tv Politics Public Policy Today CSPAN June 23, 2015 11:00am-12:31pm EDT
11:00 am
have. >> thank you. mr. spires. >> good morning chairman and ranking member and members of the subcommittee. i am honored to testify today and i hope my experience is valued regarding the recommendations i will make on how the federal government can more effectively safeguard data and improve its cyber security posture. most federal government agencies find themselves susceptible to data breaches to core i.t. systems because of three primary causes. first, lack of i.t. management practices. the best defense is the result of managing your i.t. infrastructure and applications well. but beginning in the 1990s and up to the present the federal government has failed to effectively adapt with the changes in i.t. technology and
11:01 am
the evolving cyber security threat. as an example of the failures, when i served in government we would all too routinely discover i.t. systems outside of the i.t. organization's purview that had been deployed with the proper testing and accreditation. the approach across government, and i would point out mr. eser in his testimony already referred to the decentralization with the opm environment itself, has led to the struggle with managing and maintaining this dispersed infrastructure and systems. the resulting complexity of vastly different systems and underlying different i.t. infrastructures makes it impossible to secure such an environment. second, lack of i.t. security best practices. while well-intentioned and appropriate for the time, the
11:02 am
2002 act skewed the approach for security. it looks at the controls for individual systems when in reality viewing systems in isolation hid the impact of the high security posture. further, until recently, systems would be certified and accredited based on a three-year cycle, which is a significant issue when looking at the rapid evolution of technology in the cyber threat environment. third, a slow and cumbersome acquisition process. when i was at dhs i was a proponent of the continuous diagnostics and mitigation program, but it is dismaying to see how long it took to implement stage one. sophisticated adversaries will exploit any and all
11:03 am
vulnerabilities and the government is more vulnerable when it takes months if not years to deploy new i.t. security capabilities. my recommendations to address these root causes. first, effectively implement the law that is meant to address the systemic problems in managing i.t. effectively, and the main intent of the law is to empower the cio. congress can support these efforts by demanding aggressive implementation of fitara by different agencies, and transparency in reporting ongoing progress. effective implementation of the management.
11:04 am
and second, there has been positive movement with the updated law and the move for continuous monitoring, yet i recommend the government rethink how it is measuring success with focus along three lines. there is a continuing need to have security rules to prevent intrusions and more importantly detect them when intrusions do occur. the root of all trust is verified identity and the government needs to step back and rethink how it is rapidly implementing ubiquitous use of identification along with behavioral detection systems to identify insider threats or compromised credentials. finally the government needs to target protection of an agency's
11:05 am
information. the government contains high assurance that only the trusted parties have access to the party's most sensitive information, and this would go a long way against thwarting the major and damaging data breaches. the breaches are terrible for the government and for those millions of us that may be negatively impacted in the future. however, this episode and the need to implement fitara and the new law could be needed for sustained change. it's critical to make enough progress to ensure the commitment to the needed changes in i.t. security is sustained into the next congress and administration. thank you for the opportunity to testify today. >> thank you mr. spires, for your testimony. at this time we are going to proceed to our questioning.
11:06 am
in fact we had planned on proceeding to our questioning where each senator will have seven minutes and i hope we have time to accommodate two rounds of questioning. what we would like to do is go ahead and suspend the running vote and come back and start immediately with the questioning period. so with that we will do that.
11:08 am
11:09 am
foreign relations subcommittee dealing with issues in the near east and asia and counterterrorism. he spoke at the wilson center in washington, d.c. we're very pleased to have senator murphy with us today, and i am the executive vice president of the center, and the wilson center, as you know, is a trusted platform and space for nonpartisan dialogue on global issues as well as a place that does research on global issues and regional issues and issues of science and technology, and popular environment and women's leadership and many other areas. we are delighted to have senator murphy with us today. in the past couple weeks alone we had the pleasure of hosting many of his colleagues of the year, including senator bob corker here a couple weeks ago,
11:10 am
and chairman ed royce was here a couple weeks ago. let me introduce the two speakers. i will introduce the senator second, and aaron david miller is our moderator today and will ask a few questions as well. he is the vice president for new initiatives here at the center and scholar, and he served in the state department where he helped to formulate u.s. policy in the middle east in the arab and israeli peace process. he is the author of a number of books and most recently, and i forgot to bring my copy of this but i like to show it because it's a fabulous book and i recommend it, "the end of greatness," a book he published this fall, a few months ago. senator chris murphy, our main speaker, is a junior united states senator for connecticut, elected in 2012, and he
11:11 am
serves on several committees and importantly for our discussion today the committee on foreign relations. prior to his election to the senate, he served three terms in the house of representatives and served in local politics in connecticut as well. it gives me great honor to welcome to the podium senator murphy. welcome. thank you very much, andrew, for that kind introduction and thank you to the wilson center for hosting me here today and i am looking forward to a conversation with aaron david miller. in absentia, let me thank harmon as she is not here. very few people know this, but
11:12 am
president wilson started his academic career teaching at wesleyan university and many credit his positive experience with his teaching job there as an inspiration to keep him in the profession, and he spent, as did his first wife, many of her summers in connecticut, and she was part of a very well known artist colony there and he made some of the most important decisions about his political future sitting at florence griswold's kitchen table so we love the connections that we have to the wilson legacy and to this center and it's really wonderful for me to be here with you today. i remember this particular day that i am going to talk about like it was yesterday. it was the spring of 2011. i was in a small, small village called parmacon, afghanistan.
