Boozman Discusses Data Security For Federal Employees At D.C. Hearing

A data breach involving millions of current or former federal employees unveiled several major cracks in the armor of the federal government’s information systems, several witnesses told Sen. John Boozman, R-Ark., on Tuesday.

Federal officials originally placed the number of employees who may have had their information hacked at over four million. However, a report Tuesday showed that the number could be as high as 18 million and growing.

Boozman, who chairs the Senate Appropriations Committee subcommittee on Financial Services and General Government, held the hearing to learn more about the breach at the Office of Personnel Management.

Boozman said in his opening statement that the problem has been rampant over the years.

“The massive breach of OPM systems may have been the most devastating cyber-attack in our nation’s history. Unfortunately, while the news reports about these incidents have been shocking, they should not be surprising. The OPM incident follows several across government and is only the latest example of the federal government’s inability to protect itself from cyber security threats,” Boozman said. “Today’s hearing before the Subcommittee on Financial Services and General Government is intended to elicit further information about the recent OPM data breaches. It is also a time to discuss the enormous challenges facing the federal government as it attempts to ensure this does not happen again.”

Katherine Archuleta, director of the United States Office of Personnel Management, told the subcommittee that the Obama Administration has worked to increase funding for the programs as well as improving technology.

“Over the last eighteen months, OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks. For Fiscal Years (FY) 2014 and 2015 we have committed nearly $70 million towards shoring up our IT infrastructure. In June 2014, we began to completely redesign our current network, while also protecting our legacy network to the maximum extent possible in the interim,” Archuleta said. “These projects are ongoing, on schedule, and on budget. The first phase of this project was to deploy the tools required to address critical vulnerabilities on the existing network. As part of this effort, in January 2015 we implemented state of the art practices, such as additional firewalls, two-factor authentication for remote access, and limited privileged access rights. Currently, we are also increasing the types of methods utilized to encrypt our data. These methods cover not only data at rest, but data in transit, and data displayed through masking or redaction.”

Another witness – Richard Spires, who is the former chief information officer for the Department of Homeland Security and the Internal Revenue Service – said the issue is systemic.

“In fact, I would urge Congress and the Administration to avoid a tactical approach that addresses narrow technical fixes based on these latest breaches – the weaknesses that led to these types of breaches are deeply rooted and require sweeping changes in our approach to IT and cybersecurity management and practices. Further, the weaknesses in the federal government’s IT security posture are almost always based on IT practices that have been in place over many years. I served in the Bush and Obama Administrations and saw the same systemic problems in both. This should not be viewed as a political issue, but a call to action to fix a set of issues that can not only have a beneficial impact on securing data and systems, but improve IT management and delivery of systems as well.”

However, Boozman said that money alone cannot and will not solve the problem.

“Nineteen of 24 major federal agencies have reported deficiencies in information security controls. Inspectors general at 23 of those agencies cited information security as a major management challenge.

How many headlines of serious data breaches will it take to implement the steps necessary to protect ourselves? And at what point do some in Washington recognize that growing the bureaucracy without actually governing is a recipe for this type of disaster,” Boozman said.

“The Obama Administration views the federal government as capable of tackling almost every problem the nation faces. Yet, while attempting to grow the size and scope of the federal government at every turn, the Administration fails to follow-thru on the tasks it is already responsible for. If you bounce from one big government solution to another – without carrying out your basic responsibilities – this is what happens.

“It is easy to suggest more money is the solution. That seems to be the response the Administration leans on every time there is a problem. But it is often the wrong choice, especially in situations like this where it appears that the problem is something much greater than a lack of resources.

The American people have lost faith in their institutions. The last thing they will do is trust Washington to solve a problem when it can’t even protect the personal information of those it employs. There needs to be a dramatic change in the status quo,” Boozman said.