care. that's a roadmap to other information that hackers can get. security clearances. security clearances are deeply personal and often involve, do they not come ms. seymour and confirm negative information? even rumors. i think so-and-so has a drinking problem. baguettes in the report even if it is not confirmed, is that correct? >> i'm not a federal investigator ed in a family with all of the precise data that is in those. >> let me confirm for you.

it is a rhetorical question really. it is correct. it is from how do we protect our employees? dr. ozment ago when i heard a testament it almost sounded like you were saying that the producer is we detected that, but the object your isn't effective detection, though that's part of the process. it is prevention and preemption to protect our citizens, including federal employees. you talked about einstein and you champion its merits. was einstein in place at opm when this attack occurred? >> sir, i share your deep concern about the loss of this information and greeted that is a terrible outcome spent a terrible outcome speak was absolutely. as if the employer whose information itself is part of the database i --

>> it might even be personally devastating, dr. ozment, not just a terrible outcome. >> that is correct sir. whatever to you on this was that einstein was critical in this incident. as opm implemented their new safety measures and detected the bridge -- >> was einstein in place at the time of this bridge? >> einstein went one and two had been a place to einstein 30 is not yet available spend i've only got two minutes. i want to understand your answer. so did it successfully detect a breach had occurred? >> it did not detect the breach at opm crop on the own networks because just as the sabbath information sharing legislation would focus on technologies, you first have to have the threat information to einstein one, once we have that threat information and used einstein wanting to do detect a separate breach that we've been able to

work speak i'm sure every federal employee who at his or her information cover ms. is comforted by your answer, doctor osman. ms. archuleta, what was the time gap between discovering the event of breach and the actual breach itself? >> we discovered the breach in april of -- >> this year. and went to the breach occurred? >> we suspected it had been earlier in 2014. >> sometime late last year? >> yes sir. >> okay. so they come whoever were the hackers, presumably an agent agency of the chinese government, according to published reports, confirmed by u.s. officials, not a classified piece of information, but the details of it may be but our

government i believe has confirmed without attribution in public records that it was systematic effort by the people's liberation army which is notorious for hacking all over the last -- the west, so they had four months in which to do something with this data, is that correct maybe five? >> i can't make a comment on attributions. >> i didn't ask you to. i just as whether they had four or five months to do something with this data. >> the period between when discovery, the time that we believe the breach occurred and our discovery yes. >> i'm going to real quickly as the chairman allows mr. scott one last question. the director of cert set of agents into the three steps, i'm going to hold an advanced new

investments in new technology because ms. seymour talks about legacy systems and i'd always hoped that the chinese did not do hack into cobalt. but that's a different matter. three things are minimize administrative privileges, utilize applications whitelisting and continuously patch of software which interested does not go on. would you choose to comment? what is your take professional take on those three recommendations the? >> i think those recommendations are great and there's a number of other things, well some of which i've talked about today. i think the one point i would make is there's no one measure that you could say that's going to prevent all attacks or even prevent an attack. it's really defense in depth is your best measure, and that's what we are really looking at emphasizing. >> thank you, mr. chairman. >> thank you. i never does the gentleman from north carolina, esther walker,

for five minutes of. >> thank you, mr. chairman. i certainly agree with my colleague from virginia in his description, this is a catastrophic compromise. ms. archuleta, it appears that opm did not follow the very basic cybersecurity best practices specifically such as network segmentation and encryption of sensitive data. should that have been encrypted? did you address that? [inaudible] >> that data was not encrypted, and dr. ozment has indicated encryption may not have been a valuable tool in this particular breach. as i said earlier we are working closely to determine what sorts of additional tools we can put into our system to prevent further -- >> you said may not have been but that didn't answer the question. shifted a bit encrypted encrypted and could have been

another line of defense the? >> i would turn to my colleague from dhs to determine the use of encryption, but i will say that it was not encrypted at the time of the breach. >> i would note an adversary has the credentials of the user on the network, then they can access data even if it is encrypted, just as if the users on the network. so encryption in this instance would not have protected this data. >> let me ask you this, what consequences should cios face are going to meet such a baseline of cybersecurity standard on the networks? mayme i hear your thoughts on that? >> i believe that the cio is responsible for the implementation of a solid plan and i believe that my cio has been doing the. we're working with a legacy system that is decades old and we are using all of our financial and human resources to improve that system. this is an effort, this is a

cybersecurity is a governmentwide effort and we must all work together to improve the system that we have governmentwide. >> i'm not sure the american people are content with the pace of how we're all working together. i wanted stick over to einstein. i've heard several different comments today regarding it. the question is even if einstein is a nested component to effectively defending the system, i put the private sector is really moving on this kind of technology, is that a fair question? what is dhs doing to keep pace with the hackers the? >> einstein is necessary but not sufficient to for protecting networks. as mr. scott notably need them in debt strategy. we are also looking with einstein at taking what is currently a signature focused system and adding capabilities to let detect previously unknown

intrusion. but as you got you also receive more false positives are in other words, you receive more indications that an intrusion occurred even if it did not occur so we had to do that carefully so we are not overwhelmed by a essentially bad data. >> it seems to be that you're more excited or more confident in the einstein, what is it three a version come is that going to be more solid? >> einstein 38 with a significant step forward using classic information and is modeled on an similar department of defense program. it is still a signature-based program that will rely on classified information from intelligencetheintelligence committee to help us detect adversaries and block them. >> i even heard you earlier say something about how even a system needs to supplement be supplemented with others, is that correct? >> that is correct. no single system will solve the problem. >> this belies my problem because even on the dhs on what's up and talk three

