Skip to main content

tv   Politics Public Policy Today  CSPAN  June 24, 2015 11:00am-1:01pm EDT

11:00 am
2014. did it result in a breach of security? >> on the march 2014 opm network the adversary activity the data to that number none was lost. >> i asked if there was a breach in security? >> there was activity that dated back to november of 2013 and with the forensics of that information, we found no pii was lost. >> i am asking you a broader question. did they have access to the person identify taeugs information? >> i am not a forensic expert but we have the forensic team with us right here on this panel. >> in your perception from your understanding did they have access to the personnel information? >> we know there is add srau saeur annual activity that dated back to november of 2013, and i
11:01 am
also know that no pii was lost. >> no that's a different question. the question i asked is did they have access? whether they exfill traeutd it is a different question. >> i said there was add srau saeur annual activity. >> did it result in a breach of security in your opinion? is that a breach of security? >> that's a breach of our systems, yes. >> is that a breach of your security? >> with the security systems, yes. >> so yes, it was a breach of security, yes? >> they were able to enter our systems. the security tools that we had in place at that time were not sufficient to fight back and we have since instituted more and that's why in april of this year we were able to -- >> okay but at the time at the time it was a breach of
11:02 am
security, right? >> yes there was a breach into our system. >> was there any information lost? >> as i just said to you there was no pii lost. >> that's not what i asked you. i asked did you lose any information? >> you would have to ask the forensic team? >> i am asking if you know if anything information was lost? >> i will get back to you. >> i believe you have this information. >> you believe i have the information? >> yes. >> did they take information when they broke into the system? >> no pii -- >> that's not what i asked you. we will take as long as you want here. i did not ask if they exfill traeutd pii i am asking you did they take any other information? >> i will get back to you -- >> i know you know the answer to
11:03 am
this question. ms. seymour, did they take any other information? >> in the march 2014 incident, the adversaries did not have access to data on our network and they did have access to documents and they did take documents from the network. >> what were those documents? >> outdated security documents about our systems and manuels about our systems? >> what kind of manuels? >> about the servers and environment? >> is that like a blueprint for the system? >> that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. >> did they take any personnel manuals manuals? >> no. >> they took some manuals about the way we do business. they did not take personnel
11:04 am
manuals manuals, and we may not be defining that the same way. >> but they did take information? >> yes, they did. >> do you believe it was a breach of security? >> yes i do. >> so ms. archuleta when we rewind the tape and look at the interview you did on july 21st you said we did not have a breach in security and there was no information that was lost. that was false, wasn't it? >> i was referring to pii. >> no you weren't. that was not the question. that was not the question. you said and i quote there was no information that was lost. is that accurate or inaccurate? >> the understanding that i had of that question at that time referred to pii. >> it was misleading and a lie and was not true. when this plays out we're going to find that this was the step that allowed them to come back
11:05 am
and why we are in this mess today, it was not dealt with and you were misleading and went on television and told all the federal employees don't worry, no information was lost. did they have access to the personal information, ms. seymour? >> no, at that time they did not have access to the personal information? >> they may not have taken it, but did they look at it? >> at that time they did not have access. i want to talk to you mr. mcfarland and i wanted you to hear me, listen to me very carefully. there have been, after our last hearing on this subject members on both sides wanted to ask for ms. archuleta's resignation and
11:06 am
i ask that we not do that but we have this hearing so we could clear up some things, and because i wanted to make sure that we all are hearing right and we are being fair. this is my question. you have one opinion and ms. archuleta, director archuleta and ms. seymour have another opinion. you seem to say they need to do certain things in a certain order, and they say they think the order that they are doing them in is fine. they say they can do certain things in a short time and you say it's going to take longer. you also say they don't have the necessary stream of funding they may need. this is what i want to know. is this a difference of opinion
11:07 am
with regard to experts? do you understand what i am say? you have your set of experts and they have their set and do you deem it a difference of opinion? the reason why i mentioned from the very beginning about the desire of certain members of our committee to ask for ms. archuleta archuleta's dismissal is because i want you to understand how significant that answer is, because there are some members that believe that you have made recommendations and that those recommendations had been simply disregarded. can you help us with that mr. mcfarland? do you understand my question? you look confused. don't be confused. i can't hear you. >> i always look that way. >> okay, good.
11:08 am
you always look that way. okay, go ahead. >> i am not confused, no, but it's a very difficult question. >> but it's a very important question. >> absolutely. of course it's a difference of opinion, but the opinion that i have comes from auditors who are trained to look for the things that they reported on and they did, in my estimation as normal and usual an excellent job. they stand behind their findings. i stand behind their findings. >> but is it just a difference of opinion? >> well, it's obviously a difference of opinion without question, and from my perspective ours is based on auditing and questioning and understanding the situation and that's where we come up with our answers. >> you heard ms. archuleta give
11:09 am
a whole list of things that she is doing or about to do i think, naming a new cyber officer and whatever and does that satisfy you as far as your concerns are involved? >> no, it doesn't satisfy me as far as our concerns. we have a whole suitcase of concerns. we have identified on our reports. i think that the best way to explain your answer to that question is that we -- we are i guess, very frustrated that we asked answers of opm and it takes a long time to get the answers. we ask definitive questions and
11:10 am
we don't necessarily get definitive answers. we know for a fact that the things that we have reported are factual. we don't take a backseat to that at all. our people have done this for a long time they know what they are doing but, yes it comes out to a difference of opinion, but ours is based on fact. i can't speak for the other side. >> all right. your company has a lot to answer. according to the justice department, usis perpetrated a multimedia fraud, and they failed to protect sensitive information of tens of thousands of federal employees, including people in the intelligence community and even the capital
11:11 am
police, and our integrities developed out tkoeld out bonuses. last week the committee invited the integrities chairman to testify. do you know what he said? >> i do not. >> i will tell you. he said, no, he refused. in 2014, a team from department of homeland security, asked integrity if they could scan the networks because the cyber spies were able to move from usis to those other sub sid airies. do you know how they responded? >> i understand they declined. >> yes, they refused.
11:12 am
al teg raw tea is our parent company. who made the decision to refuse the government's request? >> i don't have that information. i am not aware of who made that decision. it certainly was not me. >> can you find out for me? >> i can ask. >> how soon can we get that information? >> i will take it back to counsel and see what we can do. >> i would ask you to get it to us in the next 24 hours. i would like to have that. i have been trying to get it for a long time. i would like for you to tell the committee names of specific of the board. >> i interact almost never with the board of directors. >> you are about as close -- we have been trying to get the information for a while. you are all we got. i know you are just back from vacation from italy.
11:13 am
did you get a bonus by the way? >> i did. >> oh, my goodness. how much did you get? >> i don't recall the exact amount. >> it was in the neighborhood of $95,000. >> your company also refused to provide answers in a hearing in 2014. do you know what your company representative said when the committee attempted to get these answers? >> i am not in that communication chain, so i don't. >> let me tell you. they sent an e-mail to our staff and i quote, the company does not anticipate making a further response, end of quote. do you know -- would you know why they would say that? >> again i am the chief information officer at usis, and i don't know. >> sounds arrogant to me. the same question i asked back in february of 2014, more than
11:14 am
16 months ago name the board of directors that decided not to answer those questions, you wouldn't know that either? >> i don't know the board of directors. i know the chairman is steve duh leash. >> you are still working for usis is that right? >> how long will you be there? >> indeterm tphupbt but in the next month or so i will be departing. >> will you try to get me those names? >> i will take your request back to the appropriate people. >> thank you. we recognize the gentleman from florida. >> thank you, mr. chairman. ms. archuleta there has been a discussion today about how many peoples' federal employees and retirees have been breached and you testified at the beginning,
11:15 am
you estimated about 2.4 million, is that correct? >> it was 4.2 -- >> 4.2 in personnel? half of that is retirees and that's 2.4 and then you add -- >> i don't know exactly, but it's about half and half. >> the second figure you started to debate about was 18 million which has been reported by the media, and that would deal with breach of social security numbers? >> the analysis right now is taking a look at all the pii because pii comes in various forms -- >> but you are not prepared to tell us how many -- >> no, sir. >> of the social security numbers are breached. the chairman pointed out your statement in february, you had said over 32 million records?
