tv Politics Public Policy Today CSPAN June 18, 2015 3:00pm-5:01pm EDT
3:00 pm
information. >> so, social security numbers? >> yes, sir. social security number, date of birth, place of birth, typical pii, that would be in those types of files. >> miss seymour, it was reported on friday that in addition to this breach, hackers had reached highly sensitive information gathered in background investigations of current and former federal employees. is that true? >> yes, sir, that is. >> do you know how far back that goes? >> no, sir, i don't. these are -- the issue is that these are longitudinal records, so they span an employee's, you know, career, and so i do not know what the oldest record is. >> so it's possible that somebody could be working for the federal government for 30 years and their information over that 30 years could have been breached? >> yes, sir.
3:01 pm
these records do span an employee's career. >> so what can you tell us about the type of information that may have been compromised in the second breach? >> i believe that would be a discussion that would be better had in our classified session this afternoon, sir. >> thank you, i'm going to come back to you. dr. ozment, these suspected cyber spies from a foreign state went after sensitive detailed information about federal employees. what could they do with this information? i'm talking to you, yes. >> ranking member, i'm going to have to defer that question to the intelligence community who will be participating this afternoon at 1:00. >> all right. experts advise taking steps to mitigate damage from cyber spying attacks by using tools such as data segmentation, data masking, and encryption. the chairman asked about encryption. i know from past opm testimony before the committee, that opm has been a leader in deploying those tools.
3:02 pm
miss seymour, it's kind of hard to understand how cyber spies could have accessed more than four million records if you were using those tools to the fullest. and miss archuleta has a lot of faith and confidence in you as the chairman just stated. can you explain what happened? >> thank you, mr. cummings, for the question. a lot of our systems are aged. and implementing some of these tools takes time, and some of them, we cannot even implement in our current environment. that is why under director archuleta's leadership, we have launched a new program where we are building a new environment, a new architecture, a modern architecture, that allows us to implement additional security features. we have, in our legacy
3:03 pm
environment, we have installed numerous technologies and that is how we discovered this breach in the first place. so we are shoring up what we have today, and then we are building for the future, so that we can become more secure and provide these types of protections to our data and our systems. >> well, in the meantime, if we're going to collect and store sensitive personal information, we must make it unusable to our adversaries so that cyber spies are unable to steal it? would you agree? opm has to do a better job protecting sensitive information. would you agree? >> yes, sir. >> miss seymour, do you have the tools now to do that? are you trying to tell me you don't? >> opm has procured the tools,
3:04 pm
both for encryption of its databases, and we are in the process of deploying those tools within our environment, but there are some of our legacy systems that may not be capable of accepting those types of encryption in the environment that they exist in today. that is why it's important for us to focus, very aggressively, very proactively on building out that new architecture, so that in the future, we will be able to implement all of those tools for all of our databases. >> when you talk about the future, are you talking about three months, three years? >> we began our program after the march 2014 incident. we worked very closely with our inter-agency partners to devise a very aggressive and very comprehensive plan. we have been implementing that plan since then. we are delivering what we call our shell which is the new architecture. we're delivering that this fall and we will begin looking at our business systems applications and how we can migrate those into the new architecture. >> miss seymour, this is the question.
3:05 pm
we're collecting data right now. there are people's data that's out there, and i'm talking about in the meantime, where are we? in other words, i know you're trying to do some things. but that doesn't make federal employees feel pretty good. doesn't make me feel good. so, tell me more. are you saying that we are just vulnerable and we don't know when we're going to be able to deploy the types of systems that you just talked about? >> no, sir. we've done a number of things. >> i'm not talking about what you've done. i'm talking about -- again, i'm talking about what's going on today. >> that's exactly what i'm offering, sir. >> all right. >> we have implemented two-factor authentication for remote access to our network. that means that without a card
3:06 pm
or some other type of device, that our users cannot log into our network remotely. we have implemented additional firewalls in our network, we have tightened the settings of those firewalls. we have reduced the number of privileged users in our account. and we have even further restricted the access privileges that those users have. we have taken a number of other steps to increase the security of our existing network. we began that work back last march and it has continued. and we continue to work with dhs and our agency partners to test those systems and make sure that they are working appropriately. >> mr. esser, the office of inspector general conducted an audit in 2014, the chairman was talking about this, of opm's security information and programs and found several weaknesses.
3:07 pm
can you briefly identify the weaknesses that you found? >> yes, sir. the most critical weaknesses that we identified in our report from 2014 were the continued information security governance problems that have existed since 2007, the decentralization of the controls over systems. that, however, is an area that is certainly close to being improved to a full extent. another area of weakness was security assessment and authorization, which is, each system that opm owns, should go under an assessment every three years and be authorized for usage. we identified 11 systems at the end of 2014 that had not been authorized, that were due to be authorized. the technical security controls was another big area that we identified. while opm has implemented a number of strong tools and is improving in that area, our concern is that some of those tools were not being used properly and that they do not
3:08 pm
have a complete and accurate inventory of databases and servers, that those tools should be applied against. >> so the chairman asked miss archuleta a question of how she'd thought she'd done. based upon that, what grade would you give? >> i don't know that i can give a grade. >> well, so of all the things that you just stated, there were certain things that were not done, is that right? >> yes, sir. >> did any of them lead to this breach, the things that were not
3:09 pm
done? >> i don't know the exact details of how this breach occurred, so i really can't answer that question. certainly there's a lot of weaknesses at opm that they're in the process of trying to address. >> and last but not least, do you have a silver bullet to address this issue, sir? >> no, sir, i do not. there are very sophisticated attackers out there and there's no one silver bullet, i think, that can be applied that will prevent these types of things from happening. >> and you heard me ask miss seymour about the fact that we're constantly collecting information, and it seems as if we're just vulnerable, is that it? there are certain areas that we may not be able to defend
3:10 pm
ourselves in? is that an accurate saying? >> certainly there's a lot of things that can be done to make our systems more secure. is there something that can be done to make them impenetrable? not that i'm aware of. >> thank you very much. >> now recognize the gentleman from michigan, mr. walberg, for five minutes. >> thank you, mr. chairman. i appreciate the witnesses being here. this morning, we've certainly heard that there's no silver bullet and i don't think we expected the answer to be yes, there's a silver bullet. we are concerned that, knowing what's been going on, having clear evidence that hackers have been attempting for quite some time, and at least those of us here who trust on agencies and people like yourselves who know
3:11 pm
the issues, that some more efforts could have been successful in stopping the most recent attacks. we've heard today that networks aren't compartmentalized, segmented, in certain cases encrypted, that with the recent attacks, exterior perimeter has been breached, the attacker often remains undetected for months, that's concerning. as a result of that, able to exploit vulnerabilities within the networks without passing through, this is most concerning to me, additional inspection or security measures. so, mr. scott, as i understand, in the private sectors, there have been shifts toward zero trust model. ultimately, given omb's role in setting metrics for agencies, my
3:12 pm
question is, can you tell me, tell us, what omb is doing to set i.t. security metrics to limit the number of workloads, application tiers, to the networks? >> thank you for the question. i think there's a number of things that i would point to in addition to the measures that you just talked about. the first one is to share across the federal government, not only the lessons learned from opm, but what we see from other attacks, whether successful or not, private and public -- and make sure that all agencies are up to date on the methods of attack and the -- >> that's a weakness now? >> it has been historically, the ability for the government and the private sector to share information has been a hindrance in our ability to thwart these things.
3:13 pm
but i'll say that the specific measure that you mentioned, the segmentation and zero trust, is something that is more easily applied to very modern architectures. it's not as easily applied to some of the oldest, and old legacy systems that we have. and i think that's going to be a challenge for all agencies, where the architecture itself just doesn't lend itself to the application of certain technologies. the best answer, i think, in terms of what we have and where we go, is a model that we're promoting and encouraging across the agencies, which is defense in depth. it's a number of different measures so that if one thing doesn't work, you have the next layer that helps. and if that doesn't help, you have next layer. zero trust is applicable in some of those environments and frankly is very difficult or impossible to apply. >> how far are we from that? >> i would say years and years comprehensively. but one of the things we're working on right now is prioritizing based on the highest value assets that the
3:14 pm
federal government has so we are going after the most valuable stuff first and make sure that is protected the best way we can. >> miss seymour, with the millions of current and former federal employees, a lot of them in my district, that sign on to do the work that we give to them, we appreciate the work, it is not something we make up, we ask them expect their life will be compromised, their history and their life will be compromised and when did they know about the risk of the breach to their lives. >> thank you for the question, sir. i, too, am a federal employee and it is serious and so i note appreciate that.