11:13 am
it was my third and really most memorable trip to afghanistan. president obama's afghanistan surge was under way and our delegation was sent to this tiny little village to see general petraeus's counter insurgency strategy in action. we went out to where we met with a group of 100 army commandos. they were wildly impressive. there was no doubt that they had brought peace and stability to a province that had been under the thumb of the taliban just months ago. after a briefing in their headquarters, they led us on a heavily-guarded walk through the town along with a collection of village elders. it was a stunningly beautiful walk. rocky dirt roads surrounded by
11:14 am
acres and acres of the most beautiful flowers i had ever seen. a half dozen workers were busy harvesting whatever crop these flowers provided a canopy for, and i finally asked one of the elders what the crop was, and it was poppy, and i said what do you do with it once you harvest it? we sell it to the taliban, who come and buy it for a pretty good price. that's what he said within earshot of u.s. soldiers who no doubt knew all about this arrangement, an arrangement for which they were sent to provide cover and protection. i can't say i was stunned because by this time i had heard it all during my trips to afghanistan and iraq, but this was as clear-cut an indictment of our presence in those
11:15 am
theaters as you could imagine. 100 troops in far western afghanistan, they were buying us temporary space and we could credibly claim we purged the taliban from control of that town, but the taliban were lying in wait and still surrounded the village and worse were marching into town to collect the revenue that would fuel them when we left. we had done nothing meaningful to change the underlying long-term susceptibility to extremist influence and control. they still had no way to feed their families other than producing poppy that was being sold to the very guys we were being sent to eliminate. all signs pointed to the disturbing, but to me increasingly unsurprising, reality that the military success was meaningless there if we did not have a strategy to
11:16 am
change the reality on the ground for these people. in iraq this contradiction played out with even more devastating results during and in the aftermath of the late bush administration surge. waves of u.s. troops and even bigger waves of u.s. cash provided a security blanket over parts of iraq, while political and economic progress went in the opposite direction. the u.s. handed out bags of cash to sunni tribal leaders, a practical strategy for the long term, while al maliki waged war against the sunnis to the point when our troops left they were happy to align themselves with anybody willing to fight the central government in baghdad. today i am confident the vast majority of our diplomats fully understand the failing of the u.s. intervention over the last decade and last week a
11:17 am
battle-hardened veteran of iraq said this when he was asked about calls to deploy troops back to the middle east to fight isis. he said, quote, my worry is could i put 150,000 soldiers on the ground and defeat isis? yes, and then a year later it would be right back to where we are today. before we consider everything like that we need to solve the political problem. of course, secretary bob gates remarked upon leaving the defense department that any future president that contemplated sending troops back to the middle east should have their head examined, and we are on the verge of repeating the mistakes we should have learned. the architects of the war are back. the fight between mccain and rand paul is over.
11:18 am
republican senators right now are calling for thousands of american troops to march back in iraq and maybe syria too. and these senators are making an interesting claim, one we would not have thought possible a year or so ago. they are saying the american public is on their side and interestingly they have a few polls to back them up. a few recent surveys suggest americans are scared to death by isis and want washington to do something about it, something dramatic, and it answers with shock and awe that only america can muster, so mccain and graham are right. these polls also have something else in common. they ask a battery of questions about how concerned they are with isis and how they feel about how president obama is handling the problem, and then when it comes to responses, they
11:19 am
ask one question, do you support combat troops or not? send troops or effectively do nothing? and they choose to do the only something they are presented with. but polling and simple organic voter touch and feel tells us america is still very wary about war. witness the unexpectedly ferocious against the president's plan to bomb syria in 2013, and no matter what the presidential candidates say, the lessons have not gone away. i believe now more than ever americans want an alternative vision of how america can protect itself and there is something more than simple military intervention. americans will respond to a new forward-looking progressive strategy that meets these new threats with new tools rather than simply relying on interventions that were designed
11:20 am
for a time when armies marched against each other and to be political for a moment in a place i know is not supposed to be political, this is a moment for progressive democrats to seize the opportunity to lead. i would argue the congressional democrats over the last few years have been absent from a serious interesting debate over foreign policy. it's only president obama and the republicans attempting to offer a broad vision of how we engage in new and scary threats. maybe our vision silence has been understandable since we have been able to lean on a president that we broadly agree with. we read the president's may 2014 west point speech and in it there is little to argue with but we only have his cover for the next 18 months. i support secretary clinton and i support her foreign policy ideas, but in a 50/50 country we
11:21 am
can't hold our tongues and hope she wins and we have to show leadership and show it now so the american people have a choice when evaluating how to respond to the new enemies we face. this is the new context in which senator heinrich and i started to produce eight common sense principles we think should guide american policy and congress's foreign policy agenda as we try to meet these new challenges. let me take a few minutes to lay them out. first we argue that america's nonkinetic tool set is dangerously under resourced. we seem to have forgotten the lessons of post world war ii in which we were spending 3% of gdp on foreign aid. we learned the lessons from after world war i, and we rebuilt our friends and enemies
11:22 am
to use economic development to stomp out potential instability that could undo the postwar balance of power. today foreign aid is 4% of what it was in 1950 as a share of our economy, a 96% real time reduction. so we believe a new marshall plan for at risk regions can get us the kind of stability and win us the kind of allies that were produced by a nonmilitary plan. you can't justify any longer spending 15 times more money on military and military aid than we do on usaid on peacekeeping. we work multilaterally to reduce the moral and practical burdens. just as importantly multilateral support can be a
11:23 am
check on american hubris. why shouldn't we question the wisdom of the intervention in the first place. yes, america is sometimes under immediate threat and we can't wait for partners to sign up, but as a rule with limited exceptions, our actions are more effective with coalitions. and significant military action has to have clear goals and exit strategies and a plan to pay for it and has to be authorized by congress as our framers of the constitution intended. fourth, we believe military action is only worthwhile when there is a political strategy to clean up the mess once the fighting ends. this is the caution and ours, too. the u.s. military is the most powerful in the world but even it has limits.
