
Politics Public Policy Today, C-SPAN, June 25, 2015, 5:00pm-7:01pm EDT

5:00 pm
is about the personnel records that are the incident at OPM. >> Okay. What I would like to get in writing is exactly what information came out of OPM, what information came out of the contractors. Is it one and the same? Are you the final database? So I want to understand the connection and how the breaches occurred and how they interconnect, and get it back to Chairman Chaffetz. I think it is important information. >> Thank you. Now recognize the gentleman from Ohio, Mr. Turner, for five minutes. >> Ms. Archuleta and Ms. Seymour, I just want to remind you that you are under oath, and I have a series of questions that follow on to Carolyn Maloney's questions. It was reported in the Wall Street Journal that a company named CyTech related that they were involved in discovering the
5:01 pm
breach that apparently has been, according to this article, linked to Chinese hackers. OPM's press secretary said the assertion that CyTech was responsible for the discovery during a product demonstration is inaccurate -- Ms. Seymour, do I have your attention? They assert they were invited in by OPM and their equipment was run on OPM, and their equipment indicated there had been an intrusion of your system and they notified you, and your response from OPM is it is inaccurate. And I believe you asked the question and you said they were not involved, and I'm reminding you you're under oath. Anybody want to change their answer? Were they involved in the
5:02 pm
breach? >> No, they were not. >> No, they were not. >> Reminding you you're under oath, was CyTech brought in to run a scan? >> They were engaged with OPM and we were looking at using their tool in our network. We gave them -- it is my understanding that we gave them some information to demonstrate whether their tool would find information on our network, and in doing so they did indeed find those indicators on our network. >> Great. Thanks, Ms. Seymour. Because I sit on the Intelligence Committee, and Ben Cotton and John Irving came in and briefed the Intelligence Committee staff, and they relate they were given access to their system and ran their processes, and I think you are confirming it, and it was previously denied that they had any involvement. So relate again, Ms. Seymour,
5:03 pm
what did CyTech do? Were they given access and run it on your system? >> Here is what I understand. OPM discovered this activity on its own. >> That wasn't the question, Ms. Seymour. And I'm assuming you would have greater than an understanding, that you would know, considering you are the chief information officer and testifying as to how this happened, and there is a news article on this. So please tell us clearly what access was CyTech given on your system. >> I'll be happy to answer your question in trying to explain to you how CyTech had access. OPM discovered the breach, and we were doing market research and we had purchased some licenses for CyTech's tool. We wanted to see if that tool set would also discover what we had already discovered. So yes, they put their tools on our network, and yes, they found that information as well. >> So you were tricking them. You already knew this and you brought them in and says, shazam, you found this too. >> Sir, we do research on
5:04 pm
deciding what tools to buy for our network. >> Now at that point, you hadn't removed the system from your system? I mean, you knew it was there and you brought them in and their system discovered it too, which means it was continuously running, and personnel information would have been still at risk, correct? >> No. We had latent malware on our system that we were watching, and we quarantined. >> So it was no longer operating. >> That is correct. >> Well, clearly you're going to have to give us all an additional briefing, and the intel committee staff a briefing, on exactly how you did this, because CyTech relating what they did is very compelling, and quite frankly what you say is highly suspicious: that you would bring them in and trick them, and why would you need them if you discovered it, and further trick them to say you don't really have the system on your
5:05 pm
system any more. It's just -- it contradicts in so many ways that it defies logic. And on Ms. Archuleta, on the SF-86 forms that were compromised: when you say a form it sounds minor, but this is the form. This is the security form 86 that people looking at national security and to get clearance have to fill out. Not just Social Security, but their number is all over there. And I have Peterson Air Force Base in my district, and a number of people had to fill this out to serve their country, and what are you doing about the additional information in this form being released, and in there about these individuals? >> I filled out exactly the same form. >> I didn't ask that. I asked what are you doing -- this is not about identity theft. This is not just credit cards and checking accounts. What are you doing about counseling and assisting them? >> I've just used that by way of
5:06 pm
understanding. I know what is in the form, primarily by way of director of OPM, and as you know we do federal background investigations, and I'm clearly aware of what is in the form. As I mentioned in my testimony, we are working with a very dedicated team to determine what information was taken from that -- those forms, and how we can begin to notify the individuals who were affected by that. That form is very complicated, and that is why I'm very, very careful about not putting out a number that would be inaccurate. That is a complicated form with much information. It has PII and other information, so we want to be sure that as we look at how we protect the individuals that complete those forms, that we're doing everything we can, and we're looking at a wide range of options to do that. That is an effort that we're working on together throughout
5:07 pm
government, not just OPM. We're all concerned about the data that was lost as a result of this breach by these hackers who were able to come into our systems. And I will repeat again: but for the fact that we -- that we found this, this malware would still be in our systems. >> Chairman, I want to thank them for acknowledging that CyTech did have access to their equipment and did run, even though they previously did deny CyTech's involvement. >> Thank the gentleman. Recognize the woman from the District of Columbia for a minute. >> First I have a question for Ms. DiCamillo, but first I want to ask Ms. Archuleta. Members are concerned about this 4.2 million number, and you tried to straighten that record. That is not the final number and almost surely will go up.
5:08 pm
Is that the case? >> There are two incidents. >> I understand that. >> The first incident, that number is 4.2 million. In the second incident we have not reached a number. >> So the number is going to go up. I understand. And indeed I am receiving calls from federal employees about OPM's promise of 18 months, I believe it is, of free credit monitoring. Is it true that federal employees must pay for this service -- >> No. >> after that time? >> Well, the services that we are offering is identity theft protection up to a million dollars, and we're also offering credit monitoring for 18 months, which is the standard industry practice. As we look at the second notification, we're looking at our whole range of options.
5:09 pm
>> Ms. Archuleta, there is a great deal of concern, and not so much about who is to pay for it but the amount of time. 18 months may be too short a time given how much you don't know and we don't know. >> And we're getting tremendous information back from -- >> Are you prepared to extend that time if necessary? >> I've asked my experts to include this feedback that we've received on a number of different considerations. >> I'm asking, are you prepared to extend the 18 months in light of what has happened to federal employees, if necessary? >> As I said, we don't know the -- the scope of the impact of the -- the scope. >> Precisely for that reason. I've got to go on. If the scope is greater as you get more information, will you correlate that to extending the amount of time that federal employees have for this credit
5:10 pm
monitoring? >> Congresswoman, I will get back to you as to how -- what range of options we have. >> Will you get back to us within two weeks on this? Ms. Archuleta, we have people out there, all of us have constituents out there, that have been directly affected, and you won't even tell me that you are prepared to extend the time for credit monitoring. What kind of satisfaction can they get from OPM? I'm just asking you that, if necessary. >> Congresswoman, I'm as concerned as you are. >> In other words, you are not even willing to answer that question. Are you willing to answer this question? They report having to wait long periods of time, sometimes hours, to even get anybody on the phone from OPM. Can you assure me that if a federal employee calls they can get a direct answer forthwith today if
5:11 pm
they call, and if not, what are you going to do about it? >> We are already taking steps, and what the contractor has implemented is a system similar to what Social Security is using, and so if they get a busy tone they can leave their number and they will get a call back. >> Within what period of time, Ms. Archuleta? >> For example, I heard -- a gentleman told me this morning that he left his number and was called back within an hour, and he didn't have to wait on the phone. >> You let the chairman know before the end of this week what is the wait time for a returned call. That was a subject of great concern. >> We get those numbers every day. I'll get back to you. >> We can't even assure them that beyond 18 months they'll -- they're going to get credit monitoring. That is a very unsatisfactory answer, I want you to know. I want to ask Ms. Barron-DiCamillo.