3:15 pm
and we started the notification on june 8th and we will continue. we have not been able to do the analysis of the data involved with the background investigations incident. that is ongoing. and as soon as we can narrow the data that is involved in that incident, we will make appropriate notifications for that one as well. >> thank you. >> now recognize the gentlewoman from new york, miss maloney for five minutes. >> i want to thank the chairman and ranking member for calling this hearing and the panelists for your public service. as one who represents the city that was attacked by 9/11, we lost thousands on that day and thousands more are still dying from health-related causes from
3:16 pm
that fateful day. but i consider this attack, i call it an attack on our country, a far more serious one to the national security of our country. and i would like to ask mr. ozment from homeland security, would you characterize this as a large-scale cyber spying effort? that's what it sounds like to me? what is it? >> i think to speak to whether or not this was a spying effort, we would have to talk to the understanding of who the adversaries were and what their intent was and that is a conversation better saved for -- >> do you believe it is a coordinated effort. they appear to be attacking health records, employment, friendship, family, whole background. it seems to be a large sphere of information not only from the government but private
3:17 pm
contractors, individuals. and sometimes it appears targeted towards americans who may be serving overseas in sensitive positions. but would you consider this a coordinated effort or is that classified. >> thank you. would you defer that to the classified. >> thank you. i'll be at the 1:00 briefing. thank you. i want to refer to this article that i would like to place in the record and i think it is an important one and it came from abc news and it reports, if i could -- >> without objection. it is so ordered. >> and it reports that this seems to be looking at and gathering information on an sf 18 form which is a standard form 18 which is required for any employee seeking classified security clearances. so that would be people in important positions in our government.
3:18 pm
and i won't ask you questions. i'll just wait until later at this classified briefing. but i am extremely disturbed. this article also points out it is not only individuals that they are going after, they are going after contractors and those that serve the government. and it mentioned in other records lockheed martin where they went after the secure i.d. program. is that true, dr. ozment? >> i can't speak whether any adversaries have gone after private sector companies. >> then we won't get into that. then they say northrop grumman, l-3, they were hit by cyber attacks and other government contractors. one that probably hit congress is one in 2013 where the fbi warned that a group called
3:19 pm
anonymous hacked into the u.s. army department of energy, department of health and human services and many agencies by exploiting a weakness in adobe systems. now i have the adobe system in my office and so that means they could have hacked in my office and probably every other congressional office. and then they talk about going into health care. they go into the blue cross, blue shield system of all of the federal employees. so it seems they want a comprehensive package on certain millions of americans, many of whom are serving our country, i would say, at negotiating tables and commerce, state department, probably defense and every other aspect of american life and the world economy. but mr. scott, you have been before this committee before and you announced you were going to
3:20 pm
review the agency's cyber security programs to identify risks and im -- implement gaps and i wonder if you could report on what you learned from this review. and any specific changes in cyber security policies, procedures or guidance, if you can report on that? or that may be classified too? but anything you can share with us on what you've been doing to act to build some firewalls? >> well sure. thank you for the question. so we're conducting regular cyber stat reviews with each of the agencies. and it is along the key lines of many of the topics we've talked about here. two-factor, patching, minimizing the number of system administrators, all of the -- i'll call it hygiene factors that we think lead to good cyber security.
3:21 pm
>> my time is expired but anything you want to give to the committee in writing, we would appreciate it. >> we would be happy to, thank you. >> now recognize the gentlemen mr. meadows for five minutes. >> miss archuleta, let me come to you, you've been in your current position since 2013, is that correct? your mic? >> i was sworn in in november, 2013. >> so in 2013 you -- according to your testimony, made cyber the highest priority, i think that is how you opened up your testimony, that the security of federal employees was your highest priority, is that correct? >> yes, sir. >> all right. so help me reconcile then if it is your highest priority, how, when the most recent i.g. report
3:22 pm
came out that took security from being a material weakness, is how it was characterized before you got there, to significant deficiency, how would you reconcile highest priority and significant deficiency as being one in the same? >> thank you for your question. as -- as i mentioned earlier, one of the first things that we did or i did for opm was to develop 100 -- within 100 days an i.t. strategic plan and the issues that the i.g. just mentioned in terms of the i.t. governance and leadership and i.t. agility and data and strategy were all components of the plan and the i.g. recognized the steps and the strategic plan that we developed. >> i only have five minutes so i can't let you ramble on with all of these things. so let me ask you, how, if he recognized that, would he still
3:23 pm
characterize it as significant deficiencies? >> as we were instituting the improvements we were making, he was also at the same time conducting his audit. his audit was conducted in the summer of 2014, when we were beginning to implement our strategic plan. he has -- the i.g. has continued to work with us and we've taken his recommendations very seriously. >> you have taken them seriously.
3:24 pm
have you implemented all of them? yes or no? yes or no. >> we have implemented many of them. >> have you implemented all of those? >> as i said sir, we've implemented many of them. >> so you will implement all of them. >> we're looking at each of them seriously. >> not implemented. can you assure the federal workers you are going to implement all of the recommendations that the i.g. recommended to you, yes or no. >> we are working very closely with the i.g. to --
3:25 pm
>> i'll take that as a no. so let me go on further then. because i'm very concerned that here we have not even notified most of the federal employees that have -- we've known about it. they continue to not be notified and yet here you are saying that you have different priorities. because when chairman chaffetz asked why did you not shut it down, you said opm has a number of other responsibilities, is that correct. that was your answer to chairman chaffetz. >> we house a variety of data, not just personnel files but we house health care data and employ other records -- >> so you are saying it was better that you supplied that and put federal workers at risk versus making it -- according to your words -- the highest priority to make sure that the information was not compromised. if it is your highest priority, why didn't you shut it down like mr. chaffetz asked and like was recommended. why didn't you shut it down. >> in my opinion we were not able to shut it down in view of all of the responsibilities we hold at opm. we do take seriously --
3:26 pm
>> so in your opinion protecting federal workers could not be your highest priority because there were competing priorities and you said it was better that you continue on with the others versus protecting the federal work force. >> as i said, the recommendations that the i.g. gave to us are ones we take very seriously, sir. i don't want to characterize that -- that we didn't. that, in fact, we did take -- >> okay. let me -- there is a quote that says what we occasionally have to look at, no matter how beautiful the strategy, we have to occasionally look at the results. and the results here are pretty profound that we've got security risk all over. and i would encourage you to take it a little bit more serious and indeed make it your highest priority. i yield back. thank you mr. chairman. >> now recognize the gentleman from massachusetts mr. lynch for five minutes. >> thank you mr. chairman and i want to thank the panel for your help. i want to associate myself with the remarks of the ranking member and the chairman today which doesn't always happen. >> duly noted. >> i would like to ask unanimous consent if i might enter into the record the remarks of colleen m kelly, president of the national treasury association -- excuse me, national treasury employees union and a letter from j.d.
3:27 pm
cox, the president of the american federation of employees, afl/cio. >> without objection. >> i want to read the first few paragraphs. this is a letter from the president of the american federation of government employees, afl/cio, j. david cox to the honorable cathleen archuleta. i'm writing in reference to the data breach announced by the office of personnel management. and this is dated last week. in the days since the breach was announced, very little substantive information has been shared with us. despite the fact that we represent more than 670,000 federal employees and agencies throughout the executive branch. opm has attempted to justify the withholding of information on the breach by claiming that the ongoing criminal investigation restricted your ability to inform us of exactly what happened. what vulnerabilities were exploited. who was responsible for the breach and how damage to affected individuals might be
3:28 pm
repaired and compensated. based on sketchy information that opm has provided we believe that the central personnel data file was the targeted data base and the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to 1 million former federal employees. we believe the hackers have -- have every person's social security number, veteran record, address, birth date, health insurance, life insurance, e-mail, age, gender, race, union status and a lot more and worst of all we believe the social security numbers were not encrypted. a basic cyber security failure that is indefensible and outrageous. and so were the social security numbers, were they encrypted? >> opm is in the process --
3:29 pm
>> is that an i don't know? >> i don't believe that those -- >> can we stick to a yes or no. this is one of those hearings where i think i'm going to know less coming out of this hearing than i did when i came in because of the dancing around we're all doing here. as a matter of fact, i wish that you were as strenuous and hard working at keeping information out -- out of the hands of hackers as you are keeping information out of the hands of congress. and federal employees. it is ironic. you're doing a great job stonewalling us, but hackers, not so much. so were the social security numbers, were they encrypted, yes or no. >> no they were not encrypted. >> there you go. there you go. now we're getting somewhere. that is pretty basic. encrypting social security numbers.
3:30 pm
so all of this happy talk about the complex systems we're coming up with, you're not even encrypting people's social security numbers. that is a shame. and now let me ask about the standard form 86. standard form 86 is what we require employees to fill out if they are going to receive security clearance so people with sensitive information and we drill down on these folks. this is a copy of the application. it is online if you want to look at it. it is 127 pages online and we ask them everything, what kind of underwear they wear, and what kind of toothpaste, it is a deep dive and that is for a good reason. because we want to know when people get security clearance, that they are trustworthy and there is -- there is information here, have you ever been arrested, do you have -- you have financial information in here, there is a lot of information in this form. they hacked this. they hacked this. they got this information. on standard form 86.