radical, it's as it prevents malicious traffic. if that's not all-inclusive should not we understand that before today's hearing? why are we just now getting this information is then not enough to prevent such as the said earlier catastrophic compromise the? >> i can't speak to the webpage you are referring to but i can say that we have been consistent and i've been consistent in following interaction with congress to highlight the we do need an in depth strategy and that no one tool will solve all of our problems. >> who is responsible for posting this information on the website of you just? >> we will get back to you and make updates if necessary. >> thank you, mr. chairman. i yield back. >> now recognize the gentleman from pennsylvania, mr. cartwright. >> i think the chairmen chairman and ranking member for calling this hearing. director archuleta, i know there have been much bigger data breaches than this one but am concerned that i share the

sentiments of mr. connolly from virginia. this is extremely troubling. we are talking about 4 million plus federal workers, people who dedicate their entire careers indeed their entire lives, to our country and now their personal information has been compromised for absolutely no fault of their own. if i understand your testimony the personal information of about 4 million current and former employees was potentially compromised, and i want to ask you, as you investigation continues deeply that number is going to be bigger than 4 million? >> thank you for your question. in my opening statement i described two incidents. the first -- >> it's a yes or no question, or i don't know. >> no. because of the two incidents, the first incident is 4.2 million at an ongoing investigation led us to

understand that the federal investigative spirit you know exactly what i say when it's a yes or no question correct? >> yes sir. >> you think it could to be more than 4.2 million? >> yes sir. >> ms. seymour, your i.t. professionals discovered the breach in april and is also as mr. connolly mentioned, they believe the fact that had begun back in december, am i correct? >> yes, sir. to begin in 2014. >> something else happened in december of 2014. opm's contractor key point revealed that it was targeted in an earlier cyber attack. this is the contractor that does the majority other agencies background check investigations, am i correct? >> they do a number of of her background investigations. i'm not sure of the numbers. >> in that case the attack

against key point was successful. personal information was, in fact, a compromise correct? >> yes, sir. >> on friday abc news issued a report entitled quote that i link to private contractor in massive government had. this article says of this, the hackers who recently launched a massive cyber attack on the u.s. government, exposing sensitive information of millions of federal workers and millions of others, may have used information stolen from a private government contractor to break into federal systems. the article goes on. the hackers into the u.s. office of personnel management personnel management opm's computer systems after first gaining access last year to the systems of key point government solutions. it continues. authorities meanwhile believe hackers were able to extract electronic credentials or other information from within keypoint systems and some a use of them

to unlock opm systems, according to sources. the hackers then rummaged to separate segments of opm system potential to providing personal information of not only the 4 million current and former federal employees. ms. seymour, i know we're having a classified briefing later and i thank you for coming to that can you comment on these reports? did the hackers actually get what they wanted in the previous attack against opm contractor key point so you can go after opm itself? >> i believe that's a discussion we should have been a classified setting spencer in a. we know that opm's of the contractor, usis, was also breached last year and that its information was also compromised. can you tell us if those hackers got information in the usis breach that they were then able to use in the attack against

opm? >> i can, that's a discussion we should have later. >> i understand. i certainly don't want you to disclose classified information. let me close by asking a final question to the whole panel and i want each of you answer. federal agencies and private companies are only a strong as they weakest link. last year we saw breaches of two contractors, keypoint and usis. now we have reports of these hackers are getting into opm information because of what they learned in those hacks. agencies have leverage over their contractors using the provisions in the contracts and the billions of taxpayer dollars that they pay out for the companies. i want to ask each of you how can agencies use that leverage to improve cybersecurity practices of contractors so that they do a better job of safeguarding the information that they are entrusted with? go ahead right on down the line. starting with you, ms. archuleta

ms. archuleta. >> what we can do with the contractors that we engage is to make sure that they have visited the systems that match the federal government's and that they're using the same systems. in addition, i want to be sure i understand your question, the contractors that we employ as individuals or as companies? >> the contractors as companies. >> that in our contracts with the companies, we are now working to make sure that they are adhering to the same standards that we have in federal government as outlined in our rules. >> dr. ozment? >> dhs for its own contract as one example has been working to build additional secretary requirements. i would also point you to the federal ramp effort, governmentwide effort to establish a baseline of cybersecurity requirements for cloud contractors to the

government. >> mr. scott? >> yes. i think as my colleague and i testified last week we also are strengthening the federal contract procurement language and creating contractor language that any agency can use as a part of their standard contracts. >> ms. burns? >> i think it is not beating up to secure clauses in all contracts so that the cover the full extent of what we need and in doing monitoring and follow-up that you need to do to ensure the contractors are adhering to those clauses of the contract. >> ms. seymour? >> i agree with everything my colleagues have put forth by i will add that site inspections are also important that those are some of things that we do that opm. as well as continuous monitoring. looking at a system every third year is not ample. that is not a best practice in we need to move more towards looking at different security controls at different intervals of time.

the other option that we do this is our ig, also does inspections of our contractor companies. >> i agree with what the other witnesses stated. and like ms. seymour just said we go out and do audit of contractors, health insurance companies. the background investigation companies as well. we can be used and see ourselves in that role. >> mr. chairman i think you for indulgence but i also want to know the usis was invited here today -- >> i appreciate the judgment. you are almost three minutes overtime. we have classified we had to go to other members. >> yield like. >> i now recognize mr. russell from oklahoma for five minutes. >> thank you, mr. chairman. i'm baffled by all of this. upon receipt of upon your appointment the directorship of

opm, director archuleta has stated that she is committed to build an inclusive workforce. who would've thought that would have included our enemies? in his testimony here today, we heard statements that we did not encrypt because we thought they might be able to decrypt or the cipher. that is just baffling to me. there was another statement i heard earlier today that said that we not establish the system we would never have known about the breach. that's tantamount to saying if we had not watered our flower beds we would have never seen the muddy footprints on the open window sill. this is absolute negligence that puts the lives of americans at risk and also foreign nationals that interact with these americans. of particular concern are the sf-86 of which underestimate with my background prior to coming to congress.

