tv Politics Public Policy Today CSPAN June 17, 2015 9:00am-10:01am EDT
9:00 am
>> sir we are working with a legacy system. >> i didn't ask you that. >> as to the recommendations that he's made to us, we're working through those to the best of our ability. >> that's what frightens me, that this is the best of your ability. let me see if i can get some summary information as i go back and try to explain to folks back home. i've heard it was just people in the executive branch. i open this to anybody who might be able to answer. are we still saying that the only people whose data was exposed are folks who worked within the executive branch of government? >> sir, this is an ongoing investigation and as we uncover new information, we are happy to share it with you.
9:01 am
>> right. >> we have -- we are not necessarily restricted to the executive branch because there are people who work in the executive branch today who worked in the legislative branch -- >> and i got the notice and it says if you work in the executive branch or ever worked in the executive branch then there's a chance they got your data. but if you never worked with the executive branch you don't have to worry. are you still comfortable with that answer? >> no. we're learning new facts every day. >> is it still 4 million? i've heard 14 a couple of times. what is the current estimate of the number of current or previous employees who have been affected? >> approximately 4 million is the number that we're making notifications of today. we continue to investigate, especially in the background investigations incident, so that we can understand that data and begin to make notifications there as well. >> i've got a question, i think
9:02 am
it's for mr. ozment or whoever else who understands the i.t. systems. when we used to do this in the private sector we used to differentiate between someone who hacked into the system and someone who actually stole something from us. i guess my question is, have you been able yet to make the distinction between where the hackers were and they had access and things were exposed, and where possibly they downloaded data? >> thank you, representative. that is an important distinction and one that we spend a lot of our investigative time examining. for the personnel records, the approximately 4.2 million records, the incident response team led by dhs has concluded with high probability that that data was exfiltrated, meaning it was removed from the network by the adversary who took it.
9:03 am
we're continuing to investigate the information -- >> very briefly. i appreciate that. i don't mean to cut you off. let me ask this one question. i heard mr. lynch ask about the social security numbers. health data. why -- do we collect health data on our employees? ms. archuleta, if i come to work for you do i give you my health records? >> not your health information but the information regarding your health carrier. not your health. >> not specific medications or conditions, just who my health insurance company is. >> exactly. >> thank you, mr. chairman. >> now recognize the gentleman from virginia, mr. connolly, for five minutes. >> thank you. what's so jarring about this hearing is that in bloodless and bureaucratic language we're talking about the compromise of information of fellow americans, and from the federal employee point of view, the most catastrophic compromise of
9:04 am
personal information in the history of this country. social security records. ms. archuleta, you mentioned not health information but health carrier. that's a road map to other information hackers can get. security clearances. security clearances are deeply personal and often involve unconfirmed negative information, even rumors. i think someone has a drinking problem. that gets in the report even if it's not confirmed. is that not correct? >> sir, i'm not a federal investigator and i'm not familiar with all of the precise data that's in those -- >> let me confirm for you. it was a rhetorical question really. it is correct. it is -- how do we protect our
9:05 am
employees? dr. ozment, when i heard your testimony, it almost sounded like you were saying that the good news here is that we detected the hack. but the object here isn't effective detection, though that's part of the process. it is prevention and pre-emption to protect our citizens, including federal employees. you talked about einstein and you championed its merits. was einstein in place at opm when this hack occurred? >> sir, i share your deep concern about this loss of this information and agree that that is a terrible outcome. >> a terrible outcome. >> absolutely, as a federal employee whose information is itself a part of this database. >> it might be personally devastating, dr. ozment, not just a terrible outcome. >> that is correct, sir. what i would tell you on this is
9:06 am
that einstein was critical in this incident. as opm implemented their new security measures and detected the breach -- >> was einstein in place at the time of the breach? >> einstein 1 and 2 have been in place at opm. einstein 3 is not yet available. >> i've only got two minutes. i want to understand your answer. so did it successfully detect that a breach had occurred? >> it did not detect the breach that opm caught on their own networks because, just as the cyber threat information sharing legislation we're focused on acknowledges, you first have to have the threat information. once we had the information, we used einstein 1 and 2 to detect a separate breach that we were then able to work -- >> i'm sure every federal employee who had their information compromised is comforted by your answer, dr. ozment.