3:31 pm
so they know all of the employees -- and everything about them that we ask them in the standard form 86, is that right, miss seymour? >> i believe that is a discussion that would best be held until this afternoon, sir. >> that is probably a yes. like i say, you know, i think you have to be honest with your employees. and i think that we need -- in order to protect them, we need to let them know what is going on. because the e-mail addresses in here as well, several. your first, your second, your third e-mail address and all of that information is out there. so we need to be a little bit more -- we need to be more forthcoming with our employees. these are people that work for us. and a lot of them deserve more protection than they are getting right now from the united states government and the office of personnel management.
3:32 pm
i see my time is expired. i appreciate the indulgence of the chairman and yield back. >> now recognize the gentleman from south carolina, mr. mulvaney for five minutes. >> thank you, mr. chairman. and many of us are uncomfortable asking questions in this type of setting because we don't want to ask questions the answers to which should be kept confidential so i encourage you in advance if i ask something that we should talk about in a different setting, that is an acceptable answer and mr. lynch, i don't know if i can get my hands around what we are learning and i'll follow up on mr. meadows and miss archuleta and he asked if you will implement all of the i.g.'s recommendations and he asked and you said no and let me ask this, can you name the recommendations that you are pushing back against, that you think are not worth implementing. >> i don't have the specific list in front of me and i could come back and talk about that.
3:33 pm
but i would like to say that as we look at the recommendations by the i.g., we work with him so we can fully understand where we have moved in our security efforts and also to understand his observations. and that is the normal audit process. and we continue to go through that with him. >> and i get that. >> on a regular basis. >> and we get i.g.'s in here all of the time and that makes sense. but what bugs me miss archuleta in the end of 2014, it was the third recommendation, that all active systems in the opm inventory have an active representation and you agree it is important to maintain up to date ipos but do not believe it rises to a material weakness, end quote. do you believe your opinion of that has changed since the end
3:34 pm
of 2014, miss archuleta. >> i believe all of the information and the recommendations that the i.g. has given us and we'll continue to work with -- >> knowing what you know now, that that condition did not rise to the level of material weakness? >> sir, we are working with a legacy system that has the recommendations that he has made to us, we are working through those to the best of our ability. >> that is what frightens me, this is the best of your ability. let me see if i can get some summary information here as i go back and try to explain to folks back home. i heard it was just people in the executive branch. i pose this to anybody who could answer this briefly. are we still saying that the only people whose data was exposed are those who work in the executive branch of the government. >> this is an ongoing investigation and as we uncover
3:35 pm
new information we're happy to share it with you. >> right. >> we are not necessarily restricted to the executive branch because there are people who work in the executive branch today who worked in the legislative branch. >> and i got that notice. and -- i got that notice and it said if you worked in the executive branch, there is a chance they got your data but if you didn't work in the executive branch, you don't have to worry. are you still comfortable with that statement. >> no. this is an ongoing investigation and we're learning new facts every day. >> we heard 4 million. i heard 14 today. and what is the current estimate of the current or previous numbers that were affected. >> currently 4 million is what we are notified of today and we are making an investigation so we can understand that data and begin to make notifications there as well. >> i have a question, i don't think it has been asked yet and
3:36 pm
i think it is for mr. ozment or whoever else understands the i.t. systems when we did this in the private sector, we differentiated between someone who hacked into our system and someone who stole something from us because there are two levels of involvement and so have you been able to make the distinction between where the hackers were and had access of where things were exposed and where they possibly downloaded data? >> thank you, representative. that is an important distinction and one we spent a lot of our investigative time examining. for the personnel records, the approximately 4.2 million records, the incident response team led by dhs and the partners learned it was exfiltrated, meaning it was removed from the network by the adversary who took it and we are continuing to
3:37 pm
investigate the information. >> i appreciate you. i don't mean to cut you off. and i wish we had more time. and i heard about the data and i heard about the social security numbers and that might have been exfiltrated. and health data, do we collect health data on our employees. if i come to work for you, do i give you my health records? >> not the health records but the information regarding your health carrier -- not your health. >> not specific medications or conditions, just who my health insurance company is. >> exactly. >> thank you, mr. chairman. >> now recognize the gentleman from virginia, mr. connelly for five minutes. >> thank you. what is so jarring about this hearing is that in bloodless and bureaucratic language we're talking about the compromise of information of fellow americans,
3:38 pm
and from the federal employee point of view, the most catastrophic compromise of personal information in the history of this country. social security records. miss archuleta, you mentioned not health information, but health carrier, that is a road map to other information hackers can get. security clearances. security clearances are deeply personal. and often involve, miss seymour, unconfirmed negative information, and even rumors. i think so and so has a drinking problem. that gets into that report, even if it is not confirmed, isn't that correct. >> sir, i'm not a federal investigator and not familiar with the precise data in those forms. >> let me confirm for you. it was a rhetorical question
3:39 pm
really. it is correct. it is -- how do we protect our employees. dr. ozment when i heard your testimony it almost sounded like you were saying that the good news here is we detected the hack. but the object here isn't effective detection, though that is part of the process. it is prevention and preemption to protect our citizens, including federal employees. you talked about einstein and you championed its merits. was einstein in place at opm when this hack occurred? >> sir, i share your deep concern about the loss of this information and agree that that is a terrible outcome. >> a terrible outcome. >> absolutely. as a federal employee whose information is itself a part of the data base. >> it might even be personally devastating, dr. ozment, not just a terrible outcome. >> that is correct, sir.
3:40 pm
what i would tell you on this is that einstein was critical in this incident. as opm implemented the new security measures and detected the breach. >> was einstein in place at the time of the breach. >> einstein one and two were in place and einstein three is not yet available for opm. >> i've only got two minutes. i want to understand your answer. so did it successfully detect a breach had occurred? >> it did not detect the breach that opm caught on their own networks because just as the cyber threat information sharing legislation we are focused on acknowledged, you first have to have the threat information. einstein one, once we had the threat information, we used einstein one and two to detect a separate breach we were able to work. >> i'm sure every federal employee who had his or her information compromised is comforted by your answer dr. ozment. miss archuleta, what was the time gap between discovering
3:41 pm
there was a breach and the actual breach itself? >> we discovered the breach in april of -- >> of this year. and when did the breach occur? >> we -- we suspected it happened earlier, in 2014. >> so sometime late last year? >> yes, sir. >> okay. so whoever -- the hackers, presumably an agency of the chinese government, according to published reports, confirmed by u.s. officials, not a classified piece of information, the details of it may be, but our government, i believe, has confirmed without attribution in
3:42 pm
public records that it was a systematic effort by the people's liberation army which is notorious for hacking all over the west, that got its hands on this data. so they had four months in which to do something with this data, is that correct, maybe five? >> i can't make a comment on the -- on the attribution. >> i didn't ask you to. i just asked whether they had four or five months to do something with this data? >> the period between when discovery of the -- the time that we believe the breach occurred and our discovery, yes. >> all right. i'm going to real quickly, if the chairman allows, mr. scott, one last question. the head of cert, the director of cert, said if the agency implemented three steps we could prevent 85 breaches and i'll hold in advance now technology because miss lease talked about new procedures and i didn't think they knew how to hack into cobol.
3:43 pm
so would you just comment, what is your take, professional take on the three recommendations? >> i think those recommendations are great. and there are a number of other things as well, some of which i've talked about today. i think the one point i would make is there is no one measure that you would say, that is going to prevent all attacks or even prevent an attack. it is really defense in depth is your best measure and that is what we're really looking at emphasizing. >> thank you, mr. chairman. >> thank you. and i'll recognize the gentleman from north carolina, mr. walker, for five minutes. >> thank you mr. chairman. i certainly agree with my colleague from virginia and his description this is a catastrophic compromise. miss archuleta, it appears that opm did not follow the basic cybersecurity best practices, such as network segmentation and
3:44 pm
encryption of sensitive data. should the data have been encrypted, should you address that. >> that the data was not encrypted and as dr. ozment indicated, encryption may not have been a valuable tool in this breach. we are working to see what additional tools we can put into our system to -- >> and you said may not have been but that didn't answer the question. should it have been encrypted and would that be another line of defense. >> i would turn to my colleague to determine the use of encryption but it was not encrypted at the time of the breach. >> if an adversary has the credentials of a user on the network, they can have access to
3:45 pm
the data and that did occur in this case so encryption would not protect this data. >> and let me ask this. what consequence should the cio meet for failing to meet such a baseline of cyber security on the network. may i hear your thoughts on that. >> i believe that the cio is responsible for the implementation of a solid plan and i believe that my cio has been doing that. we are working with a legacy system that is decades old and using all of our financial and human resources to improve that system. this is an effort -- this is a cyber security -- it is a government-wide effort and we all must work together to improve the systems that we have
3:46 pm
government wide. >> and i'm not sure that the american people are content with the pace of how we are all working together. i want to speak a little bit to this einstein. i've heard several different comments today regarding it. and the question is even if einstein is a necessary component to defending the system, i believe the private sector is already moving on this kind of technology. is that a fair question and what is the dhs doing to keep pace with attackers. >> einstein is sufficient but not a good tool for detecting deficiency. and we are supplementing einstein with diagnostics and mitigations at the agencies and looking at einstein at taking what is a signature-focused system and adding capabilities to detect previously unknown intrusions but as you do that you receive more false positives and in other words you receive more indications that an intrusion occurred even if it did not occur and we have to do that
3:47 pm
carefully so we are not overwhelmed by bad data. >> and it seems that you are more excited or more confident in the einstein 3a version and is that going to be more solid to keep the attackers out. >> it is a step forward. it is classified and modelled on a department of defense program. it is still a signature-based program but it will rely on classified information to detect adversaries and block them from intrusion. >> and i heard you say how that system needs to be supplemented with others is that correct. >> that is correct. no single system here will solve this problem. >> and in this lies my problem.