we had johnny gallagher has something to probably best. he said that this bridge was result of inertia lack of internal expertise and a decade of neglect. director archuleta why did you not shut down 11 of the 21 systems that had no security assessment and authorization? >> as i mentioned before, the are numerous priorities that go into safety and security including making sure that our retirees receive their benefits come or that our employees get paid. there's numerous considerations that we had speeded would one of those considerations be encrypting social scooting numbers? i mean, doesn't take a degree in

i.t., and cybersecurity to put social security numbers? i didn't think so. teacher cybersecurity strategic plan include leaving half opm systems without protection when you formulated it? was that part of the plan speak with no, sir. >> then why was it not made a priority of? >> the systems that the ig refer to in our plan is about is the systems that he recommended that we shut down, we have, they are he recommended we shut them down because they were without authorization. all of our systems are not authorized and they are operating. i have to say that we are looking at systems that are very, very old and we could take a look at encryption and other steps that could be taken and certainly we're doing that, but as we look at the system we are also having to deal with decades of --

>> and i understand that but i also understand, there's an old saying we had in the military. poor is the workman who blames his tools. missions can be accomplished even with what you have, and measures could have been done at this been made a priority. and what i see now is why did opm have no multifactor authentication for users accessing the system from outside opm? there was no multifaceted means. if they get into the system they have free rein is that correct of? >> we have implemented multi-factor, ms. seymour has mentioned multi-factor authentication with our remote users and continue come at a working speed when was that put in place before after the breach of? >> this began in january 2015 spent so stolen credentials could still be used to run free in the system is that correct? >> prior to the time of the

two-factor authentification, it takes time to input all of these tools. i am as distressed as you are about how long the systems have gone neglected, when they admitted much resources. in my administration we put those resources to it. we have to act quickly in which we are doing and we are also working with our partners across government. as i said before, cybersecurity is an issue that all of us address the cross the federal government spent was a party made across the system that would allow this type of frequent? >> would you repeat the question? >> was a priority made to the outside systems to opm's database that once they get in them, they have a free reign, a three-run? >> yesterday was a priority as a said before, legacy systems, it takes time.

>> it didn't take our enemies of time. thank you, mr. chairman. i yield back. >> now recognize the gentleman from california, mr. mr. blue, for five minutes. >> thank you, mr. chairman. director archuleta, under your watch last march opm database containing the crown jewels of american intelligence was breached. issued the same exact database was breached. if their database content over form in federal employees was unencrypted, breached the yankees had opm, your technology systems are weak are seriously deficient. and my question to you, just a simple yes or no is do you accept responsibility for what happened? >> i accept responsibility for the administration of opm and the important role of our i.t. systems in delivering services. and i take very seriously my responsibilities in overseeing the improvements to a decades old legacy system. >> i don't really quite know

what that means. i asked for a yes or no. but that's fine. you've answered it. i'm going to reserve the balance of my time to make a statement. having been a member of this oversight committee and as a computer science major, it's good to me there is a high level of technological incompetence across many of our federal agencies. we have held hearings when which other federal agencies couldn't procure, implement or deploy i.t. systems without massive bugs or massive cost overruns. we've held hearings were at least one federal agency, in this case fbi have a fundamental misunderstanding of technology when they continue to believe they can put in backdoors to encryption systems just for the good guys and not for hackers, which you cannot do. we had over 10 federal data system breaches last year. so there is a culture and the and a problem of sub and leadership not understanding we are in a

cyberwar. every day we're getting attacked. in both the public and private sector. the u.s. military understands this. that's why they stood up an entire u.s. cyber command until our leadership understand the gravity of this issue will continue nothing more data breaches. let me give you some examples of this culture problem. you've heard today there was unencrypted social scooting numbers. that's just not acceptable. that is a failure of leadership at look at the there is reports showing the material weaknesses and the lib look at last year's ig report page 12 that says as of november of last your opm have not yet done a risk assessment or that is ridiculous. especially since ascension in march your system was breached. that is a failure of leadership. this goes beyond just opm. you get a pass on this. i want to know why was it that it wasn't until last friday that

agencies were ordered to put in basic cybersecurity measures? why wasn't this done last year? why wasn't this done years before? there's a failure of leadership about that at opm. when there is a culture problem what have we done in the past? especially in the areas national security. you can't have the view that this legacy system, a national security, it's got to be zero tolerance. that's got to be your attitude. we can't have these breaches. the cia can't go around saying every now and again we do the breach. that can't happen. we have a culture problem as we've had, in the past when agencies have had this comp leadership resigned or verified. at the dea leadership left. we had this happened at secret service that has happened at that his administration. send a sect of the status quo is not acceptable. we cannot continue to have this attitude when we make excuse

after excuse. i've heard a lot of testimony today. the one word i haven't heard is the word sorry. when his opm going to apologize to over 4 million federal employees who just had the personal data compromise? when his opm going to apologize to federal employees that had personally devastating information released? i haven't heard that yet. wind is a culture problem we send a signal to others that that is unacceptable and leadership needs to reside another reason is we want new leadership in that is more competent. so i'm looking here today for a few good people to step forward accept responsibility and resign for the good of the nation. i yield back. >> thank the gentleman. well said. i now recognize that chairman of the i.t. subcommittee, mr. hurd a texas for five minutes. >> thank you, mr. chairman. it's my hope that an agency head