5:12 pm
We understand that much of this is classified, and we are hearing we can't tell you because it is classified, and the press is finding out lots of stuff. And law enforcement authorities have been examining the connection between the cyber attack at OPM and a previous data breach that occurred at KeyPoint. So I want to ask you, Ms. Barron-DiCamillo, and I don't want to discuss or ask about anything classified: in the course of your own investigation, US-CERT, into KeyPoint's data breach, did you find hackers were able to move around the company network prior to detection? >> In the case of the KeyPoint investigation? >> Yes. >> Yes, ma'am, they were able to move around in the KeyPoint network. We had an interagency response team that spent time reviewing
5:13 pm
the KeyPoint network -- >> Even to the domain level? >> Correct. They had access -- we were there in August of 2014, and the on-site assessment team was able to discover -- >> What does that allow the hacker to do, to get to the domain level? >> They had access to the level -- >> KeyPoint. >> KeyPoint. From that point in time through the fall of 2013. So during that time they were able to leverage certain malware to escalate privileges from the entry point. So they entered the network, and we're not sure how. >> The gentlelady's time is expired. >> Just a final thing. >> Can you finish that? >> Can they get background on federal employees? >> No, they could not. There was a PII loss associated with 27,000 individuals associated with that case, but it was potentially exposed, because
5:14 pm
of lack of evidence we weren't able to confirm that, because they had lack of access, but we weren't able to confirm that data. >> Thank you, gentlelady. >> Thank you. I now recognize myself for five minutes of questioning. Let me ask Ms. Archuleta: what do you believe was the intent behind the attack? We're talking about the attack. And so what do you think the intent was? >> You would have to ask the partners in cyber security about that. I don't know. I'm not an expert in that. >> Ms. Seymour, maybe you could. >> I think that would be better placed with DHS and perhaps others. >> Let me start with Ms. Seymour -- as to the attack. >> OPM does not account for attribution or the purpose to which this data would be used. >> Ms. Barron-DiCamillo. >> I would be happy to discuss those further in a closed setting, because the details for
5:15 pm
that would be something appropriate for a closed, classified setting. >> Ms. Archuleta, how would you assess OPM's communication with current and former federal employees regarding the breach? >> I believe -- >> At this point in time, how would you assess it? >> I believe that we are -- we want to work very hard with our contractor to make sure that we are delivering the service that we want. We have asked them throughout this process to make improvements. We've demanded improvements. We're holding them accountable -- excuse me, sir -- to deliver the services we've contracted for. Ms. Seymour is in communications with them. I do not -- I do not want our employees to sit and wait on a phone. I do not want them to have to wonder whether their data has been breached. I want to serve them in every way that we can, and that is why we're demanding from our contractor the services that
5:16 pm
he -- that the contractor said they would deliver, and we are working very hard on that, and each day give them the appropriate feedback from what we're hearing from our employees. >> Federal News Radio conducted an online survey about the breach. You are probably aware of that. And one of the questions was to rate OPM's response to the data breach, and the results show that 78% of the respondents rated OPM's communication as poor. An additional 12% rated it as fair. And only 3% described it as good, and less than 1% said it was excellent. I appreciate the fact that you want to improve that. And we expect you to make sure that who you've contracted with improves that. >> Those numbers don't make me happy, sir, and I will do everything I can to make sure that we're doing everything for our employees. I care deeply about our
5:17 pm
employees. >> Let me move on. Ms. Barron-DiCamillo, some news reports indicate that attackers may now be in possession of the personal file of every employee, federal retiree, and up to 1 million former federal employees, and if true that means they have every affected person's Social Security and job and pay history, and more that could be there. For years we've been hearing about the risk of a cyber Pearl Harbor. Is this a cyber Pearl Harbor? >> The impact of the data breach that was confirmed, and the records taken out of the personal records, is what we would call in a severity scale a significant impact. >> Significant impact. What does significant impact mean? >> Meaning that the data, if it was correlated with other data sources, could be -- could impact the environment as well as the
5:18 pm
individual. >> Environment meaning? >> The fact that they were able to take the data out of the environment, that is a significant impact to the environment, and ensuring that they are able to mitigate the ability that the attackers used to get into the environment, and the fact that data was exfiltrated, is a significant impact. >> So it's not blowing up a lot of things. >> Significant impact. >> Protection security? It is a Pearl Harbor? >> That is not a term I'm comfortable with using. But in the severity scale -- >> It is pretty high scale. >> Medium to high significance, yes. >> Let me ask Ms. Seymour. Do you think issuing a request for quotes on May 28th and establishing a deadline of
5:19 pm
May 29th to potential contractors was a reasonable opportunity to respond? >> Sir -- >> In this significant issue of cyber security? >> Our goal was to be able to notify individuals as quickly as possible, and so we worked with the GSA schedule, and we contacted schedule holders and also put it on FedBizOpps for other opportunities. We received quotes from both schedule holders and non-schedule holders, and so our goal was to make sure we could notify individuals as quickly as possible. >> Well, that was quick. Maybe too quick. My time is expired. I now recognize the gentleman from Massachusetts, Mr. Lynch. >> Thank you, Mr. Chairman. And again I want to thank the witnesses for participating today. Ms. Archuleta, you testified before the Senate. Let me ask you at the outset,
5:20 pm
who is ultimately responsible for protecting the personal identification information of employees at OPM? >> The -- >> Or that are offered by OPM. >> The responsibility of the records is with me and my CIO. >> Okay. So you already testified that no one was to blame. Is that right? >> I think my full statement, sir, was that I believe that the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our systems. And I have worked the rest of my -- the rest of my testimony is I have worked since day one to improve legacy systems. >> I understand you are blaming the perpetrators, the people responsible. Is that basically what you are saying? >> The action was caused by a
5:21 pm
very focused, aggressive perpetrator. >> Okay. I can't have repeated the same answers. Let me just -- Mr. McFarland, the assistant inspector general Michael Esser testified that a number of the systems that were hackered -- hacked were not the older legacy systems, but the newer systems. So this isn't the old stuff, this is the new stuff. >> Yes, that is correct. >> And the IRS and the Department of Homeland Security said that the breaches were bound to happen given OPM's failure to update its cyber security. Is that your assessment, Mr. McFarland? >> Well, I think without question it exacerbated the possibility, yes. >> And this is a quote, he said, if I had walked in there as the chief information officer and I
5:22 pm
saw the lack of protection for very sensitive data, the first thing we would have been working on is how do we protect that data. I'm concerned as well about the flash audit that you just put out. And your ultimate determination was that you believe that what they are doing will fail. >> The approach that they're taking, I believe, will fail. They're going too fast. They're not doing the basics. And if that's the case, then we're going to have a lot of problems down the road. >> Let me ask you, so very crudely describing this: they are creating a shell, a protective shell, and then we're going to migrate applications
5:23 pm
in under the shell, and because they'll be under the shell they'll be resistant or impervious to hacking. It doesn't seem like we should have to wait until the last application is under the shell before we find out whether or not the shell is working. Is that -- is that -- will that give us an opportunity to look at the early stages of this project? >> I'm not sure if it will give us that opportunity or not. What is important, I think, from our perspective is that they have the opportunity -- OPM has the opportunity right now to do certain things that will increase the security a great deal, and that shouldn't be abandoned, and just in place of -- and I don't mean to imply it is abandoned, but it should not be in place of speeding through -- the rest of the
5:24 pm
project to get it done. The crisis part -- it may not seem this way to a lot of people, but the actual crisis at OPM was with the breach. That part is over. The best thing to do is safeguard the system as it is right now and then move appropriately for full restructuring. >> Okay. Do you think that the OPM estimate of $93 million is accurate? >> I don't think it is anywhere close to accurate. >> I don't think so either. It doesn't seem to include the whole migration function when they pull all of the information in. >> As an example. >> The financial system we have, sea bus, in 2009 we had to migrate that information. >> Right. >> And in so doing it had a lot
5:25 pm
of oversight and it went pretty well. In fact, our office was part of that oversight. But just that one system took two years and $30 million. >> Right. And that is a small fraction of what we are talking about here, right? A very small fraction. >> Very small. >> I yield back. >> Now recognize the gentleman from South Carolina, Mr. Gowdy, for five minutes. >> Mr. Chairman, I want to read a regulation. I would ask the panelists to pay attention. It is tedious but important. If new threats are discovered by the government or the contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party. That is a regulation. Mr. Hess, Mr. Giannetta, were there also contractual obligations in this realm
5:26 pm
between you and the government? >> There are. >> And they would be what? Similar to that? A similar provision? >> I don't have an immediate recollection of the exact text, but it is similarly worded. >> Okay. I think it is helpful sometimes to define terms, particularly for those of us that are liberal arts majors. What is a new or unanticipated threat or hazard, Mr. Hess? >> That would be an indication of compromise of a system or a failure of any of the system protections. >> Oh, so when Chairman Chaffetz was having a difficult time getting the answer to that question because the focus was on the loss of personal information, that is not really what that phrase means. It is just a threat or a hazard; it doesn't actually have to be a loss, does it? >> Not the way I would define it. >> Me either. What about existing safeguards have ceased to function?
5:27 pm
What does that mean, Mr. Hess? >> Sir, it is pretty self-explanatory. >> It did strike me as being self-explanatory. Mr. Giannetta, is it self-explanatory to you? Existing safeguards have ceased to function. >> Yes. >> And I'll let both of you weigh in on this one because it is tough. What does the word "immediately" mean? >> Without delay. >> It does. Is there another definition you are familiar with? >> I think that is consistent. >> And so there is a regulatory obligation: if new or unanticipated threats are discovered by either the government or the contractor, or if existing safeguards shall cease to function, the discoverer shall immediately bring the attention to the -- bring it to the attention of the other
5:28 pm
party. And I heard about a March 2013 breach. Did I hear that right? >> Yes. >> And when did you bring that to the attention of Congress? >> I would have to bring that back to you. I don't have it in my notes. >> Well, do you know if it was immediately? >> I would -- I would expect that it was immediate. >> Let's find out. Ms. Seymour, do you know? >> No, I don't. But I certainly don't think we immediately notified our contractors of a breach to our network, because at that time we did not have any questions as to whether it was affecting them. It was to our network at that time. >> Mr. Hess, Mr. Giannetta, is that your understanding, they were under no duty to bring that to your attention?