3:48 pm
because even on the dhs website and talking about einstein three it said it prevents malicious traffic from harming networks. if that is all inclusive, shouldn't we understand that before today's hearing. why are we now getting information that this should not be enough to prevent a catastrophic compromise. >> i can't speak about the web page you are referring to and i have been consistent in all of my interactions with congress to highlight we do need a defense in depth strategy and no one tool will be responsible for all of the problems. >> and who is responsible for posting this information onto the website. >> we'll look into that and get back to you as necessary. >> thank you, i yield back. >> now recognize mr. cartwright for five minutes. >> thank you. and i thank the chairman and the ranking member for calling this hearing. director archuleta, i know there have been much bigger data breaches than this one but i am concerned and i share the sentiment of mr. connolly from virginia, this is extremely troubling and we're talking about 4 million plus federal workers, people who dedicate their entire careers, indeed their entire lives to our
3:49 pm
country and now their personal information has been compromised through absolutely no fault of their own. if i understand your testimony, the personal information of about 4 million current and former employees was potentially compromised and i want to ask you, as your investigation continues, do you believe that that number is going to be bigger than 4 million? >> thank you for your question. in my opening statement i described two incidents. >> no, it is a yes or no question or i don't know? >> no. because of the two incidents, the first is 4.2 million and an ongoing investigation led us to understand that the federal investigative -- >> you know what i mean is i say it is a yes or no question. >> yes, sir. >> do you think it would be more
3:50 pm
than 4.2 million people. >> yes, sir. >> miss seymour, let me turn to you for more detailed responses. your i.t. professionals discovered the breach in april, and also as mr. connolly mentioned, they believe the hack may have begun back in december, am i correct in that? >> yes, sir. it began in 2014. >> and something else happened in december of 2014. opm's contractor keypoint revealed it was targeted in an earlier cyberattack. this is the contractor that does the majority of your agency's background check investigations, am i correct in that? >> they do a number of our background investigations, sir. i'm not sure of the numbers. >> and in that case the attack against keypoint was successful, personal information was, in fact, compromised, correct? >> yes, sir. >> on friday abc news issued a
3:51 pm
report entitled "feds eye link to private contractor in massive government hack." this article says this, "the hackers who recently launched a massive cyberattack on the u.s. government exposing sensitive information of millions of federal workers and millions of others may have used information stolen from a private government contractor to break into federal systems." the article goes on. the hackers entered the u.s. office of personnel management, opm computer systems after first gaining access last year to keypoint government solutions. it continues. "authorities, meanwhile, believe hackers were able to extract electronic credentials or other information from within keypoint systems and somehow use them to help unlock opm systems according to sources.
3:52 pm
"the hackers rummaged through separate segments of opm systems and compromising the 4 million current and former federal employees." miss seymour, i know we're having our classified briefing later and i thank you for coming to that, but can you comment on these reports? did these hackers get what they wanted in the previous attack against opm's contractor keypoint so they could then go after opm itself? >> i believe that is a discussion we should have in a classified setting, sir. >> fair enough. and we know the other contractor usis was also breached last year and its information was also compromised. can you tell us if those hackers got information in the usis breach that they were then able to use in the attack against opm. >> again, that is a discussion we should have later. >> i understand. i certainly don't want you to
3:53 pm
disclose classified information here. but let me end with a final question to the whole panel. private companies are only as strong as their weakest link. last year we saw breaches of keypoint and now agencies have leverage over contractors using the provisions in the contracts and the billions of taxpayer dollars they pay out to the companies, so i want to ask each of you, how can agencies use that leverage to improve cybersecurity practices of contractors so that they do a better job of safeguarding the information that they are entrusted with? go ahead. right on down the line. starting with you, ms. archuleta. >> what we can do with the contractors that we engage is to
3:54 pm
make sure they have the security systems that match the federal government's and they are using the same sort of systems. in addition -- i want to be sure i understand your question, the contractors that we employ as individuals or as companies? >> the contractors as companies. >> that in our contracts with the companies, we are now working to make sure that they are adhering to the same standards that we have in federal government as outlined in our rules. >> dr. ozment. >> representative, dhs for its own contracts, as one example, has been working to build additional cybersecurity requirements and i would refer you to fedramp, a government baseline security requirements for cloud contractors to the government.
3:55 pm
>> mr. scott. >> yes, i think as my colleague anne rung and i testified last week, we are also strengthening the federal contract procurement language and creating contract language that any agency can use as a part of their standard contracts. >> thank you. miss burns. >> i think it is about beefing up the security clauses in all contracts so they cover the full extent of what we need and doing the monitoring and follow-up to make sure they are adhering to the clauses of the contract. >> miss seymour? >> i agree with everything my colleagues put forth and i will add that site inspections are important and that is something we do at opm and monitoring and looking at something every third year is not ample. and that is not a best practice and we need to move more toward looking at different security controls at different intervals of time. the other option that we do use is our i.g. also does inspections of our contractor companies.
3:56 pm
>> mr. esser? >> i agree with what the other witnesses stated. and as miss seymour just said, we do go out and do audits of contractors, background investigation companies as well. so we can be used and see ourselves in that role. >> mr. chairman, i thank you for your indulgence. and i want to note that usis was invited here today -- >> i appreciate. you're almost 3 minutes over time. we have classified that we have to go to and members with questions. >> yield back. >> i now recognize mr. russell from oklahoma for five minutes. >> thank you, mr. chairman. i'm baffled by all of this. upon receipt -- or upon your appointment of directorship of opm, director archuleta stated
3:57 pm
she wanted to build an inclusive work force and who would have thought that included our enemies. in testimony today we heard statements that we did not encrypt because we thought they might be able to decrypt or decipher. that is just baffling to me. there was another statement i heard earlier today that said had we not established the systems we would never have known about the breach. that is tantamount to saying if we would never watered the muddy flowerbeds we wouldn't have seen the footprints on the muddy sill this puts us at risk and foreign nationals that interaction. and at corner are the form 86
3:58 pm
forms which i'm familiar with in my background prior to coming to congress. we had sean gallagher who summed it up probably best. >> would one of the considerations be encrypting social security numbers. does it take a degree in i.t. and cyber security to encrypt social security numbers? i didn't think so. did your cybersecurity strategic
3:59 pm
plan include leaving half of opm systems without protection when you formulated it? was that part of the plan? >> no, sir. >> then why was it not made a priority? >> the systems that the ig referred to in our plan is that -- those systems that he recommended we shut down, he recommended that we shut them down because they were without authorization. all of our systems are now authorized and they are operating. i have to say that we are looking at systems that are very, very old. and we can take a look at encryption and other steps that can be taken and we are certainly doing that but as we look at this system we are also having to deal with decades of --
4:00 pm
>> and i understand that. but i also understand there is an old saying that we had in the military, poor is the workman who blames his tools. missions can be accomplished, even with what you have. and measures could have been done had this been made a priority. and what i see now is why did opm have no multifactor means. if they get into the system, they have free rein, is that correct? >> we have implemented multifactor and miss seymour has multifactor with our remote users. >> and when was that put in place, before or after the breach. >> this began in january of 2015. >> so stolen credentials could still be used to run free in the system, is that correct? >> prior to the time of the two factor authentication, it would take -- it takes time to
4:01 pm
implement all of these tools. i am as distressed as you are about how long the systems have gone -- have gone neglected when they've needed much resources. and it is my administration that we have put the resources to it. we have to act quickly, which we are doing, and we're also working with our partners across government. as i said before, cybersecurity is an issue that all of us need to address across the -- >> was a priority made to the outside systems that were most vulnerable that would allow the free run. >> would you repeat the question. >> was a priority made to the outside accessing systems to the opm data access, that they have a free rein, a free run. >> yes. but as i said before, with the legacy systems, it takes time. >> it didn't take our enemies time. thank you, mr. chairman. i yield back.