11:24 am
if there is not a political answer on the ground to remove the impetus for terrorist organizations, military gains are going to be temporary and rarely worth the lives and treasure. covert actions like mass surveillance and lethal operations have to be constrained. the intelligence operations after 9/11 need greater oversight and strength. the usa freedom act is a step in the right direction, but more has to be done, like taking drones away from the cia for good. six, we believe strength at home leads to strength abroad. americans won't support more foreign aid spending if we are not addressing their own economic limitations. that makes sense in part because america leads best by example. countries follow our lead because they look up to our track record and standard of record and as it slips so does our ability to lead. we need to watch what we say on
11:25 am
human rights and what we do about it. how can we tell other countries to treat others if we don't. finally, we believe that climate change has to be at the center of every international relationship we have. future generations will judge us by whether we elevated this discussion in every forum possible if we don't act, and the effects of climate change are already here with disastrous effects on political instability. i am not suggesting there is anything earth shattering or ground breaking in these principles but at least they will stay in contrast to the simple world view of the
11:26 am
neo-conservative composition. they argue for the defense budget and we say other things are important than military funding. they think terrorism exists in a military vacuum and we believe it exists in a political and economic vacuum and our policy should respond accordingly and they think it's a choice between protecting liberty and we believe they are codependent. for instance it sounds really good to say the american objective is to defeat isis. but should it be? frankly our policy should be to eliminate the ability of isis to attack the united states?
11:27 am
whether isis is going to be wiped from the face of the middle east is really a question for our partners in the region. if our goal is to end the threat of isis to the united states, then ground troops make no sense. but it would argue for the massive humanitarian systems and our current levels are big and embarrassingly insufficient, and it would argue for a robust partnership so long as the partnership is broad and deep. it wouldn't ever rule out going after high value targets that present a threat to the united states, and a call for us to learn from the successes of those bags of cash that we handed out in 2007. it was the wrong tactic but a bigger and smarter assistance budget could move mountains. on the night of our delegation's visit, we were briefed, and he showed us a pyramid of pictures of the most wanted terrorists in
11:28 am
the region and at the top was, of course, the photo of bin laden. before and after our briefing, he was putting the finishing touches on the bin laden raid and the night after we left, connecticut-made blackhawk helicopters set off to take him down. despite what we saw, the bin laden raid was the reminder of the incapacity of the armed forces, our men and women in uniform. when you watch them work it's easy to understand why our influence in the world has been viewed through the prism of the u.s. military for so long. they are damn good at what they do. but president obama has warned us we can't view every problem as a nail because we have the most effective hammer in the world. disease epidemics can't be cowed by an air force and propaganda is hard to combat from a surface ship. today we are reading reports of attacks on the parliament building in kabul.
11:29 am
it's crushing to hear after over a decade of intervention in afghanistan, but last week a report noticed almost by nobody noted the taliban in fierce fighting had taken back four villages in afghanistan, in the district right next to parmacon. we need new rules for engagement and new allies in the endeavor. thank you to the wilson center for having me and i look forward to the discussion. >> senator, let me again welcome you to the wilson center. i did not know about the connecticut connection but it's an important one. wilson was our only phd president and the only one buried in washington, d.c. let me thank you for a thoughtful and thought-provoking discussion. there's a lot to unpack here. i have a few questions for you and then we will go to audience
11:30 am
questions. i want to make several points not necessarily directed at your presentation, but there are similarities. first, i think the challenge for this republic is not so much trying to identify a progressive liberal or conservative foreign policy. the challenge, essentially, is to find a policy that obviously is designed to protect the national interests and also a policy that in essence should work. the dividing line for that policy, and i worked for republicans and democrats and voted for republicans and democrats, shouldn't be between left and right, liberal or conservative or republican over democrat, it should be between policies that are smart on one hand or alternative policies that are dumb on the other. if you want america to be on the smart side it seems to me we need to focus on substance and
11:31 am
effectiveness and not politics and on reality and look at the world the way it actually is before we get around to how we conceive we want it to be rather than on ideology, on tactics for sure but also on sound strategies and understand while american leadership is critical, it also has limitations too. second from my own personal experiences, documents and principles can be extremely effective when articulated clearly and with a measure of honesty, so congress understands the policy and so the american people understand the policy. the problem with doctrines and principles, of course, is they are limited in how they apply to a blueprint to navigate in what has become an hypocritical, cruel and unforgiving world.
11:32 am
think about it for a minute. we participated in military action in libya but not in syria. we claim to stand for democracy and human rights particularly in the wake of the arab spring and yet our most stable partners right now aren't democrats, they are authoritarians in the gulf and egypt and we are negotiating even now as we speak a nuclear deal with iran, and at the same time for whatever the reasons we can't, won't, or are unable to take a tough review on iranian repression at home or on their efforts to help the region. how do you reconcile these anomalies, and in fact do you need principles and do you also have to recognize that a principleless foreign policy for a great power may well be more
11:33 am
suited for the complicated policy. it would be finding a better balance between risk readiness of previous administration, perhaps one in particular, and the risk aversion, perhaps of the current administration and that is to say we abandoned the middle ground. we insist as looking at the world as all in or not in and the question is, is there a more effective balance between risk readiness and risk aversion, perhaps borrowing on some of your principles that might in fact serve and suit our interests. one final point, we have an extraordinary advantage over the rest of the world. we -- it's basically our location. we have nonpredatory neighbors to the north and south and fish
11:34 am
to the east and west. one historian brilliantly called them our liquid assets, and the oceans literally create the framework in which we see the world. the committee will come to order. again, i apologize for the delay. the only thing we have to do around here is vote and so there is just no way of knowing, you know, you schedule these things and certainly that trumps everything, which it should. director archuleta, according to reports pertaining to the security systems, hackers had sensitive data for a year. these contain family and financial information for current, former and prospective federal employees and contractors. will a notification be provided to individuals whose information was potentially compromised in
11:35 am