5:29 pm
Not all at once. It's your contractual language and you are looking at the regulation. Do you think you should have been notified because of the March breach? >> Absolutely. >> Why? I heard one say she didn't know and another one said it was none of your business. Why should you know, despite the contractual language? Why do you think it was important you be notified? >> So that we could take appropriate or more appropriate actions to protect data. >> Were you notified? >> I was not. >> Were you notified immediately? >> No. >> Huh. What do you have to say about that, Ms. Seymour? >> I believe that's accurate, sir. >> Well, I'm with you there. But I guess my question is why. Why, despite the plain language of the contract and the regulation, why did you not
5:30 pm
immediately notify the contractors? >> We worked with DHS and partners to understand the potential compromise to our system so that we could make the proper notifications. >> Was DHS one of your contractors? >> No, sir. >> Well, I didn't think so. Well, that doesn't help me understand the regulation. It says contractor and not DHS. Why didn't you notify the contractor? >> At that time we were trying to understand what happened to our network. >> What does the word immediately mean to you? >> Without delay. >> Does it mean after you understand what happened or talk to DHS? That is not in my version of the regulation. Is it in yours? >> I have not read that version of the regulation. >> You know why you haven't? Because that one doesn't exist. The one that says notify DHS or try to figure it out.
5:31 pm
And the only one that exists is notify the contractor, and you didn't do it, and my question is why. >> I can't answer that question. >> Who can? >> I will take that back and get you -- >> To whom will you take it? >> I believe -- I would take it back to my staff to see if we have processes in place. >> Do you think it is staff's responsibility to notify the contractor? >> We have processes in place for making notifications when we find these -- >> Who is ultimately responsible for that process? Who failed to meet the contractual and regulatory obligations? >> I would have to read that regulation. I'm not family with it -- familiar with it. >> I just read it. >> I would have to read the full context of it. >> You think it is different than what I just read? How about the contract? Have you read the contract? >> I have read most of the parts of the contract. >> I can't speak for the
5:32 pm
chairman, but my guess is he and the others would like to know who honored the letter or the spirit of the obligation and the regulation. I yield back. >> Thank you. Now recognize the gentleman, Mr. Lieu, from California. >> It looks like what happened here wasn't recklessness or negligence, it was fraud, and I want to know how far up knew about it, and I want to know if the hedge fund managers knew about it. And I want to begin with Mr. McFarland. As you know, there was a lawsuit filed against USIS, and according to the Justice Department filing, and I quote, beginning in at least March of 2008 and continuing through September 2012, USIS management devised a scheme to circumvent
5:33 pm
contractual quality reviews of completed background investigations to increase the company's revenues and profits. And you assisted in the investigation in this case. Is that correct? >> That is correct. >> And as I understand it, the parent company, Altegrity, paid bonuses that amounted to nearly $30 million. To your knowledge, has USIS or Altegrity paid the government back for those bonuses? >> I'm not positive, but I believe not. >> And let me enter into the record an article by the Wall Street Journal entitled "Executives Got Payout." If I could enter that into the record. >> So be entered. >> And I so enter another one, entered on Friday in bankruptcy
5:34 pm
court from USIS's parent company, entered this Monday. >> Without objection, so ordered. >> And let me ask Ms. Barron-DiCamillo, to prevent these breaches it would have cost less than $30 million. Is that correct? >> Not knowing specifically the breadth and depth of all of the companies -- we were focused on the USIS network -- the estimates were higher than the $30 million, and that could be as high as $50 million. >> Got it. Thank you. I appreciate that. And I want to ask Mr. Giannetta about the bonuses awarded during the alleged fraud. Who on the board reviewed the deplorable performance of a CEO and decided to award him with a bonus during the 4.5 years USIS was defrauding the government?
5:35 pm
>> My role began in August of 2013 as the chief information officer. I don't have any knowledge, direct or indirect, of who approved or disapproved. >> So you don't know if it was the parent company or the hedge fund manager. >> I don't. >> And so we'll send you written questions after today's hearing, and I want your written commitment to answer within 30 days. Will you commit to at least that? >> Yes. >> And we shall call Jeffrey Campbell, the president of Altegrity, as well. And you issued two reports, one in November of 2013 and one in November of 2014, correct, on OPM, Mr. McFarland? You issued two reports, dated November 2013 and November 2014. >> I'm sorry, I didn't hear the first part. >> You issued two reports dated
5:36 pm
November 2013 and November 2014 on OPM. >> You are speaking on FISMA. Yes. >> So these two IG reports. Would you agree with me the 2014 report is quite similar to the 2013 report because OPM failed to implement many of your recommendations? >> I think there were many carryovers, yes. >> And would you agree this isn't a difference of opinion? You had them violating standards the administration had put in. In 2014 your report on page 24 said OPM is not in compliance with the Office of Management and Budget 2011 that required -- OPM was not compliant, and saying they should do a risk assessment. You agree they were not following these standards, correct? >> Yes. >> Okay.
5:37 pm
Dr. Archuleta, do you take responsibility for not following OMB guidance and guidance from the National Institute of Standards which, had you followed, could have prevented these breaches? >> Well, sir -- >> Yes or no, do you accept responsibility for those two failures? >> It can't be a yes or no answer. >> It is a yes or no answer. >> Do you accept not following the guidance and the OMB -- [ overlapping speakers ] >> I am not. >> I want to know if you do. >> I have to take into consideration, when an audit is conducted by an auditor, I have to make an informed decision about his recommendations. It is not an issue of whether I disagree with him. >> This is not the auditor. It is OMB. It is this administration's guidance. >> And we have worked closely with OMB to make sure we are tracking, documenting, and justifying all of our steps. >> My time is up. I take it you don't take
5:38 pm
responsibility. I yield back. >> Thank the gentleman. Now recognize the gentleman from North Carolina, Mr. Meadows, for five minutes. >> Thank you, Mr. Chairman. Ms. Seymour, let me come to you, because there seems to be some conflicting information before this committee. On April the 22nd you had indicated that it was the adversaries' modern technology and the OPM's antiquated system that helped thwart, in your words, thwart hackers at the first OPM attack. Is that correct? >> Yes, sir. >> Okay. Last week you testified repeatedly that it was the OPM's antiquated systems that were the problem and the chief reason that the system was not secure, and you didn't do just the basic cyber security measures of
5:39 pm
encryption and network protection, and so I guess my question to you, Ms. Seymour, which is it? Is it the fact that the old system helped you or the old system hurt you? Those are two conflicting pieces of testimony. >> I don't believe that they are conflicting, sir. In the first incident, the old technology thwarted the actor because they didn't know what they were doing in that environment. We immediately put in place a plan to provide. >> So you caught them immediately, is what you are saying? >> No, sir, I said we immediately put in place a plan to improve the security posture. What we did was we moved to build a new architecture to put in additional security controls. We also, at the very same time, put security controls in our current environment. We did not wait. >> Well, you say you didn't wait once you found the problem.
5:40 pm
>> Sir, are we going back to the day that I came on board -- >> Let me ask the question. Is there, in the security, IT, cyber security technology chief operators, is there anyone who would apply for a job who would suggest not to do encryption of sensitive data? >> Encryption is not a panacea. >> I didn't ask that. Is there anybody in your job or a similar job who would come in and say we're going to protect everything, let's leave it unencrypted? Can you think of anyone? Because I've been asking all over the United States. I can't find anybody. >> So I'm trying to explain the situation to you. Our databases are very, very large. Our applications are not always able to work properly and encrypt and decrypt that data. >> So you are saying this was a
5:41 pm
volume problem not a management problem because you are under oath and that is concerning. >> yes, sir. >> because you are saying that you just didn't have the resources to handle the large volume of information? >> it is not a resource issue it is whether the applications are built so that they can -- >> so they are not encrypted today. >> we have purchased the tool set, sir, and we are in the process of encrypting pieces of the database as opposed to the entire database. we are focusing on the sensitive information. >> i agree we need to focus on the sensitive information. so what do we tell the millions and millions of federal workers that now because their system has been breached now you are going to encrypt it. do you feel like you've done your job? >> i do, sir. i came on board and i recognized these issues and i worked with director archuleta to put together a plan. >> you both came in in 2013. >> at the end of 2013, yes, sir.
5:42 pm
>> how long did it take you to buy equipment to start encrypting? simple answer. >> june of 2014. >> all right. so you bought equipment in june of 2014. so when did you start encrypting? >> we have a couple of databases that are encrypted already. >> out of how many. >> we have numerous. >> sir it takes time and resources. >> and miss archuleta, let me come to you. when you applied to the job and you were going through your senate confirmation you said you would make i.t. technology your number one priority. again, in this committee you said that it was your number one priority, can you explain to the federal workers and all of those that have had their personal information breached how making it your number one priority when
5:43 pm
you were confirmed in 2013 is still to be believed or was it just what you said during a confirmation hearing and you really never intended to act on it. >> i believe that the record will show i have acted on it. that i am dealing with a legacy system that has been in place for 30 years. and we are working as hard as we can. in 18 months we have made significant progress. but so have our aggressors. cyber security is an enterprise responsibility and i'm working with all of my partners across government and i've shown that we have prioritized this even as early as 2014 and 2015 in the budgets and in the resources we've directed toward that. i do not take this responsibility lightly. and as i pledged in my confirmation hearing and as i pledged to you last week and as i pledge to you today, i take it extremely seriously and i'm as
5:44 pm
upset as you are about every employee that is impacted by this. that is why we're dedicating -- we're dedicating resources throughout government. not just at opm but at every level of government to be sure this does not occur again. we're working very hard. i am serious about it. >> i appreciate that and i appreciate the patience of the chair. >> thank you mr. meadows. i would like to recognize my colleague from the great state of new jersey miss watson coleman. >> thank you, mr. chairman. thank you for your being here today and i would like to ask a few questions and the shortest answers possible. so with regard to the breach that regards the 4.2 million employees, those are employees and retirees and that is a closed system. we know how many that is. with regard to the individuals whose information was in a system because background checks were being done with them, a., we don't know how many.