4:02 pm
>> now recognize the gentleman from california, mr. lieu, for five minutes. >> dr. archuleta, under your watch, last march, opm data was breached. and this year the same database was breached and a third data breach contained over 4 million federal employee database information was breached and my question to you, it is a simple yes or no, do you accept responsibility for what happened? >> i accept responsibility for the administration of opm and the important role of our i.t. systems in delivering the services, and i take very seriously my responsibilities in overseeing the improvements to a decades old legacy system. >> i don't really quite know what that means. i asked for a yes or no. but that is fine. you've answered it. i'm going to reserve the balance of my time to make a statement.
4:03 pm
having been a member of this oversight committee and computer science major, it is clear to me, there is a high level of technological incompetence across many of our federal agencies. we've held hearings showing federal agencies couldn't implement or deploy i.t. systems without massive bugs or massive cost overruns. we've held hearings where one federal agency, the fbi, had a fundamental misunderstanding of technology where they continue to believe they could put in back doors to encryption just for the good guys and not for the hackers, which you cannot do. we had over 10 federal data breaches last year. so there is a culture problem and a problem of civilian leadership not understanding we're in a cyberwar. every day, we're getting attacked and both the public and the private sector. the u.s. military understands
4:04 pm
this and that is why they stood up an entire u.s. cyber command. and until we understand the gravity of this issue we'll continue to have more data breaches. let me give you some examples of this problem. you said there was unencrypted social security numbers. that is unacceptable. and we see at the data breaches and then look at page 12, it says as of november of last year, opm had not yet done a risk assessment. that is ridiculous, especially since you knew in march your system was breached. that is a failure of leadership. and this goes beyond just opm. mr. scott, you've only been here a few months so you'll get a pass on this. why was it that it wasn't until last friday the agencies were
4:05 pm
ordered to put in basic security measures and why wasn't this done last year or years before and that was a failure of leadership above opm and when there is a culture problem what have we done in the past especially in the area of national security? you can't have the view this is legacy system and we have these excuses. in national security it has to be zero tolerance. that's got to be your attitude. we can't have these breaches. the cia can't go around saying every now and then our system will have spies and data breaches. that can't happen. and when you have a culture problem as we have had here, in the past when agencies have this, leadership resigns or they're fired. at the dea leadership left. we had this happen at the secret service and at the veterans administration and we as the government have this, one to send a signal that the status quo is not acceptable. we cannot continue to have this attitude where we make excuse after excuse. and i've heard a lot of testimony today but the one word i haven't heard is the word sorry. when is opm going to apologize
4:06 pm
to over 4 million employees that just had their personal data compromised. and when are they going to apologize to the employees that had personally devastating information released through the form 86. i haven't heard that yet. and when there is a cultural problem, we send a signal to others that the status quo is unacceptable and we want new leadership. so i'm looking here today for a few good people to step forward, accept responsibility, and offered to for the good of the nation. i yield back. >> thank you to the gentleman. well said. now recognize the chairman of the i.t. subcommittee, mr. hurd of texas, for five minutes. >> thank you, mr. chairman. it is my hope that every agency head and every cio of these agencies are listening or
4:07 pm
watching or will read the testimony after this event and that the first thing they do when they wake up tomorrow is pull out the gao high risk report that identifies areas and read their own report and work to address those remediations. i've been at this job for 21 weeks, similar to mr. scott, and one of the things you hear from people, they're frustrated with their government. one, intentions are great. ms. archuleta, you said at the beginning, that the security is paramount and that is paramount. i believe you believe that. but the execution has been horrific. intentions are not enough. we have to have execution. and this is the thing that scares me. so my question, and let's start with you ms. archuleta, did the hackers use a zero vulnerability to get into your network?
4:08 pm
>> i think that would be better answered in a classified setting. >> well, if it was a zero vulnerability, i hope everybody has been notified of the zero day, not only the government but the private sector. we shouldn't be keeping secrets as zero day vulnerability. i spent almost my adult life in the cia doing that. that is something we need to get out. and if we haven't -- because i read that einstein did detect the breach after the appropriate indicators of compromise was loaded into it. so my question is, how long did the federal government did somebody have access to these indicators of compromise and why did it take however much of that time to get it into the einstein system and has that been promoted to every other agency that is using einstein, too? >> representative, opm once they implemented their security measure and discovered the breach,
4:09 pm
gave us the indicators of compromise immediately and we loaded it into einstein immediately. that is we loaded into einstein 2 to detect and looked back through history to see if any other traffic back in time had indicated a similar compromise. that is how we found an intrusion into opm that led to the discovery of the breach of the personal records. and we also put into einstein 3 so agencies covered by einstein three would be protected against a similar activity moving forward and we held a call with all of the federal cios and disseminated them and asked them to search their networks. >> has that been done? >> that has been done. >> so ms. seymour, you talk about legacy systems and the difficulty of protecting those. what are some of the legacy systems and what programming software has been used to develop those systems? >> these are systems, sir, that
4:10 pm
have been around for going close to 25, 30 years. they are -- >> so it was written in cobol? >> -- cobol systems. one of the things i would like to offer is that director archuleta and i actually were brought here to solve some of these problems. >> when did you start your job? >> in december of 2013. >> and why did we wait to implement two factor authentication until after this hack? >> we have not waited. >> so it was being deployed prior. >> these are two decades in the making. we're not going to solve them in two years. >> that is where i disagree with you. because, again, we have to stop thinking that we have years to solve the problem. we don't. we should be thinking about this in days. ms. archuleta, how much overtime have you signed off on since
4:11 pm
this happened, of people that are dealing with the compromise? >> my cio team works 24/7. >> so if i walk into your building at 8:00 p.m. at night there's going to be people drinking red bull working furiously in order to solve this problem? >> i'm very proud of the employees working on this issue and they have been working 24/7. >> mr. scott, you've inherited a mess, my man. and we're looking for you and whatever this committee can do to help you ensure that things like this don't happen, to ensure that these agencies and the cios are implementing the recommendations of the ig and the gao recommendations. we're going to continue to drag people up here and answer these questions because that's our responsibility and we have to say -- look. i recognize that, you know, you're not going to stop anybody from penetrating your networks. but how quickly can you identify them, quarantine them and kick them off the network? those are the three metrics we should be using about the health of our systems, and we're
4:12 pm
woefully inadequate. i yield back the time i did not have. >> thanks, mr. desantis of florida is recognized for five minutes. >> thank you, mr. chairman. ms. archuleta, in your testimony you said, i think this is the direct quote, we have now confirmed that any federal employee from across all branches of government whose organization submitted service history records to opm may have been compromised even if their full personnel file is not stored on the opm system. what do you mean by service history? >> there may be -- their careers. they may have been in a different position earlier than perhaps as they move around government. so it may be someone who current -- whose job would not be -- current job would not be in the system but because of their service history their information would be dated back. and it's for retirement purposes. >> okay. so potentially broader breach. i'll tell you, with sf86, i
4:13 pm
remember filling that out when i was a young officer in the navy. and it is by far the most intrusive form that i've ever filled out. it took me days. i had to go do research on myself to try to figure out. and it's not just that you're doing a lot of personal and sensitive data about the individual applicant. the sf86 asks about family members, it asks about friends, spouse, relatives, where you've lived, who you knew when you lived in these different places. it also asks you to come clean about anything in your past life. and so to me, you know, people have said this is crown jewels material in terms of potential blackmail. and so this is a very, very serious breach. my question for ms. archuleta, were cabinet level officials implicated in this breach?
4:14 pm
>> sir, this type of information would be better discussed in a classified setting. >> understood. what about people in the military and intelligence communities? >> as i mentioned earlier, i believe that this is something that we could respond to in a classified setting. >> and so you don't disagree with my characterization of the sf86 and that the compromise, let's just say theoretical if you don't want to say what actually happened here, that that is a major, major breach that will have ramifications for our country? >> as i said, we'll discuss this with you in the classified setting. >> sf86 forms require applicants to list foreign nationals with whom they're in close contact. china has a list of chinese citizens worldwide who are in close contact with american officials. they can and will obviously use that information for espionage purposes. so what are the security implications of that type of information falling into enemy hands?
