Federal government agencies face a number of challenges in addressing threats to their cybersecurity. That was the conclusion of several Congressional hearings in June following revelations that hackers accessed the U.S. government personnel records of as many as 18 million employees.
At a House Homeland Security subcommittee hearing on June 24, Gregory Wilshusen, the director of Information Security Issues at the Government Accountability Office (GAO), an independent watchdog arm of Congress, identified several cybersecurity challenges that federal agencies face in securing their systems and information. Those include designing and implementing a risk-based cybersecurity program, enhancing oversight of contractors providing IT services, improving security incident response activities, responding to breaches of personal information, and implementing cybersecurity programs at small agencies.
“Until federal agencies take actions to address these challenges – including implementing the hundreds of recommendations we and inspectors general have made – federal systems and information will be at an increased risk of compromise from cyber-based attacks and other threats,” Wilshusen stated in his written testimony.
The focus of Congressional scrutiny, however, was on the Office of Personnel Management (OPM), which announced on June 4 that it had identified a cybersecurity incident potentially affecting the personnel data of about 4.2 million current and former federal employees, and then on June 12 announced that hackers may have accessed a second set of U.S. government personnel records, including information from background investigations.
At a June 16 hearing of the House Oversight and Government Reform Committee, Michael Esser, OPM’s assistant inspector general for audits, said his office had been warning OPM for eight years that there had been shortcomings in the area of data security. He wrote in testimony that reports issued from his office from fiscal year 2007 through FY 2013 noted that the lack of data security policies and procedures at the OPM was an area of “material weakness.”
“OPM has a history of struggling to comply with [Federal Information Security Management Act] requirements,” he said. “Although some areas have improved, such as the centralization of IT security responsibility within the [office of the chief information officer], other problems persist.”
OPM Director Katherine Archuleta elaborated on the potential size and scope of the hacking incidents during a June 25 hearing of the Senate Homeland Security and Governmental Affairs Committee. Responding to reports that 18 million Social Security numbers may have been compromised, she said the figure refers to a “preliminary, approximate number of unique Social Security numbers” in “one of the compromised systems.”
She added that even that number is “incomplete and it does not provide an accurate picture of the final number” of federal employees who may have been affected. “For these reasons,” Archuleta said, “the 18 million figure may change.”
“We must acknowledge we have a significant cybersecurity problem in the federal government, especially at the OPM,” said Senator Tom Carper (D-DE). “This intrusion on the OPM’s networks is only the latest of many against the agency, and the OPM has become a case study in the consequences of inadequate action and neglect.
“There’s a bullseye on the back of USA.gov,” Carper continued, referring to the interagency government information and services portal, “and it does not appear this administration is devoting enough attention to this reality.”