11:16 am
>> that was the number he used yes. >> so you really don't know, then, how many records have been breached beyond the 4.2? >> no, sir that's the investigation we are doing right now. >> i thought about this a little bit and i thought, well, first thing, were my records breached my staff, and then thinking about the other people downtown and the agencies and we have a responsibility to protect their personal information, and over the weekend in fact monday i spoke the day at an embassy being briefed on a bunch of issues, and then brought to my attention was people insensitive positions that they were notified by you all a breach of their records. so our overseas personnel
11:17 am
insensitive positions have also been subject to the breach sprebgt? >> employee personnel records -- >> how many data is there? address, and personal information about these individuals. you think a little bit about people in the glass places here and you want everybody safe. i was stunned to find out that some of the people, united states citizens serving overseas were notified that their personnel records have been breached and information is available on them and they are in possible situations that could be compromised by that information, but you have notified them, right? >> we have notified the 4.2 million -- >> those are the people. they mentioned to this me. i was there on other subjects, but they expressed concern -- >> i am as concerned as you are about this because these are
11:18 am
the individuals who have been -- whose data -- >> these people are on the front line, and they are overseas and representing us and i could hear concern in their voice about what has taken place. i have read sit chinese hackers, does anybody know? was it the chinese? do we know for sure? do you know for sure? >> that is classified information, sir. >> so you have some idea but it's classified? >> it's classified and i can't comment here. >> whether it's chinese or some group that could give this6é information to people who would want to do harm, then that means some of those people to me are at risk? >> sir, every employee is important to me, not whether they are serving in kansas city or overseas. >> no but yesterday morning before i left eye visited a site
11:19 am
of a terrorists act in one of the capitals and i saw well that place still had not been open and it has been months since that terrorists attack and our people are over there on the front lines and their information has been compromised. you have been there the longest ms. de-camille yo. >> what was that? >> you have been in position since 2012 at opm? >> no i work for department of homeland security. >> but you are responsible for overseeing opm's -- >> dhs is a shared cyber security, and we are working with partners and we work with them protecting the boundaries --xj1kf >> when did we first find out about the breach? >> it was notified by a third-party partner to us in march of 2014. >> 2014.
11:20 am
so when you came on ms. seymour, about 2014? >> i came onboard in december of 2013 sir. >> so you were there. they talked about his bonus. are you ses? >> yes. >> did you get a bonus, too? >> yes, sir, i did. >> howuv@ >> i do not know the exact amount but i believe it was about $7,000. >> whether you were private or public, you were getting a bonus while some of this was going on. >> we will recognize the gentle woman from new york for five minutes. >> thank you. i am trying to get this straight. opm was breached directly, is that correct? i will ask ms. seymour opm was breached twice? >> that's correct. >> and one occurred in december of 2014 detected in april of
11:21 am
2015, and then the security breach -- when were the two breaches? when were the two breaches, the dates? >> the first opm breach goes back to -- we discovered it in march of 2014 and the breach actually -- but the breach actually occurred in -- >> you discovered it in march 2014. >> yes, ma'am, and the breach actually occurred -- the adversary had access of november of 2013. >> and then the second breach was when? two breaches, correct? >> that's correct, ma'am. the second breach we discovered in april of 2015, and the date that that breach goes back to is act of 2014. -- i am sorry, june of 2014.
11:22 am
>> who discovered this breach? how did opm discover this breach? >> the first breach we were alerted by dhs. >> so you did not discover it the department of homeland security discovered it? >> yes, ma'am. >> the second one, who discovered it? >> opm discovered it on its own in april of 2015 and by then we put significant security measures in our network. >> now when did you report these breaches? who did you report them to? >> on april 15th when we discovered the most recent breach we reported that to us cert. >> who? >> the computer kwrurr readiness team.
11:23 am
>> did you report it to congress? >> we reported it to the fbi and made the notification to congress as well. >> that was the april 15th one. what about the first one? >> for the first breach, again, dhs notified us of that activity in our network and so they already knew about that one, and yes, ma'am we made notifications to congress of that one as well. >> when? >> i am sorry, ma'am i don't have that date in my notes. i would be happy -- >> could you get it back to the committee for us.
11:24 am
did you notify the contractors of the breach? >> at the first breach there was not an awareness that -- of what the adversaries were targeting and this may go beyond opm. i know our staffs at -- my staff, my security staff, had conversations with the contractor organizations and i know the indicators of compromise that dhs had were provided to other government organizations, were put into einstein as well as they have communications that they would -- >> but the breaches were direct. now, i want to understand the inner reaction with the contractors. now, when they breached you, did it go into opm? i am asking you both.
11:25 am
when they went into that system did that connect to opm or was it held within your system? >> it was held within the intrusion of 2014 it was within our systems? >> within your systems? so the four identities they have and information they have, it came from opm or the contractors? are they one in the same or separate? i will go back to ms. seymour? >> these are separate incidents so with the breach as usis, the way opm does business with its contractors is different from the other way it's agency may do business with key point and usis, so there were approximately 49,000, i believe it was, individual we notified based on the key point incident and there were other agencies that made notifications based on the other incidents.
11:26 am
the 4.2 number you are getting is about the personnel records the incident at opm -- >> what i would like to get in writing is exactly what information came out of opm and what information came out of the contractors? is it one in the same? you are the final database so i want to understand the connection and how the breaches occurred and how they enter connect. i want to remind you you are under oath and i have a series of questions to follow-up to carolyn maloney's questions. it was reported in the wall street journal a company says
11:27 am
they were involved in discovering the breach that apparently has been, according to the article, linked to chinese hackers. opm's press secretary said the asuretion that sigh tech was somehow involved them -- ms. seymour, do i have your attention? they said they were invited in by opm and their equipment was run on opm and their equipment indicated they had been an intrusion of your system and they notified you but your response officially from opm is that it's inaccurate and they were not involved, and ms. archuleta archuleta, you said they were not involved. i remind you both you are under oath, so do you want to change
11:28 am
your answer? >> no, they were not. >> no, they were not. >> reminding you again you are under oath were they ever brought in to run a scan on opm's equipment? >> it was engaged and we looked at using their tool in our network, and it's my understanding we gave them some information to demonstrate whether they tool would find information on our network and in doing so they did indeed find those indicators on our network. >> thanks, ms. seymour. the ceo and vice president of technology officer came in and briefed the staff and they relate they were given access and ran their processes and they discovered it, and previously it was denied they had involvement.
11:29 am
what exactly did sigh tech do? were they given access to your system and run it on your system? >> here is what i understand, sir. opm discovered this activity on its own. >> that was not the question, ms. seymour. i am assuming you would have greater an understanding that you would know, considering you are the chief information officer and you are testifying before us how it happened and there already has been a news article so tell us clearly what access was sigh tech given to your system. >> i am trying to explain how he had access. opm discovered the breach and we were doing market research and we purchased licenses for their tool. we wanted to see if that tool set would also discover what we had already discovered. yes, they put their tools on our network and yes they found that information as well. >> so you were tricking them, and you already knew it and said shazam you got it too.
11:30 am
seems highly unlikely don't you think? >> we do a lot of research before we decide what tools we will buy for our network? >> at that point you had not removed the system from your system? you knew it was there and you brought them in and their system found it too which means it was continuously running and the personnel information was still at risk? >> no, we had latent malware on our system that we were watching and quarantined. >> so it was no longer operating? >> that's correct. >> okay. clearly you are going to have to give us an additional briefing and the intel committee staff exactly how you did this because sigh tech is relating what they did and it's compelling and quite frankly what you say sounds highly suspicious, that you brought them in and tricked them to see if they could discover it, something you already discovered it, and why would you need them
11:31 am
if you already discovered it and further tricked them to say you don't have the system on your system anymore, and 7 contradicts in so many ways it defies logic. on your sf84 form was comprised. you sound like it's minor. but this is the form, and this is what they have to fill out. their social security number is all over this. in my community there are a number of people who had to serve it out to be able to serve their country. what are you doing about the additional information in the form and being released and is out there about the individuals? >> i filled out exactly the same form -- >> i doesn't ask that. it's not just about identity theft. this is not just their credit cards and checking accounts. what are you doing about the rest of the information that is in here about counseling them and assisting them?
11:32 am
>> i just used that by way of example i understand what is in the form. personally and as the director of opm, and because at opm, as you know, we do federal background investigations and i am clearly aware of what is in the form. as i mentioned in my testimony that we are working with a very dedicated team to determine what information was taken from those forms and how we can begin to notify the individuals who were affected by that. that form is very complicated and that is why i am very very careful about not putting out a number that would be inaccurate. that is a complicated form with much information. it has pii and other information so we want to be sure that as we look at how we protect the individuals that completed those forms that we are doing everything we can and we are looking at a wide range of options to do that. this is an effort that has is
11:33 am
working together throughout government and not just opm. we are concerned about the data lost as a result of the breach by the hackers that were able to come into our systems. i will repeat again, but for the fact that we found this, this malware would still be in our systems. >> chairman i want to thank them for acknowledging that sigh tech did have involvement even though they previously denied their involvement. i have a question for ms. de-camille yo, but first i want to ask ms. archuleta, members have been concerned about this 4.2 million number that you have tried to straighten out for the record. that's not a final number and it almost surely will go up.