4:15 pm
that could be for anybody. >> sir, that is a question that we will discuss in the hearing this afternoon. >> okay. now, some reports say that not only were the hackers pursuing information on federal employees but also password and encryption keys that could be used for trade secret theft and espionage. i guess you'll have more to say about that in a classified setting. at least for this forum, can you say that that is a significant risk, that is not the type of information that we would want the enemy to have and it can in fact be very damaging, correct? >> again, sir, we're going to defer discussion of that until the classified briefing. >> and i get that. and i'm -- i will be there and i will listen intently. but it really concerns me because this is a really a treasure trove for our enemies
4:16 pm
potentially. and the fact that this system was hacked and we didn't even know about it for a long time, you know, that is really, really troubling. and i think that the american people -- i mean, if you ask people to want to serve in these sensitive positions and they think that by filling out these forms they're actually going to put themselves or their family potentially at risk because the government is not competent enough to maintain that secretly, that is a major problem as well. so the information can be used against the country. then you're also, i think, going to have a chilling effect on people wanting to get involved if we don't get a handle on this. i look forward to hearing from the witnesses in a classified setting and i yield back the balance of my time. >> now recognize the gentleman from alabama, mr. palmer, for five minutes. >> thank you, mr. chairman. ms. seymour, does the employee exposure extend only to those that filled out standard form 86, or does it include others as well? >> our investigation is ongoing, sir. >> ma'am, apparently it does
4:17 pm
because i have two employees who have never filled out a standard form 86 and they have a letter from you informing them of the possibility that their data may have been compromised. i'll ask you again, and it's a yes or no. does it extend beyond the people who filled out an sf86? >> my answer to that is yes, sir. there are two incidents we've come here to talk to you about today. >> why didn't you answer yes to start with? >> you were talking about sf86s, sir. >> i made it clear. i asked you did the exposure extend beyond those who filled out sf86. and you said the investigation was ongoing. apparently you've investigated enough to send a letter to employees who didn't fill out those forms. so thank you for your yes answer. is there -- in your judgment,
4:18 pm
ms. archuleta, how likely is it that the hackers were able to access these personnel files through an employee account? >> sir, we'll be able to discuss that with you during the classified session. >> let me be a little more specific. are you familiar with "the wall street journal" article that indicated that it was possible that the breach occurred through personal e-mail accounts, because employees were using the federal system, and that early in 2011 the immigration customs enforcement agency noticed a significant uptick in infections and privacy spills and they asked for a directive or they put out a directive that federal employees could not use the federal system to access their personal e-mails. but the american federation of government employees filed a grievance with the federal
4:19 pm
arbitrator claiming that that was something that needed to be bargained and needed to be part of the collective bargaining agreement. and the arbitrator dismissed the security arguments in 75 words claiming the law didn't give the federal agencies exclusive discretion to manage the i.t. systems. i.c.e. wasn't able to shut that off. do you have any comment on that? >> no, sir. again, those are issues that we'll be able to discuss in the classified hearing. >> well, it's being discussed in "the wall street journal." i think for now, since we need to head to the hearing, i will yield the balance of my time. thank you, mr. chairman. >> now recognize the gentleman from georgia, mr. hice, for five minutes. >> thank you, mr. chairman. mr. esser, what are the risks that are associated with not having a valid system authorization? >> the risks are evident that
4:20 pm
not having a valid authorization essentially could be a symptom of weak controls over operating systems and applications and lead to things such as a breach. >> okay. with all the things that we're talking about here today -- and ms. seymour you were obviously fully aware of these risks and opm were aware of the risks? >> yes, sir. i was aware of these reports. >> okay. now, this is -- i kind of hate going back to this because it's come up several times already today. but still, i'm waiting for an answer. the inspector general, of course, put out his report last november expressing great alarm recommending that opm consider shutting down the system because of the risks that you knew about, ms. archuleta knew about, and yet these recommendations
4:21 pm
were ignored. i'm going to come back to you with this because quite frankly ms. archuleta has tried to dodge this question and dance all around it. i want to come straight up with you, why were those recommendations not followed? >> two reasons, sir. one is an authorization to operate is merely the documentation of the security controls of a system and their effectiveness. that does not mean simply because you don't have an authorization that those tools don't exist. the other effort is as the ig was doing its audit, we were taking all of those vulnerabilities into play. we had already developed a security plan that we were in the process of implementing. and the ig admits in their report that we were in the process of implementing many of those controls.
4:22 pm
>> did the plan that you were in the process of implementing work? obviously it didn't. would shutting it down have worked? >> the controls that we put in place allowed us to stop the remote access to our network and they also allowed us to detect this activity that had occurred prior to the ig report. >> but the vulnerability was still there, and your plan failed. >> there are vulnerabilities in every system. what we do is a risk management process, sir, where we look at the vulnerabilities as well as the business that we must conduct. >> mr. esser, let me come back to you. what currently are the consequences of owners of opm i.t. system, currently what are the consequences now if they operate without a valid
4:23 pm
authorization? >> there are essentially no consequences. we report that in our audits. but other than that, there are no official sanctions in place. it is something that gets publicized and that's the extent. >> it sounds to me like this thing is still not being taken seriously. no consequences for operating without authorization. why in the world are we still operating without authorization, or is that occurring? >> sir, i have extended the authorizations that we had on these systems because we put a number of security controls in place in the environment. we have increased the effectiveness of the security around those systems. >> but there's no consequences for not operating on a system with authorization? so how serious are you taking it? >> there are consequences. >> what are they? >> those consequences are if you, if you aren't doing the assessments, documenting them is while that is evidence that those assessments have been
4:24 pm
done, the assessments themselves are more important. the scanning of the network, the tool -- >> that's not the consequences. what are the consequences? you said there are consequences. i want to know what they are. >> the consequences that we have are we report to omb on a quarterly basis about the status of our security and our network. >> that doesn't sound like consequences. that sounds like just reporting that you're required to do anyway. there's no consequences involved in those reports. all right. mr. esser, again, are there measures that need to be taken to get the whole thing up to the standard it ought to be? i mean, is there anything that you would recommend? >> yes, yes. we do recommend that the cio, the agency, take the steps that in a lot of cases they're beginning to take.
4:25 pm
the centralization of the i.t. governance is well along the way. what they also need to do is get a full inventory of the assets that they're responsible for protecting. and the shell project that ms. seymour has alluded to earlier is also something that we support. we also have some concerns about the way it's been -- the project has been started and managed, but overall, we support the idea behind the shell project. >> we appreciate the gentleman. i now recognize the gentlewoman from new mexico, michelle lujan grisham for five minutes. >> thank you, mr. chairman. thank you for having this important hearing. i want to thank the panel for
4:26 pm
taking this conversation and these questions so seriously. in new mexico, we're one of the states that has one of the largest percentage or per capita federal employees in the country, in the top five. so i've got 50,000 federal employees in my home state. and i am on their side by being incredibly concerned about this and quite frankly many other data breaches. the growing sophistication, frequency, and impact on both public and private entities by cyber attacks continue to be a very serious threat. in fact, two days after my first election, one of the key briefings by one of the national labs, which is in my district, and kirtland air force base, is continuing growing concern with cybersecurity issues and their aggressive responses, both to be proactive as much as they can be and to appropriately be reactive once you've got an identifiable breach. and given the data breach at opm
4:27 pm
and at home depot and target, anthem, it's clear to me that not only does the federal government have a role in protecting federal employees and the information that you have, but we have a role in working to protect the public in general from these serious and continuing series of cyberattacks. but i recognize also that this is a very challenging effort and that there's not a simple solution. if there was, we could stop this hacking altogether and have the magic bullet. as much as i want you to do that, i don't want to minimize the fact that i recognize that's more difficult to say than do. no, it's easy to say, not so easy to do. my concerns are growing given that even the best in the country are facing significant cyber attacks, including the lab
4:28 pm
who we are relying on for innovative and appropriate technologies to implement. so given that and all the questions you've had about accountability, the serious nature, here's really my question. federal government is not known for being, and i mean no disrespect by this, just stating the facts, it's not a very proactive, reactive body just by the nature of how large it is, how broad our mission is, how we are dependent on whatever the resources are and the priorities are at any given time. given that climate and the role to protect the general public and your role to protect federal employee information, what can you do that's different, that puts you in a position to be much more proactive, particularly given the nature of cyberattacks and quite frankly they're already hacked in as you're making the next modification. anyone on the panel?