and every cio of these agencies are listening or watching or will read that testimony after this event and at the first thing to do when you wake up tomorrow is pull out the gao high risk report that identifies areas that have problems with they read their own ig report and take answer working to address those radiations. i've been at the chopper 211 weeks, similar to mr. scott. and one of the things they are from people, they are frustrated with their government. one, intentions agree. ms. archuleta you said at the beginning security of federal employees that is paramount and that's why but the data is paramount. i believe you believe that, right, but the execution has been horrific. intentions are not enough. we have to have execution. this is the thing that scares me. so my question, let's start with

you, ms. archuleta. did the hackers use zero vulnerability to get into networks? >> i think that would be better answered in a classified setting. >> well, it was a zero day vulnerability i hope everybody has been notified of this zero day, not on the cover but the private sector. we should be keeping secrets as zero day volatility i know a little something about protecting secrets. -almost my adult life in the cia doing to. this is something we do get out. if we haven't, because what i read is einstein did detect the breach after the appropriate indicators.com provides was lured into. so my question is how long did some have access to this and why did it take however much that time to get into einstein system and has that been promoted to every of the agency is using

einstein speak was represented opm went and updated -- gave us the indicators of compromise immediately and we loaded into einstein immediately. that is can we loaded into einstein to both detect and look back through history to see if any other traffic back in time indicated a similar compromise come is how we found an intrusion into opm related to this incident that led to our discovery of the breach of the personnel records. we also put into einstein three so that agencies covered by einstein three would be protected against a similar activity moving forward. then we held a call with all the federal cios anticipated these indicators and asked them to search the networks. >> has that been done? >> that has been done. >> so mrs. seymour, you talk about legacy systems.

the difficulty of protecting to start what are some of those legacy systems and what programming software is used to develop those systems? >> these are systems have been around for going close to 25-30 years. they are speed written by global? >> cobol systems. one of the things i would like to offer is that, you know director archuleta and i actually were broader to solve some of these problems. problems. >> when they just torture job? >> in december of 2013. these -- >> why did we wait to implement to factor authentication? >> we have not waited. >> two factor authentication was deployed part speak with these are two decades in the making went on to solve them all into years. and if we -- >> that's where i disagree with you. because i can we got to stop thinking about this that we have years to solve the problem. we don't we should be thinking

about this and did. ms. archuleta, how much overtime have you sign off on since this hack the people that are dealing with the compromise the? >> my cio team works 24/7. >> so if i walk into the building at 8 p.m., to beat people drinking red bull working in your to solve this problem? >> i'm very proud of employers that are working on this issue and they been working 24/7. >> mr. doggett your inherited -- mr. scott coming up in their domestic were looking to you. we will continue to drag people up here and enter these questions. because that's our responsibility we have to say i recognize that you're not going to talk -- something of them penetrate a network but how

quickly can you identify them can be quarantined and intend to keep them off the networks with those of the metrics we should be using. we are woefully inadequate the i yield back the time i did not have. thank you, sir. >> thank you, mr. chairman. ms. archuleta, in your testimony you said i think this is a direct quote. we have now confirmed that any federal a boy from across all branches of government whose organizations submitted service history records to opm may have been compromised even if their full personnel file was not stored on opm system. what do you mean by service historic? >> there may be, at the risk of they may have been in a different position earlier than perhaps come as they move around government. so it may be someone whose current job and not the in the system but because of their service history their information would be dated back,

and it's for retirement purposes. >> so potentially broader breach. i'll tell you with sf-86, a member pulling that out when i was a young officer in the navy and it is by far the most intrusive form that i have ever filled out. it took me days. i had to go do research on myself to try to figure out and it's not just that you a lot of personal and sensitive data about the individual applicant. the sf-86 asks about family members. asks about friends spouse, relatives, where you've lived, who you knew when you live in these different places. it also ask you to complain about anything in your past life. and so to me people have said that this is crown jewels which are in terms of potential blackmail. so this is a very very serious breach. my question for ms. archuleta

were cabinet level officials implicated in this breach? >> sir, this type of information would be better discussed in a classified setting. >> understood. what about people in the military and intelligence communities speak with as i mentioned earlier i put this is something we could respond in a classified setting. >> okay. and so you don't disagree with my characterization of the sf-86, and the compromise can let'scomplex just a theoretical it didn't want to say what actually happened, but that is a major, major breach that will have ramifications for our country? >> as i said will discuss this with you in the classified setting. >> sf-86 forms also require applicants to list of foreign nationals with whom they are in close contact with the so that means china now has a listing for sample of chinese citizens worldwide who are in close

contact with american officials. again and will use that information for espionage purposes. what are the security implications of that type of information falling into enemy hands? that could before anybody. >> -- that could be for anybody. >> we will discuss that this afternoon. >> some reports i not only with hackers pursuing information on federal employees but also password and encryption keys that could be used for trade secret theft and espionage. i guess you'll have more to say in a classified setting at least for this forum can you say that that is a significant risk that is not the type of information that we want the enemy to have? and its impact can be very damaging, corrective? >> again, we are going to defer discussion of that to a classified briefing. >> and i get that and i will be there and i've listened

intently. but it really concerns me because this is what a treasure trove for our enemies potentially, and the fact that this system was hacked and we didn't even know about it for a long time that is really, really troubling. and i think that the american people, i mean if you ask people to want to serve in these sensitive positions and they think that by filling out these forms they going to put themselves or their family potential at this because the government is not competent enough to maintain that secretly, that is a major problem as well. of information to biggest against the country and then you're also i think will have a chilling effect on people wanting to get involved if we don't depend on this. i look forward to and from the witnesses and a classified setting and i yield back the balance of my time spent thinking. now recognize the gentleman from alabama, mr. palma for five minutes -- mr. palmer spectrum when. ms. seymour, does the exposure

include others or does it include those of fellow other former 86? >> our investigation is ongoing. >> apparently it does because i had to employees who never fill out a standard form 86 and i have a letter from you informing them of the possibility of their dated may been compromised. i will ask you again and this is a yes or no does it extend beyond the people who filled out an sf-86? >> my answer to that is yes, sir. there are two incidents we've come here to talk to you about today. >> why didn't you answer yes? >> your doctor sf-86. >> i made it clear to do the exposure extend beyond those who filled out sf-86 and you said the investigation was ongoing it apparently you've invested enough to send a letter to employees who didn't fill out the forms.

