Skip to main content

tv   Politics Public Policy Today  CSPAN  June 25, 2015 3:00pm-5:01pm EDT

3:00 pm
going to say does novel mean difficult? because it does seem to me if the petitioner's argument is correct this is not a racial choice for the state to make and they are being coerced and that you have to invoke the standard of constitutional voidance. >> what i was going to say justice kennedy, to the extent the court believes this is a serious constitutional question and this does rise to the level of something approaching coercion then i think the doct rib of constitutional avoidance becomes a powerful reason to read the statutory text our way because i do think and i do think with respect to the point your honor is making, it is not just a situation in which there is honorous conditions and consequences for state residence -- residents, there is a profound note, if you take the
3:01 pm
petitioner's reading the idea that the state -- you can't possibly justify this as adequate notice to the states. >> mr. -- general verrilli, we get a lot of amicus briefs from the states and we got two amica briefs from states. 34, i think are the number of states that declined or failed to establish a state exchange? >> correct. >> now if they were all caught off guard and they were upset about this you would expect them to file an amicus brief telling us that. but of the 34, only six of them signed the brief submitted by a number of states making that argument. 23 states, 23 jurisdictions submitted that brief. 17 of them are states that established state exchanges. only six states that didn't establish state exchanges signed the brief.
3:02 pm
how do you account for that. >> first, you have two 22 states in both camps, allm whom told you they didn't understand the statute that way. and as to the other states there is a quite important point that goes to their understanding. remember this is an irs rule we are talking about and irs put out a notice of proposed rule making and saying this is what we intend to do and several of the states oklahoma indiana and nebraska filed rule making comments in the proceeding and if you look at the rule making comments they address a number of issue and they say nothing nothing about the issue before the court now. and if they understood the statute as denying subsidies in states that did not set up their own exchanges that would have been front and center in the rule making comments but they said nothing about it and i think that tells you a good deal about what everybody understood this statute meant. >> there is another point on
3:03 pm
this point. when this argument comes up, a state has signed up for a federal program and say oh, my gosh, we don't realize what we had gotten ourself into. but here it is not too late for a state to establish an exchange if we were to adopt petitioner's interpretation of the statute. so going forward there could be no harm. >> well, let me address that directly and then would you like to make a broader point about statutory context in response. now, directly of course, i don't think it is possible to say there would be no harm. the tax credit will be cut off immediately and you'll have very adverse effects immediately for many people in the insurance market. >> i said going forward. after the current tax year. >> and then going forward. >> and would it not be possible if we were to adopt petitioner's interpretation of the mandate as we have done in other cases
3:04 pm
where we have adopted an interpretation of the constitution or a statute that would have very disruptive consequences such as the northern pipeline case. >> it would be up to the court whether it has the authority to do that. it would seem different than the northern pipeline. because this is money going out of the treasury. because if that is where the court is going and that would reduce the disruption but i think it is another important point to make here as a practical idea, all of the states will be able to, between the six months when the decision comes out and the new year for insurance purposes begin, to set up the exchanges and get everything up and running is unrealistic. >> how long has it taken. >> to give you an example of the current time line justice
3:05 pm
ginsburg to have the exchange approved for the 2016 year the approvals have to occur by may of 2015. so that gives you a sense of the time line that hhs is operating under. >> what about congress? do you think korgs is just going to sit there while all of the disastrous consequences ensue? how often have we come out with a decision, such as the bankruptcy court decision, congress adjusts and enacts a statute that takes care of the problem. it happens all of the time. why is that not going to happen here? >> well this congress, your honor -- of course theoretically. >> i don't care what congress you are talking about. if the consequences are as disastrous as you say, so many million people without insurance and what not yes, i think this congress would act. >> but the relevant question and i'll try to get back to the point i was trying to make in response to justice
3:06 pm
alito's question. the relevant question is what did the congress that enacted this action do did they really set up a system in which the states are subject to the kind of honorous situation that the petitioner claims and i think there are three testural indications that that cannot possibly have been the statutory scheme that congress tried to set up. first is the existence of the federal exchanges. it would make no sense -- no sense for congress to have provided for federal exchanges if, as mr. car vin suggests, the statutory design was to result in every state establishing the exchange. >> wouldn't it have been again, a mechanism for states to show that they had concerns about the wisdom and the workability of the act in the form that it was passed? >> so justice kennedy, i think