the latest breach? >> yes, sir. we are working on determining the scope of that breach even as we speak and as we determine, and at the same time we are developing a notification process to reach those individuals. we're taking into account what we have learned from the first notification and looking at the wide range of options we would have in that notification process. >> notifications, will they be provided to family members and other individuals whose information is contained in the security system solely due to the applicant? >> we are taking into consideration all individuals, and i would welcome the opportunity to come up and detail it for you. >> how did you decide that 18 months of credit monitoring and identity theft -- >> this is an industry-best
11:36 am
practice. we are, again, in the second notification really examining that to see what the range of options may be. >> will opm offer the same protection to individuals whose information was stored on clearance databases, or does it warrant extra protections? >> this is what we are looking at with our partners across the government to make sure we examine the wide range of options we need to consider. >> what additional steps do you plan to take to protect the victims the breaches pose? >> we are looking at not only with the notification and also looking at the steps that we can take to protect their data. i am as upset as they are about what has happened and what these perpetrators have done with our data and so we are examining not only the notifications we must do and also what are the protections and remedies we must
11:37 am
put in place. >> those are the kinds of things that we are getting from our federal workers. i know you will have more questions related to that but it's so important that we try to get information to those that have been affected. >> i understand. >> mr. spires, the administration has ordered a 30-day sprint to perform vulnerability testing and patch security holes. is 30 days sufficient time to correct more than a decade of negligent outdated systems? >> i am sure you would not be surprised for me to say, no, it's not sufficient time to fix the systems and the situation we find ourselves in. i think it is a good thing though, to put in place a process by which planning should take place so that we can start to get our arms around what should be done agency by agency to put us in a much better posture. >> as we get into these things
11:38 am
mr. spires, and mr. eser, do you expect us to find significant problems as far as breaches with the other agencies? >> well, first i should say you will find significant problems with them not following i.t. security best practices, and not that that alone would necessarily indicate breaches, but given the situation we find ourselves in across most federal agencies i would expect you to find significant breaches, yes. >> mr. eser? >> i would concur with mr. spires. we have been seeing breach after breach this year, health care companies and background investigation contractors and government entities, so it would not surprise me to see more. >> mr. spires again, looking at the scope of the problem how
11:39 am
long do you feel like it will take the government, you know, to actually do the things that we need to protect ourselves from these outside threats? >> well, let me say, i think we should take an ordered approach to this problem, so in my mind what agencies should first be doing is identifying the sensitive data sets they have and putting those in some kind of bucketed priority order and coming up with plans to protect those sensitive data sets. the reason i say it that way is to think that we can go into these large agencies that have, as i said, decades of mismanagement and of essentially decentralized i.t. and fix that quickly is, i think, naive. this notion of doing it by protecting the data sets, and there's technology data today and encryption to do that at the
11:40 am
document level and you have to worry about the identity problem. it does no good if you encrypted the data but then the credentials that can get to the data have been compromised and you have to work on the identity problem, and that's where things like multifactor authentication models come in. there's many new technologies that make it faster and easier to roll out than four or five years ago. also the notion that says even if somebody has been authenticated and authorized that doesn't mean their behavior is correct. the insider threat problem we have to watch this. the ways in which we can monitor behavior particularly of privileged users, those that have root access to the systems and data are the ones that frankly we need to monitor. >> very good. director archuleta, we have heard numerous accounts and
11:41 am
frustrations with csid including website crashes and inaccurate information reported to victims. what steps are you taking to oversee the services provided by the contractor? >> csid has tremendous experience in these types of notifications and they served sony, as you know, with their large breach and we believe they have the capability and capacity to handle this. >> but when you call in now, the wait times are very, very long. >> yes, sir. >> you might have great experience otherwise, but i don't know that they have experienced anything of this magnitude? >> i am as angry as you are about that and i want to make sure they are doing everything they can to reduce those wait times and that's why i instructed my cio and her team to work with my contractor. employees should not have to experience that and that is why we are demanding from our contractor that they improve their services.
11:42 am
i do believe, sir, because of the two incidents, we have had an unusual and high number of phone calls, and that's not an excuse, our contractor should be able to perform to that number and we are demanding it do so. >> thank you. ms. archuleta, if they had completed the i.t. upgrades, would the breach have been prevented? >> my cio advised me that even if we had been -- if there had been 100% fisma compliance, there is no guarantee there will not be a breach, and that's why the implementation of an i.t. plan is so important, and risk
11:43 am
mitigation is what we need to do, detect and mitigate, and that's what our plan is designed to do as we move from the legacy system to the new shell system. i believe we need to act very rapidly to move from the decades-old system to a new system. we need to make sure that we are tracking, that we are documenting and justifying all that we do and we also need to be sure that we are acting as quickly as we can to protect the records that have been entrusted to us. >> ms. archuleta, of all the folks that have been affected, i am particularly concerned about federal law enforcement officers and their families because they have credible reasons to be concerned, the criminals they previously apprehended or investigated might have motivation to seek out their homes or families. what are you doing specifically
11:44 am
to promptly respond to their enquiries, as they have legitimate pressing concerns. >> what i can assure you, senator, we are working with agencies across the government to analyze the scope of this breach. we will be able to discuss more with you in the classified session, but i can tell you that we are working very closely with our law enforcement partners. >> i am eager to follow up with you on that and to get reassurance about the swiftness with which gravely concerned federal employees of all backgrounds are able to get updates and more information about their path forward. your fy '16 budget was submitted before the discovery of the most recent incidents and before we had information about its scope, and is there anything you need to deal with the critical issues that are now widely known
11:45 am
and how might you seek an amendment to the budget request? >> thank you for that question. we are analyzing with omb and my cfo to determine whether our -- what the requests might look like and i hope to be able to get back to you by the end of the week. >> thank you. >> last question for you, if i might, if you had actually encrypted federal employee social security numbers or the personal identifying information, would that have prevented the disclosure of the information to hackers once they compromised your system? >> this is a question that has been asked of my colleagues who are experts in cyber security, and they have informed me that indeed in this particular case the encryption would not have prevented this breach. encryption is an important tool and that's why we continue to build the encryption methods within our systems but in this particular case it would not have prevented it. >> my question is not whether it
11:46 am