5:45 pm
b., every one of those individuals didn't ultimately get a job so we have some people's information who aren't even employed by the federal government, is that true miss kmooul. >> yes, that is true. if there was background information requested. >> so if the second breach of the universe that is so large. that information was breached through a breach in the security of key point. is that true, miss archuleta? >> yes. there was a credential that was used and that is the way they got in. through way of key point. >> so who is trying to identify all of the universe that has been compromised through the latter breach. is it key point or opm? >> no. we have a total enterprise wide security forensic team doing the
5:46 pm
forensics on this. >> so mr. mcfarland has made a number of observations and recommendations and i believe that i was left with the feeling that he didn't believe that opm was moving in the right direction on the right path to get to where it needs to go and so i was also informed that his recommendations or his findings are a result of auditors and specialists in this area. so i have two questions for you miss archuleta. number one is, are you using experts in the same kinds of skillsets that mr. mcfarland is using in looking at the same things that he's looking at number one. and number two, do you agree with his recommendations and if not, on what areas do you disagree? >> the audit i can take by way of example.
5:47 pm
i want to say that i respect the inspector general's opinion in overseeing this topic and there are areas of agreement and there are areas that i think we need to have further conversation about. in terms of the existing contractors and the use of full and open competition, i would like to assure the i.g. that the processes we used toward the existing contractors have been perfectly legal and we will continue to ensure our contracts and processes entered into will also be legal. i understand he's concerned about the source contract of tactical and shell that he spoke about. i understand his concerns and i would like to remind him that the contractors for migration and clean-up have not yet been awarded and we'll consult with him as we do that. where we have areas that we need to consider together and, and by the way, the i.g. and i meet on a monthly basis and our staff
5:48 pm
meet on a weekly basis or biweekly and i look forward to discussing the major i.t. case so we can figure out what the practical time lines should be. >> thank you. i get the drift then. tell me what you think is the time frame for the i.g.'s office and your office and mr. mcfarland you might weigh in are necessary to get to where we need to get. not all of these things will be implemented but we agree on what needs to be done? are we talking about three months from now, 30 days from now, six months from now? do we have any idea? >> i would ask donna to talk about the tactical and the shelf processes we're doing, we are trying to do that as rapidly as possible so we can move out of the legacy network. the issue about the migration and the clean-up we will continue to discuss but we're
5:49 pm
trying to rapidly move toward that shell. >> do we still have contracts with q -- key point. >> yes. >> and how many contracts with how many departments do you have? >> our primary contractors are through homeland security and opm. >> okay. and so are you -- are your contracts, active contracts coming to an end, are you at the end of the contracts. >> they're all active contractors. >> mr. mcfarland, should we be ceasing our relationship with key point? >> based on what i know at this point, i have no reason to believe that we should. >> that we should. >> no i have no reason to believe that we should cease. >> should cease. >> should not cease.
5:50 pm
>> miss archuleta do you agree with that? >> i do agree. key point has taken the steps necessary to mitigate any key questions and they have been very active in working on that. >> my question is should we cease contracting with them. mr. mcfarland said yes. >> i said no. >> thank you very much. mr. mcfarland last question to you. what are the three important things we need to do just to get us back on the right track and how long do you think it should take? and that will be the end of my question, mr. chairman, thank you very much. >> i'll give you four, if i could. first, we'd like to see the implementation of multi-factor authentication using piv cards. then develop a comprehensive
5:51 pm
inventory of information systems, servers and databases. and further protect existing data with encryption and data loss prevention technique tools. and then proceed with the infrastructure overhaul with a disciplined project management approach. and i have no idea how long that will take for discussion. >> thank you. i'd now like to recognize mr. desantis from florida for five minutes. >> thank you, mr. chairman. this is a really, really frustrating hearing and obviously a colossal failure. we have a government that will tell us how much water we can have flushing in our toilets how much corn we have to put in the gasoline we use to drive our cars and boats and the government will tell us the type of health insurance we can and cannot buy.
5:52 pm
yet on the core functions of government, the things we need the government to do it seems to me it fails habitually. this is a major example of that. the numbers of people affected when miss archuleta talked about we don't know on the clearance side. yeah, we don't know. you know why? it's not just the person who filled out the form who is at risk of that. you have friends family members, associates, foreign nationals who you may know who china would like to know who those foreign nationals are. you're talking about an exponentially larger number than simply the number of people who filled out those forms. and yet it seems to me that we just have bureaucratic paralysis. nobody is really accountable. miss archuleta members have called for you to resign. you've rebuffed that. you still committed to serve in
5:53 pm
your position. >> i'm more committed than ever to serve this administration. i am working really hard. >> do you accept responsibility? >> i accept the responsibilities that are given to the director of opm, and i have fulfilled those responsibilities by making sure that we have the right people in the right places and seeking the resources we need to do the work. that they can do the work they are expected to do. again, we have a legacy system that is 30 years old. >> i appreciate that. i've been here for statements and i've heard you make that point. but if not you, then who, if anybody, in opm should be held accountable for this colossal failure. >> i'm responsible for opm for a number of different responsibilities. i take very seriously as i
5:54 pm
said, in my confirmation hearings and many after including today. >> i'll tell you what they will tell me. they will say, ron, we have people mess up in the government all the time and nothing ever happens. that's not the world that our constituents live in where there's usually consequences. you're not committing that anybody will be fired or held accountable because of this. correct? >> i am committing to you that we're going to do the best job we can. >> i appreciate that. that, quite frankly is not something the american people have confidence in right now given what's happened. let me ask people have been warning about the risk of a cyber pearl harbor. obviously ig warned opm about vulnerabilities in their system for years. does this constitute a cyber pearl harbor? >> that question was asked to me
5:55 pm
earlier. i don't know if you were here. we use a severity scale the severity based on data impact, getting back to a good healthy state. we would consider this medium to high level kind of event based on the kind of data possibly exposed and the ability for the mitigations we put in place as part of the plan we provided post assessment. >> but those are mitigations for the system itself correct? the mitigations you performed don't include mitigations for any of the capabilities that some of the people whose identities may have been for our country, correct? >> i'm cyber security operations and we're focused on helping agencies, critical infrastructure ensure the protection of their networks. when we do an event like this, we do mitigations to help them back to a healthy state as well as prevent these kind of things. which they are targeted again
5:56 pm
which a lot of times they are help detect activity quicker so they can contain it and clean that up. >> so if china gets blackmail information that they could use against people serving in our government in important positions, if china is able to identify foreign nationals, chinese foreign nationals who are friendly with the united states and with people there's no way you can calculate the damage that that causes, correct? >> i'm a cyber security operator. that's clearly a question for intelligence. >> i think it's a very important question. i think the damage to this is very, very severe and i yield back the balance of my time. >> thank you sir. i want to recognize my colleague from virginia, mr. connelly. >> i thank my good friend for allowing me to go at this moment, because i have to chair a meeting at 12:30. let me just say, you know i was
5:57 pm
listening to my colleague from florida. it's easy to make a scapegoat out of somebody or something that isn't to absolve people of responsibility. but what we're facing is a much bigger threat than a management snafu. we are facing a systematic, organized, financed, pernicious campaign by the chinese government in the form of the people's liberation army with a trained unit to penetrate weak spots in our cyber world. that includes the federal government and may include retail and commercial enterprises, certainly banks among them. to pretend somehow this is miss archuleta's fault is to really miss the big picture, and frankly a disservice to our country. we have a bigger threat.
5:58 pm
whether we want to acknowledge it or not, we now are engaged in a low level but intense new kind of cold war, a cyber war with certain adversaries including china and russia. and it is every bit as much a threat to the security and stability of this country, and we need to gird ourselves for this battle. and it's not okay to dismiss testimony that resources were denied. this committee led the effort and i proudly cosponsored the bill to try to modernize how we purchase and manage i.t. in the federal government. is that important? why are these people here today before us? because it is important. congress has neglected it. we can't have it both ways.
5:59 pm
so while we certainly hold miss archuleta responsible head of opm how they are managing this breach and we have every right to question how it occurred. to make a scapegoat in this "alice in wonderland" world we've created here sometimes, where the answer is off with your head. how easy. what a cheap headline that gets. and it does get a headline every time. but it begs the question, which is far more fundamental, far more profound and far more disturbing as a threat. that's ultimately what we need to deal with it seems to me. mr. mcfarland last week your office issued an alert, to raise serious concerns over opm's overhaul of its infrastructure.