9:07 am
ms. archuleta, what was the time gap between discovering there was a breach and the actual breach itself? >> we discovered the breach in april of -- >> this year. >> of 2015. >> and when did the breach occur? >> we suspect it happened earlier in 2014. >> so sometime late last year? >> yes, sir. >> okay. so whoever were the hackers, presumably an agency of the chinese government according to published reports confirmed by u.s. officials, it's not a classified piece of information, the details of it may be. but our government i believe has confirmed without attribution in public records that it was a systemic effort by the people's
9:08 am
liberation army, which has been notorious for hacking all over the west, that got its hands on this data. so they had four months in which to do something with this data. is that correct? maybe five? >> i can't make a comment on attribution. >> i didn't ask you to. i just asked whether they had four or five months to do something with this data. >> the period between the time that we believe the breach occurred and our discovery, yes. >> i'm going to, real quickly if the chairman allows, mr. scott, one last question. the head of c.e.r.t. says if agencies implemented three steps we could prevent 85% of breaches, and i'm going to hold in abeyance new investments, new technologies. i had always hoped that the chinese didn't know how to hack into cobol. but that's a different matter.
9:09 am
three things are: minimize administrative privileges, utilize application whitelisting, and continuously patch software, which interestingly does not go on. what's your professional take on those three recommendations? >> i think those recommendations are great and there's a number of other things as well, some of which i've talked about today. i think the one point i would make is there's no one measure that you could say is going to prevent all attacks or even prevent an attack. it's really defense in depth that is your best measure. and that's what we're really looking at emphasizing. >> thank you, mr. chairman. >> now recognize the gentleman from north carolina, mr. walker, for five minutes. >> thank you, mr. chairman. i certainly agree with my colleague from virginia in his description that this is a catastrophic compromise.
9:10 am
ms. archuleta, it appears that opm did not follow the cybersecurity best practices, specifically such as network segregation and sensitive data. should the data have been encrypted? can you address that? >> the data was not encrypted. and as dr. ozment indicated, encryption may not have been a valuable tool in this particular breach. as i said earlier, we are working closely to determine what sorts of additional tools we can put into our system to prevent -- >> you already said may not have been. but that didn't answer the question. should it have been encrypted and could that have been another line of defense? >> i would turn to my colleagues in dhs to determine the use of encryption, but i would say it was not encrypted at the time of
9:11 am
the breach. >> i would note that if an adversary has the credentials, they can access. encryption in this instance would not have protected this data. >> i want to delve a little further. what consequences should cios face for failing to meet such a baseline on their networks? may i hear your thoughts on that? >> i believe that the cio is responsible for the implementation of a solid plan and i believe that my cio has been doing that. we're working with a legacy system that is decades old and we're using all of our financial and human resources to improve that system. this is an effort -- this is a -- cybersecurity is a government-wide effort and we
9:12 am
all must work together. >> i'm not sure the american people are content with the pace of how we're all working together. i want to speak to einstein. i've heard several different comments today regarding it. my question is, even if einstein is a necessary component to effectively defending the system, i believe the private sector is moving on this kind of technology. is that a fair question? what is the dhs doing to keep pace with its attackers, dr. ozment? >> einstein is necessary. we need a defense in depth strategy. we're supplementing einstein at the agencies and we're looking at einstein with taking what is currently a signature-focused system and adding capabilities to let us detect previously unknown intrusions. as you do that you receive more false positives, more
9:13 am
indications that an intrusion occurred even if it did not occur. we have to do that carefully. >> and it seems to be that you're more excited or more confident in the einstein 3a version. is that going to be more solid? >> it will be a significant step forward. it uses classified information. it is still a signature-based program but will rely upon classified information obtained from the intelligence community to help us block them from -- >> i heard you say something earlier about even that system needs to be supplemented with others, is that correct? >> that is correct. no single system here will solve this problem. >> and herein lies my problem. because even on the dhs's own website when talking about einstein it says it prevents malicious traffic from harming networks. if that's not all inclusive, should we not be understanding
9:14 am
that before today's hearing? why are we just now getting the information that this may not be enough to prevent a catastrophic compromise? >> i can't speak to the web page you're referring to, but i can say that we have been very consistent and i have been very consistent in all of my interactions with congress to highlight we need a defense in depth strategy. >> who is responsible for posting this information on the website of the dhs? >> we'll look into that and get back to you. >> thank you, mr. chairman, i yield back. >> now recognize the gentleman from pennsylvania, mr. cartwright, for five minutes. >> i thank the chairman and the ranking member for calling this hearing. director archuleta, i am concerned and i share the sentiments of mr. connolly from virginia. this is extremely troubling. we're talking about 4 million plus federal workers, people who
9:15 am