11:34 am
is that the case? >> there are two incidents. >> i understand that. >> in the first incident that number is 4.2 million. in the second incident we have not reached a number. >> so the number is going to go up. i understand -- and i am receiving calls from federal employees about opm's promise of 18 months i believe it is free credit monitoring. is it true that federal employees must pay for this service after that time? >> well, the services we are offering is identity theft protection up to $1 million that we are also offering credit monitoring for 18 months, which is the standard industry practice. as we look at the second notification, we are looking at
11:35 am
our whole range of options. >> ms. archuleta, there's a great deal of concern, not so much about paying for it but about the amount of time, the 18 months may be too short period of time given how much you don't know and we don't know. >> we are getting tremendous information back from not only -- >> are you prepared to extend that time if necessary? >> i have asked my experts to include this feedback that we have received on a number of different considerations. >> are you prepared to extend that 18 months in light of what has happened to federal employees if necessary? >> as i said, we don't know the scope of the impact -- the scope of -- >> precisely for that reason, ms. archuleta. i have to go on. if the scope is greater as you get more information, will you correlate that to extending the amount of time that federal employees have for this credit
11:36 am
monitoring? >> congresswoman i will get back with you as to how -- what range of options we have. >> when you get back to us within two weeks on that. ms. archuleta we have people out there all of us have constituents out there and you won't even tell me you are prepared to extend the time for credit monitoring what kind of satisfaction can they get from opm? i am just asking you that if necessary? >> congresswoman i am as concerned as you are -- >> in other words you are not willing to answer that question. are you willing to answer this question. they report having to wait long periods of time, sometimes hours to even get anybody on the phone from opm. can you assure me that if a federal employee calls they can get a direct answer forthwith
11:37 am
today if they call and if not what are you going to do about it? >> we are already taking steps and what the contractor has implemented is a system similar to what social security is using, so if they get a busy tone, they also can leave their number and they will get a call back. >> within what period of time ms. archuleta? >> for example, i heard a gentleman told me this morning that he left his number and was called back in an hour, so that individual does not have to wait on the phone. >> you let the chairman know before the end of this week what is the wait time for a return call, and that was a subject of great concern? >> we get those numbers every day and we will be glad to. >> we need some assurances, and we can't assure them beyond 18 months they are going to get credit monitoring and that's a very unsatisfactory answer, i want you to know. i want to ask, we understand
11:38 am
that much of this is classified and we keep hearing we can't tell you things because it's classified. of course the press is finding out lots of stuff. they reported that law enforcement authorities have been examining the connection between the cyber attack at opm and a previous data breach that occurred at key point. i want to ask you -- and i don't want to discuss or am not asking anything classified, but you assert in key point's data breach, did you find hackers were able to move around the company network prior to detection? >> in the case of the key point investigation? >> yes. >> yes, ma'am, they were able to move around and the key point network. we had an interagency response
11:39 am
team that spent time reviewing the network after the customer technical -- >> even for the domain level? >> correct. they had access -- we were there in august of 2014. on onsightte team -- >> what does that allow a hacker to do if you get to the domain level? >> at that point in time through the fall of 2013, during that time they were able to leverage certain malware to escalate privileges for the entry point and they entered the -- >> they can get to background points. >> the time has 1çç÷expired. >> they could not. they were not -- there was no -- there was a pi loss associated with 27,000 individuals associated with that case, i
11:40 am
believe. it was potentially exposed and because of lack of evidence we were not able to confirm that but they had potential access but we were not able to confirm the exfiltration of that data. >> i now recognize myself for five minutes of questioning. let me ask ms. archuleta, what do you believe was the intent behind the attack? we are talking about the attack, so what do you think the intent was? >> you would have to ask my partners and the cyber security about that. i don't -- i am not an expert in -- >> ms. seymour maybe you could respond? >> that would be better placed with dhs and perhaps with others. >> let me start with ms. seymour do you have any idea as to the attack? >> opm doesn't account for the attribution or for which the information is used.
11:41 am
>> i would be happy to discuss the details and it's more appropriate for a closed classified setting. >> ms. archuleta, how would you assess opm's information with current and former employees regarding the breach, at this point in time how would you assess it? >> i believe that we are very -- we want to work very hard with our contractor to make sure that we are delivering the service that we want. we have asked them throughout this process to make improvements. we have demanded improvements and are holding them accountable, excuse me sir, to deliver the services we contracted for and ms. seymour is in communications with them, and i do not want our employees to sit and wait on a phone and do not want them to have to wonder whether their data has been breached and i want to
11:42 am
serve them in every way we can and that's why we are demanding from our contractor the services the contractor will deliver. we are working hard on that and each day give them the appropriate feedback for what we are hearing from our employees. >> federal news conducted an online survey about the data breach, and one of the questions asked what to rate opm's communication with current and former federal employees about the data breach. the results showed that 78% of rerespondants indicated it was poor, and 3% described it as good and less than 1% said it was excellent. i appreciate the fact that you want to improve that, and we expect you to make sure that who you have contract with improves that that >> those numbers don't make me happy, sir. >> those are terrible numbers. >> i will do whatever i can.
11:43 am
i care deeply about our employees. >> let me move on. some news reports indicate attackers may now be in possession of information of every federal employee and retirie and up to one million former federal employees. if that is true they have the information of date of birth and job history and more that could be there. for years we have been hearing about the risk of a cyber pearl harbor. is this a cyber pearl harbor? >> the information associated with the dayta breach that was confirmed is what we would call on a severity scale a significant impact. >> a significant impact. what does significant impact mean? >> meaning the data if it was correlated with other data sources, it could impact the
11:44 am
environment as well as the individual. >> environment meaning? >> the fact they were able to take the data out of the invinement that is a significant impact on the environment and insuring they were able to mitigate the ability the attacker kwraougsattack er used to get into the environment. >> so it has blown up? >> sorry? >> it has blown up a lot of things protection, security? it's a pearl harbor. >> that's not a term i am comfortable with using, but when the severity scale -- >> it's pretty significant? >> yes, medium to high significance, yes. >> let me ask ms. seymour, do you think issuing a request for quotes on may 28th and
11:45 am
establishing a deadline of may 29th to potential contractors was a reasonable opportunity to respond in this significant issue of cyber security? >> our goal was to be able to notify individuals as quickly as possible. we worked with the gsa schedule and contacted the schedule holders, and put it on fed bizops for other opportunities. so our goal was to make sure that we could notify individuals as quickly as possible. >> that was quick. maybe too quick. my time has expired and now i recognize the gentleman from massachusetts, mr. lynch. >> thank you, mr. chairman and thank you to the witnesses for participating today. ms. archuleta you testified
11:46 am
before the senate. let me ask you on the outset, who is ultimately responsible for protecting the information of employees at opm or that are covered by opm, the federal employees? >> the responsibility of the records is with me and my cio. >> so you also testified that nobody was to blame. is that right? >> i think my full statement, sir, was that i believe that the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our systems, and i have worked the rest of my team was i have worked since day one to improve legacy systems -- >> i understand you are blaming the perpetrators that those are the people responsible, is that
11:47 am
basically what you are saying? >> the action was caused by a very focused aggressive perpetrator. >> i can't have repeated the same answers. mr. mcfarland the assistant inspector general testified a number of the systems that were hacked were not older legacy systems but they were newer systems. is that your understanding? this is not the old stuff this is the new stuff? >> yes, that's correct. >> the former chief technology officer at the irs and department of homeland security said the breaches were bound to happen given opm's failure to update its cyber security. is that your assessment, mr. mcfarland? >> i think without question it exacerbated the possibility,
11:48 am
yes. >> this is a quote. if i walked in there as a chief information officer and saw the lack of protection for the sensitive data the first thing we would have been working on is how do we protect that data. i am concerned as well about the flash audit that you just put out, and your ultimate determination was that you believe what they are doing will fail. >> the approach that they are taking, i believe will fail. >> okay. >> they are going too fast. they are not doing the basics. and if that's the case then we're going to have a lot of problems down the road. >> let me ask you, so very crudely describing this, they are creating a shell a protective shell, and then we
11:49 am
are going to my great applications in under the shell and because of the shell they will be resistant or impervious to hacking. doesn't seem like we should have to wait until the last application in under the shell before we find out whether or not the shell is working. is that -- is that -- will that give us an opportunity to look at the early stages of this project? >> i am not sure if it will give us that opportunity or not. what is important i think from our perspective is that they have the opportunity opm has the opportunity right now to do certain things that will increase the security a great deal, and that should not be abandoned and just in place of. i don't mean to imply it is
11:50 am
abandoned but that should not be in place of speeding through the rest of the project to get it done. the crisis part may not seem this way to a lot of people, but the of people but the actual prices at opm was with the breach. that part is over. the best thing to do is safeguard the system as it is right now, and then move appropriate ly appropriately for full restructuring. >> do you think opm's estimate of $93 million is accurate? >> i don't think it's anywhere close to accurate. >> i don't either. >> it doesn't seem to include the whole migration information where they pull the information in. >> as an example, the financial system that we have, in 2009 we had to migrate that information.
