How Beth Cobert resurrected OPM IT after historic cyber breaches
The Office of Personnel Management that acting Director Beth Cobert will leave behind is vastly different than the one she was abruptly handed almost two years ago.
OPM — an agency that rarely made headlines for its IT operations, outside of the systems that provide key HR and benefits functions for the federal workforce and agencies — was devastated by a series of data breaches on its personnel and background application systems in late 2014, leaving the personal information of more than 20 million current and former federal employees, and security clearance applicants and their references in the hands of an outside intruder, ultimately labeled Chinese hackers.
Not long after the breaches were made public in June 2015, Cobert’s predecessor Katherine Archuleta resigned amid the fallout and congressional campaign to hold someone accountable for the millions of compromised identities. The same day, July 10, 2015, Cobert was asked at a President’s Management Council to leave her post as deputy director for management at the Office of Management and Budget and lead OPM through the aftermath of the cyberattacks, she explained in a recent episode of the Gov Actually podcast, produced by FedScoop.
In just a-year-and-a-half’s time, Cobert took OPM from the agency that suffered the biggest hacks in the history of the federal government and built it into a model of federal cybersecurity capabilities and systems modernization.
“We have made significant improvements in our cyber posture, and we have more work to do,” Cobert told FedScoop in her OPM office during one of her final interviews as director. She’s stepping away after Friday’s inauguration.
Cobert listed achievements her CIO’s office has made: two-factor authentication on every network; progress encrypting data; and piloting many of the Department of Homeland Security’s continuous monitoring tools, to name a few.
“We were the first customer to put in place all of the DHS continuous diagnostics and mitigation tools,” she said. “My goal for OPM is to be DHS’s best customer and the first customer to take advantage of every tool they put out there, and we’re on the path to doing that.”
But largely, it’s not the patches or new tools that have led OPM to be more cyber-secure — it’s the focus on cultural change, Cobert said.
No longer can agencies simply “bolt on” security to old systems. They have to modernize, she said.
“We fundamentally need new systems,” Cobert explained. “You can bolt on everything you want, but if you have systems that weren’t designed for the world we’re in today, it will always be a challenge to do cyber. You need systems designed for a world where cyber is an issue and they’re built into the systems to protect the data.”
Moreover, it’s about making cybersecurity a mission that touches all parts of an organization, she said.
“Cybersecurity is not a problem for the IT shop — it is a leadership problem. … It’s a whole-of-agency problem,” Cobert said. “That’s the only way we’re ever going to tackle this problem collectively. There is no one at OPM who is not aware. We do drills in partnership with DHS, people think about these issues, we think about it when we design processes, we think about it when we operate our systems, we think it is a leadership responsibility of everyone.”
Surrounded by talent
It’s also about the people, Cobert said. She has hired a team of career IT leaders who will remain at OPM under President Donald Trump, ensuring the recent efforts and progress continue. That team includes new CIO Dave DeVries, a relatively new CISO, Cord Chase, and Clifton Triplett, Cobert’s senior adviser for cyber and IT.
OPM’s improvements around cybersecurity and IT are “being driven by a high-talent set of career folks who are staying,” Cobert emphasized. “We’ve focused on making this something that is institutional and can last.”
Those people also extend outside the agency to Cobert’s federal IT and cybersecurity colleagues, like U.S. CIO Tony Scott and the CIO Council, with whom she’s partnered closely over the past 18 months to get OPM back on its feet. (Scott tweeted that Tuesday was his last day in the job.)
“Among the good decisions I made in my time in government, bringing Tony Scott on to work as the federal CIO when I was at OMB is up there on the top part of my list,” she said. “He’s been a terrific leader. And what I liked about Tony when we were trying to get him to join, and what I’ve seen all along the way, is he understands both what modern, good practice looks like… he understands the complexity of moving from the old systems, and he understands the need to bring everybody along in that process.”
A huge fan of Scott’s proposal for an IT modernization fund, Cobert believes that even as he departs the federal government with her amid the change of administration, his impact on federal IT modernization and arguing for it as a top-level concern will live on.
“There’s nothing that gets done in the federal government today, pretty much, without IT…It is embedded in what we do,” she said. “One of the things that Tony has done and the whole IT digitization effort has really been to transform and reiterate the importance of leaders owning their technology. You as a program lead have to own your technology, just like your IT team does, then you can figure out what’s important, then you can figure out how to do it in a way that’s secure, then you can understand what your users need. And that change in mindset and elevating the role of IT, the decision-making around IT, will be an incredibly important lasting legacy [of Scott’s]. That’s how IT just has to operate.”
Emphasis on acting
Cobert will leave Friday as acting director of OPM after never receiving Senate confirmation and being held political hostage in Louisiana Republican Sen. David Vitter’s campaign to block her confirmation until she addressed a contentious ruling OPM issued in 2013 on how the Affordable Care Act applies to members of Congress. Vitter charges that OPM essentially exempted lawmakers from the ACA rules; Cobert was not with OPM when that ruling was issued.
Despite that, she said she always took her title of “acting” literally, “meaning I’m supposed to be acting,” she said. “So I acted. I did things, and I think we just decided we were going to get work done. We had the opportunity and the authority to do it, so we did.”
Her lack of a Senate confirmation didn’t necessarily affect her position to advocate for funding to spur the necessary IT modernization and cyber enhancements, she said. However, Congress’ inability to pass a complete budget — particularly one in which the president called for a “meaningful increase” in IT funding for the agency — makes it difficult for OPM to execute on its vision for IT modernization, Cobert explained.
“We are now in the space where we have a [continuing resolution]. We don’t know how that’s going to get resolved,” she said referring to the legislation funding the government into April. “We are absolutely committed to continuing the investments we’ve made in cyber. That is a priority for how we’re prioritizing our budget as an agency. But to modernize our systems — to get them to the place where they need to be — we need funding. And in the context of a CR, we are living at 16 levels. You can’t get that done that way.”
Cobert hasn’t nailed down her next move after leaving OPM. She told OPM employees in an email Tuesday she’ll move back to Denver to live with her husband and family and sort out her next steps.
“I am hopeful that my path will continue to include service to my community and my country,” the email said. “Wherever I go, I will tell the story of OPM and the incredible 2.1 million men and women of the federal workforce who come to work every day without praise or fanfare and do the hard but necessary work of improving the lives of the American people.”
Chief Management Officer Kathleen McGettigan will lead OPM in Cobert’s absence until the Senate confirms a director appointed by Trump.