dedicate their entire careers, indeed their entire lives, to our country. and now their personal information has been compromised through absolutely no fault of their own. if i understand your testimony, the personal information of about 4 million current and former employees was potentially compromised. and i want to ask you, as your investigation continues, do you believe that that number is going to be bigger than 4 million? >> thank you for your question. in my opening statement i described two incidents. the first incident -- >> it's a yes or no question, or i don't know. >> no. because the two incidents, the first incident is 4.2 million and an ongoing investigation led us to understand that the federal investigative -- >> you know what i mean when i say it's a yes or no question, right? >> yes, sir. >> do you think it could be more
9:16 am
than 4.2 million? >> yes, sir. >> ms. seymour, let me turn to you for more detailed responses. your i.t. professionals discovered the breach in april. also, as mr. connolly mentioned, they believe the hack may have begun back in december, am i correct in that? >> yes, sir, it began in 2014. >> and now something else happened in december of 2014. opm's contractor keypoint revealed that it was targeted in an earlier cyberattack. this is the contractor that does the majority of your agency's background check investigations. am i correct in that? >> they do a number of our background investigations, sir. i'm not sure of the numbers. >> and at that point the attack against keypoint was successful. personal information was in fact compromised, correct? >> yes, sir. >> on friday abc news issued a
9:17 am
report entitled "feds eye link to private contractor in massive government hack." this article says this: the hackers who recently launched a massive cyberattack on the u.s. government, exposing sensitive information of millions of federal workers and millions of others, may have used information stolen from a private government contractor to break into federal systems. the article goes on. the hackers entered the u.s. office of personnel management, opm's, computer systems after first gaining access last year to the systems of keypoint government solutions. it continues. authorities meanwhile believe hackers were able to extract electronic credentials or other information from within keypoint's systems and somehow use them to help unlock opm's systems, according to sources. the hackers then rummaged through separate segments of
9:18 am
opm's systems, potentially compromising personal information of not only the 4 million current and former federal employees. ms. seymour, i know we're having our classified briefing later and i thank you for coming to that, but can you comment on these reports? did these hackers get what they wanted in the previous attack against opm's contractor keypoint so they could then go after opm itself? >> i believe that's a discussion that we should have in a classified setting, sir. >> fair enough. now we know that opm's other contractor usis was also breached last year and its information was also compromised. can you tell us if those hackers got the information in the usis breach that they were able to use in the attack against opm? >> again, that's a discussion we should have later. >> i understand. i certainly don't want you to disclose classified information
9:19 am
here. let me close by asking a final question to the whole panel. federal agencies and private companies are only as strong as their weakest link. last year we saw breaches of two contractors. now we have reports that these hackers are getting into opm information because of what they learned in those hacks. agencies have leverage over their contractors using the provisions in the contracts and the billions of taxpayer dollars that they pay out to the companies. so i want to ask each of you, how can agencies use that leverage to improve cybersecurity practices of contractors so that they do a better job of safeguarding the information that they're entrusted with? go ahead, right on down the line. starting with you, ms. archuleta. >> what we can do with the contractors that we engage is to make sure that they have the security systems that match the
9:20 am
federal government's and that they're using the same types of systems. in addition, with the -- i want to be sure that i understand your question, the contractors that we employ as individuals or as companies? >> the contractors as companies. >> that in our contracts with our -- with the companies we are now working to make sure that they are adhering to the same standards that we have in federal government as outlined in our rules. >> dr. ozment. >> representative, dhs for its own contracts has been working to build in additional cybersecurity requirements. i would point you to the fedramp effort, a government-wide effort to establish a baseline of security requirements for cloud contractors to the government. >> mr. scott? >> yes. i think as my colleague testified last week, we also are
9:21 am
strengthening the federal contract procurement language and creating contract language that any agency can use as a part of their standard contracts. >> thank you. ms. burns? >> i think it is about beefing up the security clauses in all contracts so that they cover the full extent of what we need and then doing the monitoring and follow-up that you need to do to ensure that the contractors are adhering to those clauses of the contract. >> ms. seymour? >> i agree with everything that my colleagues have put forth, but i will add that site inspections are also important and those are some of the things that we do at opm with our contractors, as well as continuous monitoring. looking at a system every third year is not ample. that is not a best practice and we need to move more towards looking at different security controls at different intervals of time. the other option that we do use is our ig does inspections of
9:22 am
our contractor companies. >> i agree with what the other witnesses say. we as the ig go out and do audits of contractors, health insurance companies, the background investigation companies as well. we can be used and see ourselves in that role. >> mr. chairman, i thank you for your indulgence. i want to note that usis was invited here -- >> you're almost three minutes over time. we have a classified briefing that we have to go to. >> yield back. >> appreciate it. i now recognize mr. russell from oklahoma for five minutes. >> thank you, mr. chairman. i'm baffled by all of this. under the directorship of opm, director archuleta stated that she was committed to building an inclusive workforce.