11:51 am
>> right. and in so doing, it had a lot of oversight and went pretty well. in fact,our office was part of the oversight. but just that one system took two years and $30 million. >> all right. and that's a small fraction of what we are talking about here right? a very small fraction. >> very small. >> i yield back. >> you recognize the gentleman from south carolina. >> mr. chairman, i want to read a regulation i would ask all the panelists to pay attention. it's a little tedious. if new or unanticipated hazards are discovered by the government or contractor or if existing safeguards have ceased to function, the discoverer shall immediately bring the discovery to the attention of the other party. that's a regulation. mr. hess, mr. jgianetta were
11:52 am
there also things between you and the government? >> there are. >> they would be similar to that? a notice provision? >> i doint have the exact text but it is similarly worded. >> i think it's helpful sometimes to define terms, particularly for those that are liberal arts majors and don't deal with this. what is a new or unanticipated threat or hazard? mr. hess? >> that would be an indication of a compromise of a system or failure of any of the system protections. >> oh, so when chairman chafeus was having a hard time getting answer to that because the focus was on the loss of personal information, it's just a threat or hazard. it doesn't actually have to be a lorks does it? >> not the way i would define it. >> me either.
11:53 am
>> what about existing safeguards have ceased to function. what does that mean? mr. hess? >> sir it's pretty explanatory. >> it did strike me as being self-explanatory. is it self-explanatory to you? existing functions have ceased to function? what is the word immediately mean? >> without delay. >> without delay. is there another meaning that you are familiar with? >> that's a good definition. >> so you had a contractual obligation with the government and a regulatory obligation that if new or unanticipated threats are discovered by the government or contractor or if existing safeguards have ceased to function, the discoverier shall immediately bring the situation to the attention of the other party. ms. archuleta, i've heard this
11:54 am
morning about a march 2014 data breach. did i hear that right? >> whyyes, sir you did. >> when did you bring that to their attention? >> i would have to get that information. i don't have it in my notes. perhaps ms. seymour would know. >> do you know if it was immediately? >> i would expect that it was immediate. >> let's find out. ms. seymour do you know? >> no sir, i don't. i don't think we immediately notified our contractors of a breach to our network because at that time we did not have any question as to whether it was affecting them. it was to our network at that time. >> mr. hess mr. gianetta is that your understanding that they were under no duty to bring
11:55 am
that to your attention? not all at once. it's your contract yowl language. do you think you should have been notified because of the march breach? >> absolutely. >> why? i just heard one person say they didn't know and the other it was really none of your business. why should you have been notified despite the plain contractual language? why do you think it was important that you be notified? >> so that we could take more appropriate actions to protect data. >> were you notified? >> i was not. >> were you notified immediately? >> no. >> huh. what do you have to say about that ms. seymour. >> i believe that that's accurate, sir. >> well i'm with you there. i guess my question is why? why despite the plain language of the contract and the
11:56 am
regulation why did you not immediately notify the contractor? >> we worked with dhs and partners to understand the potential compromise to our system so that we could -- >> was dhs one of your contractors? >> no, sir. >> i didn't think so. that doesn't really help me understand the regulation because this says contractor, not dhs. why didn't you notify the contractor? >> we were still investigating what happened in our network. >> what does the word immediately mean to you? >> without undo -- >> did you do so? >> no, we did not. >> does it say as soon as you figure out what happened or after you talk to dhs? that is not in my version of the regulation. is it in yours? >> i have not read that regulation. >> that one doesn't exist. the one that says notify dhs or try to figure it out.
11:57 am
the only one that exists says to notify the contractor. you didn't do it and my question is why? >> i can't answer that question. >> who can? >> i will take that back and get you -- >> to whom will you take it? >> i believe i would take it back to my staff to see if we have processes in place. >> do you think it's staff's responsibility to notify the contractor? >> we have processes in place for making notifications when we find these -- >> who is ultimately responsible for that? who failed to meet the contractual regulations? >> i'd have to read that regulation. i'd be happy to read it. i'd like to read the full context of it. >> you think the context is different than what i read? >> i'd want to read the -- >> have you read the contract? >> i have read most of the parts of the contract, sir.
11:58 am
>> i can't speak for the chairman but my guess is he and the other members would be responsible to learn who failed to honor the letter and spirit of the contractual obligation. with that, i yield back. >> we'll recognize the gentleman from california. >> thank you, mr. chairman. i have concerns not just about the failures of opm leadership but its contractors. in it usis. it looks like what happened here wasn't just recklessness or negligence. it was fraud. i want to know how far up this fraud went. the hedge fund managers that funded these companies knew about it. let me begin with mr. mcfarland. the department of justice joined the lawsuit for defrauding the government under its contract with opm. and according to justice department filing, beginning in at least march 2008 and through september 2012 usis management
11:59 am
de devised and schemed quality reviews much backgrounds -- >> the u.s. assisted in this investigation, correct? >> yes. >> the parent company paid bonuses during the period of the fraud that aamounted to $30 million. has usis paid the government back for those bonuses? >> i'm not positive, but i believe not. >> let me enter into record mr. chairman if possible, an article from "the wall street journal" entitled "executives got payout before screener went bankrupt." if i could enter the article into the record. >> without objection. >> i ask a second one be entered. an article in "the washington post." the justice department filed a motion in this case on friday seeking $44 million from usis'
12:00 pm
parent company. that's from this monday. >> without objection, so ordered. >> now let me ask ms. dicamillo for usis to have these breaches it would have cost less than $30 million, correct? >> not having investigated specifically, the breadth and depp th of all the parent companies we were focused on the usis network. they were higher than $30 million for the recommendations we provided to them. that number could be as high as $50 million. >> thank you. i appreciate that. now i want to any mr. gianetta about the bonuses awarded. who on the board reviewed the performance of the ceo and decided to award him with bonuses during the 4 1/2 years
12:01 pm
usis was defrauding the government? was it the board? >> since my role began at usis in 2014 as the chief information officer, i don't have any knowledge direct or indirect of who approved -- >> you don't know if it's the parent company or hedge fund managers. we don't know who did this? >> we'll send you written questions after this. i want your commitment that usis or autegrity will provide a response to our questions within 30 days. will you commit to that? >> yes. >> i also think the committee should call the prltesident of autegrity as well. you issued two advisory reports one in november 2013 and november 2014, correct? on opm. mr. mcfarland? you issued two ig reports dated november 2013 and november 2014. >> sorry. >> so you issued two reports
12:02 pm
dated november 2013 and november 2014 on opm? >> you're speaking on fisma, yes. >> these two ig reports would you agree the 2014 report is quite similar to 2013 report because opm actually failed to implement many of your recommendations? >> i think there were many carryovers, yes. >> would you agree this is a difference of opinion? you had opm violating standards that the administration had put in. for example in 2014 your report on page 24 says opm was not compliant that required to factor authencation. on page 12 you also said that opm was not complying with international institute standards. you would agree opm was not following these standards
12:03 pm
correct? >> yes. >> do you take responsibility for not following omb guidance as well as guidance from national institute of standards which had you followed, could have prevented these breaches? >> well, sir -- >> yes or no. do you accept responsibility for -- >> it can't be a yes or no. >> this is a yes or no. you don't have to accept responsibility. i just want to know if you do. >> i have to take into consideration when an audit is conducted by the auditor. i have to make an informed decision about his recommendations. it's not whether i disagree with him. >> this is omb. it's this administration's guidance. >> and we have worked very closely with omb to make sure that we're tracking, documenting and justifying all of our steps in -- >> my time is up.