thank you for your just answer. -- yes answer. in your judgment ms. archuleta, how likely is it that the hackers were able to access these personnel files to an employee account? >> sir, we will be able to discuss that with you during the classified session. >> let me be a little more specific. our youth may with a "wall street journal" article that indicated that it was possible -- are you familiar -- at the breach occurred to personal e-mail accounts because simply for using the federal system? and that early in 2011th immigration and customs enforcement agency noticed a significant uptick in infections and privacy spills, and they asked for a direct, or they put out a directive that federal

employees could not use the federal system to access their personal e-mail? that the american federation of government employees filed a grievance with the federal arbitrator claiming that that was something that needed to be bargained, needed to be part of the collective bargaining agreement. the arbitrator dismissed the security arguments and 75 words, claiming the law didn't give exclusive discretion to manage i.t. systems. so i wasn't able to shut off the you have any comment on the? >> no, sir. again, those are issues that we've able to discuss in a classified hearing. >> is being discussed in "the wall street journal." i think for now since we need to have you there and i will yield the balance of my time. thank you, mr. chairman. >> thank the chairman and the recognize the gentleman from georgia, mr. heise for five minutes. >> than one. what are the risks associated with not having a valid system

authorization? >> i think the risks are evident that not having a valid authorization essentially could be a symptom of weak controls over operating systems and applications and lead to things such as a breach. >> okay. with all the things we're talking about here today, and ms. seymour, you are fully aware of these risks, and opm was aware of these risks. >> yes, sir i was aware of these reports. >> okay. now, this is, i can't be going back to this because it's come up several times already today but still i'm waiting for an answer to inspector general of put out his report last november expressing great alarm, recommending that opm consider shutting down the systems

because of the risks that you knew about. ms. archuleta knew about, and get these recommendations were ignored. i'm going to come back to you with this because, quite frankly, ms. archuleta has tried to dodge this question and dance album and. i want to come straight up with you. why were those recommendations not followed? >> two reasons. one is and authorization to operate is nearly the documentation of the security controls of a system and their effectiveness. that does not mean simply because you don't have an authorization that those tools don't exist. the other effort is as the ig was doing its audits we were taking all of those vulnerabilities into play. we already develop a security plan that we are in the process of implementing. and the ig admits in the report

that we are in the process of implementing many of those controls. >> did the plan for curing process of implementing work? obviously it didn't. would shutting it down have worked? >> the controls that we put in place allowed us to stop the remote access to our network, and also about as to detect this activity that had occurred prior to the ig report. >> but the vulnerability was still there. and your plan failed. >> there are vulnerabilities in every system the what we do is a risk management process where we look at the vulnerabilities as well as the business we must conduct spent mr. as a company come back to you. what a currently, carla, what are the consequences of owners of an opm i.t. system, currently?

what are the consequences now if they operate without a valid authorization? >> to our essentially no consequences. we reported in our audits but other than that there are no official sanctions in place. it is something that gets publicized and that's the extent. >> it sounds to me like this thing is to not being taken sir so. so there are no consequences for operating without authorization. why are we still operating without authorization, or is not over in? >> i have extended the authorizations that we had on the systems because we put a number of significant of in place in the environment. we've increased the effectiveness of the security around those systems. >> but there are no consequences for not operating on a system with authorization. so how seriously are you taking a? >> there are consequences spent

what are they? >> those consequences are if you are not doing the assessment documenting them is wow that is evidence that those assessments have been done, the assessments themselves are more important. ms. kinney of the network with the tools -- >> that's not a consequence. you said there are consequences. i want to know what they are. >> the consequences we have our is we report to only be on a quarterly basis about the status of our security at our network. >> that doesn't sound like consequences. that sounds like just reporting you required to do anyway so there's no consequences involved. mr. esser, again, are the measures that need to be taken to get the whole thing up to the standard it ought to be? i mean, is there anything you

would recommend? >> yes, yes. we do recommend that the cio, the agency, take the steps that in a lot of cases they are beginning to take. the centralization of the i.t. governance is well along the way. would also need to do is get a full inventory of assets that they are responsible for protecting. and the shell project that ms. seymour has alluded to earlier is also something that we support. we also have some concerns about the way it's been, the project has been started and managed. but overall we support the idea behind the shell project spent we appreciate the joke but i now recognize gentlewoman from new mexico for five minutes. >> thank you, mr. chairman.