9:23 am
who would have thought that would have included our enemies. in this testimony here today we heard statements that we did not encrypt because we thought they might be able to decrypt or decipher. that's baffling to me. there's another statement that said had we not established the systems we would have never have known about the breach. that's tantamount to saying if we had not watered our flowerbeds, we would have never seen the muddy footprints on the open window sill. this puts americans at risk. a particular concern are the sf 86 forms, which i'm very familiar with from my background prior to coming to congress. we had sean gallagher who summed it up probably best. he said this breach was a result
9:24 am
of inertia, a lack of internal expertise and a decade of neglect. director archuleta, why did you not shut down 11 of the 21 systems that had no security assessment and authorization? >> as i mentioned before, there are numerous priorities that go into employee safety and security, including making sure that our retirees receive their benefits or that our employees get paid. there's numerous considerations that we had -- >> would one of those considerations be encrypting social security numbers? i mean, does it take a degree in i.t. and cybersecurity to encrypt social security numbers? i didn't think so. did your cybersecurity strategic
9:25 am
plan include leaving half of opm's systems without protection when you formulated it? was that part of the plan? >> no, sir. >> why was it not made a priority? >> that -- the systems that the ig referred to in our plan are those systems that he recommended that we shut down. we have -- they are -- he recommended that we shut them down because they were without authorization. all of our systems are now authorized and they're operating. i have to say that we're looking at systems that are very, very old. and we could take a look at encryption and other steps that could be taken, and certainly we are doing that. but as we look at this system we're also having to deal with decades of -- >> well, and i understand that. but i also understand there's an old saying we had in the military. poor is the workman who blames his tools.
9:26 am
missions can be accomplished even with what you have, and measures could have been taken had this been made a priority. and what i see now is, why did opm have no multifactor authentication for members using the system outside of opm? there was no multifaceted means. if they get into the system they have free rein, is that correct? >> we have implemented multifactor. ms. seymour mentioned it with the remote users. >> when was that put in place, before or after the breach? >> this began in january of 2015. >> so stolen credentials could still be used to run free in the system, is that correct? >> prior to the time of the two-factor authentication, it takes time to implement the tools.
9:27 am
i am as distressed as you are about how long the systems have gone un -- have gone neglected when they've needed much resources. and it's my commitment that we've put the resources to it. we have to act quickly, which we're doing. and we are also working with our partners across government. as i said before, cybersecurity is an issue that all of us address across -- >> was the priority made to the outside systems that were most vulnerable, that would allow the free rein? >> i'm sorry, repeat the question. >> was the priority made to these outside systems to opm's database, that once they get in them they have free rein? >> it was a priority, sir. but as i said before, legacy systems, it takes time. >> it didn't take your enemies time. thank you, mr. chairman. i yield back. >> now recognize the gentleman from california, mr. lieu, for five minutes. >> thank you, mr.
9:28 am
chairman. >> director archuleta, under your watch last march an opm database containing the crown jewels of american intelligence was breached. this year the same database was breached. the ig has said that at opm your technology systems are materially weak or seriously deficient. my question to you is a simple yes or no: do you accept responsibility for what happened? >> i accept responsibility for the administration of opm and the important role of our i.t. systems in delivering the services. and i take very seriously my responsibilities in overseeing the improvements to a decades-old legacy system. >> i don't really quite know what that means. i asked for a yes or no. i really want to know -- but that's fine. you've answered it. i'm going to reserve the balance of my time to make a statement.
9:29 am
having been a member of this oversight committee and as a computer science major, it's clear to me there is a high level of technological incompetence across many of our federal agencies. we've held hearings that show that federal agencies couldn't procure and deploy i.t. systems without massive bugs. one federal agency, in the case the fbi, had a fundamental misunderstanding of technology where they continue to believe they can put in backdoors to encryption systems just for the good guys and not for hackers, which you cannot do. we had over 10 federal data system breaches last year. so there is a culture problem. and there is a problem of civilian leadership not understanding we're in a cyber war. every day we're getting attacked in both the public and private sector. the u.s. military understands this. that's why they stood up an
9:30 am
entire u.s. cyber command. the military leadership understands the issue. let me give you examples of the problem. there were unencrypted social security numbers. that's unacceptable. a failure of leadership. look at the reports over the years showing material weaknesses, and look at last year's report, page 12, that says as of november last year opm had not yet done a risk assessment. that is ridiculous, especially since you knew in march your system was breached. that is a failure of leadership. and this goes beyond just opm. now mr. scott, you've only been here a few months, so you're going to get a pass on this. why was it that it wasn't until last friday that agencies were ordered to put in basic cybersecurity measures? why wasn't this done last year? why wasn't this done years before?