12:04 pm
i take it you don't actually take responsibility. i yield back. >> i now recognize mr. meadows. >> ms. seymour let me come to you because there seems to be some conflicting information before this committee. on april the 22nd you indicated it was the adversary's modern technology and the opm's antiquated system that helped thwart in your words, thwart hackers at the first opm attack. is that correct? >> yes, sir. >> last week you testified repeatedly that it was the opm's antiquated systems that were the problem and the chief reason that the system was not secure and didn't do just the basic
12:05 pm
cybersecurity measures of incryption and network protection. so i guess my question to you ms. seymour which is it? is it the fact the old system helped you or the old system hurt you? those are two conflicting pieces of testimony. >> i don't believe they are conflicting, sir. in the first incident the old technology thwarted the actor because they did not know what they were doing in that environment. why immediately put in place a plan to provide better -- >> so you caught them immediately? >> no we immediately put in place a plan so that we could improve the security posture. what we did was we moved to build a new architecture where we could put additional security controls. we also at the very same time put security controls in our current environment. >> okay. >> we did not wait. >> well, you say you didn't wait
12:06 pm
once you found the problem, but is there a -- >> sir -- >> hold on. let me ask the question. is there in the security i.t. cybersecurity technology chief operators, is there anyone who would apply for a job who would suggest not to do incryption of sensitive data? >> incryption is not a panacea. >> i didn't ask that. is there anybody in your job or similar job that would say we're going to protect everything. let's leave it unincrypted. can you think of anyone? because i've been asking all over the united states. i can't fund anybody. >> i'm trying to explain the situation. our databases are very large. our applications are not always able to work properly and incrypt and decrypt that data.
12:07 pm
>> so you're saying this was a volume problem not a management problem. because you're under oath and that's concerning because you're saying you just didn't have the resources to handle the large volume of information? >> it's not a resource information. it's whether our applications are built so that they can -- >> so they aren't encrypted today? >> we have purchased the tool set, sir, and we are in the process of encrypting pieces of our databases as apposed to the whole database. >> we need to focus on the sensitive information. what do we tell the millions and millions of federal workers that now because their system has been breached now you're going to encrypt -- do you feel like you've done your job? >> i do sir. i came on board and recognized these issues and worked with director archuleta to put in a plan --
12:08 pm
>> you both came in in 2013. >> at the end of 2013, yes, sir. >> how long did it take you to buy equipment to start encrypting? >> simple answer. >> june of 2014. >> okay. so you bought equipment in june of 2014. so when did you start encrypting? >> a couple of databases encrypted already. >> a couple out of how many? >> we have numerous. >> that's my pontint. >> it takes time and resources. >> when you aplidplied for the job and were going through your senate confirmation you said you'd make i.t. your top priority. again in this committee you said that it was your number one priority. can you explain to the federal workers and all those that have had their personal information
12:09 pm
breached how making it your number one priority when you were confirmed in 2013 is still to be believed? or was it just what you said during a confirmation hearing and you never intended to act on it? >> i believe the record will show that i have acted on it. that i am dealing with a legacy system that's been in place for 30 years. and we are working as hard as we can. in 18 months we have made significant progress. but so have our aggressors. cybersecurity is an enterprise responsibility. i am working with all of my partners across government. and i have shown that we have prioritized this even as early as 2014 and 2015 in our budgets and in the resources we directed towards that. i do not take this responsibility lightly. as i pledged in my confirmation hearing and last week and as i pledge to you today, i take it
12:10 pm
extremely seriously and i am as upset as you are about every employee that is impacted by this. that is why we're dedicating resources throughout government. not just at opm, but at every level of government to make sure this does not occur again. we're working very hard. >> i appreciate that. i appreciate the patience of the chair. >> thank you, mr. meadows. i'd like to recognize my colleague from the great state of new jersey ms. coleman. >> thank you for your being here today. i have a couple of questions. with regard to one breach that involved the 4.2 million employees, those are actual employees and retirees. that's a closed system. we know how many that is. with regard to the individuals whose information was in a system because background checks were being done with them, "a,"
12:11 pm
we don't know how many. every one of those individuals didn't ultimately get a job so we have some whose information aren't even employed by the government. >> yes if there was a background investigation requested. >> in that second breach of that universe that's so large, that information was breached through a breach in the security of keypoint? is that true, ms. archuleta? >> yes. >> someone who had credentials with -- >> there was a credential used, and it was -- that was the way they got in. >> so who is trying to identify all the universe that's been compromised through the latter breach? is it key point who is trying to clean up its mess or -- >> no no, we have a total enterprise wide security team or
12:12 pm
forensic team that is doing the forensics on this. >> mr. mcfarland has made a number of observation and recommendations. and i believe i was left with feeling that you didn't believe opm was moving in the right direction on the rootight path to get to where it needs to go. i was also informed his recommendations or findings are a result of auditors and specialists in this area. i have two questions for you ms. archuleta. number one is are you using experts and the same kinds of skillsets that mr. macfarland is using and looking at the same things he's looking at. and do you agree with his recommendations? and if not, on what areas do you disagree? >> the audit i can take by way of example.
12:13 pm
first of all, i respect the inspector general's diligence in overseeing this topic. and there are areas we have areas of agreement and areas that i think we need further conversation about. in terms of the existing contracts and use of full and open competition, ides like to assure the ig that the processes we used toward the already existing contracts have been perfectly legal. and we're going to continue to ensure that our future contracts and processes entered into will also be legal. i also understand that he's concerned about the sole source contract of tactical and shell he spoke about. i understand his concerns and i'd like to remind him that the contracts for migration and cleanup have not yet been awarded and we'll consult with him as we do that. where we don't -- where we have areas that we need to consider together and, by the way, the ig and i meet on a monthly basis
12:14 pm
and our staffs meet on a weekly basis or biweekly, i look forward to sdusing with him the major business case so we can figure out what the practical timeline will be. >> tell me what you think is the time frame for the ig's office and your office and mr. mcfarland you might weigh in necessary to get to where we need to get. not that all these things are going to be implemented but we agree on what needs to be done. are we talking about three months from now, six months from now? do we have any idea? >> i would ask donna just to talk about the tactical and shell processes. the reason we're trying to do that as rapidly as possible so we can move out of the legacy network. the issue about the migration and the cleanup will continue to
12:15 pm
discuss but we're trying to rapidly move toward that shell. >> do we still have contracts with q point? >> yes. >> and q point this is to mr. hess, i b2=ñbelieve, how many contract with how many departments do you have? >> our primary contracts through homeland security and opm. >> and so are you -- are your contracts, active contracts coming to an end or are you at the end of these contracts? >> they're all active contracts. >> they're all active contracts. >> mr. mcfarland should we be ceasing our relationship with key point? >> based on what i know at this point, i have no reason to believe that we should. >> that we should? >> i have no reason to believe that we should cease relationship. >> that we should cease. >> no that we should not -- >> should not?