6:00 pm
according to the flash, stated project approach major sflas is entirely inadequate and introduces a high risk of project failure. if i understand correctly what you're saying the project won't do what we need it to do. is that correct, mr. mcfarland? >> no i'm not saying that the project wouldn't ultimately do what is hoped for, i'm saying that the potential for problems exist and is very high. >> i want to use the word in the report. entirely inadequate. introduces a very high risk of project failure. that doesn't say to me there's the possibility of failure. it kind of predicts it's more likely than not. >> high risk for sure. >> you also indicated it will cost too much. you want to expand on that a little bit? >> well, the $93 million set
6:01 pm
aside at this point won't come close. migration itself is going to be an extremely costly measure. >> right. one would note that the cia used an outside vendor, and i think they spent $600 million but their system seems to be working, but it cost $600 million over 10 years if i'm not correct. ring a bell? sound right? >> i'm not familiar. >> worth looking at because they partner with the private sector rather than try to find all the answers inside. miss archuleta, what's your response to that ig flash audit alert? >> the ig brought up some process issues that were very important. i think some we don't agree with but there are other areas we do agree with. i think the important thing is to underscore the relationship that we have with our ig and we will continue to value his opinion and bring forth his
6:02 pm
ideas into the considerations that we make. i do believe that we have to move carefully but we have to work swiftly. as you've said, these aggressors are spending a lot of money to get into systems. we need his assistance. we will listen to his guidance. we will look into his recommendations and certainly consider those as we move forward. >> mr. chairman i introduced federal agency data breach act of 2014. we blended that on a bipartisan basis into the safe and secure federal websites act, the senate did not act. had we acted, we would have had protocols in place for dealing with this kind of breach after the fact so we could reassure victims who are federal
6:03 pm
employees and federal retirees. i would hope this committee once again will help prod the system as it did last year, only this time getting the senate to act because that's important. thank you, mr. chairman. my time is up. thank you to my dear friend from pennsylvania. >> thank you. >> now recognize the gentleman from texas, subcommittee on i.t., mr. hurd for five minutes. >> thank you, mr. chairman. my mama always told me you can always find the good in all situations, so let me try to start off with that. dhs caught them, caught the problem. i think that's a good thing. they were engaged found it. wish it was a little bit sooner but we caught the problem so that's good. also got a letter from chief officer of opm. mr. hurd, writing to inform you u.s. department of management recently became aware of cyber security incident affecting some data and you may have been
6:04 pm
exposed. you're receiving this notification because we have found data compromised in this incident may have included your personal information such as your name, social security number date and place of birth and current or former address. i know ranking member cummings and mr. mica were talking about how could an adversary use this information. i spent nine years as undercover in the cia. i think i have a little idea and perspective on this. if it was the chinese, any federal official traveling to china, former official, someone there is the subject of being targeted about what is going on in the federal government. if it was the russians, all this information is going to be sold and used against them to drain people's bank k, use it to create new access codes, private information. if it was narco traffic in mexico, which have the capability of doing cyber attacks, it's the home addresses
6:05 pm
of men and women of border patrol, men and women keeping safe. the impact is fantastic. one thing my dad always said was it never hurts to say you're sorry. in the letter, nothing in this letter should be construed as opm or federal government accepting liability for any matters covered in this letter or any other purpose. later it says we regret this incident. i'm sorry actually goes a long way. i agree with what my colleague from virginia said about this long attacks about advanced system threats. my issue is not how we responded to the threat. i think the immediate technical steps that were taken were good things, right? and i believe all the folks involved in the mitigation of the immediate threat were doing
6:06 pm
some things that i think can be used in other places. what i have a problem with is everything before this. if you were in the private sector, head of a publicly traded company, and they were doing your yearly audit and you had at least five years of audit information saying your digital infrastructure had some high-risk to it and needed to be immediately fixed the board of directors would be held accountable for criminal activity. multiple years. i did this for a living, penetrate networks of companies and identify the problems that they had. a lot of times if there was a high-risk issue we would call the customer immediately and say this has to be fixed now. the company and customer would do that immediately. so then we would issue our report saying it was a high-risk report but it was fixed. a company doing an audit would probably not put this information into an audit report
6:07 pm
going to the board because it was, you've got to fix it. my problem is high-risk issues identified by ig haven't been addressed. key point. i guess my first question is to miss ann di camillo. >> did they? >> we were there in colorado with interagency partners and did an assessment of the network. we went there in abundance of caution based on the event that happened at opm. it was decided by leadership we needed to take a look at contractors performing background so it wasn't an indication that led our teams to go on site, with opm, done out of an abundance of caution because of the target we saw associated with background information. so our team did an assessment, some results came back that caused some concern, so we sent
6:08 pm
an incident response team on site and reviewed their network. we were there a couple of weeks last summer. >> when we hire contractors, are they subject to the same standards of network hygiene that u.s. government networks are? >> our contractor subject to the same it would be part of the same language with requirements that are for any kind of network that houses government data, there are certain requirements per the law in 2002. >> mr. chairman, my last question, in his opening remarks, ranking member cummings read some of director archuleta's comments on the senate committee. the adversary leveraged a compromised key point user credential to gain access to opm's network. then the written information that key point submitted we have seen no evidence of incursion at key point and the opm breach that is the subject of this hearing.
6:09 pm
mr. hess. >> it's true the key point incursion -- >> are you saying miss archuleta is lying? >> no, i'm saying she's correct from knowledge i have been given. there was an individual who had an opm account that happened to be a key point employee. the credentials of that individual were compromised to gain access to opm. >> thank you. i yield back. >> thank the gentleman. now recognize the gentlewoman from the virgin islands. >> thank you very much. i was listening to ranking member cummings talking about vulnerability of government contractors and the questions of my colleague, mr. hurd regarding
6:10 pm
whether companies that have government contracts must keep the same level of security and care that the opm or other agencies would have to in terms of preparing for cyber attacks. mr. gianaughty. i have a letter from 2014. the letter says the federal agencies had the failure of the company. i wanted to ask you some assertions in that letter. the critical cyber attack only flowed in one direction, from usis to the federal government. >> the question earlier about the shared responsibility to notify from a contractor to the government and government to the contractor that is correct.
6:11 pm
>> you're saying in terms of -- >> i'm suggesting that we were required and obligated by our contract to notify opm that we had an incursion, which we did immediately. in the discussion held earlier opm recognized they did not notify usis or i believe, key point of their intrusion of march 2014. >> so in terms of this cyber defense information, was it one way or did it go both ways. >> in my humble estimation both ways. >> what would have been estimation of opm and others towards you. >> i'm not a lawyer or contract expert. i don't have the contract in front of me. but my understanding is that there's a requirement to notify, to say we've got an issue, here is what the issue is. so there's a free flow and
6:12 pm
sharing of information. >> so if you have an issue you're supposed to let them know, correct? >> that's correct. >> and that's what you felt you did? >> absolutely. >> and then you sir -- what did they do with the information you gave them? >> the cert team? >> yes. >> we invited the team formally via a letter. the cert team arrived shortly after receiving that letter and enumerated our network and understood through discussions with our technicians as well as a third party that we hired what had transpired from the 5th of june through the time they arrived. >> so why does your letter also state that us-cert has not provided usis information it may have uncovered under its limited review. >> let me be clear i did not
6:13 pm
write the letter you're referring to -- >> you're here testifying for your company. i'm an attorney. i would not write a letter without the entire company agreeing with that. >> i'm testifying i didn't write the letter. >> you're here to testify before the veracity of the letter. >> the findings they had vis-a-vis the intrusion. >> let's ask cert since they are here. >> i didn't finish. we did receive recommendations relative to what we might do. >> that's not a review? >> our invitation to cert requested their assistance in identifying threats to our network and we did not receive that. >> let's ask miss barron. >> our time on site, including our law enforcement partners. we worked part of the incident
6:14 pm
response team, what we do work with system administrators and daily we're informing them every day at the end of the day -- >> how many days did you inform them on a daily basis? >> we were there for about two weeks. i'd have to go back and get the specific timeframe. >> that's 10 reports. >> we worked through the weekend, ma'am. >> through the weekend. >> yes. >> that's 14 reports they were given asserting -- >> the daily findings and they can change. >> did you find something and did you give them ideas about what needed to be done? >> we were able to discover that there was malicious malware on the network compromised credentials. >> how did that happen? how did those compromise credentials? what were the two areas found within their own system that should have been taken care of previously? >> we found a lack of some security mechanisms that would have helped prevent this kind of intrusion. but because of the lack of logging we weren't able to find the initial point of entry. >> can you talk about that, lack
6:15 pm
of logging. >> there's a number of types of logs we look up forensically that can look up network. >> why weren't they there. >> a number of reasons. risk decision base decision. >> a risk and cost decision made by the company itself? >> it can be because it can require quite a bit of storage associated with the kinds -- >> so the government contractor that we hired to do government work for us decided a risk and assess and cost decision on their part did not require them they didn't put in the logins that were necessary. >> i can't answer specifically. i can give you reasons i've seen people are not continuing to have historical logs because of the volume of data. there's millions of net flow records that happen a day and that does require storage. >> so the letter that was sent by usis to ranking member cummings? >> no daily report as well as
6:16 pm
final findings report. we went over that with the team and provided a mitigation report. i have documented evidence of all of that. >> thank the gentlewoman. did you want to respond to that? >> if i may. it's my understanding from our forensic investigator stroz friedberg it was found by the cert team vis-a-vis miss barron was not information they hadn't already discovered. >> so the log-ins to go do a deeper forensic was something they already knew? >> forensic evidence of third party partner. i believe what he's saying sounds a bit of -- it was a confirmation. we were able also to confirm the compromise credentials associated with third party forensic firm they had in there and able to discover additional
6:17 pm
findings. >> we'll have to further explore that. for now recognize gentleman from alabama, mr. palmer for five minutes. >> thank you, mr. chairman. miss archuleta last week i brought up a letter to my legislative staffers received warning them their personally identifiable information may have been compromised in the cyber security act. i bring this up again because earlier you disputed the number of people that are affected by this. when miss seymour admitted after i questioned her about the letter she signed that this goes beyond the people who filled out the form 86. i just want to know, considering the fact that a vast amount of personally identifiable information was vulnerable due to login credentials, was it likely exposed by foreign contractors, outsourced by opm
6:18 pm
and opm's failure to communicate and abide by ig's recommendations? >> i'm sorry. can you repeat that question. >> i'm just asking you, can you -- let me rephrase it. do you stand by your assertion this is limited to a smaller group than is being indicated in the media and might be indicated by the fact this extends beyond the people who filled out the form 86? >> thank you for clarifying the question, sir. i think it's really important not to conflate the two incidents. the first incident was the employee personnel records, 4.2 million. >> i'm just asking. >> and the second incident, we haven't determined the number yet of the scope of that incident and the number of employees that would have been affected by that. >> so the answer is yes, that it's more.