9:31 am
and when there is a culture problem, what have we done in the past? especially in the area of national security. you can't have the view that this is a legacy system. we have these excuses. in national security it's got to be zero tolerance. that's got to be your attitude. we can't have these breaches. the cia cannot go around and say every now and then our database is going to get breached. when you have a culture problem, in the past when agencies have had this, leadership resigns or they're fired. at the dea, leadership left. we had this happen at the secret service, we had this happen at the veterans administration, and we do that for two reasons. one is to send a signal that the status quo is not acceptable. we cannot continue to have this attitude where we make excuse after excuse. and you know, i've heard a lot of testimony today. the one word i haven't heard is the word sorry. when is opm going to apologize
9:32 am
to over 4 million federal employees that just had their personal data compromised? when is opm going to apologize to the federal employees who had devastating information released? i haven't heard that yet. when there's a culture problem we send a signal to others that the leadership has to resign. we want new leadership in that is more competent. so i'm looking here today for a few good people to step forward, accept responsibility and resign for the good of the nation. i yield back. >> thank the gentleman. well said. now recognize the chairman of the i.t. subcommittee, mr. hurd of texas, for five minutes. >> thank you, mr. chairman. it's my hope that every agency head and every cio of these agencies are listening or
9:33 am
watching or will read the testimony of this event. and that the first thing they do when they wake up tomorrow is pull out the gao high risk report that identifies areas that they have problems with. they read their own ig report and start working to address those remediations. you know, i've been at this job for 21 weeks, similar to mr. scott. and one of the things you hear from people, they're frustrated with their government. intentions are great. ms. archuleta, you said at the beginning that security of federal employee status is paramount. i believe you believe that, right? but the execution has been horrific. you know, intentions are not enough. we have to have execution. and this is the thing that scares me. so my question -- let's start with you, ms. archuleta. did the hackers use a vulnerability to get into your
9:34 am
network? >> i think that would be better answered in a classified setting. >> well, if it was a zero-day vulnerability, i hope everybody has been notified of this, not only the government but the private sector. we shouldn't be keeping secret zero-day vulnerabilities. i know something about protecting secrets. i spent my adult life in the cia doing this. what i've heard is that einstein did detect the breach after the appropriate indicators of compromise were loaded into it. so my question is, how long did the federal government, did somebody, have access to these indicators of compromise, and why did it take however much time to get it into einstein's system, and was it -- has that been promoted to every other agency that's using einstein 2? >> representative, opm, once they implemented their security measure and discovered the
9:35 am
breach, gave it to us and we loaded it into einstein 2 to detect and looked through history to see if any traffic back in time indicated a similar compromise. that is how we found an intrusion into opm related to this incident that led to our discovery of the breach of the personnel records. we also put it into einstein 3 so that agencies covered by einstein 3 would be protected against similar activity moving forward. then we held a call with all of the federal cios and asked them to search their networks. >> has that been done? >> that has been done. >> ms. seymour, you talk about legacy systems and the difficulty of protecting those. what are some of those legacy systems and what programming software is used to develop those
9:36 am
systems? >> these are systems that have been around for going close to 25, 30 years. >> so it was written in cobol? >> they are cobol systems. one of the things i would like to offer is director archuleta and i actually were brought here to solve some of these problems. >> when did you start your job? >> in december of 2013. >> and why did we wait to implement two-factor authentication until after the hack? >> we have not waited. >> so it was being deployed prior? >> these are two decades in the making. we're not going to solve them all in two years. >> that's where i disagree with you. okay? because again we've got to stop thinking about this that we have years to solve the problem. we don't. we should be talking about this in days. ms. archuleta, how much overtime have you signed on since this hack of people that are dealing with the compromise?
