Senate Majority Leader Mitch McConnell (R-Ky.) took to the floor of the upper house on Wednesday to declare that the massive data breach at the Office of Personnel Management was strictly an agency “management problem”—a claim that’s belied systemic digital weaknesses looming over all federal IT systems.
McConnell accused OPM Director Katherine Archuleta of “world-class buck passing” on Wednesday, claiming that testimony she gave before a Senate Appropriations Committee on Tuesday projected a “complete lack of accountability and urgency.”
A number of lawmakers have come forward to call for the resignation of Archuleta, who was appointed to head the agency in May 2013, and failed to heed numerous warning from OPM’s own inspector general about security weaknesses.
“More money isn’t going to solve a management problem,” McConnell said, adding, “Let’s be honest, this appears primarily to be a management problem.”
Although securing the ouster of an Obama administration official could provide the Majority Leader with short-term bragging rights, his rhetoric over the data breach could hinder efforts to prevent future compromises since similar cyber weaknesses exist in other government agencies.
During a House Government Oversight Committee hearing on Wednesday, for example, Chairman Jason Chaffetz (R-Utah) submitted for the record a 1963 Wall Street Journal article reporting the adoption of COBOL IT systems by the US government—systems that are still in place today at OPM.
“In 1963, I wasn’t even born yet,” Chaffetz said. “And that’s the system that we’re operating on in this day and age,” he added in pointed remarks to OPM Director Archuleta.
The Government Accountability Office in 2012, however, revealed that outdated systems are ubiquitous and account for roughly 70 percent of the entire government’s IT budget.
As was noted in earlier Congressional hearings on the breach, these so-called “legacy systems” are vulnerable because, in many cases, they are incompatible with encryption.
“That’s a problem across the board with our federal systems,” digital privacy expert Amie Stepanovich said on District Sentinel Radio. “We hear often about the number of federal systems that are still running Windows XP.”
Stepanovich, the US Policy Manager at Access, a Washington, DC-based digital rights organization, cautioned against a myopic response to the data breach.
“It’s amazing the number of old systems that are being deployed by very important agencies in the federal government and we need the investment to build new systems to invest in new software to make sure these computers are up to date, that the information can be encrypted and protected,” she said.
The hack is believed to have originated at the beginning of 2014. Over the course of a year, intruders targeted at least two separate OPM databases containing information on current, former, and prospective government employees. One of the breaches affected a database containing sensitive information related to background checks for employees with security clearances.
As many as 18 million current, former, and prospective government employees may have been affected.
Both the upgrade of legacy systems and a change in management, however, might not have prevented the breach. It’s believed that intruders initially gained access to OPM systems by using credentials belonging to one of the agency’s IT contractors, KeyPoint. A representative from the company denied the allegations at Wednesday’s hearing.
“Did they get the keys to OPM’s networks from this contractor?” Rep. Elijah Cummings (D-Md.) asked during the proceedings.
Rep. Cummings reminded Chairman Chaffetz that the committee explored “the risks of third party contractors to our nation’s cyber security” during a hearing in April and that “multiple experts explained that federal agencies are only as strong as their weakest link.”
“The weak link in this case was KeyPoint,” Cummings said.