6:19 pm
i think it's very evident that this attack on the federal employees personally identifiable information not only puts those workers at risk but also puts secondary groups at risk. for instance if they have their personal e-mail addresses as it's pretty evident as i pointed out last week that some of the breaches occurred through personal e-mail addresses. all these employees, and their secondary relationships, is it possible certain information was exposed there as well? >> yes. the team that is working on the analysis of the scope is exactly why we're taking our time to make sure that it's accurate. the sf 86s we talked about earlier. the data in there includes not only the employee but may include other information, npii for other individuals. that's why we're being very, very careful about that and
6:20 pm
looking at the data, because it could be that there was no -- >> beyond the sf-86s, i'm talking about where the breach occurred as well through personal e-mail addresses particularly at immigration enforcement agency reported to the "wall street journal." i brought this up to you last week. i'll be happy to provide this information to you for you to see it. where they got in on personal e-mail addresses that would expose everybody and their e-mail. >> i understand your question. >> let me go onto something else. you received a letter last week from senator mark warner with make specific questions about a contract you awarded to csid. have you responded to senator warner's letter yet? >> i'd have to check with my staff, sir. i know we were attempting to respond as quickly as possible yes. >> have you personally read his letter? >> i have read his letter.
6:21 pm
i don't know our response has made it through the system yet. >> all right. he raises a question in here about whether or not -- about how quickly this contract was awarded to csid. it didn't go through the normal process. it was awarded in 36 hours i think is what senator warner said. was it intentionally steered to csid? >> no. >> who made the decision. >> i would ask to talk about the process we used. it was a fair and competitive process. >> fair and competitive process. >> our contracting officer made the selection on the contract. >> did you evaluate the management of csid. >> i did evaluate technical and cost proposals. >> did you evaluate the people who run the company? >> i had resumes for the people
6:22 pm
or for the key personnel that they provided in the proposal. >> are you familiar with their board of directors? >> no, sir, i'm not. >> do you know owen lee, one of their directors? >> no, sir, i don't. >> okay. >> mr. chairman my time has expired. i yield the balance. >> from start to finish how long was it from when you got the proposal to when you awarded the contract? >> i would have to go back to exactly when we released the rfq, but i believe -- i don't want to misspeak. let me go back and find out when exactly we released the rfq and exactly when we awarded the contract. i don't have that data with me. >> but it was less than 48
6:23 pm
hours, right? >> i think it was about in that timeframe, sir. >> the award is how much money? >> the contract is about $21 million for the services that we're providing for credit monitoring, notification and identity theft insurance. >> yield. >> why was it so fast? >> we wanted to -- >> what was there -- do just as good a job and figure out how we got that. >> we received a number of proposals. we evaluated them based on the government's needs. several requirements that we had put in the rfq that the companies responded to. we evaluated all of those proposals we received against this criteria and provided the best value to the government based on those requirements.
6:24 pm
>> will you also copy, when you give senator warner the answers to his questions, will you send a copy of that as well? >> yes. yes. >> thank you. i think he raises more important questions as to mr. palmer here and we will continue to pursue that. now recognize the gentleman from pennsylvania, mr. cartwright. he's been waiting five minutes. >> thank you mr. chairman. i find myself utterly dissatisfied with the explanations we've heard today. i want to train my attention on you, mr. hess. you have made some fine distinctions about what that employee of your company was doing, the one that got hacked and was working on opm's systems at the time. because of that hack, that employee became a victim and lost personal information and that led to the successful hacking of opm's systems. have i broadly described that
6:25 pm
correctly, sir? >> we actually do not know how the employee's credentials were compromised. >> a key point employee. >> that's correct. >> you are the ceo of key point. >> that is correct. >> you are denying accountability for that hack, for the opm hack. what you said was the employee was working on opm's systems at the time, not key point. that's what your testimony is. >> that is correct. >> so we have an individual's opm credentials that were taken. that individual happened to be a key point employee. did that key point employee have opm credentials as part of his or her scope of employment with key point? >> correct. >> it wasn't a coincidence this employee had key point credentials, it was part of his or her scope of employment with your company. >> that is correct. >> all right. and it was key point paying this
6:26 pm
person as part of the system. >> that is correct. >> you understand in traditional concepts of the law, key point is responsible for the act of its employees acting within the scope and course of their employment with your company. you understand that, don't you? >> i'm not familiar with that construct. >> all right. >> mr. hess you're here today because cyber espionage operation succeeded in breaching very personal information that your company was entrusted with on january 6, 2015. my ranking member mr. cummings sent you a letter requesting information about the data breach. his letter requested a number of documents. did you get the letter? >> immediately upon receiving the letter key point counsel reached out to ranking member staff to arrange for a briefing and we tried to have a date and time set up. we are still waiting for a confirmation on that. >> you got the letter right?
6:27 pm
>> yes, sir. >> and more than five months later, you haven't responded with documents, am i correct in that? >> we've reached out immediately to the ranking member staff to brief the staff. >> let's go through requested a log of all successful cyber intrusion into your company's network in the last four years. that's a reasonable request, isn't it mr. hess? >> i don't find it unreasonable. >> will you provide this to the committee? >> i will take that back to my team and let you know. >> you're the boss there, aren't you? >> i am the ceo. >> all right. but you're going to get permission from your team who worked for you. is that it? >> i'm going to take it back and discuss it with my team. >> let's go to next request copies of forensic reports concerning data breach including findings about vulnerabilities
6:28 pm
to malware. when will you provide these documents to the committee? >> i'll take that request back to my team and let you know. >> ranking member cummings requested a list of all federal customers affected by the data breach. will you provide those to the committee? >> take that back to my team and let you know. >> mr. hess. your company exists because of the largesse of the united states federal government. we expect you to respond to requests from this committee. mr. cummings does not write letters because he enjoys writing letters. he's concerned about the security and safety not only of federal employees but of the united states public. this is important. would you please treat it as such? >> i do. congressman cartwright, we responded immediately to congressman cummings' request by calling the staff, having our counsel. >> by responding and calling but
6:29 pm
not providing the documents, we want the documents, mr. hess. i yield back. >> i just want to clear this up. you talked about things with my staff. my understanding you did get back with us. for months you did not get back to us because you all did not want to agree to the scope of the meeting. then just recently because of this hearing you finally said scrap limitations on the meeting, scope, and we'll meet. i don't know whether you have the information or what but i want you to be accurate. >> that's not the information i have. >> your information isn't accurate. >> i'll research that. mr. hess, is it reasonable by the end of this week to provide us the information on the communication over the lack of the meeting in the last several months?
6:30 pm
is that fair by the end of the week? >> i will take that back to my team. >> you're the ceo. >> brief those. >> brief the minority staff. >> that didn't happen. i just want to see the documentation. is that fair? no, i want an answer from you. i want to know when you will provide that information to this committee. >> no. i want -- you give me the date. when is it reasonable? you're the ceo? >> no. >> i'll take that to my -- >> we'll sit here all day. you want me to issue a subpoena? i'll sign it. i'll sign it today. give me a date that's reasonable. >> i need to take that information back to my staff.