9:37 am
>> the -- my cio team works 24/7. >> so if i walk into your building at 8:00 p.m. at night there's going to be people drinking red bull working furiously in order to solve this problem? >> i'm very proud of the employees working on this issue and they have been working 24/7. >> mr. scott, you've inherited a mess, my man. and we're looking for you, and whatever this committee can do to help you ensure that things like this don't happen, to ensure that these agencies and the cios are implementing the recommendations. we're going to continue to drag people up here to answer these questions because that's our responsibility and we have to say -- look. i recognize that, you know, you're not going to stop anybody from penetrating your networks. how quickly can you identify them, quarantine them and kick them off the network? i yield back the time i did not
9:38 am
have. >> thanks. mr. desantis of florida is recognized for five minutes. >> thank you, mr. chairman. ms. archuleta, in your testimony you said, we have now confirmed that any federal employee from across all branches of government whose organization submitted service history records to opm may have been compromised even if their full personnel file is not stored on the system. what do you mean by service history? >> their careers, they may have been in a different position earlier than perhaps as they move around government. so it may be someone who current -- whose job would not be -- current job would not be in the system but because of their service history their information would be dated back. and it's for retirement purposes. >> okay. so potentially broader breach. i'll tell you, with sf 86, i remember filling that out when i
9:39 am
was a young officer in the navy. and it is by far the most intrusive form that i've ever filled out. it took me days. i had to go do research on myself to try to figure out. and it's not just that you're doing a lot of personal and sensitive data about the individual applicant. the sf 86 asks about family members, it asks about friends, spouse, relatives, where you've lived, who you knew when you lived in these different places. also asks you to come clean about anything in your past life. and so to me, you know, people said this is crown jewels material in terms of potential blackmail. and so this is a very, very serious breach. my question for ms. archuleta: were cabinet-level officials implicated in this breach?
9:40 am
>> sir, this type of information would be better discussed in a classified setting. >> understood. what about people in the military and intelligence communities? >> as i mentioned earlier, i believe that this is something that we could respond to in a classified setting. >> and so you don't disagree with my characterization of the sf 86 in that the compromise, let's just say theoretically if you don't want to say what actually happened here, that that is a major, major breach that will have ramifications for our country? >> as i said, we'll discuss this with you in the classified setting. >> sf 86 forms require applicants to list foreign nationals with whom they're in close contact. china has a list of chinese citizens worldwide who are in close contact with american officials. they can and will obviously use that information for espionage purposes. what are the security implications of that type of
9:41 am
information falling into enemy hands? that could be for anybody. >> sir, that is a question that we will discuss in the hearing this afternoon. >> okay. now, some reports say that not only were the hackers pursuing information on federal employees but also password and encryption keys used for trade secret threat. at least for this forum can you say that that is a significant risk, that is not the type of information that we would want the enemy to have and it can in fact be very damaging, correct? >> again, sir, we're going to defer discussion of that until the classified briefing. >> and i get that. and i'm -- i will be there and i will listen intently. but it really concerns me because this is really a treasure trove for our enemies
9:42 am
potentially. and the fact that this system was hacked and we didn't even know about it for a long time. you know, that is really, really troubling. and i think that the american people -- i mean, if you ask people to want to serve in these sensitive positions and they think that by filling out these forms they're actually going to put themselves or their family potentially at risk because the government is not competent enough to maintain that secretly, that is a major problem as well. so the information can be used against the country. then you're also, i think, going to have a chilling effect on people wanting to get involved if we don't get a handle on this. i look forward to hearing from the witnesses in a classified setting and i yield back the balance of my time. >> recognize the gentleman from alabama, mr. palmer, for five minutes. >> thank you, mr. chairman. ms. seymour, does the employee exposure extend to only those that filled out standard form 86 or others as well? >> our investigation is ongoing,
9:43 am
sir. >> ma'am, apparently it does because i have two employees who have never filled out a standard form 86 and they have a letter from you informing them of the possibility that their data may have been compromised. i'll ask you again, and it's a yes or no. does it extend beyond the people who filled out an sf 86? >> my answer to that is yes, sir. there are two incidents we've come here to talk to you about today. >> why didn't you answer yes to start with? >> you were talking about sf 86s, sir. >> i made it clear i asked you did the exposure extend beyond those who filled out sf 86. and you said the investigation was ongoing. apparently you've investigated enough to send a letter to employees who didn't fill out those forms. so thank you for your yes answer. is there -- in your judgment,
9:44 am
ms. archuleta, how likely is it that the hackers were able to access these personnel files through an employee account? >> sir, we'll be able to discuss that with you during the classified session. >> let me be a little more specific. are you familiar with "the wall street journal" article that indicated that it was possible that the breach occurred through personal e-mail accounts, because employees were using the federal system. and that early in 2011 the immigration customs enforcement agency noticed a significant uptick in infections and privacy spills and they asked for a directive or put out a directive that federal employees could not use the federal system to access their personal e-mails. but the american federation of government employees filed a grievance with the federal
9:45 am
arbitrator claiming that was something that needed to be bargained and needed to be part of the collective bargaining agreement. and the arbitrator dismissed security arguments in 75 words claiming the law didn't give federal agencies exclusive discretion to manage the security systems. i.c.e. wasn't able to shut that off. do you have any comment on that? >> no, sir. again those are issues that we'll be able to discuss in the classified hearing. >> well, it's being discussed in "the wall street journal." i think for now, since we need to head to the hearing, i will yield the balance of my time. thank you, mr. chairman. >> now recognize the gentleman from georgia, mr. hice, for five minutes. >> thank you, mr. chairman. what are the risks associated with not having a valid system authorization? >> the risks are evident that not having a valid authorization
9:46 am
essentially could be a symptom of weak controls over operating systems and applications. and lead to things such as a breach. >> okay. with all the things that we're talking about here today, and ms. seymour you were obviously fully aware of these risks and opm were aware of the risks? >> yes, sir. i was aware of these reports. >> okay. now, this is -- i kind of hate going back to this because it's come up several times already today. but still, i'm waiting for an answer. the inspector general of course put out his report last november expressing great alarm recommending that opm consider shutting down the systems because of the risks that you knew about. ms. archuleta knew about.