and thank you for having this morning i want to thank the panel for taking this conversation and these questions so seriously. in new mexico we are one of the states that has one of the largest percentage our per capita federal employees in the country come into top five so i've got 50,000 federal employees in my home state and i am on your side by being incredibly concerned about this and quite frankly many other data breaches. the growing sophistication can frequency and impact on both public and private entities by cyber attacks continue to be a very serious threat and, in fact, two days after my first election one of the key briefings by one of the national labs which is in my district at kirkland air force base is continuing growing concern with cybersecurity issues and their aggressive responses both to be

proactive as much as they can be, and to properly be reactive once you've got an identifiable breach. and given the data breach at opm and home depot and target, anthem, exclude me that not only does the federal government have a role in protecting federal employees in the information that you but we have a role in working to protect the public in general from these serious and continuing series of cyber attacks. but i recognize also that this is a very challenging effort and that there's not a simple solution. if there was we could stop this hacking altogether. as but doesn't want you to do that, i do want to minimize the fact that it recognizes that's more difficult to do than to say to do it is easy to say. it's not so easy to do. but my concerns are growing given that, even the best in the country are facing significant

cyber attacks including casper see lab where we live offer innovative and appropriate technologies to implement. so given that diatribe and given all the questions you about accountability on about this is nature, here's really my question. federal government is not known for being come and i mean no disrespect by this, but just in the facts, it's not a proactive very reactive body just by the nature of how large it is, how broad our mission is a now we are dependent on whatever the resources our and the priorities are at any given time. given that climate and the role to protect the general public and your role to protect federal employees information what can you do that's different that what you position to be much more proactive particularly given the nature of cyber

attacks? and quite frankly, they are already packed in as you making the next modifications? anyone on the panel. i mean mr. scott, that may be a question that is primarily for you but i'll be interested in anybody's response. >> sure. i can think of several things in the short run that actually already have underway. but probably long-term the biggest thing is to double down on replacing these legacy sort of old systems that we have. one of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats. in some cases very very hard to duck tape and band-aid things around the systems. it doesn't mean there's nothing you can do but fundamentally it's old architectures that need to be replaced and security

needs to be designed into the very fabric of the architecture of the hardware, software networks, the applications. and the fact we can do that the faster we are on a better -- >> and given your role to do that in federal government unaccredited what percentage of legacy systems and old architecture platforms that we are still operating under in which department are more at risk than others what is the timeframe for independent what is a reasonable course of this committee can take to make sure we have a candidate to move forward exactly in a separate? >> i think first thing is we're going to be very transparent with you in terms of the omb report, in terms of where we are at on that journey as we go through our work over the course of the year. so a member of the committee have said they will pay for it those attention to that of which i encourage -- >> the gentleman will suspend

our time is so tight that would like a full and complete answer to the questions for the record and we will continue to follow up. i hope you understand. i need time to the gentleman from wisconsin. >> i'm glad we established the federal government is not a proactive reactive body. something important to always remember, a matter what bill was rendered, some of you, you remember about the federal government. first question i have for you guys is kind of a significant story. just out of curiosity, has anybody lost their job over this? are there any intimations in that regard? >> no, sir. >> no, sir. >> next question, whoever answers it. as i understand, it took much for the state department to root out the russian hackers and their unclassified systems.

now, apparently the chinese hackers are known for leaving behind time delayed malware. do we know for sure that these people are out of the system by now or could it still be floating around? >> representative, we have a joint interagency led by dhs with participation by the fbi and actions could agency who have worked with opm at the department of interior. davis has been fully removed the anniversary from these networks but it is extreme difficult to have 100% certainty in these cases spent so it could be but you think probably spent yes sir. >> a. there are rumors that people are now selling some of these files. this is a threat? do we know if it's going on? and if it is going on are we doing anything to counter that? >> sir i think the impact and

such questions are better suited for a classified briefing. >> i yield the remainder of my time spent i want to thank the panels and everybody was eager i think you understand on a by person basis how serious we take this situation get to those federal employees who are effected, one of the things that should come out is come in the letter, the very end of the letter come if you receive one of these letters it does not have the office of personnel management is not going to cost you. they are not going to contact you to provide additional information. there will be some very bad actors that are going to try to take advantage of this bad situation and exploit it for their own here's looking. they've already done that the going to do it again and to the others that are going to try to do that. so to all of our federal employees, do not fall victim yet again to somebody who's going to send you an e-mail or make a call and try to pray upon you for the. it was noted in a letter to it is worth noting here from the

pulpit. and again we look forward to the 1:00 classified briefing. we're going to also. the committee now stands adjourned. thank you. [inaudible conversations] >> the supreme court is expected to decide the next week whether same-sex couples are constitutionally entitled to me. would've been head of the gay and lesbian rights group next. bernie sanders holds a presidential debate at the university of denver. this morning% hold a procedural vote on trade promotion authority legislation. big apple and it 10 a.m. eastern. -- they gavel in. >> the head of the office of personnel management will be back on capitol hill today to take more questions about the recent data security breach. live coverage for the senate

appropriations subcommittee starts at 10:30 a.m. eastern on on c-span3. later into the also on c-span3 i panel looks at proposed epa carbon regulations at the potential to affect that could have on energy costs. live coverage from the senate environment and public works committee at 2 p.m. eastern. >> next, the head of the gay and lesbian alliance against defamation known as glaad, talks about the supreme court's upcoming decision on same-sex marriage. sarah kate ellis' remarks at the national press club is 50 minutes. >> good afternoon and welcome to the national press club. int field, editor, writer with bloomberg, former press club vice president and a member of the club newsmaker committee. i will be today's moderator for the newsmaker with glaad president and ceo sarah kate

ellis. after the speaker's presentation we will take questions from the audience for the remaining time. the press club gives preference to questions from members of the media and many of those around you are working journalists so please respect they are here to do a job. once the members of the press have asked their questions we will invite non-press club members to ask their question. please keep your questions brief and to the point, no speeches please do we get in as many questions as time allows. i don't asking questions chip was identified themselves in state aid the organization they represent. ..