4:29 pm
i mean, mr. scott, that may be a question that's primarily for you, but i'd be interested in anybody's response. >> sure. i can think of several things in the short run that, you know, actually we already have underway. but probably long term the biggest thing is to double down on replacing these legacy sort of old systems that we have. one of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats. it's, you know, in some cases very, very hard to sort of duct tape and band-aid things around these systems. it doesn't mean there's nothing you can do, but fundamentally, it's old architectures that need to be replaced and security needs to be designed into the very fabric of the architecture of the hardware, the software, the networks, the applications. the faster we can do that, the
4:30 pm
faster we're on a better road. >> and given your role to do that in federal government, i'm not clear today what percentage of legacy systems and old architecture platforms we're still operating under and which departments are more at risk than others. what is the time frame for getting that done, and what's a reasonable course for this committee to take to make sure we've got accountability in federal government to move forward exactly in that effort? >> well, i think first thing is we're going to be very transparent with you in terms of the omb reports, in terms of where we're at on that journey as we go through our work over the course of the year. several of the members of this committee have said they're going to pay very close attention to that, which i encourage. >> the gentlewoman -- our time is so tight for our 1:00 briefing. we would like a full and complete answer. there will be questions for the record, and we will continue to follow up. i hope you understand. >> be happy --
4:31 pm
>> we need to give time for the gentleman from wisconsin, mr. grothman. now recognized for five minutes. >> i'm glad we established that the federal government is not a proactive, reactive body. it's something for us to always remember no matter what bill moves around here. something to remember about the federal government. be that as it may, first question i have for you guys, this is kind of a significant story here. just out of curiosity, to see how the federal government operates, has anybody lost their job over this? has there been recriminations in that regard? sure, we'll give you the question. >> no, sir. >> okay. next question, i don't care who answers it. as i understand, it took months for the state department to root out the russian hackers and their unclassified systems. now, apparently the chinese hackers are known for leaving behind time-delayed malware. do we know for sure that these people are out of the system by
4:32 pm
now, or could they still be poking around? >> representative, we have a joint interagency team led by dhs with participation by the fbi and national security agency who have worked with opm and the department of interior on this incident. they have assessed that they have fully removed the adversary from these networks, but it is extremely difficult to have 100% certainty in these cases. >> okay. so it could be, but you think probably out. >> yes, sir. >> okay. final question. apparently the rumors people are now selling some of these files. is this a threat, or do we know if it's going on? and if it's going on, are we doing anything to counter that? >> sir, i think that's -- the impact and such questions are better suited for the classified briefing we're about to have. >> okay. i yield the remainder of my time. >> thank you. i want to thank the panelists and everybody here. i think you understand on a bipartisan basis how serious we
4:33 pm
take this situation. to those federal employees who are affected, one of the things that should come out is in the very end of the letter, if you receive one of these letters, it does note that the office of personnel management is not going to call you. they're not going to contact you to provide additional information. there will be some very bad actors that are going to try to take advantage of this bad situation and exploit it for their own personal gain. they've already done that. they're going to do it again. and there are going to be others that are going to try to do that. so all of our federal employees, please do not fall victim yet again to somebody who's going to send you an e-mail or make a call and try to prey upon you further. it was noted in the letter. it's worth noting here from the pulpit. again, we look forward to the 1:00 classified briefing. we're going to have to hustle. the committee now stands adjourned. thank you.
4:34 pm
president obama delivered a statement earlier today concerning last night's shooting at the emanuel ame church in charleston, south carolina that resulted in the deaths of nine people. the suspect is in custody and federal officials are treating the investigation as a hate crime. in his brief remarks the president expressed frustration over the many times he's had to issue statements following a mass shooting and the frequency with which they occur in the united states. vice president joe biden appeared with president obama in the white house briefing room. good afternoon, everybody. this morning i spoke with and vice president biden spoke with mayor joe riley and other
4:35 pm
leaders of charleston to express our deep sorrow over the senseless murders that took place last night. michelle and i know several members of emanuel ame church. we knew their pastor, reverend clementa pinckney who, along with eight others, gathered in prayer and fellowship and was murdered last night. and to say our thoughts and prayers are with them and their families and their community doesn't say enough to convey the heartache and the sadness and the anger that we feel. any death of this sort is a tragedy. any shooting involving multiple victims is a tragedy.
4:36 pm
there is something particularly heartbreaking about a death happening in a place in which we seek solace and we seek peace. in a place of worship. mother emanuel is, in fact, more than a church. this is a place of worship that was founded by african-americans seeking liberty. this is a church that was burned to the ground because its worshipers worked to end slavery. when there were laws banning all black church gatherings, they conducted services in secret. when there was a nonviolent movement to bring our country closer in line with our highest
4:37 pm
ideals, some of our brightest leaders spoke and led marches from this church's steps. this is a sacred place in the history of charleston, and in the history of america. the fbi is now on the scene with local police and more of the bureau's best are on their way to join them. the attorney general has announced plans for the fbi to open a hate crime investigation. we understand that the suspect is in custody, and i'll let the best of law enforcement do its work to make sure that justice is served. until the investigation is complete, i'm necessarily constrained in terms of talking about the details of the case. but i don't need to be constrained about the emotions that tragedies like this make. i've had to make statements like this too many times. communities like this have had to endure tragedies like this too many times. we don't have all the facts, but
4:38 pm
we know that once again innocent people were killed in part because someone who wanted to inflict harm had no trouble getting their hands on a gun. now is the time for mourning and for healing. but let's be clear, at some point, we as a country will have to reckon with the fact that this type of mass violence does not happen in other advanced countries. it doesn't happen in other places with this kind of frequency. and it is in our power to do something about it. i say that recognizing the politics in this town foreclose a lot of those avenues right now. but it would be wrong for us not to acknowledge it.
4:39 pm
and at some point it's going to be important for the american people to come to grips with it. and for us to be able to shift how we think about the issue of gun violence collectively. the fact that this took place in a black church obviously also raises questions about a dark part of our history. this is not the first time black churches have been attacked. and we know that hatred across races and faiths poses a risk to our democracy and ideals. i'm confident the outpouring of unity and strength and fellowship and love across charleston today from all races,
4:40 pm
from all faiths, from all places of worship indicates the degree to which those old vestiges of hatred can be overcome. that certainly was dr. king's hope just over 50 years ago after four little girls were killed in a bombing at a black church in birmingham, alabama. he said they lived meaningful lives and they died nobly. they say to each of us, dr. king said, black and white alike, that we must substitute courage for caution. they say to us that we must be concerned not merely with who murdered them but about the system, the way of life, the philosophy which produced the murderers. their death says to us that we must work passionately and unrelentingly for the realization of the american dream.
4:41 pm
and if one will hold on, he will discover that god walks with him and that god is able to lift you from the fatigue of despair to the buoyancy of hope and transform dark and desolate valleys into sunlit paths of inner peace. reverend pinckney and his congregation understood that spirit. their christian faith compelled them to reach out, not just to members of their congregation, or to members of their own communities, but to all in need. they opened their doors to strangers who might enter a church in search of healing or redemption. mother emanuel church and its congregation have risen before from flames, from an earthquake and other dark times to give
4:42 pm
hope to generations of charlestonians and with our prayers and our love and the buoyancy of hope, it will rise again now as a place of peace. thank you. here are some of our featured programs this weekend on c-span networks. 8:00 eastern ruth bader ginsburg on national issues like gay rights, race relations in america and the production of a new movie about her life and career. and sunday night at 6:35, a profile interview with presidential candidate texas senator ted cruz. on book tv on c-span 2, saturday morning at 10:00 eastern we're live for the annual roosevelt reading festival. authors include christopher
4:43 pm
o'sullivan, sheila collins and her book "when government helped." on sunday night at 9:00 on after words mona on the need of a sexual revolution in the middle east. this weekend on american history tv on c-span3 we're live from the gettysburg college civil war institute's annual conference saturday morning beginning at 8:30 eastern. at 1:00 on abraham lincoln and the press. and sunday morning we continue our live coverage beginning at 8:30 with city college of new york history professor gregory downs on the consequences of the civil war. later at 11:00, a discussion about treason and loyalty during the civil war. get our complete schedule at c-span.org.
4:44 pm
former secretary of state madeleine albright and steve hadley led a discussion recently marking the launch of their middle east task force. the purpose is to make recommendations for u.s. policy in the region. they spoke at an event in washington, d.c. for about 90 minutes. good afternoon. good afternoon. on behalf of the chairman of the board of the atlantic council, jon huntsman, on behalf of the vice president of the atlantic council, director of the rafik hariri center for the middle east, frank ricciardone and all of us from the atlantic council, welcome to the launch of the atlantic council's middle east strategy task force. i'm fred kempe, president and ceo of the atlantic council.