9:47 am
and yet these recommendations were ignored. i'm going to come back to you with this because quite frankly ms. archuleta has tried to dodge this question and dance all around it. i want to come straight up with you, why were those recommendations not followed? >> two reasons, sir. one is an authorization to operate is merely the documentation of the security controls of a system and their effectiveness. that does not mean simply because you don't have an authorization that those tools don't exist. the other effort is as the ig was doing its audit, we were taking all of those vulnerabilities into play. we had already developed a security plan that we were in the process of implementing. and the ig admits in their report that we were in the process of implementing many of those controls. >> did the plan that you were in the process of implementing
9:48 am
work? obviously it didn't. would shutting it down have worked? >> the controls that we put in place allowed us to stop the remote access to our network and they also allowed us to detect this activity that had occurred prior to the ig report. >> but the vulnerability was still there. and your plan failed. >> there are vulnerabilities in every system. what we do is a risk management process, sir, where we look at the vulnerabilities as well as the business that we must conduct. >> mr. esser, let me come back to you. what currently are the consequences for owners of opm i.t. systems -- currently, what are the consequences now if they operate without a valid authorization? >> there are essentially no
9:49 am
consequences. we report that in our audits. but other than that, there are no official sanctions in place. it is something that gets publicized and that's the extent. >> it sounds to me like this thing is still not being taken seriously. no consequences for operating without authorization. why in the world are we still operating without authorization, or is that occurring? >> sir, i have extended the authorizations that we had on these systems because we put a number of security controls in place in the environment. we have increased the effectiveness of the security around those systems. >> but there's no consequences for not operating on a system with authorization? so how seriously are you taking it? >> there are consequences. >> what are they? >> those consequences are if you, if you aren't doing the assessments, documenting them is, while that is evidence that those assessments have been
9:50 am
done, the assessments themselves are more important. the scanning of the network, the tool -- >> that's not the consequences. what are the consequences? you said there were consequences. i want to know. >> the consequences that we have are we report to omb on a quarterly basis about the status of our security and our network. >> that doesn't sound like consequences. that sounds like just reporting that you're required to do anyway. there's no consequences involved in those reports. all right. mr. esser, again, are there measures that need to be taken to get the whole thing up to the standard it ought to be? i mean, is there anything that you would recommend? >> yes, yes. we do recommend that the cio, the agency, take the steps that in a lot of cases they're
9:51 am
beginning to take. the centralization of the i.t. governance is well along the way. what they also need to do is get a full inventory of the assets that they're responsible for protecting. and the shell project that miss seymour has alluded to earlier is also something that we support. we also have some concerns about the way it's been -- the project has been started and managed, but overall we support the idea behind the shell project. >> we appreciate the gentleman. i now recognize the gentlewoman. >> thank you mr. chairman. thank you for having this important hearing. i want to thank the panel for taking this conversation and these questions so seriously. in new mexico, we're one of the
9:52 am
states that has one of the largest percentage or per capita federal employees in the country, in the top five. so i've got 50,000 federal employees in my home state. and i am on their side by being incredibly concerned about this and quite frankly many other data breaches. the growing sophistication, frequency, and impact on both public and private entities by cyber attacks continue to be a very serious threat. in fact, two days after my first election, one of the key briefings by one of the national labs which is in my district is the continuing growing concern with cyber security issues and their aggressive responses, both to be proactive as much as they can be and to appropriately be reactive once you've got an identifiable breach. and given the data breach at opm
9:53 am
and at home depot and target and anthem, it's clear to me that not only does the federal government have a role in protecting federal employees and the information that you have, but we have a role in working to protect the public in general from these serious and continuing series of cyber attacks. but i recognize also that this is a very challenging effort and that there's not a simple solution. if there was we could stop this hacking altogether and have the magic bullet. as much as i want you to do that, i don't want to minimize the fact that i recognize that's more difficult to say than do. no, it's easy to say, not so easy to do. my concerns are growing given that even the best in the country are facing significant cyber attacks, including the lab who we are relying on for innovative and appropriate
9:54 am
