OPM chief fights to save her job

The director of the Office of Personnel Management (OPM) is coming under heavy fire on Capitol Hill, with lawmakers on both sides of the aisle demanding that she step down for what could be the most devastating data breach in American history.

Director Katherine Archuleta has taken a beating in a series of tense congressional hearings. Lawmakers have accused her of shifting blame for the hack and moving too slowly to correct persistent security problems that were apparently exploited by China in a breathtaking siege of U.S. networks.

{mosads}“The hurricane has come and gone and just now OPM is wanting to board up the windows,” said House Oversight and Government Reform Committee Chairman Jason Chaffetz (R-Utah) during a four-hour hearing Wednesday.

“Personal accountability is paramount,” added Chaffetz, who is leading a growing congressional chorus calling for Archuleta to be fired.

Archuleta at one point sparred with Rep. Stephen Lynch (D-Mass.) over who is at fault for the hack that has shaken the government.

“You also testified that no one is to blame, is that right?” Lynch asked.

“I believe the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our system,” Archuleta replied.

“I have worked since day one to improve …” she added before Lynch cut her off.

“Yeah I understand that,” he said. “You’re blaming the perpetrators.”

On the other side of the Capitol, Senate Majority Leader Mitch McConnell (R-Ky.) took to the Senate floor Wednesday to berate the agency head, though he stopped short of calling for her removal.

“Let’s be honest, this appears primarily to be a management problem,” he said, describing Archuleta’s testimony thus far as “world-class buck passing.”

The White House is standing behind Archuleta amid the firestorm.

“She’s obviously got a very difficult job and a very difficult challenge ahead of her,” White House press secretary Josh Earnest said Wednesday. “And the administration and the president continues to believe that she’s the right person for the job.”

For two weeks, the OPM and Congress have clashed over the extent of the breach.

When officials first announced the OPM intrusion, they said 4.2 million federal workers had been affected.

But just over a week later, the agency officials said they had uncovered a second breach of a separate system that housed background check information for security clearances — the basis for limiting access to some of the nation’s most closely guarded secrets.    

The second intrusion laid bare data on millions of military and intelligence community personnel and, potentially, people outside the government, such as friends and family members who were named in background investigations.

The second hack could have affected up to 18 million people, according to reports.

While the government will not say so publicly, it’s widely believed that Chinese hackers pilfered the data from both systems as part of a broader scheme to build a comprehensive database on U.S. government workers. The sensitive data accessed could be used to imitate officials, stage future cyberattacks or even recruit informants or blackmail administrators.

Despite repeated inquiries during hearings and classified briefings for the House and Senate, lawmakers had complained that the OPM was refusing to provide a specific number for the second breach, let alone provide details about exactly who was affected.

That started to change on Wednesday, with alarming results.

“It is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique Social Security numbers in the background investigation data,” Archuleta said before the Oversight Committee.

The estimate of 18 million people does not include friends and family members named in background checks, Archuleta cautioned, meaning the total could grow if the agency decides those people “should be considered individuals affected by this incident.”

Eighteen million “is a number I am not comfortable with at this time because it does not represent the total number of affected individuals,” she said.

Chaffetz pressed Archuleta to go further, citing an OPM budget request claiming the agency was “a proprietor” of personally identifiable information on 32 million federal employees and retirees.

“Are you here to tell me that information is all safe?” Chaffetz asked. “Or is it potentially 32 million records here that are at play?”

“We’re reviewing the number and scope of the breach,” Archuleta replied.

The revelation that the OPM both knew about the second breach and possessed the 18 million estimate when it announced the first breach has also raised questions about why the administration withheld those details.

“It’s frustrating,” Sen. Jerry Moran (R-Kan.) told reporters Tuesday while exiting a classified briefing on the hack. “We want information. I think it’s important for federal employees to know what danger they are in, what risks they now run as a result of these breaches.”

The OPM has maintained it waited to notify agencies and the public of the second attack until it had a “high degree of confidence” the information had likely been taken.

Archuleta finishes her testimonial gauntlet before the Senate Homeland Security and Governmental Affairs Committee Thursday morning.

Committee chairman Ron Johnson (R-Wis.) has stopped short of calling for Archuleta’s resignation but offered harsh words about her performance thus far. Thursday’s hearing could help sway him one way or the other, he said.

“I’d say across the board, this administration probably hasn’t taken cybersecurity of our own federal system seriously enough,” he told The Hill on Tuesday.

“It’s leadership,” he added. “It’s a lack of leadership.”

— This story was updated at 5:02 p.m.