would have prevented the breach but the accessibility and use of personal identifying information once the system was breached? >> no, not in this case. >> and the questions about compliance and if i.t. upgrades were completed, mr. spires, any difference of opinion or any insight you can offer whether that would have produced a different outcome here? >> i stated in my verbal testimony, sir, the issue with the old 2002 act was it was around technical controls that would have been checked every three years, and given the environment we live in that is not close to appropriate. and moving towards the correct model where you are monitoring all your systems and your complete environment looking for intrusions and improper behaviors, but i would even echo the point that even that is not
11:47 am
enough in today's environment. you need to bring in the data protection like the encryption capabilities and the capabilities to better understand who is actually accessing your system. those are all critical necessities in order to protect data today. >> was it -- would it be reasonable for us to have expected opm could have achieved the resources they currently have available to them? >> i am not sure i am in a good position to answer that question. i will go back to my point. a focused effort on protecting the sensitive data with the right encryption and right access control capabilities, if you put the focus there i think most federal agencies would have the resources to be able to accomplish that. >> we have seen significant data breaches for home depot, jpmorgan and target and sony and
11:48 am
neiman marcus just to name a few, and many of them invested in the systems, and is the private sector having any more success in mitigating cyber breaches in the other sectors? >> i think it depends on a lot of the actual company and it varies greatly. i would say, to make another point, i think one of the big differences between the government and the private sector is the private sector has the ability to acquire the newest capabilities being offered by the cyber security, if you will, product companies or industry. one of the things that i would like to see is the government agencies be able to bring in, be able to pilot new capabilities as they come to market. that would really help government agencies to adopt the newest capabilities. >> you referenced in the previous testimony slow and
11:49 am
cumbersome procurement and i will discuss that with you in the next round of questions. >> thank you. >> we have a lot to be able to cover for this to be able to not only resolve things in the future but impact what has happened in the past. there are several comments you made, and what is the most pressing discovery based on the vulnerabilities that exist, and i am not asking you to expose public vulnerabilities that still exist, but how many things on the list still need to be addressed and need to be addressed immediately? >> i think one of the most important things that needs to be addressed is the two-factor authentication to access systems. this has been a longstanding problem at opm. they have made improvements and
11:50 am
implemented this to affect workstation access, but the actual systems that are being used by employees need to be also implemented and required. >> i saw from your report the same thing listed in 2012. the initiative to require personal identity verification credential authentication to access the agency's network: as of the end of 2014 95% required personal identity verification access for the network. however, none of the agency's 47 major applications require personal identity verification authentication. is that still correct? >> to the best of our knowledge it still is. >> two points there. the multi-factor authentication
11:51 am
for remote users is we are 100% at that point now. with regard to all other users we are working rapidly to increase that. i asked my cio to increase that effort and i would be -- i don't have the percentages in my mind but i would be glad to get back to you where we stand but i know we are working rapidly to do that. >> the 95% figure you think is pretty close as far as the workstation and 100% for those working remote. it is still 47 major applications that still are exposed, i guess? >> i would like to get back to you on that to give you the full details on it. >> there is a question on the issue of security assessment and authorization. obviously that is a requirement from omb. this ongoing issue of these 47 different groups that are here, it says on this 11 of them were
11:52 am
not completed in time or operating without a valid authorization. what can you tell me about that? >> i can tell you that all but one of those systems has been authorized. they are operating with authorization and we are working on the final one with the contractor. >> there is also a systemic problem there, obviously, of trying to find out why they weren't through the authorization issues. to make sure that authorization is on time and on schedule, is that fixed? what about the process for the future to make sure those continue to be done on time? >> i would like to have my cio get that information so i can get it back to you. >> i would be glad to have that. give me a timeframe. >> by the end of the week. >> there is an outstanding letter sent to your office june 10 from the chairman of the committee on homeland security
11:53 am
affairs as you and i have discussed in the past. june 10 i sent a letter yet to be acknowledged. there were very basic questions still unanswered on it, none that require a classified setting but there are basic responsive answers. i have letters on the record from faa, for instance, and a tremendous number of employees that live in my district that have asked very basic questions. the folks from afge have asked very basic questions. they have yet to get a response to say it has been acknowledged. they want to know timing. i know the letters have gone out nationwide but people want to know there is someone working on the other issues because there will be many for a while. >> i apologize to you if you have not received that response. i know that i have asked my staff to respond to that and i know that it is forthcoming. i will make sure that you have that letter today. >> thank you. let's talk about cost issues dealing with the appropriations side. do we have a ballpark cost to
11:54 am
opm yet for the letter that has gone out to contact everyone to let them know possibly your information has been breached? so there are really two cost factors sitting here that our committee has to consider. one is the cost of distributing the letter and the cost for the credit report, credit screening and protection that has been extended. do you have a cost estimate? >> i have a general cost as we take a look at the take-up rate on the credit monitoring and that will adjust it. it is approximately anywhere between $19 to $21 million. >> $19 to $21 million. what is the estimated cost on the letter going out? >> that's the total cost between e-mails and letters. i don't have the breakdown. i would be glad to get that for you. >> are you aware that some agencies, the website you link people to to get more information, some agencies have blocked that
11:55 am
internally so those individuals when they try to go are blocked from that for fear there may be phishing scams? >> we worked closely with departments and agencies. we have worked closely with them and their cios and other top officials. >> this issue of the inventory of servers and databases and different workstations that are out there. the central control issue is important obviously for keeping up security and technology upgrades and making sure software is upgraded. when there is any server independent there it creates tremendous vulnerabilities. they just have to find one of those. how is it going with unifying that structure? that is not a legacy issue but an inventory issue. >> i respect the inspector general's opinion on this. my cio has told me we have an inventory of systems and data and i welcome the opportunity to
11:56 am
discuss this with you and with him further. >> great. we will look forward to getting that report. that is one of the significant vulnerabilities. >> thank you. thank you for conducting this hearing. welcome to our three witnesses. i'm going to begin with you. i just have a series of questions that i hope are relatively short responses and i will work my way through them as quickly as i can. what is the current estimate of the total number of files or employees breached? >> under the employee personnel files we estimate that to be a little over 4 million. >> and that is at least according to press reports those numbers grow. what else may occur? >> it's an ongoing investigation. we will continue that investigation with our partners. so at this point we know that it is a little over 4 million. >> are those words