3:07 pm
it is promoted by our interpretation. because if that is indeed what a state thought and if a state really preferred not to have the state government participate in the implementation of this act for reasons that your honor identified, the structure of the act that congress put in place and we're advocating for today fully vindicates that concern. they decide not to purpose without having adverse consequences visited upon the citizens of the state and that is why our reading is the profederalism and it is their reading that is the federalism reading and to the second point which is related to what we're talking about justice kennedy which said this statute is designed for state flexibility. state flexibility. it would be a wellian sense
3:08 pm
because it is the polar opposite of flexibility. and the third point seems to me is the notice point. if indeed the plan was as mr. car vin said that every state would establish an exchange for itself and that would cure all of the massive statutory anomalies and testural anom illys and absurdities that his plan provides for and then the consequences would be in neon lights you would want to make absolutely sure that every state got the message but instead you have a sub clause in 36 b which is a provision that addresses the eligibility of individual taxpayers. >> this is not the most elegantly drafted statute. it was pushed through on expedited procedures and didn't have the kind of consideration by a conference committee for
3:09 pm
example, that statutes usually do. what would be so surprising, if among its other imperfections, there is the imperfection that what the states have to do is not obvious enough. it doesn't trike me as -- strike me as inconceivable. >> justice scalia i'm going to answer that talking about the legislative process because i think it is quite relevant and even to you with respect to the question we just asked. >> this language here in 36 b was not the product of some last-minute deal or the product of scrambling at the end. the language that emerged here, the statutory structure with the language of 36 b about tax credit and the language in 1311 and 1321 was the product of the senate finance committee markup which went on for weeks and weeks, it was a public hearing it frankly was covered by c-span and you can watch it on the
3:10 pm
c-span archives and you can see coming out of that is the clear understanding of what this statutory setup would result in subsidies being available in every state. >> there were senators were there not who were opposed to having the federal government run the whole thing because they thought that would lead to a single payer system which some people wanted. and the skplabation -- explanation for this provision is it prevents the federalization of the entire thing. >> justice -- >> there is certainly a plausible explanation as to why the provision is there. >> mr. car vin floated that and you suggested it was senator ben nelson who required that. there is no contemporaneous explanation that is what they wanted and how the states had the ochgs to set up their own
3:11 pm
exchanges with state by state federal draw backs and there is no contemporaneous evidence that anyone did and mr. car vin suggested this was the result to get votes so the act would get passed and i would suggest there is subjective proof that is not true. the provisions in the act that were negotiated at the end to secure the necessary votes on title ten of the act and if you look in the act, pages 833-924, that the title ten you can see the amendments, not a single one has anything to do with the statutory language before the court. >> well the puzzle that is created by your interpretation is this: if congress did not want the phrase, established by the state, to mean what that would normally be taken to mean,
3:12 pm
why didn't they say established under the act. why didn't they say established within the state. why didn't they include a provision saying that an exchange established by hhs is a state exchange when they have a provision in there that does exactly that for the district of columbia and for the territories that says they deem to be states for purposes of this act. why wouldn't they do that. >> the provision doesn't say established by the state with a period after state. it says established by the state under 1311. and our position textually and we believe this is clearly a better reading of the text. by cross-referenceingeing section 1311 effectively congress is saying is that exchanges established through whatever mechanism, set up by states
3:13 pm
itself -- >> by cross-referenceing 1311 they mean 1311 and 1321. >> yes. and let me say why that is true. >> that seems to go in the wrong direction not the right direction. >> it goes in the right direction if you go with me. >> and your answer does explain why the state is in there. why didn't they say established by 1311. >> and the second point is wherever the provision is established in the act under 1311, it is doing work and the work is talking about the specific exchange established in the specific state as opposed to general rules for exchanges. if you look at the medicaid, it works the same way. >> why didn't they say in the state. that is the phrase you just used. why didn't they say in the state. >> they could have. but it worked perfectly well this way. if you look at the qualified individual provision it is clearly how they use the
3:14 pm
qualified individual provision and it says a qualified individual is a person who is located and resides in the state of the exchange and they are aring -- referencing the particular state and so it is doing that work and that is why it is in there. and now if i could go back to your point justice kennedy, it says established by a state under 1311, and section b 1 said it shall establish an exchange for the state. and it is not urging a state. it says each state shall establish. we know when congress used that language, each state shall establish, it must have meant something more inclusive than each state government itself shall set up an exchange and it set up a back drop against the
