Nominee Explains OPM's Recovery from Massive BreachCobert Testifies Before Senate Panel Considering Her Confirmation as OPM Director
The Office of Personnel Management is systematically addressing three core cybersecurity deficiencies identified by the agency's inspector general as contributing to a data breach that exposed the personal information of 21.5 million individuals, Beth Cobert told a Senate panel considering her confirmation as the new OPM director.
See Also: Ransomware: The Look at Future Trends
"Focusing on cybersecurity, protecting OPM systems and data, and providing services to individuals who were affected had been my highest priority since joining OPM; it will remain my highest priority if confirmed," Cobert, who President Obama appointed as acting head of the troubled agency in July, told the Senate Homeland Security and Governmental Affairs Committee. Obama nominated Cobert to serve as OPM director in November.
The cordial atmosphere at the Feb. 4 confirmation hearing contrasted sharply with the combative nature of congressional hearings delving into the breach - believed to have originated in China - featuring then-OPM Director Katherine Archuleta, who resigned under pressure last summer.
Cobert, who previously served as deputy director for management in the Office of Management and Budget, outlined the methodical approach OPM is taking to address the cybersecurity deficiencies. But lawmakers did not ask about a timetable for when they would be resolved. The deficiencies include weak IT security governance, systems operating without valid authorizations and weak technical security controls.
Cobert told the committee that when she joined OPM as acting director last year, she initiated a thorough process of reviewing the IG's recommendations as well as those from others who worked on the agency's information systems, including the Department of Homeland Security and DHS's United States Computer Emergency Readiness Team.
"We have put in place changes around IT security governance, including the creation of a new chief information security officer position, and have a process for continuing to manage and build those capabilities," Cobert said. "We are working through the specifications of the authorizations and have a team in place to work through those in a prioritized way, starting with the high-value assets. We're going through each one systematically. We have been able to close some of the [IG's] FISMA recommendations from the past few years, and we're committed to just keeping at it until we get through every one of them. "
FISMA, the Federal Information Security Management Act, is the law that governs federal IT security. It requires agencies to meet specific IT security standards as well as to have their security standing reauthorized every three years. The IG, in a 2014 audit, recommended that Archuleta shutter systems that did not acquire valid authorizations required by OBM. At a June House Oversight and Government Reform Committee hearing, Archuleta explained that she didn't order the systems shut down because of other agency priorities, such as ensuring retirees received their benefits and that employees got paid.
Seeking Improved Cooperation
Lawmakers did not view Archuleta as being cooperative with OPM's inspector general or the two congressional panels that provide oversight to the agency, and several senators at Cobert's confirmation hearing pressed her repeatedly about whether she would be cooperative with the IG and Congress. Cobert said she would, noting that she met with the IG on her first day on the job and continues to meet with him regularly. She also pledged to respond to congressional inquiries.
Still, Sen. James Lankford, R-Okla., pointed out that the House Oversight and Government Reform Committee on Feb. 3 had issued a subpoena seeking documents related to the OPM data breach, saying such action by a congressional committee is typically a "last resort" when cooperation fails. House Oversight Committee Chairman Jason Chaffetz characterized Cobert as "not cooperating with the committee's investigation."
The documents being subpoenaed would supposedly shed light on whether the government discovered the breach through its Einstein intrusion detection system - as Archuleta contended - or by a vendor demonstrating a digital forensic product (see Report: OPM Breach Found During Demo).
Cobert said she has yet to fully review the subpoena but wants to be cooperative with the House committee. "We have been in discussions with them. We have produced hundreds, thousands of documents and briefings as requested. And we're going to be continue to be as cooperative as we can be," she said.
Relying on DHS
As OPM responded to the breach, Cobert said DHS, and, in particular, the team from U.S.-CERT, were "invaluable resources to OPM."
Cobert also testified that OPM is working closely with the intelligence community to address the concerns of breach victims, many of whom either hold or sought classified security clearances. Those concerns include possible blackmail threats and potential misuse of fingerprint data pilfered in the breach.
"We continue to work with the intelligence community to understand what help they need from us," Cobert said. "We continue to ... support whatever efforts they have underway. It's an ongoing partnership with them, with law enforcement. It's an ongoing dialogue as we collectively try to respond."
The committee will vote on Cobert's confirmation soon, paving the way for consideration by the full Senate.