11:57 am
interchangeable? 4 million employees and 4 million files mean the same thing? >> approximately 4 million people. >> what is the total amount possible for number of employees? you say we are estimated to be at 4 million. what is the maximum number of files that could have been breached? >> i want to separate incident one and incident two. incident one is the one describing employee personnel files. we estimate that to be a little over 4 million. >> what is the total number of employees that could be affected? >> that is the number. as we look at the second incident. >> a federal background investigation file may have a
11:58 am
number of different names and pii within it. that's why i can't give a specific number on that one. we are working to get that number and i will bring it to you as soon as i have it. >> let me ask this one more time and make sure you and i are on the same page. >> i apologize. >> it may be the inarticulation on my part. you have a certain number of files within your agency subject to this kind of breach. what's the total number of files that potentially could be breached? >> that's what we are investigating right now, sir. >> how many files are there at opm? >> millions of files. we are a data center. there are millions of files; the background investigations contain numerous names. that's why i want to be careful to make sure the number i give to you i'm confident about. >> you indicated you have taken
11:59 am
significant steps. and yet the oig says only 3 of 29 recommendations have been closed and indicates -- let me look at his testimony. only three of these 29 recommendations are closed and 9 are longstanding issues that were rolled forward from prior year audits. how do you reconcile we have taken significant steps and yet the oig's report says there are longstanding problems and only 3 of 29 have been addressed? >> we work very closely. as i said before we work with him to make sure that we have complete and open transparency with him. we meet on a regular basis. he continues to assist us in identifying the areas of improvement and the issues he has brought to us we are working through. in the 2014 audit that he has
12:00 pm
performed for us and provided to us we are working through the steps that he has outlined for us. i know we're not in agreement with all of them but we do believe that that conversation and the transparency that we have between us will be helpful on resolving all of them. >> do you agree that the agency has taken significant steps to correct its problems? >> yes. i do. i think they have made great strides over the years to improve some of the issues that we have reported. for example, the decentralization issue, which went back to 2007: in this past year's audit we decreased our severity of that finding from material weakness to significant deficiency. there are a number of other areas where they have put in tools and made strides to improve security. that said, there are a number of longstanding issues in our
12:01 pm
reports that are open and we hope to see movement on. >> let me take this and give you an opportunity. if you were still in the former capacity at this agency instead of the irs or the homeland security, let me first start with the broader question. based upon your understanding of the facts involved here and your best judgment was the breach or breaches that have occurred at opm, were they predictable based upon what we knew looking at the -- for example, the oig report. if you saw those reports is this an outcome that could be expected? >> i think it is an outcome that could be expected, sir. >> and do you have a sense based upon either testimony or your independent knowledge and what you heard in the reports that
12:02 pm
would you say that the opm officials have taken significant steps to solve their problems? >> it does sound like they are doing a number of the things correctly. i think the centralization of i.t. is a very good step. they are talking about a modernization program that would upgrade their i.t. infrastructure. that being said i'm going to go back to my earlier point that if i had walked in there as a cio -- i'm speculating a bit -- and i saw the kinds of lack of protections on very sensitive data, the first thing we would have been working on is how do we protect that data? not even talking about the systems. how is it we get better protections and then control access to that data better? i think that is probably where the focus needs to shift here based on what i'm hearing. >> meaning that ought to be the
12:03 pm
priority. does anyone at opm take personal responsibility for these breaches? or is this just considered a problem with the system? is this a problem with individuals not performing their duties or is it just more that this is the system we inherited and we are working on it and no one in particular is responsible for the outcome? >> i think mr. esser and mr. spires said it correctly. this is decades of lack of investment in the system that we inherited when i came in. from the very beginning of my tenure i have been focused on this. we are working to install not only the architectural strategies but also to install the detection systems and be able to remediate. but as both of my colleagues have mentioned we have legacy systems that are very old. oftentimes we have to test to
12:04 pm
be sure we can even add those protection systems, those tools, into the legacy system. if there is anyone to blame it is the perpetrators. their concentrated, very well-funded, focused, aggressive efforts to come into our systems, not just to opm but as both of my colleagues have said across the whole enterprise, is one that we are concerned about and one we are working with our colleagues on. it is -- we are going to take every step we possibly can at opm to continue to protect. that is why we are trying to move out of the legacy system. >> to date you don't consider any of your staff or employees or people responsible at opm for i.t. and its security to be personally responsible. it's a problem with the system that has been inherited?
12:05 pm
>> this is an enterprise-wide problem and cyber security is a responsibility to all of us. with tony scott's assistance we are going to address this on an enterprise-wide basis. >> no one is personally responsible? >> i don't believe anyone is personally responsible but we are working as hard as we can to protect the data of our employees because that is most important. i take it seriously and am as angry as you are that this has happened to opm and i'm doing everything i can to move as quickly as i can to protect the systems. >> thank you very much. >> ms. archuleta mentioned the problems with the legacy system which we understand. isn't it true that several of the systems that were breached were not legacy systems, but, were the
12:06 pm
right tools in place, would not have been breached? >> based on our audit work -- >> the idea that this is all legacy is really not the case? >> well there are many legacy systems at opm. i don't want to give the wrong impression. that's a fact. but based on the work that we have done in our audits and ongoing work that we are doing it is our understanding that a few of the systems that were breached are not legacy systems. they are modern systems that current tools could be implemented on. >> very good. i think that's really important. concerns have been raised about the contracts to provide credit monitoring service to victims of the first breach. we don't yet know the scope of the second breach and what services will be provided for additional victims. in your flash audit you raised
12:07 pm
concern about opm's contract to manage the infrastructure improvement project related to subsequent phases of the project. do you have additional work planned to oversee opm's security practices? >> it is certainly something that we are monitoring and following the reports and gathering information. we have not planned any audits of that at this time. it's something that we may do. >> very good. mr. spires, you describe a number of root causes that led to this and a number of recommendations. can you tell us again a couple key recommendations that would make a difference over the next year? >> i would really like to reemphasize. we need to figure out how to manage our i.t. more effectively.