6:31 pm
>> sir, seriously, when are you going to provide that information? >> i'm trying to be helpful, chairman. i did a briefing last week and we did reach out to congressman cummings' staff immediately on receipt of the letter. we did not receive -- >> am i asking for anything unreasonable to provide the correspondence and interaction? they are going to have their half, i just want to see your half. i'm trying to give you a reasonable opportunity here. >> i understand, sir. >> when is a reasonable date? >> let me get back to you with this information. >> no, i want you to decide before the end of this hearing. we're going on with the questioning, you can counsel with the people behind you, it's a reasonable question. it's not unreasonable. so if you think it is, tell me. i just want to see the correspondence. counsel all you want while we ask the next set of questions but i suggest you lend an ear
6:32 pm
over the next five minutes. >> two comments before i ask questions. first of all, this is kind of a follow-up on what i think congressman hurd was trying to get at. it surprises me you folks are not more contrite over what happened. it seems like you don't understand the enormity of the disaster that's happened here. secondly, sadly this is all too often common for government. it's something i think everybody in this institution should remember as we pass bills having the government have these huge data banks of education, medical information, what have you, because the people in charge of these banks of information don't display more sense of urgency than you folks. the possibility of this happening at other agencies is something we should be considering. but now i have some questions for miss seymour.
6:33 pm
you're going to be in charge of the whole overhaul of this whole i.t. thing, correct? >> yes, sir. >> do you feel you've got the skill set to oversee something of this magnitude? >> i don't ever think i have the skill set to oversee something this large, that's why i employ people with the skill set in those areas. i don't have all the technical skills i would need to do something like this. it takes a team. >> okay. do you, in your past positions, have you overseen -- what are the largest projects you've overseen, i.t. projects in your experience? >> i've overseen some very large projects, sir, both in my past employment with the department of defense as well as the department of transportation. systems that were certainly
6:34 pm
enterprise wide and served large populations of people like opm. >> sizewise similar to -- >> yes, sir. sizewise similar. >> and how quickly were they able to complete these projects? >> some of them took -- some of them were much faster than others. you know, it depended on when i came into them. some of them were delivered within a year. some of them took multiple years to deliver. i think sometimes the way that we're changing the way we deliver i.t. solutions now we're trying to be much more agile. we're trying to find what we call minimal viable product. we're trying to find segments of capability we can deliver in shorter term. we're trying to deliver capability within six months, six month segments, and build on that to get to a whole system. >> how quickly do you think
6:35 pm
you'll be able to complete this project? do you have a goal or expectation? >> when we started the project, sir, we kind of divided it into two pieces so we could understand it. first we called our tactical phase, which was shoring up the network we had today. we'll put a great number of security tools into our current network. that's what allowed us to find this adversarial activity this year. the second piece of this was building the shell. we estimated that it would take us approximately a year to be able to deliver that. that project is on schedule and it is on budget, and we'll be delivering the shell environment this fall. the next phase is migration. we recognized from the very beginning that we did not have a full enough scope, certainly not from my tenure on board back to june of 2014 did i have enough scope or understanding of exactly the opm, the full opm
6:36 pm
environment to be able to assess what it would take to do this migration. that's why we only contracted for the first two pieces. we said as we worked through this project to understand it, we'll be able to better estimate and understand what needs to move into that shell. but we knew from the beginning that there were some systems, very old, 30 years old, we were going to have to migrate into that shell so we focused on those first. >> one other question. last year before this committee you referred to the fact you deal closely with the ig. last time you had a major i.t. project you did not notify him of that. do you have a reason for that? >> i'm not aware of a
6:37 pm
requirement to notify the ig of every project we take on. certainly we included it in our budget request for 2016. we talked through this project and documented it in that arena. we also discussed on a couple of occasions with the ig this project, because they have an interconnection with our network. some of our systems, we host some of their systems. they have to come along with us on this project if we're going to continue to provide those services. >> an undertaking of this size may be not something you normally tell the ig about, but you would not have felt a necessity to notify them what's going on here? >> sir, it's just based on my experience that if i -- no, sir. i would not normally advise the
6:38 pm
ig of a project that we're doing. that doesn't mean i'm holding the information from them, but i also do know we discussed with the ig on a number of occasions the fact that we were taking on this project and they needed to modernize their systems and upgrade their systems to be able to meet the security requirements for this project. >> i thank the gentlewoman. next from new mexico. >> thank you mr. chairman. i just got back down to this hearing after a meeting in my office with the leadership of one of the five national labs sandia laboratories which is in my district, albuquerque, new mexico. the theme of many of those meetings are the constant threats of every second of every minute of every day they are clear that someone something is entertaining a cyber security
6:39 pm
attack and it's a constant threat. they are clear that that's the environment they work in. they are also clear they need our support and recognition to be proactive and to do something about these problems both internally and externally. i appreciate their constant surveillance and awareness of this critical problem. i, too, before i ask my question, am extremely disappointed in the reaction from this panel at this hearing that we know that these are issues that we have to deal with, that we are, in fact, accountable, and in fact, you are liable. what i hear is that none of those really are occurring. if you don't provide us the answers at this hearing and the answers we're requesting in the documents, you cannot help us assure we're protecting or adequately identifying the scope, which means you become
6:40 pm
part of the problem again. i find it incredibly offensive that that's what is occurring in this hearing. what we all ought to be doing is assuring we're protecting not only thousands of federal employees in my district and the hundreds of thousands of employees around the country, and the millions of employees who are affected we are all scrambling to figure out who is most accountable and who is most responsible and who is most liable. i'm expecting much better cooperation. there's a lot of work to do in accountability, identifying the scope, doing something about the legacy systems, making sure we're prepared for the next potential breach. as we do that, i do want to focus on how we're treating these employees. director archuleta, i hold in my hand one of the letters many of my employees and constituents
6:41 pm
are getting. i'm concerned about some of the aspects of the letter and want you to talk me through some of the concepts identified in the letter and how you came to these conclusions and what we might do to broaden those. for example, in the letter you say your information to an employee could have been compromised, that potentially affected -- i don't know when you'll find out about that -- receive protection for identity theft for 18 months. what happens if you have an issue after 18 months? is that individual going to be covered? >> the individual on the identity theft, yes. >> so even though the letter says you've got an 18 month, when are we going to know in writing, because these are lifetime issues. unfortunately they don't go away. once that's been compromised, that's the problem. you're compromised. i don't think these consequences are just 18 months.
6:42 pm
i was interested in how you came up with that framework. it seems to me people know they are going to be protected by you and supported irrespective of the timeframe. >> i understand your concerns. i understand the responsibility that we have to our employees about their pii, i take that responsibility very, very seriously. i want to say that there are in the letter -- the first sentence you wrote the difference between exposure and exfiltration. it could be their data was exposed and not exfiltrated. we feel strongly we need to offer the same protections to those employees whose data may have only been exposed. >> i got it. know you're going to be responsible and support these employees. >> absolutely. >> not just in the short-term but the long haul. they can expect maybe another letter, something that says we're here, because the other thing i'd like you to consider, and i appreciate that response, is that if you look at the
6:43 pm
letter again and i read it carefully, we're pushing folks, i got also i agree to the right kinds of experience i hope contractors to provide that support and identity restoration. i'd like more clarity about what that will involve. in addition you've got to call these outside numbers. you have to call all these credit agencies. you have to enroll yourself. i would strongly encourage you that there ought to be a phone number i can call to opm. >> they have to enroll in the -- >> i understand that part. in terms of managing and supporting employees, i expect the organization the source of the breach would be available to me and not just outside numbers. i don't know if you've done any mystery shopping with mystery numbers. we're calling these credit folks and there's an interesting long waiting period. i would strongly suggest we step up hr and there's a quick and
6:44 pm
immediate response in your own department. >> thank you. i appreciate your comments. i agree with you totally we need to hold our contractor responsible for their response. we're also instituting new ways they can respond to employees. i think i mentioned before you got here we're using ssa model where we, in fact, are able to call them back. no one has to wait online. >> thank the gentlewoman. now recognize gentlewoman from virginia miss comstock for five minutes. >> thank you, mr. chairman. thank you for letting me sit on this hearing. i think as i've already talked with opm, we do plan on doing some hearings in the science and technology subcommittee which i chair also. like some of my colleagues have already mentioned, and they have had that experience, i've received the same letter as how, more importantly tens of thousands of my constituents in northern virginia like mr. connelly. i also had the unfortunate
6:45 pm
experience of also getting a letter from the irs saying my tax information had been compromised but that's probably another hearing, mr. chairman. but what i'm concerned about is i'm not hearing leadership here. i know when i visit the visa data center in my district, and i see all the things they have in place and the leadership they are exerting there and the leadership that comes from the top there, i see a very strong culture of leadership in their cyber security and how they are attacking it. so my question, miss archuleta, now, when you came here 18 months ago, you understood we had a very real threat from china and other bad actors, this was constant like the congresswoman was talking, constant, something every day you're going to face. do you understand that? okay. and so in doing that because i think really what we know here from what mr. connelly said and what we've all recognized, they are at war with us.
