Congress digs deeper into OPM hack timeline
The House Oversight and Government Reform Committee is yet again pressing for answers to the massive Office of Personnel Management breaches — this time digging into the timeline of what happened before and after the breaches were announced.
Committee Chair Rep. Chaffetz, R-Utah, sent a pair of letters this week — one to acting OPM Director Beth Cobert and another to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, known as US-CERT, Director Ann Barron-DiCamillo — concerning breaches of OPM systems that have put the personal information of more than 22 million federal employees and Americans in jeopardy.
In the first letter, dated Aug. 18, Chaffetz presses Cobert to provide information on “exposed security documents and systems manuals that could be used by hackers to launch additional attacks on OPM’s networks.“
OPM Chief Information Officer Donna Seymour and former Director Katherine Archuleta testified June 24 about information accessed and exfiltrated during a breach discovered in March 2014. No personally identifiable information was taken in that hack, according to officials.
Seymour, however, told the committee the hackers “did have access to some documents, and they did take some documents from the network.” She further clarified that some of that accessed information was outdated security documents and system manuals, but despite its age, “it would be safe to say that that would give you enough information that you could learn about the platform, the infrastructure of our system, yes,” she said, according to Chaffetz’s letter.
“The fact that security documents and systems manuals were accessed and taken from the network as discovered in March 2014 heightened the need for OPM to protect its network,” the committee chair wrote in his letter.
Based on that, Chaffetz wants Cobert and OPM to give his committee any agency security documents, any information security protocols and a rundown of the documents accessed or taken by the hackers.
In the second letter sent a day later, Chaffetz changed his focus to what happened after the most recent hacks were announced, asking Barron-DiCamillo to elaborate on OPM’s incident response with US-CERT.
Specifically, Chaffetz wants to know the dates of OPM’s engagement with US-CERT, and to see any documents about the malicious agent used on the agency’s systems and any of the response team’s reports and recommendations.
Chaffetz gave the recipients of both letters until the beginning of September to respond. It’s possible that Barron-DiCamillo and Cobert could provide information that would spur another round of hearings concerning the breaches.
The committee chairman sent a previous letter to Cobert on Aug. 2 requesting Seymour resign from the role of CIO based on claims from OPM’s Office of the Inspector General that she interfered with its work investigating the hacks and provided misleading information.