4:45 pm
we're pleased to be joined by some of the task force's senior advisers as well as many of our friends from middle eastern and european diplomatic communities. as you can see by looking around you, we have a full house but we also have a virtual full house. so welcome, also, to our viewers around the world. this event is live streaming on our website in arabic translation as well, and a full video of today's event, both in arabic and english, will be posted on the council's website following the event. this is an innovation for us. i believe, frank, this is the first event we've done with live translation, live streaming from the hariri center. we now have this capability and we will do this more often. we encourage you to interact online by following @acmideast
4:46 pm
and tweet #acmest, as well. acmest is the hashtag for this website. i want to particularly greet, welcome and salute the founder of the rafik hariri center for the middle east, bahaa hariri, who is in washington today with us for the launch of this group. on behalf of all of us, bahaa, i want to thank you for your vision without which this center would not exist and this task force would not exist. and thank you for entrusting to us the legacy of your great father, prime minister rafik hariri. today after more than a year of behind the scenes groundwork, we're proud to announce the former u.s. secretary of state madeleine albright and former u.s. national security adviser steven hadley will co-chair the middle east strategy task force in the bipartisan manner for which the atlantic council has become known. it's an ambitious project to
4:47 pm
advance the public policy discussions toward a new global consensus on how to address the challenges and opportunities confronting the middle east. in a moment, i'll invite secretary albright to the stage to tell us more about the task force's work. but let me first give you some context on how this task force fits in the atlantic council's larger mission of working together with our friends and allies around the world to secure the global future. through the ideas we develop and the communities we convene, we emphasize an active approach to policy communities around the world with a premium on highly relevant and impactful policy recommendations. over the last several years, we've seen a growing need for well-developed actionable strategy for addressing the world's problems. for too long, the united states and its global friends have focused on tactics, jumping from crisis to crisis without a
4:48 pm
larger plan for leading the world to a better future with our friends and allies. to begin answering that need, the atlantic council this spring launched a comprehensive strategy initiative led by our brent scowcroft center on national security using a multi approach to guide american foreign policy irrespective of the outcome of the 2016 elections, a foreign policy led by our interests and the interests of our friends and allies around the world for a better future. the middle east strategy task force that we announced today, led by the rafik hariri center for the middle east, is an element of that larger effort with a specific goal of advancing the strategic collaboration among americans, among our closest friends and allies in europe, and among our closest friends and allies in the middle east about the future of the middle east. this is not americans talking to americans about what others ought to do.
4:49 pm
this is -- this is a multi-stakeholder conversation about what those in the middle east believe their future ought to be and then how do we help them get there. the task force will explore alternative policy approaches and convergences that can lead to the breakthroughs to a more stable and prosperous region. rarely is the world confronted with challenges more intractable than those in the middle east today. but i'm equally confident that there's rarely been an initiative better equipped to address those challenges, nor leaders more capable in cultivating the right kind of change as we find in this task force. with two of the great foreign policy strategists of our times, secretary albright and mr. hadley, chairing the project alongside the incredible energy and diplomatic savvy of frank ricciardone and a network of advisers and supporters that spans the globe. i think there's a real
4:50 pm
opportunity for impact. we certainly are going to give it our best try. it's now my pleasure to invite the task force cochairs to the stage to kick off the event. executive vice president of the board of the atlantic council. the other is an honorary director of the atlantic council, both dear friends of this organization. since leaving office, both secretary albright and former national security adviser steve hadley have remained deeply engaged in the issues of the middle east. steve serves as the chair of the u.s. institute of peace which has been deeply engaged in trying to mitigate conflict in the region at national and local levels. he's also chair of rand's middle east board. one of their many bipartisan collaborations since leaving office was a cfr task force on turkey, a collaboration between the two of them. as the chair of the national democratic institute and of
4:51 pm
partners for a new beginning, an organization that seeks to build new understanding between the u.s. and the muslim world, secretary albright has been a champion both for political and economic development in the region. her 2007 book, the mighty and the almighty was a front-runner in calling for reassessment of u.s. strategy toward the world, specifically citing the independence of politics and the region. so secretary albright, this stage is yours. [ applause ] >> i do lack some of fred's height. thank you very much, fred, for your kind words and my thanks to you and the atlantic council for bringing us together to examine one of the most complicated and salient issues of our time. and i'm particularly gratified to see so many distinguished members of the diplomatic corps in this audience.
4:52 pm
your presence here today underscores the global perspective that we want for this project and our -- and our emphasis today on listening to voices from the region reflects our determination to incorporate the views of your citizens in our research. as fred mentioned, it was last year that steve hadley and i began discussing the need for a focused effort to better understand what is happening in the middle east. and i would like to say what a pleasure it is to work with steve hadley on this project and many others. the reasons are simple. yet compelling. and this is a region of tremendous importance to the united states and to the world and it's facing a set of overlapping crises unlike any we have witnessed in generations. policymakers here in washington have been working around the clock to navigate these crises and protect america's full range of interests. but having both served in the
4:53 pm
government, steve and i know how easy it is for the inbox to get overrun. and there is rarely the opportunity to take a step back and consider the deeper issues at hand. to get at the root causes of the crises and to develop an effective and enduring long-term approach in concert with people from the region. so the important part is to take the time and step back but look forward. that is, in part, what we hope to accomplish with this bipartisan project. it's an ambitious effort, but we begin in a strong position because we can leverage the considerable resources of the atlantic council's rafik hariri center for the middle east. and for that reason, i also would very much like to take a moment to acknowledge and thank mr. bahaa hariri whose generosity has made this effort possible and who has done so much to advance the causes of progress
4:54 pm
and peace that were so dear to his father's heart. thank you so very, very much. i would also like to thank the hariri center's director and my very dear friend, ambassador frank ricciardone, who has been one of the finest diplomats the united states has had. thank you, frank. we're all lucky that after a long and distinguished diplomatic career, frank has chosen to stay involved in the public policy debate and it's really his vision that has helped shape this into a distinctive and compelling project. and i say that it is distinctive for a few reasons. first, while it will be housed here at the atlantic council's hariri center, we are engaging with a wide range of think tanks and involving a diverse range of academic experts, foreign policy practitioners and civil society leaders. we've established five working groups led by experts from
4:55 pm
brookings, the stimson center, the united states institute of peace as well as an independent researcher and i would note that two of our working group conveners geneive abdo and chris schroeder are here with us today. these working groups have already begun to explore their topics and i'll just list what they include. security and public order, religion, identity and countering violent extremism, refugees, recovery and reconciliation. politics, governance and state society relations and economic recovery and revitalization. so you can see that we are fully covering many of the issues that we see as root causes of some of the disruptions. and looking at ways to deal with the issues. in the coming months, the working groups will analyze these topics in depth and issue reports which will then feed into a final task force report that will be drafted here at the hariri center and reviewed by a
4:56 pm
distinguished panel of senior advisers. this group of advisers some of whom are here with us today include eminent diplomats and experts from the united states, europe, and most importantly, from the region. in fact, a majority of these advisers are from outside the united states. and that's another thing that i believe makes this project especially distinctive. we're not just going to look how to simply codify the inside the beltway consensus. we want to engage with people on the ground in the region and incorporate their perspectives into everything we do. and in short, we want to listen more and listening to voices from the region is what today's event is really about. so with that, let me invite my friend and co-chair steve hadley to step forward and set the stage for our discussions. [ applause ]
4:57 pm
>> secretary albright, thank you very much. it's a pleasure to be with all of you here this afternoon. i want to thank especially madeleine for the opportunity, pleasure and privilege to work with you once again on one of our bipartisan policy initiatives. it's going to be an important and i think exciting prospect. what we want to distinguish this project from others is to start with the views, perspective and interests of the citizens and leaders in the regions on the problems of the region and the challenges it faced. and for that reason, the theme of today's public event is a view from the region and we want to start that process, which we hope will address a number of questions that will be the basis of our work.
4:58 pm
what are the underlying causes of the current crisis in the middle east? why have so many countries seen their governments collapse or be overthrown? what explains the rise of extremism in the region? what sort of government would people in the region be willing to support? and fight for? what do the people of the region need to do to help resolve the current crisis? and how can the united states, europe and the rest of the world help? this isn't your typical panel event today, so let me walk through what's going to happen this afternoon. first, we are going to watch a brief video of on the street interviews produced exclusively for this project by sky news arabia. next, we will hear some polling data presentations by jim zogby
4:59 pm
and mohamed younis. then we will turn to rabab el-mahdi from cairo to participate in our panel. we'll have a brief conversation among the three speakers with madeleine albright and myself presiding, and then we will bring our in-house and twitter audience into the conversation for a q&a session. so let me first introduce the panel that you will see on this stage after the video. first is james zogby who has had a four decade career working on u.s.-arab relations, and bringing an arab and arab-american perspective into the washington policy conversation. he is the managing director of zogby research services author of the book "arab voices" and founder of the american -- arab-american institute.
5:00 pm
next will be mohamed younis. he is the gallup organization's subject matter expert on the middle east and north africa. his research at gallup focuses on employment in the muslim world and focuses on relations between the muslim majority and western societies. and finally, coming with us from cairo will be rabab el-mahdi. she is associate professor of political science at the american university in cairo. her research interests cover the areas of state civil society relations, social movements and resistance and the political economy of social policy. so now, if we may, let us turn to the short video of the -- on the street interviews with citizens in beirut, cairo, ramallah, and tunis, explaining what future they want for themselves and their country.