12:16 pm
do you agree with that ms. archuleta? >> i do agree. key pount has taken the steps necessary to mitigate any security questions they have been very active in working with us on that. >> should we cease contracting with them? mr. mcfarland says yes and you said -- >> no, he said no. >> i said no. i'm sorry. thank you very much. mr. mcfarland last question to you, what are the three important things we need to do just to get us back on the right track and how long should it take? and that will be the end of my questioning, mr. chairman. thank you very much. >> i'll give you four, if i could. first, we'd like to see the implementation of multifactor authencation using pvi cards and
12:17 pm
then develop a comprehensive inventory of information systems, servers and databases. and further protect existing data with encryption and data loss prevention tools. and then proceed with the infrastructure overhaul with disciplined project management approach. and i have no idea how long that will take for discussion. >> thank you. now i'd like?rhb to recognize mr. de santos from florida for five minutes. >> this is a really really frustrating hearing and obviously, a colossal failure. we have a government that will tell us how much water we can have flushing in our toilets how much corn we have to put in the gasoline we use to drive our cars government will tell us the type
12:18 pm
of health insurance we can and cannot buy yet on the core functions of government, the things we need the government to do it seems it fails habitually. this is a major example of that. the numbers of people affected when ms. archuleta talked about we don't know on the clearance side. we dont know because it's not just the person that filled out the form. you have friends family members, associates, foreign nationals you may know who china would like to know who those foreign nationals are. you're talking about a larger number than the number who filled out those forms. yet it seems to me that we just have bureaucratic paralysis. nobody is really accountable. ms. archuleta members of this committee have called upon you to resign. you've rebuffed that. do you still believe you should remain in your position? >> i am more committed than ever
12:19 pm
to serve the employees of this administration. i am working very hard. and i think -- >> do you accept responsibility? >> i accept the responsibilities that are given to the director of the opm and i have fulfilled those responsibilities by making sure we have the right people in the right places and seeking the resources we need to do our work and make sure the systems we have in place can do the work that they are expected to do. again, we have a legacy system that is 30 years old. we have dedicated money -- >> and i appreciate that. i've been here for your statements and heard you make that point. but if not you then who, if anybody in opm should be held accountable for this colossal failure? >> i am responsible as the director of opm for -- >> is anybody going to be held responsible? >> for a number of different responsibilities. i take very seriously, as i said
12:20 pm
in my confirmation hearing and many other hearings after, including today -- >> what about responsibility? >> i accept -- i have -- >> they'll say, ron we have people mess up in the government all the time and nothing ever happens. and that's not the world that our constituents live in where there's usually consequences. so you're not committing that anybody will be fired or helda akontable because of this? >> we're going to do the best job that we can. >> i appreciate that but that is not something that i think the american people have confidence in right now given what's happened. now let me ask ms. di camillo people have been warning about the risk of a cyber pearl harbor. obviously the ig warned the opm about vulnerabilities in their system for years and years. does this institute a cyber
12:21 pm
pearl harbor. >> that question was asked to me earlier. we use a severity scale. based on the impact to data and the network and getting back to a known healthy state, we'd consider this a medium to high severity. and the ability for the mitigations we put in place as part of the plan we provided to opm post assessment. >> those are mitt gaugsigations for the system itself. they don't include mitigations for any of the capabilities that some of the people whose ident hit identities may have. >> ensure the protection of their networks. we provide mitigations to help them get back to a known good healthy state and prevent these
12:22 pm
things, and if they are targeted again, helping them detect that activity sooner so they can detect it and clean that up. >> if china gets blackmail information they can use against people serving in our government in important positions, if china is able to identify chinese foreign nationals maybe who are friendly with the united states and people there's no way you can calculate the damage that causes? >> i'm a cybersecurity operator. that's clearly a question for intelligence. >> i think it's a very important question, and i think the damage to this is very very severe. i yield back the balance of my time. >> i'd like to recognize the chairman from virginia mr. connolly. >> thank you for allowing me to go at this moment because i have to chair a meeting at 12:30. let me just say, you know, i was
12:23 pm
just listening to our colleague from florida. it's easy to make a scapegoat out of somebody or something. that isn't to absolve people of responsibility. but what we're facing is a much bigger threat than a management snafu. we are facing a systematic organized, financed pernicious campaign by the chinese government in the form of the people's liberation army with a trained unit to penetrate weak spots in our cyberworld. and that includes the federal government and it may include retail and commercial enterprises, certainly banks among them. to pretend somehow this is miss archuleta's fault is to really miss the big picture. and, frankly, a disservice to
12:24 pm
our country. we have a bigger threat. whether we want to acknowledge it or not we now are engaged in a low level but intense new kind of cold war, a cyberwar, with certain adversaries including china and russia. and it is every bit as much a threat to the security and stability of this country and we need to gird ourselves for this battle. and it's not okay to dismiss testimony that resources were denied. this committee led the effort, and i proudly co-sponsored the bill, to modernize how we purchase and manage i.t. assets in the federal government. is that important? why are these people here before us? because it is important. and congress has neglected it. we can't have it both ways.
12:25 pm
so while we certainly hold ms. archuleta responsible as the head of opm for how they are managing this breach, and we have every right to question why the breach occurred, to make a scapegoat in this alice in wonderland world we've created here sometimes where the answer is off with your head. how easy. what a cheap headline that gets, and it does get a headline every time. but it begs the question, which is far more fundamental, far more profound and far more disturbing as a threat. and that's ultimately what we need to deal with. mr. mcfarland last week your office issued a flash audit alert to raise awareness of serious concerns over opm's ongoing overhaul of its entire i.t. infrastructure. according to that flash alert
12:26 pm
your office stated, in our opinion the project management approached this overhaul and is entirely inadequate and introduces a high risk of project failure. if i understand correctly you are saying the project won't do what we need it to do. is that correct mr. mcfarland? >> no i'm not saying the project wouldn't ultimately do what is hoped for. i'm saying the potential for problems exist and it's very high. >> i want to use the word in the report. entirely inadequate. introduces a very high risk of project failure. that doesn't say -- that doesn't say to me there's the possibility of failure. it predicts it's more likely than not. >> high risk for sure. >> you also indicated it will cost too much. you want to expand on that a
12:27 pm
little bit? >> $93 million that's set aside at this point won't come close. migration itself is going to be an extremely costly measure. one would note the cia used an outside vendor. i think they spent $600 million but their system seems to be working, but it cost $600 million over ten years if i'm not correct. ring a bell? sound right? >> i'm not familiar with that. >> worth looking at. they partnered with the private sector rather than try to find all the answers inside. ms. archuleta, what's your response to that ig flash audit alert? >> the ig brought up some process issues that were very important. i think some that we don't agree with but there are other areas we do agree with. the important thing is to underscore the relationship we have with our ig and we'll continue to value his opinion
12:28 pm
and bring forth his ideas in to the considerations that we make. i do believe that we have to move carefully, but we have to work swiftly. as you've said, these aggressors are spending a lot of money. a lot of money to get into our systems. we need his assistance. we will seek his guidance. we will listen carefully to his recommendations, and certainly consider those as we move forward. >> i just, mr. chairman i introduced the data breach notification act of 2014. although we blended that on a bipartisan basis into the safe and secure federal websites act, the senate did ñ not act. had we acted we would have had protocols in place for dealing with this at least after the fact to reassure the victims who
12:29 pm
are federal employees and federal retirees. i'd hope this committee once again will help prod the system as it did last year, only this time getting the senate to act. thank you to my dear friend from pennsylvania. >> now the chairman of the subcommittee on i.t. mr. hurd for five minutes. >> thank you mr. chairman. my mama always told me you can always find the good in any situation. let me try to start off with that. dhs caught them caught the problem. that's a good thing. when they were engaged, we found it. wish it was sooner, but we caught the problem so that's good. i also got a letter from the chief information officer of opm. dear mr. hurd the u.s. office of personnel management recently became aware of a cybersecurity
12:30 pm
incident affecting its data and you may have been exposed. we have determined the data compromised in this incident may have included your personal information such as your name, social security number date and place of birth and current or former address. i know ranking member cummings and mr. micah were talking about how could an adversary use this information. i spent nine years as an undercover officer in the cia. if it was the chinese, any federal official traveling to china, former official, someone there, is a subject of being targeted for elicitation of information about what's going on in the federal government. if it was the russians this information is going to be sold and used against them to drain people's bank accounts, create new access codes to get private information. if it was narcotrafficantes in
12:31 pm
mexico, it's the home addresses of men and women in border patrol, people that are keeping us safe. the threat is huge. the impact is fantastic. one thing my dad always said was it never hurts to say you're sorry. following thus letter it says -- nothing in this letter should be construed as opm accepting liability for any other matters covered by this letter or for any other purpose. later it says, we regret this incident. i'm sorry actually goes a long way. i agree with what my colleagues from virginia had said about this long committed attack by advanced persistent threats and my issue is not with how we responded to the threat. i think the immediate technical steps that were taken were good things right? and i believe all the folks involved in the mitigation of
12:32 pm
the immediate threat were doing some things that can be used in other places. what i have a problem with is everything before this. if you were in the private sector, the head of a privately traded company and ernst & young was doing your yearly audit and you had at least five years of audit information saying that your digital infrastructure had some high risk to it and needed to be immediately fixed, the board of directors would be held akontable for criminal activity. by multiple years. i would penetrate the networks of companies and identify the problems they had. a lot of times if there was a high risk issue we'd call the customer immediately and say this has to be fixed right now. the company and customer would do that immediately. then we'd issue our report saying here was the high risk report but it was fixed. because a company like ernst & young doing an audit would probably not put this