the decision oregon the plaintiff. sarah kate ellis president and ceo of glaad, the nations lesbian gay bisexual and transgender media advocacy organization since 2014. before taking the position she was an award-winning media executive and communication strategy is to let program installed in to the diversity of the lgbt community. ms. alice please join us. >> thank you very much.

high in things for having me today. there are three ways the ruling can come down. one is affirmative which is a yet and if that happens it will be a great celebration but we will be back to work on monday with the following day because there's much work to be done and i will talk about that in a little while. number two, the way the ruling can come down is the states that do not have marriage equality will have direct marriage equality for mothers days. that is a half when you could look at it that way. the third way is we didn't know altogether which means we'll be having to do a lot of work in the future. any way in which they come in there is still a lot of work we have left to do. i glaad we commissioned a poll of over 2000 americans that ask them how they really feel about

the lgbt community. it's an understanding about the culture is out there. we ask them on a five-point scale from very comfortable too uncomfortable and then we asked about everyday situation such as bringing kids to a same-sex household for a play date and attending a same-sex wedding, bringing your kids to a same-sex wedding, finding out a child and your kids sports team is. what we found this one out of every three americans are still there and come to bowl with the community. when you look closer at the numbers and missiles comment it turns out the levels of discomfort go even higher. when you look at the community the levels increase up to 40% to 90% of americans are very uncomfortable with the

community. from there what we've been doing is a bus tour in the south. finally do that is because we want to accelerate acceptance of the lgbt community to monitor the way scotus rules, we have to create a culture in which americans can live. we traveled from six states, 10 cities in seven days and met with community leaders. the premiere too many documentaries and we met with church and faith leaders and had very vibrant conversation on how to help accelerate acceptance in the south. additionally, we've been working closely with visibility. those are two-point out of the entire study period entire study. when you look globally to have real challenges as acceptance is moving forward in america discrimination is exported globally.

we are working very close late with advocates on the ground across the world to accelerate acceptance. i think that is about it. keith did a wonderful job of introducing me. i am sarah kate ellis. i have been a glaad for a year and a half. i come from the for-profit side of media and we do media advocacy so it is about raising stories of everyday americans but also people who are well known were supportive of the lgbt community because we know and understand to build acceptance in the country you need to know somebody who is lgbt because it opens your heart and mind and changes public opinion. we work hard to change public opinion in this country. with that i can take questions.

>> i will take moderators prerogative and ask a couple questions before i open it up. first i would like to focus on a couple controversies that glaad experienced in the last several years. in 2011 glaad supported at&t and eventually canceled merger when it was reported glaad received $50,000 from at&t. sacking in 2014 -- 2013 glaad gave former president told clinton noted as advocate for change by glaad. my question is, have either of those controversies affected how you broadcast your message in any way? >> fortunately none of them

happen under my watch. that being said when you deal with corporate america -- sorry do armada start over? i started by saying for chilling non-happen under my watch. however, i am the leader they are now and i feel at the speech bill clinton gave he talked about coming onto his turn in acceptance for the community and i think that was a powerful platform for him to have to talk about that. moving forward glaad is an advocate or an we've been known in the past as a watchdog. there's always a lot of controversy -- not always, but we do call people and things when they are not going well. i have to say the media and ice have a really good relationship

now. transfer was formed out of protest in front of the new york post almost 30 years ago this october when the post was reporting and calling aids the gay man disease. we've always had advocacy arm to us. >> i mentioned bill clinton and his journey of a guest self-discovery. what about where you have recognized individuals who may have talked to give gay marriage of one point but are now coming around. how do you address that so-called dichotomy for the flip-flopping some people call it. >> i think it is a journey.

except this is a journey. we've talked about it in the south with a lot of faith leaders trying to bring their congregations along with the to the place of acceptance and i think we have to give room for people to discover, understand, educate, and meet people who are lgbt for discovery in acceptance. it takes time and we seem not at the lgbt community and we talk about that openly that it is a journey to acceptance. >> let's shift gears a little bit. a week or so ago both american eye lands and wells fargo took some head for their lgbt rainbow. american airlines has a rainbow flag. how do you approach for heidi to the corporate community in

advocating for lgbt acceptance before the ruling comes out or up until the ruling has come out, how has glaad gone about trying to change the corporate mind that and try to get them to accept the lgbt community. >> you know, that thing we know being diverse and inclusive is good for business. once the business case scenarios were made, most of corporate america, the majority got on board and supporting the lgbt community. not only does it affect their bottom line, it helps them retain and recruit great talent. with corporate america they got the memo in the business case came out that it would help their business and so they have been very pro-lgbt for a

majority of companies. they have realized taking some of the heads the bigger social impact is really important in the business impact is important. >> at this point i will open the floor for questions. >> you mention what happens ruling wise. did you get a ruling that is not a strike down than make them more difficult? how do you go about that? >> the first i mentioned as one of the three people are still uncomfortable or have a high level of discomfort with the lgbt community. that is focused on raising the story, meeting lgbt people

through the media because a lot of people who don't ask that or not pro-lgbt don't know anybody who was lgbt. the other thing from a media standpoint, we would raise the stories of lovely couples being hurt by not having a positive ruling. when you talk about the tax they would put on families and with the human side -- what the human cost would be. that is our job at glaad, to raise awareness of what the human toll would be for not having a positive ruling. [inaudible] >> yes, we have authors narrows covered in terms of how we will proceed. we are not a policy organization. our plan is a media plan and how