3:15 pm
tenth amendment and we know that because of section 1321 and it provides the means by which the 1321 b 1 is satisfied and it is satisfied by a state elected to meet the federal requirements for exchanges or can be satisfied in the event the state doesn't or tritries but comes up short by hhs stepping in and establishing -- >> and when it says each state shall establish it means the federal government shall establish and not the state shall establish. and if that were the correct interpretation you wouldn't need 1321 at all. >> and the right place to focus here is not on the who, but on the what? on the thing that gets set up and whether it qualifies on the thing set up by the state and these exchanges do qualify and the reason they qualify is
3:16 pm
because they fulfill the requirement in section 1311 b 1 that each state shall set up an exchange and b 1 tells you that when a state hasn't elected to meet the federal requirements and the hhs steps in and they set up the required exchange. it says such exchange which is referring to immediately prior to the exchange and the only exchange required under the act is 1311 b 1 and it has to be that what hhs is doing under the plain text of the statute that it is requiring that each state establish an exchange and it qualifies as an exchange established by the state and it is reinforced as the justice said requires an exchange established under 1311 and 1311 b 1 says each state shall
3:17 pm
establish an exchange and has to be that way and the petitioners say in page 22 of the brief, an exchange is to be the same exchange and petitioner's say function just like an exchange that the state sets up for itself. >> you are putting a lot of word on the word "such" and it seems the interpretation of such shall mean the government shull establish a state exchange but it means it shall be an exchange for the state than for the state. such must mean something different. it is something gobbledy -- >> it is not gobbledy goop.
3:18 pm
it is set up as an exchange qualified as an exchange established by the state for section 1311, you wouldn't change 36 b one iota and there wouldn't be any doubt that subsidies were available on federal exchanges and we're saying that reading 1311 and 1321 together is what the statute does and certainly that is a reasonable reading of the statute and the really only reading of the statute that allows you to be faithful to the text of 1311 b 1 the word shall and -- >> the word such means not just the exchange that the state was supposed to set up but it means the state exchange. >> it means an exchange that qualifies as satisfy -- as an exchange set up by the state satisfying the require of 1311 b
3:19 pm
1. >> your case hinges on the fact that the federal exchange is a state exchange. >> it hinges on a qualifying as the state exchange or equivalent to the state exchange for the purposes of the operation of the statute. that is a reasonable reading of the textual provisions and then you have to read it the way that we say it is to be read because it is the only way to make sense of the statute as a whole and the only way to bring it into harmony with the individual and the health plan provisions which do lead to what they say is an absurdity of the law. >> and you read there are provisions of the act where the exact same phrase established by the state has to be read to mean established by the state and not by hhs. there are some provisions like that. >> they have pointed out some and i think they are wrong by each one. >> let's take one.
3:20 pm
i'd be interested in your answer to it. 422 scw-2 h 1 c establish procedures with exchanges by the state established by the state, and if it is read to mean an hhs exchange, that means that the state in which that exchange is established is responsible for making sure that the federal exchange has a secure electronic interface. >> they are just wrong about that. it is completely wrong. the statute says -- first. it is established by the medicaid agencies and they shall establish procedures to ensure the coordination. hhs has issued regulations setting forth what that statutory provision requires of states in those circumstances. every state where there is an exchange has met the requirements and fulfilled them
3:21 pm
and it works perfectly fine. there is no anomaly there at all. >> and met the requirements of the regulation you say. but do the regulations track the statute. >> yes they do. >> do they give the state authority to say whether or not these conditions have been met. >> the requirements are imposed on the state medicaid end of the relationship and the regulations implement that statutory requirement and it is satisfied in every state. and of course as your honor reading it to me does say, it says each state shall. it doesn't say states that have set up exchanges for themselves shall. it says each state shall. it presupposes that there will be a exchange in every state and there is no anomaly there and if your honor wants to ask me about another one, that is fine. >> but i think i understand your answer to be that there are federal regulations telling the
3:22 pm
states what they have to do here and they have all done it but the fact remains the state has some obligations under the regulations to make sure there is a proper interface with the federal exchange. >> on the state side of the interface, yes. but that is the chip and medicaid agencies, those are government agencies and it is their side of the interface that the statute governs. >> and i want to focus on the qualified health plan and the qualified individual and because the statute is clear in 1311, in an exchange not established by the state, but an exchange can only sell a qualified health plan. it is forbidden from selling a plan that is not a qualified health plan. and a certified health plan is qualified and the exchange has to decide that it is in the interest of qualified