12:33 pm
information in an audit to go to the board because it's guys you've got to fix. so my problem is these high-risk issues identified by the ig haven't been addressed. key point. my first question is ms. ann di camillo, have they reviewed key point's network? >> we were on site at key point's network in loveland colorado with our inner agency partners. we went there in an abundance of caution baseod the event that happened at usis and opm. we needed to look at contractors performing background clearance. this was done out of an abundance of caution. so our team did an assessment. some results came back that
12:34 pm
caused some concern. so we sent an instant response team on site and reviewed their network. we were there for a couple of weeks. >> when we hire contractors, are they subject to the same standards of network hygiene that u.s. government networks are? >> our contractors subject to the same? it would be part of the contract language associated with requirements that are for any kind of network that houses government data there are certain requirements per the fisma law of 2002. >> in his opening remarks ranking member cummings read some of director archuleta's comments to the senate committee. the adversary leveraged a compromised key pont user credential to gain access to opm's network. when the written information that key point submitted said we have seen no evidence of a connection between the incursion at key point and opm breach that's the secretary of this
12:35 pm
hearing. mr. hess, feedback? >> congressman hurd, it is true that the key point incursion, we've seen no evidence of the connection with the opm -- >> are you saying ms. archuleta is lying? >> she is correct from the knowledge that i have been given. there was an individual who had an opm account that happened to be a keypoint employee and that the credentials of that individual were compromised to gain access to opm. >> thank you. i yield back. >> we'll now recognize the gentlewoman from the virgin islands. >> thank you very much. good afternoon, everyone. i think that it's very interesting. i was listening to the ranking member cummings talking about the vulnerability of government contractors and the questions of my colleague mr. hurd regarding whether or not companies that
12:36 pm
have government contracts must keep the same level of security and care that the opm or other agencies would have to in terms of preparing for cyberattacks. mr. gianetti, i have a letter that was sent from usis to ranking member cummings on december 5th of 2014. and the letter says that the federal agencies had the failure of the company. and i wanted to ask you some assertions that you made in that letter. it says their council wrote the critical cyberattack defense information only flowed in one direction, from usis to the government. is that correct? >> in the discussion we had earlier about the shared responsibility to notify from a contractor to the government and the government to the contractor, that is correct. >> what you're qualifying it
12:37 pm
now. so you're saying -- >> i'm not qualifying it. i'm suggesting that we were required and obligated by our contract to notify opm we had an intrusion, which we did immediately, and in the discussion that was held earlier, opm recognized they did not notify usis or, i believe, keypoint of their intrusion of march of 2014. >> in terms of the cyberdefense information, was it one way or did it go both ways? >> in my humble estimation it was one way. >> it was from yours to the others. what would have been your estimation been the requirement of opm or the others toward you? >> well i'm not a lawyer or -;(j i don't have the contract in front of me but my understanding is that there's a requirement to notify, to say we've got an issue. here's what the issue is so that
12:38 pm
there's a free flow and sharing of information. >> so if you have an issue you're supposed to let them know correct? >> that's correct. >> that's what you felt you did. >> absolutely. >> what did they do about that information that you gave them? >> the cert team? >> yes. >> we invited the cert team to our facilities in grove city, p.a. formally via a letter. the cert team arrived. shortly after receiving that letter. and enumerated our network and understood through discussions wuths our technicians as well as the third party we hired what had transpired from the 5th of june through the time they arrived. >> why does your letter also state that cert has not provided usis with any findings it may have recovered during its review. >> i didn't write the letter --
12:39 pm
>> you are here testifying for your company. i am an attorney. i'd never write a letter as an attorney forra a company without the entire company agreeing. >> you are here to testify for the veracity of the letter. was the letter correct? >> we did not receive a briefing from cert as to the findings they had vis-a-vis the intrusion. >> then let's ask cert since they're here. >> we did receive some recommendations relative to what we might do to -- >> that's not a review? >> our invitation to cert requested their assistance in identifying threats to our network. and we did not receive that. >> okay, well let's ask ms. barron dicamillo. >> our team was on site. an uner agency response team including law enforcement partners. we worked part of the incident
12:40 pm
response team. we're working with the system administrators daily. informing them every day of -- >> how many days did you inform them on a daily basis? >> we were there about two weeks. >> that's at least ten report ooze. >> we worked through the weekend. >> that's 14 reports they were given asserting what -- >> the daily findings. and they can change. >> did you find something and give them ideas of what needed to be done? >> why we were able to discover there was malicious malware on the network and compromised credentials, specifically -- >> how did those compromised credentials -- what were the two areas you found within their own system that should have been taken care of previously? >> we found a lack of some security mechanisms that would have helped prevent this. we weren't able to find the
12:41 pm
initial point of entry. >> can you talk about the lack of logging. >> there's logs that can help us piece together what happened within your network. >> why weren't those there? >> it's a risk-based decision. it can cost a lot of money -- >> it's a risk and cost decision made by the company itself? >> it can be. it can require quite a bit of storage. >> the government contractor we hired to do government work for us decided a risk and cost decision on their part did not require them -- they didn't put in the log ins necessary to protect the system. >> i can't answer that specifically. i can just give you some of the reasons that people are not having the historical logs because of the volume of data. there's millions of net flow records that happen a day. >> the letter sent by usis to ranking member cummings, would you agree with that? >> we provided daily reports and
12:42 pm
a findings report. we went over that with the team and provided a mitigation report and i have documented evidence of all of that. >> did you want to respond to that? >> if i may. >> sure. >> it's my understanding from our forensic investigator strauss freedburg that was was found by the cert team vis-a-vis ms. barron di camillo's comments was not information they hadn't already discovered. >> so the log ins that were needed for them to be able to go and do a deeper forensic was something they already knew? >> that's -- >> yes or no. >> -- the forensic evidence of the third party partner. what he's saying is it was a confirmation and whye were able to confirm the credentials with the third party forensic firm in
12:43 pm
there and discover additional findings through the assessment we did. >> for now we'll recognize the gentleman from alabama, mr. palmer, for five minutes. >> thank you, mr. chairman. ms. archuleta, last week i brought up a letter from two of my legislative staffers received warning them their personally identifiable information may have been compromised in the cybersecurity hack. i bring this up again because earlier you disputed the number of people that are affected by this when ms. seymour admitted after i questioned her about the letter that she signed that this goes beyond the people who filled out the form 86. and i just want to know considering the fact that a vast amount of personally identifiable information. was it likely exposed by foreign
12:44 pm
contractors, outsourced by opm and opm's failure to aed by by the ig's recommend agss? >> can you repete that question? >> let me rephrase it. do you stand by your assertion this is limited to a smaller group than is being undicated in the media and this extends beyond the people who filled out standard form 86? >> thank you for clarifying the question, sir. i think it's really important not to conflate to the two incidents. the first incident was the employee personnel records, which is the 4.2 million -- >> i'm just asking -- >> and the second incident, we haven't determined the number yet of the scope of that incident and the number of employees that's would have been affected by that. >> so the answer is yes, that
12:45 pm
it's more. i think it's very evident that this attack on the federal employees personally identifiable information not only puts those workers at risk but also puts secondary groups at risk. for instance if they have their personal e-mail addresses as it's evident from as i pointed out last week that some of the breaches occurred through personal e-mail addresses. that all of these employees and second -- their secondary relationships is it possible that certain information was exposed there as well? >> yes. the team is working on the analysis of the scope. it's exactly why we're taking our time to make sure it's accurate. the sf-86s we've talked about earlier. the data in there is -- includes not only the employee but may include other information and pii for other individuals. that's why we're being very,
12:46 pm
very careful about that and looking at the data because it's -- it could be that there was no pii for -- >> beyond this i'm talking about where the breach apparently occurred as well through personal e-mail addresses, particularly at the immigration, customs enforcement agency that was reported in "the wall street journal." i brought this up to you last week. >> yes. >> but where they got in on personal e-mail addresses that would expose everybody in their e-mail chaun and i think we've got -- >> i understand your question. >> you received a letter from senator mark warner with some specific questions about a contract that you awarded to csid. have you responded to senator warner's letter yet? >> i have to check with my staff, sir. we were attempting to respond as kwuk quickly as possible.
12:47 pm
>> have you personally read his letter? >> i read his letter but i don't know his response made it through our system yet. >> he raises a question about how quickly this contract was awarded to csid. you didn't go through the normal process and it was awarded in 36 hours, i think is what senator warren says. was it intentionally steered to csid? >> no, sir. >> who made the decision? >> i would ask donna to talk about the process that we used. it was a fair and competitive process. >> fair and competitive process. >> our contracting officer made the selection on the contract. >> did you evaluate the management of csid? >> i did evaluate the technical and cost proposals. >> are you -- did you evaluate the people who run the company? >> i had resumes for the
12:48 pm
people -- or for the key personnel that they provided in the proposal. >> are you familiar with their board of directors? >> no sir, i'm not. >> do you know owen lee, one of their directors? >> no sir i don't. >> okay. mr. chairman my time is expired. i yield the balance. >> from start to finish, how long was it from when you got the proposal that you awarded the contract? >> i would have to go back and look at exactly when we released the rfq but i believe it -- and i don't want to misspeak. let me go back and find out when exactly we received the rfq and when we awarded the contract. i don't have that data with me.