12:08 pm
i would say that is the single root cause that has led to these situations we find ourselves in with these data breaches. it's not that i'm just wanting to say we need to have all of the power reside with the cio. we need cios that have the authority to really bring best practices and not to allow systems or practices to continue that jeopardize the security of our data and our systems. and that has been the problem for decades. and we still have real cultural problems. i'm out of government now for two years but based on many discussions i have had with brethren that are still cios in government, the cultural issues we need to take this incredibly seriously. i urge you as a subcommittee to provide your own oversight of implementation. >> do we need additional
12:09 pm
legislation? >> i'm not convinced. i think we need the general cyber legislation about how we better share information between the government and the private sector. i think that is something that congress should continue to work on. i think we have between the act and the updated act, i think we have enough tools on the legislative side. i think it is now a leadership and management set of issues within the administration with the proper oversight of congress. >> mr. esser, along the same line what would you comment on in regard to again the most significant weaknesses, underlying causes, what do you see as the priority that we need to be doing in the next years? >> well, specific to opm i think that the project that they are
12:10 pm
undertaking to modernize the i.t. systems is the right way to go. that definitely needs to be done. we fully support that project. we do have some concerns as expressed in our flash audit alert regarding some of the project management related to it, the sole source contracting, but in general we think it's definitely the right path to follow. >> and so you will be -- how will you all be involved? mr. spires talked about oversight. certainly that is something we can do in regard with this committee. how will you be involved in the process? >> we are continuing our oversight of the modernization project. the flash audit alert was issued this week and it was just an interim report, so to speak. we are going to continue our audit work throughout the length of this project.
12:11 pm
>> mr. spires, the administration's cap cyber goals are an effort to drive significant improvement changes. yet that is not working. do you recommend changes? >> i would first comment that i think having goals is certainly appropriate. let's take one example. this notion we have all talked about to be able to much better protect credentials of those that use these systems. yet when you look at the cyber goal and the use of the and trying to get the 75% usage within the civilian federal agencies as the goal, let's go back to the adversaries. they only need one way in. 75% just doesn't cut it in this world anymore. and so we need to rethink i
12:12 pm
think, the objectives there. go back to the prioritization about protecting data, those should be the highest goals. that does not mean that we shouldn't be working to continue to bring in the right kinds of capabilities to better protect our systems. we need to do that, as well. i think it is time to rethink those goals and to reset them along those sets of priorities. >> you mentioned at opm that one of the findings you found was we didn't know exactly what entails assistant. what they have. has that been corrected? we still don't know the number of units and servers? >> based on our latest work that's still our understanding. director archuleta commented
12:13 pm
they have a complete system. we would be more than happy to work with them and look at that and do our audit work related to that. >> if that is the case that has just recently happened? >> yes, sir. i will defer to the vice chair. >> thank you very much. mr. spires, could you tell me, has kaspersky been penetrated? >> i mean i don't have any more information than what i read in the news but i read that as well. >> which indicates that this is an international problem and really shows that even despite best efforts of highly skilled professionals, that is not to excuse where we are. your advice to us is get with it and get with it pretty quick. >> i think you have summed it up
12:14 pm
very well. >> would you also recommend that this be across all government agencies, that opm was hit et cetera? >> my experience having served on the federal cio council and worked with many of the agencies is that opm is not some outlier here. many of the federal agencies have very similar issues to what opm faces as far as i.t. management and cyber security posture. >> thank you very much, sir. now, the federal employees. maryland is home to 130,000 federal employees from national institutes of health to the national security agency. most people are civilian employees. what do i tell my employees because they're quite apprehensive? what is the impact of this on
12:15 pm
them? can you talk about this? and what is the impact on them? how are you in communication? and should they be afraid that another shoe will drop and that it could drop on them and their credit ratings or whatever? >> and i do want to say i care very much as you do, vice chairwoman, about our federal employees. and what this breach has done has exposed their data, as you know. i am very concerned about that. that's why in terms of the first incident we have been working hard to begin and improve our notification system and to provide both identity theft and credit monitoring for them. we have received much feedback from our employees and we are using that -- >> so pretty apprehensive. >> and i am angry, too.
12:16 pm
i am angry that this has happened. i have worked very hard towards correcting decades, as i have said before, of inattention and i will continue to do so. and i will tell you that i am very concerned about protecting the data of our employees and that as we move into incident two i will use their feedback, their concerns, to inform us so we can look at a wide range of options that we will have available to us with these notifications. >> do you have kind of a council of federal employees organizations that you meet with that can kind of tell you the view from the employer up so that you really hear what they are saying? people like myself, we are very proud of the fact that the capitol region is the home to so much talent that works on so
12:17 pm
much pressing national interests from the cure for cancer to protect our country against predatory attacks and now are worried about predatory attacks against them. do you meet with them and get this advice so that we can at least while we are trying to sort out the best way to have a cyber shield? >> we are doing several things. thank you for that question. we are working with our human capital officers. for each of the agencies as well as all of the department heads and leaders and we try to adjust the notification system so that it's customized to the employees. we are also listening to our
12:18 pm
unions, our union representatives and seeking their input and other stakeholder groups to see how we can better improve our notification system, not in the long term but during this period from june 8 to june 19, to take their feedback every day around call centers about how we can provide faqs on websites, how we can work directly with department heads and agencies so that they are assisting us in the notification process. we take very very seriously what we owe to our employees and i will continue to do that and to make sure that in the second incident that we are using their input. >> i think it is absolutely crucial. mr. chairman, i would like to thank you for having the ig at the table. when i chaired the committee it was my habit or really my administrative procedure that all of my subcommittees either had an ig come or hot spots
12:19 pm
for agencies or at least submit written testimony. the fact that you are utilizing that is really crucial. we will have a lot to talk about this afternoon. thank you so much for your service. we so value the work of our inspector generals. they have been enormously helpful to me both as chair and now vice chair of the committee to get value for our dollar, to identify management hot spots, and we really want to thank you for the identification of the problem and recommendation for solutions. thank you very much and all the igs. >> you're very welcome, senator. >> thank you, senator. senator lankford. >> thank you. mr. spires, you said coming from the cio council before that many federal agencies have similar issues. two fold question. one is define what issues mean on this and then the second is give me a percentage when you
12:20 pm
say many other agencies. again, i'm not asking you to articulate what are the security issues and specifically where our vulnerabilities are, not asking you to do that. give me a guess of how many agencies we are dealing with and what those issues are. >> i would say many of the federal agencies have a similar kind of problem that mr. esser alluded to about decentralization of i.t. in and of itself is not necessarily a bad thing. it has been very difficult for many of the agencies that rolled out systems and then have to support the systems. the complexity factors have grown so significantly that it is very very difficult for them to get their arms around systems. what we would do at dhs, to call out dhs specifically, we would do inventories and try to, if you will, find all the systems that we had. and i think we did a relatively good job at that.