6:46 pm
we aren't up to speed. we aren't responding in kind in terms of the problem. now, what i'm hearing is blaming the actors here. they are bad actors. we know that. that's part of the job. what i need to know in the 18 months, how many meetings have you had yourself personally, where it's been exclusively about cyber security, and you've had those meetings and who have they been with? >> i've had those meetings with individuals throughout our government. i've had those almost on a daily basis with my own staff and cio. i would say that since the 18 months that i arrived, i recognized the same problem that you did. we have taken tremendous steps. but as you say, there are these actors, and they are aggressive and they are well funded and they are persistent. and the first thing i did was to implement an i.t. strategic plan with a focus on i.t. security. >> i appreciate that. we've gone through those
6:47 pm
details. have you visited a private sector data center and seen what the private sector does to compare? >> i've had discussions with the -- >> have you visited someplace to -- >> i have visited other companies. the issue of cyber security was not the one that we discussed, but it's the plan that i outlined this morning is that we're holding a summit in the very near future to bring those private individuals who are facing the exact same threat that we are so we can learn from them. >> in the past 18 -- >> we need to access experts. >> in the past 18 months, you had not done that. >> i have not met personally on cyber security issues. >> with the private sector. >> with the private sector. my colleagues from across government have, tony cross and others, federal cio. i've had the benefit of those conversations and his experiences as well as other people throughout government. we recognize that cyber security is the enterprise issue for all
6:48 pm
of us in government. it's not just one person who has to take responsibility. all of us across government have to. >> i appreciate it. the point has been made by leaders in the field, the person at the very top has to take that role. i would note that when target, when they had this breach, this problem, it wasn't just their cio that lost their job, it was the ceo who lost their job. that's how that was responded to in the private sector. so i want to continue with some of the points that have been made by mr. mcfarland. have you sat down with mr. mcfarland to discuss his recommendations personally? >> i sat with mr. mcfarland. he brought some of those to my attention. i also with the flash audit i've not had the opportunity because of the time period that it was released. but it's my full intention not only to talk with him about the flash audit but also to engage him as we move forward as we
6:49 pm
always have. >> now, when i sent you the letter you had sent back, really one of the questions i had in there was how many people in my district have been impacted by this. i think it's a fairly simple question because you sent out 4.2 million letters. letters usually have a zip code. so when you ask -- you should be able to tell us how many people we have in our districts that have been impacted by this. so i've certainly been hearing from many. they have a lot of questions. i would like to also mention i would like to submit for the record questions from the american federation of government employees and a lot of incoming questions that have come. obviously we don't have time here. just a simple question that did not get answered: how many constituents do i have impacted by this? >> i'd be able to get you that information from our data and we'd be glad to share it with you. >> okay. thank you, mr. chairman, i yield back. >> thank the gentlewoman. we now recognize the gentleman
6:50 pm
from california. >> thank you mr. chairman. apologize for having had to leave. very troubling. i have what may be a character flaw on this committee. i tend to give the benefit of the doubt, so ms. archuleta, i would like to give you the benefit of the doubt but the flash report is concerning to me. mr. mcfarland says, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure. having sat here and listened to multiple hours in this hearing, would you say that your level of confidence in opm is heightened or do you stand by that comment? >> i stand by that comment. >> and you also asked for responses from opm. it says you asked for it june 2nd of 2015 and asked for comments by june 5th and later extended that to june 10th.
6:51 pm
by june 17th we had still not received comments or indication that comments would be forthcoming. did you ever get comments back before the hearing? >> i think we may have gotten comments back that day. >> okay. i got something this morning, u.s. office of personnel management strengthen cyber security and protect critical i.t. systems. it doesn't have a specific date. june 2015. ms. archuleta, is this the response that you provided to i.t. or is this for the committee? it's a seven-page report. >> no, i'm familiar with it, sir. the action plan you received today is an action plan that i've developed along with my staff in response to the very serious issues and threats we're facing right now. it outlines what we've done and what we will be doing. the response to the i.g. on the flash audit, he has received, as i said before, mr. mcfarland and
6:52 pm
i have not had the opportunity because of the time period that -- where we've been engaged with other things. but it's our intent, as is in the plan, to ensure he's engaged with us, alongside us, and that we value his opinion and the work of his staff. >> so, mr. mcfarland, heretofore you haven't gotten that impression. at least that's my impression from your testimony. sorry, you were distracted for a second. ms. archuleta just said she valued your input and looked forward to working with you, but you haven't gotten that from what i ascertain from your comments and the written commentary. >> well, what is on paper is exactly what i -- >> so do you have any heightened confidence that what ms. archuleta said about your relationship will improve? it doesn't seem there's any evidence to that. >> well, i think in general we have a good relationship.
6:53 pm
just, i mean truly, i think we have a good relationship. regarding this matter, i think we're worlds apart. >> that's fairly significant. as you said to mr. lynch, $93 million, you said, isn't even close to the amount needed in your opinion and that the ability to succeed there's a high risk that these efforts will ultimately be unsuccessful given how horrible the consequences of what's already happened, doesn't really give me a lot of confidence that going forward anything's going to improve. as a matter of fact, it sounds like it's going to get worse. >> i think going forward at the right -- at the right pace and concentration might be very successful. what i think is planned by opm, i think, is dangerous. >> would you like to respond to that, ms. archuleta? i can only imagine how difficult it is coming in here, but i must
6:54 pm
tell you, just sitting here and being willing to give you the benefit of the doubt, you appear to come across as petulant, defensive and evasive. >> i don't mean to do that at all. i take very, very seriously what has happened. >> you say that over and over again. with all due respect, i believe you, but it doesn't appear to be the truth. >> well, i do -- what i have tried to do today is convey to the members how seriously i take this and that we are garnering all the resources, including the opinion of the i.g. we disagree on some issues, but we do have other areas of agreement. we also have areas that would benefit from discussion between me and the i.g. i think that's an important step. i.g.s work very closely with their administrations to make sure we're doing the best job we can. i take his information very seriously. i do not want to convey that i'm angry or petulant about it.
6:55 pm
what i am is respectful for the position he holds and value the input that he gives but i do feel passionately about what has happened. i feel very passionate about the employees. i am a champion and have worked very hard throughout my entire career. and if i sound passionate about it, i -- i have to say that i am. >> i just -- personal observation. sometimes you can feel passionate about things but not be capable of doing what you desire to do, and i think we need to have a serious conversation. i know the chairman has these concerns about -- to be perfectly honest -- whether the current administration is competent enough to protect this information from people who would hack us. thank you. >> gentleman yield? >> yeah. >> gentleman yield. i think the gentleman gets to the point that i was trying to get to a little bit earlier. and the question becomes, we've
6:56 pm
got mr. mcfarland saying that -- i think he used the word "dangerous." is that what you said? >> that's correct. >> we're heading down a dangerous path. >> i believe so. >> and when you say dangerous, i mean, you -- you're saying we're headed for some very serious trouble. is that a fair definition of dangerous? >> absolutely. >> so, ms. archuleta, our problem is this. we sit here and we've got an i.g. who we believe in and trust. the i.g. is saying that you need to take his advice and what you're doing is not going to get us there. as a matter of fact, may harm us. am i right, mr. mcfarland? >> that's correct. >> so you put us in a kind of difficult situation. we've now been given notice as
6:57 pm
members of congress that we're headed down this path by somebody who we rely on. you disagree with them, but then you expect us to be supportive of you. no, no, no, no, listen to me. that's a problem. because now you put us in a kind of bad position. that means that if this happens again, problems get worse, then people say, well, wait a minute, chaffetz cummings, you all were sitting there. you heard what the i.g. said. i mean, why did you let this go on? that's the position we find ourselves in. and so i don't care whether you like each other or not. that doesn't matter to me. a lot of people get along. the question is, it sounds like you are refusing -- no, no, answer me now. i'm going to give you a chance.
6:58 pm
-- to do what he's asked you to do because you disagree. but on the other hand, he's saying that we're going down a dangerous path. i mean, come on now. do you have a comment? >> yes. i just want to be sure. the flash audit identified issues. a flash audit is meant to alert the administration about concerns. it merits an opportunity for the i.g. and his staff and the -- my staff to sit down and find out where his concerns are. if he says it is a dangerous path, i want to know specifically why he's -- >> mr. mcfarland, have you told her that before? is this new? >> as far as the word "dangerous," i probably didn't use -- >> yeah, but you told her the urgency of the moment.
6:59 pm
>> absolutely. >> and the problems that we're having. and where you see it heading. >> yes, in a letter. >> well, come on now. >> he sent the letter. attached to the flash audit, and we have not had the opportunity to sit down with him. and i take very seriously his concerns, mr. cummings. >> will the gentleman yield? >> and the opportunity, if he uses the word dangerous, i need to understand clearly from him and his staff why he attaches that word. and the flash audit needs the scrutiny of both him and i together to protect the employees and to protect our data and to protect our system. >> with all due respect -- and i know you're fairly new to this position, but the audits have been coming from the inspector general's office since 1997. they come in year in and year out. they have happened and happened and happened and happened. i mean, i started the other hearing by reading through all the comments that have come
7:00 pm
along. so this is a flash audit. you haven't had time to talk about it. you haven't had time to go through it. and yet you can award a multimillion dollar contract in less than 48 hours. that's what we don't understand. we're going to go through that in a minute. we're almost done with this hearing. this isn't just one audit. this isn't just one observation. the good people in the inspector general's office have been warning about this since the '90s. and it was never taken care of. >> thank you for pointing that out. and i appreciate it. and acknowledge that. i've been here 18 months and i took seriously the audits that came before me and that is why i have done and taken the steps. >> we don't believe you. i think you're part of the problem. i think if we want different results, we're going to have to have different people. and if you want to refresh the deck and we want to put mr. osmond or somebody else like that in charge let's do it. because you know what? we have a crisis. that hurricane has come and blown this bui