12:49 pm
>> but it was less than 48 hours. >> i think it was in about that time frame. >> and the award is how much money? >> the contract is about $21 million for the services that we're providing for credit monitoring notification and the identity theft insurance. >> why was it made so fast? >> we wanted to -- >> and what was there other companies that could do just as good job? trying to figure out how we got that company. >> we received a number of proposals and evaluated them based on the government's needs. several requirements we put in the rfq that the companies responded to. and we evaluated all of those proposals that we received against that's criteria and they provided the best value to the government based on those
12:50 pm
requirements. >> will you also copy when you give senator warner the answers those questions, will you also send us those answers as well? >> yes.sir. >> yes. >> i think he raises a number of important questions as to mr. palmer here and we will continue to pursue that. now recognize the gentleman from pennsylvania, who's been waiting patiently, mr. cartwright. >> thank you, mr. chairman. find myself you the lerly dissatisfied with the explanations we've heard today. i want to train my attention on you, mr. haas. you have made some fine distinctions about what the employee of your company was doing, the one who got hacked and who was working on opm's systems at the time. and because of that hack, that employee became a victim and lost personal information and that led to the successful hacking of opm's systems. have i broadly described that
12:51 pm
correctly, sir? >> we actually do not know how the employee's credentials were compromised. >> but it was a key employee am i correct in that? >> that is correct. >> you are the ceo of key point? >> that is correct. >> and you are denying accountability for the opm hack and what you said is the employee was working on opm systems at the time, not key points, that's what your testimony was, correct? >> that is correct. >> we have an individual's opm credentials that were taken. that individual happened to be a keypoint employee. did that keypoint employee have credentials as part of his or her scope of employment with keypoint? >> correct. >> it wasn't a coincidence this keypoint employee had credentials. it was part and parcel of his scope with your company, is that correct? >> that is correct.
12:52 pm
>> and it was keypoint paying this person as the person was working on opm systems at the time, am i correct in that? >> that is correct. >> and you understand under traditional concepts of the law, keypoint is responsible for the acts of its employees acting within the scope and course of their employment with your company, you understand that don't you? >> i'm not familiar with that construct. >> all right. >> mr. hess, you're here today because of cyber espionage operation succeeded in breaching very personal information that your company was entrusted with on january 6, 2015 my ranking member, mr. cummings sent you a letter requesting information about the data breach. his letter requested a number of documents. did you get the letter? >> immediately upon receiving the letter keypoint counsel reached out to ranking member's staff to arrange for a briefing. and we tried to have a date and time set up. and we are still waiting for
12:53 pm
confirmation on that. >> you got the letter, right? >> yes, sir. >> and more than five months later you haven't responded with documents, am i correct in that? >> we've reached out immediately to the ranking member's staff to brief the staff and we have not received a spoons on it a time and date to do so. >> let's go through the document request that mr. cummings made. he requested a log of all successful cyber entrugss into your company's networks in the last four years. that's a reasonable request, isn't it, mr. hess? >> i don't find it unreasonable. >> will you provide this to the committee? >> i will take that back to my team and let you know. >> you're the boss there, aren't you? >> i am the ceo. >> all right. but you're going to get permission from your team who work for you is that it? >> i'm going to take it back and discuss it with my team. >> next question copies of all forensic analyses and reports concerning the data breach including findings about
12:54 pm
vulnerabilities to malware. when will you provide these documents to the committee? >> i'll take that request back to my team and let you know. >> ranking member cummings requested a list of all affected customers affected by the data breach. will you provide that to the committee? >> i'll take that back to my team and let you know. >> mr. hess, your company exists because of the largess of the united states federal government. we expect you to respond to requests from this committee. mr. cummings does not write letters because he just enjoyce writing letters. he's concerned about the security and safety not only of federal employees, but of the united states public. this is really important. will you please treat it as such? >> i do, congressman cartwright. we responded immediately to the the -- to congressman cummings' request by calling their staff having our counsel -- and i
12:55 pm
would also -- >> by responding and calling, but not providing the documents. we want the documents, mr. hess. i yield back. >> gentleman yields. >> let me take a second. i just want to clear this up. because you just said some things that you talked about my staff. >> yes sir. >> it's my understanding they did get back to us, but for months, for months, back and forth because you all did not want to agree to the scope of the meeting. and then -- then just recently, because of this hearing, you finally said, scrap the limitations on the meeting, the scope, and we'll meet. and so i don't want you to, you know, i don't know whether you have the information or what, but i want you to be accurate. >> that's not the information that i have, sir. >> well, then your information's inaccurate. >> i will research that. >> mr. hess, is it reasonable by the end of this week to provide us the documentation on the communication and lack of the
12:56 pm
meeting over the last several months? is that fair, by the end of the week? >> i will take that back to my team. >> you're the ceo. >> it can't be that difficult. >> chairman, i was asked last week, on wednesday, to -- >> you were asked months ago to brief the minority staff and that didn't happen. i just want to see the documentation. is that fair? >>ly take that request back. >> no i want an answer from you. i want to know when you will provide that information to this committee. >> i will take that back to my -- >> no i want -- you give me the date. when is it reasonable? you're the ceo. >> i understand, sir. ly take that request back to my team. >> no. i need an answer from you. we'll sit here all day. you want me to issue a subpoena? is that what you want me to do? i'll sign it today. give me an information that's reasonable. >> i need to take that
12:57 pm
information back to my staff. >> seriously, when are you going to provide that information? >> i'm trying to be helpful, chairman. i did do a briefing last week and we did reach out to congressman cummings' staff immediately upon receipt of the letter. and we did not receive by the information that i -- >> why -- am i asking for anything unreasonable to provide the correspondence and the interaction? i mean, they're going to have their half. i just to want see their half. i'm trying on give you an equal opportunity here. >> i understand that, sir. >> when is it a reasonable date? >> let me get back to you with that information. >> no. i want you to decide. before the end of this hearing. we're going to go to the next set of questioning. you can counsel with all the people sitting behind you, but it's a reasonable question. mr. cartwright said is not unreasonable. so, if you think it is tell me. but i just want to see the correspondence. counsel all you want while we ask the net next set of questions, but i expect you keep an ear to mr. grothman we're
12:58 pm
going to recognize for five minutes. >> thank you. two comments before i ask questions. first of all, this is kind of a follow-up on what i think congressman hurter was trying to get at it surprises me there's not -- you folks are not con trite over what happened. it seems like you don't understand the enormity of the disaster that's happened here. secondly, sadly this is all too often common for government and it's something that i think everybody in this institution should remember as we pass bills, having the government have these huge databanks of educational information or medical information or what have you, because if the people in charge of these banks of information don't display more sense of urgency than you folks, i think, you know the possibility of this happening in other agencies is something we should be considering. i now have some questions for
12:59 pm
ms. seymour. you're going to be in charge of a whole overhaul of this whole i.t. thing, correct? >> yes sir. >> do you feel you have the skill set to oversea something of this magnitude? >> you don't believe i have the skill set to do something this large and that's why i employ people who have a broader skill set or different skill set than me in various areas. i don't have all the technical skills that i would need to do something. it takes a team. >> do you in your past positions, have you overseen -- what are the largest projects you've overseen, i.t. projects n your prior work experience? >> i've overseen some very large projects, sir, both in my past -- past employment with department of defense as well as the department of transportation.
1:00 pm
systems that were certainly enterprisewise and served large populations of people like opm. >> sizewise similar to -- >> yes, sir. sizewise similar uh-huh. >> and how quickly were they able to complete these projects? >>. >> some of them took -- some of them were much faster than others. you know, depended on when i came into them. some of them were delivered within a year and some of them took years -- multiple years to deliver. the way we're change the way we deliver i.t. solutions now we're trying to be much more agile. we're trying to find what we call a minimal viable product. we're trying to find segments of capability we can deliver in shorter term, so we're trying to deliver, you know, capability within six months -- six-month segments and then build on that to get to a whole system.


info Stream Only

Uploaded by TV Archive on