12:21 pm
it would not be that every year we would find more. try to secure that and i would say that is the first thing is that most agencies i believe have that problem. i don't want to put a percentage on it because i don't know how to measure that. i would say most of the major agencies have this problem that the cio would not be able to sit here and say they have a good handle on their true inventory of i.t. systems. >> what about user credentials? >> i give all the world credit to d.o.d. for having rolled out that card years ago and having the leadership and wherewithal to make it happen. most government agencies are struggling to roll out what we call the hspd 12 program and then use it for logical access control. it's still an issue. you look at where we are at. it's still an issue of most of
12:22 pm
the agencies. >> authorization? >> again, i think you are hitting the hot spots here. many systems we would find we would either not have authorizations because they were out in the field and not under control or what i also didn't like which is you could do an interim authority to operate. some of those would last way too long. you wouldn't be, if you will there would be weaknesses in the systems and it would be very difficult to clear those weaknesses. i can't put numbers on that but hopefully i have given you a sense where i feel many agencies fit today. >> my question to that related to appropriations. none of those seem like big dollar items. those are management of current process, hygiene for our
12:23 pm
systems. am i hitting that? >> if we have to monitor i get it we have old systems out there. i'm asking the initial security side of this seems to be the first rung how we are handling the information in the inventory. >> i would agree with your sentiment that says we could manage this a lot more effectively and we don't need new dollars to do that. some of the issues, though, that go to true modernization you do need investment. >> let me ask you a question. you had in your written testimony and your oral testimony, as well, kind of talk through the timeline of how things went. some areas you were very specific of how things moved. there were a couple of terms that jumped out to me. it just says as a result of efforts to improve security posture april 2015 an intrusion that predated adoption of
12:24 pm
security controls affecting i.t. systems and data was detected. opm immediately contacted the department of homeland security and federal bureau of investigation. can you give me a definition of immediately? >> same day. >> great. and then you had the same issue there we talked about the scope and impact of the intrusion shortly thereafter opm notified congressional leadership. what is our timeframe? >> a seven day requirement. >> so met it within that seven day. >> thank you. the contractor that was involved in this that had the responsibility for strategic i.t., who was that contractor and what were the assurances that they gave early on during the conversation, that contracting process, to say we'll provide security structure, management? i'm kind of looking for what they said they would do and what they actually did. >> i think i want to be very clear that while the adversary
12:25 pm
leveraged a compromised keypoint user credential to gain access we don't have any evidence that would suggest that keypoint as a company was responsible or directly involved. we have not identified a pattern that resulted in the compromise of the credentials. since last year we have been working with keypoint and they have taken strides in securing its network and have been proactive in meeting the additional security controls that we have asked them to use to protect all of the background data. >> so the question is with keypoint the security controls they put in now were the security controls discussed earlier that were not fulfilled or are these things that were considered? >> we are discussing -- i think i understand but let me be sure. our detection in april detected an intrusion in late 2014.
12:26 pm
the detection was 2015. we detect an intrusion in late 2014. >> so what i'm trying to drive at is then there were changes in security protocol. were those recommended before? >> these are ones that we had planned and were installing as we progressed through our improvements. and unfortunately, we didn't have them in place soon enough. we are working, as i said with the legacy system. we were testing many of our security tools. as a result of actually being able to install this particular security tool we were able to detect it. >> that plan had been in place how long? >> it is part of our security plan which we developed -- >> 2014. >> thank you. >> thank you, sir.
12:27 pm
>> thank you. you are in the midst of a major i.t. modernization project. how much do you expect that total project to cost and what elements are included? >> there are four steps that we're using for that plan. what are the tools that we are going to need to protect our systems even as we move forward? we are building a new shell system which will be the platform. the third and fourth are the migration and then the disposal of the legacy system. we are at the step right now; in june of 2014 we hired a contractor to assist us in the development of the shell. and we are moving towards that. we, as i have said, have identified $67 million in 2014 and 2015 that would enable us to move towards that and we are asking for an additional 27
12:28 pm
million in the 2016 budget to aid us. i have -- we are working closely with omb to determine if another request should be made. >> has a major i.t. business case been prepared as opm requires? >> it has and we worked very close with omb. this is a point that auditor brought out in his flash audit. i can assure that we have been working very very closely with omb. this is an urgent issue. we are moving as fast as we can making sure that we track, justify and document all that we are doing consistent with omb standards given to us. a budget that we have worked very closely with omb to deliver. >> in response to the ig audit
12:29 pm
one concern was the sole-source contract to a single contractor to manage all four phases of this very large project. What type of contract is it? Is it fixed cost, and what steps are you considering?
>> As I said before, there are oftentimes places where we have areas of agreement and areas where we would like to have further consideration. In the flash audit the inspector general encouraged use of either existing contracts or use of full and open competition. I would like to assure you that the processes followed in awarding existing contracts have been perfectly legal, and we continue to assure that further contracts and processes will be perfectly legal. He also expressed concern that the contract used in the tactical and shell phases should
12:30 pm
not be used for cleanup phases. I understand his concerns, and I would like to remind the inspector general that the contracts for migration and cleanup have not yet been awarded. Where we would like to have further discussion with the inspector general is the practical timeline for the major I.T. business case. He is suggesting that we move that out into fiscal year 2017. I would like to move that much quicker given what we have already experienced. I assure the inspector general and everyone here that all of our decisions are being tracked, documented and justified. He has made a number of recommendations regarding contracting and standards that rely on external sources for assistance, and I believe that the federal government and the good work that Tony Scott is providing to