The boss of the US government's thoroughly ransacked Office of Personnel Management has – rightly – come in for a rough ride from members of the House Committee on Oversight and Government Reform.
Politicians on both sides of the trenches tore strips off the lamentable state of security in the agency, which was raided by hackers who accessed sensitive dossiers on millions of federal workers – including their application forms for national security clearance passes.
"You failed, utterly and totally," the committee chair Rep. Jason Chaffetz (R-UT) told Katherine Archuleta, who has led the OPM since December 2013.
"OPM's data security posture was akin to leaving all the doors and windows open in your house and expecting that nobody would walk in and nobody would take any information. How wrong they were."
The investigating committee heard that IT security at the OPM has been identified as lacking in every report by the inspector general since 2007, and that while some advances had been made, the state of the agency's network security was embarrassing.
Archuleta acknowledged that none of the 4.2 million social security numbers stolen in the hack were stored in an encrypted form; that two-factor authentication was only used consistently by remote workers; and that it would be impossible to secure some of the OPM's older legacy systems.
Admittedly, encrypting a database isn't much use if a hijacker has gained full control of your application servers, but the lack of two-factor authentication, and other protection mechanisms, is telling.
"It was not feasible to implement [encryption] on networks that are too old," she said, adding that her assessment was that once an attacker gained access to a network they could decrypt the data anyway.
"Advanced tools take time," she said. "Cybersecurity problems are decades in the making and the whole of government is responsible."
A visibly uncomfortable Archuleta frequently refused to answer questions from Congressfolk about what exactly was stolen in the attack, citing national security concerns. A separate closed session of the committee will meet this afternoon to go over those points, but her constant deferment of questions and somewhat stilted answers angered some.
"I think I know less going out of this briefing than I did coming in," said a testy Rep. Stephen Lynch (D-MA). "You're doing a great job stonewalling us, but hackers not so much."
But she did let slip that it appears the attackers did access a server holding completed copies of Standard Form 86 (SF86). This is a 127-page form filled out by those requesting national security clearances, and so lists extensive personal information required for background checks.
Such information would be a goldmine for foreign spies seeking to blackmail or coerce American citizens, Lynch said, and he questioned Archuleta repeatedly as to what had been stolen from the SF86 database. She referred such questions to the closed session.
Let's spend our way out of this mess
Archuleta said her agency had done what it could when it came to securing older systems, but that a comprehensive revamp was needed to build a network capable of running modern security tools. She said the OPM was asking for an additional $21m over the next year to do just that.
Certainly, the state of OPM systems described by Dr Andy Ozment, assistant secretary at the Office of Cybersecurity and Communications National Program Preparedness Directorate, is pretty dire.
The latest audit shows 11 out of 47 computer networks run by the OPM lack the ability to handle basic two-factor authentication – but that figure could be wrong since the agency isn’t sure quite how many systems and servers it is running.
While steps have been made to add encryption where possible, its use is sporadic at best, he said. While automated security sweeps are made to ensure patch management is up to date, improper configuration means at least a fifth of the OPM's servers are never checked using automated systems.
Donna Seymour, the OPM's chief information officer, said that, in the meantime, the agency was doing what it could: the number of administrative accounts has been reduced, the access privileges of the remaining ones are being reviewed, and extra firewalls have been added to the system. ®