technologies to implement. so given that and all the questions you've had about accountability, the serious nature, here's really my question. federal government is not known for being and i mean no disrespect by this just stating the facts it's not a very proactive, reactive body just by the nature of how broad it is how large our mission is and how we are dependent on whatever the resources are and the priorities are at any given time. given that climate and the role to protect the general public and your role to protect federal employee information what can you do that's different that puts you in a position to be much more proactive particularly given the nature of cyber attacks and quite frankly they're already hacked in as you're making the next modifications. anyone on the panel. i mean mr. scott that may be a
9:55 am
question that's primarily for you, but i'd be interested in anybody's response. >> sure. i can think of several things in the short run that, you know, actually we already have under way. but probably long term the biggest thing is to double down on replacing these legacy sort of old systems that we have. one of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats. it's, you know, in some cases very, very hard to sort of duct tape and band-aid things around these systems. it doesn't mean there's nothing you can do, but fundamentally, it's old architectures that need to be replaced and security needs to be designed into the very fabric of the architecture of the hardware the software, the networks, the applications. the faster we can do that the
9:56 am
faster we're on a better road. >> and given your role to do that in federal government, i'm not clear today what percentage of legacy systems and old architecture platforms we're still operating under and which departments are more at risk than others. what is the time frame for getting that done, and what's a reasonable course for this committee to take to make sure we've got accountability in federal government to move forward exactly in that effort? >> well, i think first thing is we're going to be very transparent with you in terms of the omb reports, in terms of where we're at on that journey as we go through our work over the course of the year. several of the members of this committee have said they're going to pay very close attention to that which i encourage. >> the gentlewoman -- our time is so tight to our 1:00 briefing. we would like a full and complete answer. there will be questions for the record, and we will continue to follow up. i hope you understand. >> be happy --
9:57 am
>> we need to give time for the gentleman from wisconsin. now recognized for five minutes. >> i'm glad we established that the federal government is not a proactive, reactive body. it's something for us to always remember no matter what bill moves around here. something to remember about the federal government. be that as it may, first question i have for you guys, this is kind of a significant story here. just out of curiosity, to see how the federal government operates, has anybody lost their job over this? have there been recriminations in that regard? sure, we'll give you the question. >> no, sir. >> okay. next question, i don't care who answers it. as i understand it took months for the state department to root out the russian hackers and their unclassified systems. now, apparently the chinese hackers are known for leaving behind time-delayed malware. do we know for sure that these people are out of the system by
9:58 am
now, or could they still be poking around? >> representative, we have a joint interagency team led by dhs with participation by the fbi and national security agency who have worked with opm and the department of interior on this incident. they have assessed that they have fully removed the adversary from these networks but it is extremely difficult to have 100% certainty in these cases. >> okay. so it could be, but you think probably out. >> yes, sir. >> okay. final question. apparently the rumors are people are now selling some of these files. is this a threat or do we know if it's going on? and if it's going on are we doing anything to counter that? >> sir, i think that's -- the impact and such questions are better suited for the classified briefing we're about to have. >> okay. i yield the remainder of my time. >> thank you. i want to thank the panelists and everybody here. i think you understand on a
9:59 am
bipartisan basis how seriously we take this situation. to those federal employees who are affected, one of the things that should come out is in the very end of the letter, if you receive one of these letters, it does note that the office of personnel management is not going to call you. they're not going to contact you to provide additional information. there will be some very bad actors that are going to try to take advantage of this bad situation and exploit it for their own personal gain. they've already done that. they're going to do it again. and there are going to be others that are going to try to do that. so all of our federal employees, please do not fall victim yet again to somebody who's going to send you an e-mail or make a call and try to prey upon you further. it was noted in the letter. it's worth noting here from the pulpit. again, we look forward to the 1:00 classified briefing. we're going to have to hustle. the committee now stands adjourned. thank you.
10:00 am
eliza johnson was 54 years old and an invalid when she was thrust into the role of first lady, determined to be a helpmate to her husband andrew johnson as he navigated the end of the civil war, reconstruction in the south, and his own impeachment. eliza johnson, this sunday night at 8:00 p.m. eastern on c-span's original series "first ladies," examining the public and private lives of the women who filled the position of first lady and their influence on the presidency. from martha washington