we would raise stories up and make sure there is enough awareness if it is a negative ruling how that is hurting american families today. >> he talked a lot about how there's link ranks second. i am wondering, what is the mechanism by which we get people to be more except dean and more exposed to stories. how do you envision getting people there? >> a lot of it is by meeting lgbt people. we do it through tv shows and movies. movies are one of america's biggest cultural exports. we are doing a lot of work with movie studios to have them be more inclusive because they don't get a good rating. another is telling the stories of everyday people that we know and who have done extraordinary

things or that ordinary lives in the face of adversity. this way people get to know people who are lgbt. with caitlyn jenner coming out recently, before caitlyn came out, we note a percent of americans knew people who are. now we are in the market saying how did that move the needle with a high profile person coming on as transgender. getting people who can do positive portrayals is really important moving except as forward. [inaudible] >> i don't have that number. it is in the field right now. >> inevitably when you have court cases come down it's a top-down decision as opposed to a groundout. how do you avoid the perception

that a court or some other body is pushing an idea of a populace that may or may not have agreed with that. it might as a great question. 39 states now have a marriage equality is over majority obviously. that doesn't seem very top down. it seems bottom-up when you look at the landscape and how we fight for marriage equality over a decade. it has been gradual and slow building to this moment now. it has been very much a bottom-up strategy and also if you look at statistics 50% of americans are pro-marriage equality for the community. so it's definitely a bottom-up move. >> certainly nationwide.

state to state as a bottom-up? >> when you go state to state each state could be its own country practically in america. we often sometimes say that. the people of america have spoken and are ready this with over 60% saying they are for marriage equality. i think the states are ready. i think we have our work cut out for us and accelerated acceptance across the country and state word might be slower to move in that direction. overall bre place. -- overall bre plays. [inaudible] -- but you don't have to in the states have resisted doing that.

but not basically legalize it because all people would have to do is go out of state and they would have the benefits of marriage. >> yes. in theory correct. there are people who can't pay their states, whether they are sick whether they don't have the means to you. it could get into a socioeconomic issue at that point as well and it's not fair to those people who live in the states. in theory yes, but in practice i think it is very way of marriage equality in the state. we will be pushing for that if we do get the second ruling we talked about. >> i know clive has scored the media on a spur trail of gay characters in film and television. in 2015 is the per trail of gay characters are the media

industry a plus, minus her wash? >> it all depends what media you are talking about. the networks do a very good job of media per trail in incorporating lgbt people into storylines and into storylines into the diverse viewpoint of the community. when they get the community, one show right now the bold and the beautiful is a soap opera that is exported more than in the united states that has the only recurring transworld. we have to pick up the representation. when we look up at the studios studios don't do a good job. they are very low numbers separate trails and they are usually still the joke. the lgbt community is made fun of, victimized, killed, all of those things. i think the news media does a

pretty good job at per trails. i think there are some media institute for a new segment that can do better. overall news is fairly good. >> what two or three things that the film industry to to improve their record -- what two or three things could glaad do to get the newsmaker to turn around? what other things can they do to get the film industry to change the mindset as far as lgbt community is concerned? >> i would love for them to take a page from corporate america who understands diversity and inclusion is better for business. the film industry with it's

better for business as well. one of the things we are doing is not only do we measure them every year so we have a base and to have the conversation. the other thing is we are compiling the past representation of lgbt people in film to feel how negative it really is. if we play it back for them they will see what we are talking about versus handing them a report every year. talking about places where they could incorporate more lgbt carrots yours in the movies. it takes longer to see the effects of that. i also think they are going to start looking at the streaming content providers. the amazon of the world to see the successes they are having with diverse and inclusive

storyline. >> do you think the reason the film industry has been slow in coming around and acceptance of the lgbt community is possible blowback from the general public? do you think they see this particularly if they show movies in the south. years ago there were movies in which african-americans, tv shows that did not appear in the south. so could they be looking at that and saying we put a gay, bisexual or train a in a movie that will decrease the box office because the south -- if shown in the south they will be shown in very few hitters.

do you think that's part of the mindset? >> i think the mindset is these are various and said to me. once you get one you can't fix about that match. you can add it and they are formulaic in the way they've done a year-over-year and try and work the formula. to step outside of the formula is scary for them because there's millions of dollars on the line. for them to step outside the formula and see success will get us where we need to go. i think they most likely get caught up in their own cycle of formula and big money. these are expensive to ship inexpensive to expensive to ship inexpensive to add it and all of that. it's important to look at different ways to be inclusive because they will add to their bottom line, not detract.

>> recently ireland became the first country in the world to accept gay marriage. is there anything glaad can learn from the irish experience as well as the experience of other countries that have a better acceptance of gay marriage the lgbt community we do. >> what is interesting is that with a popular vote. i don't believe the minority's rights should be voted on by a majority. that being said, it went very well. we worked on not. when we do global work we train advocates on the ground. we work to help get the questions right, answers right and get as much media around big advances possible. i think we should take a page from their book. i don't think voting on it is

the page to take but a very catholic country has beaten america to the punch here is why i'm cautiously up domestically will get a positive ruling from the supreme court. we just saw in mexico last week. we see a lot of positive affirming lgbt movements globally as we see much resist and then i don't want to downplay that because it is still criminal. >> our country generally speaking is very strongly bright yet still they move to the left. how do you do that? how do you take these traditionally right or left position and get to where you want to get in places without

necessarily say we are moving the left on the issues. >> i don't think it is a left right issue. it is an issue of love and family and that is one thing for ireland to quote we do really well. when we first started on marriage equality road we talked about rights and protections. emotions resonate with people. restart attack in about love and family and appealing to what we have in our nature to part type our family, love our family. ireland took that and opted a notch in some of the campaigns were sheer brilliance for they had a grandson: his grandmother in coming out to her and her responding in the positive. it is really about love but we are talking about, not left