3:23 pm
individuals, and qualified individuals are persons who reside in the state that established the exchange. so if you read the statute and the laechk and the -- the language and the way mr. car vin reads it and the way we read it there are to qualified individuals. therefore the exchange cannot ser a qualified individual plan because there aren't any qualified individuals and there aren't any plans to lawfulfully be sold on the exchange. >> what is the provision that says only a qualified individual can be -- can enroll in a plan under an exchange. >> so let me -- i will address that but i want to make clear the provision i'm talking about with respect to the prohibition on selling a qualified health plan to anybody -- around anything other than qualified health plan on an exchange is 1311 d-2-b which is on page 2,
3:24 pm
and it is an exchange may not make any available that is not a qualified health plan. >> qualified health plan. but what is the provision you were referring to that you said an exchange may only enroll a qualified individual. >> what the statute says throughout is that qualified individuals are eligible to purchase onyx changes. and it is the necessary meaning of that phrase that if you are not a qualified individual, then you are not eligible to purchase health care on an exchange because other word the -- because otherwise the world qualified would not have any meaning and as a policy matter it wouldn't make sense because think of people who are not qualified, people who don't live in the state and people in prison and unlawfully documented. >> this is part of section 1312,
3:25 pm
a person qualified to purchase on a exchange must quote reside in the state. >> right. and there are no people qualified. and you've just rub in a -- run in a textual brick wall. >> i understand it is a loblg cal -- logical influence that only a qualified individual may purchase a policy but there is no provision that you could point to directly. >> that is what qualified means. if you are not qualified you are unqualified. and that is what it means. you are reading it out of a statute that way. >> qualified is suzed in the lay sense, it is not a technical term here. >> given the way it is defined. it is defined as a person who resides in the state. the statute is clear you cannot shop across state lines because that wouldin fringe across state
3:26 pm
lines and that would apply to prisoners and mr. car vin said yes, it does because they get out of prison and when you face a change of life circumstance such as getting out of prison you can sign up at that point. he makes the point about unlawfully present persons being unqualified and not being able to be covered but that is not surplus, that is there for an important reason someone can be lawful and lose lawful status and no longer be covered and none of that works for them. none of that works for them. but to really get to the fundamental point here that both at the level of text you have clearir resolvable context. >> is that a sin on em for ambiguity. >> i think so.
3:27 pm
just right justin scalia -- excuse me justin kennedy. this is a stootute that will operate one way or the other and the question is how will it operate and when you read it their way -- >> if it is ambiguous then we think about chevron but it seems to me that a drastic step for us to say that the -- the department of in ternal retch and its director -- internal revenue and its director can make this call when there are billions of dollars of subsidies. >> yes. >> and it seems to me our cases say that if the internal revenue service is going to allow deductions to use these, they have to be very very clear. and it is -- it seems to me a little odd that the director of in ternal revenue didn't
3:28 pm
identify this problem and notify congress immediately. >> we do think chevron deference does identify the governance and we should resolve this statute in our favor even without resort to chevron deference and that is what it directs you to do and that is what it directs to you to and it is what the doctrine of constitutional avoidance directs to you do. and with direction to the chevron 36 bg of the statute directed to the irs the specific authority to make my provisions necessary to implement 36 b. and you don't have any ambiguity. congress said the irs should do this. it is a big question and as they
3:29 pm
said chevron applies to big questions as well as small. your hon raised this point about the need for clarity in a tax deduction in the statutory reading of tax deductions. there is a treat is that describes that as a false notion and it is not consistent with the court in mayo two terms ago that mayo applies to the tax code two terms ago. >> and you are right about a chevron, then a subsequent administration could change the interpretation. >> a subsequent administration would need a strong case to accept that was a reasonable judgment in view of the consequences. i think you should and could resoft this case because the statute has to be read when taken as a whole to adopt the government's position. >> if there are any tax attorneys in the courtroom today, i think probably they wrote down what you just said.
3:30 pm
when we get future tax cases the united states is going to argue we should not read them or no presumption that a tax credit is provided by that stootute. >> you should read it according to the terms and when you read the provision according to the terms and read it in context and against the background principals of federalism you have to read it against the interpretation. thank you. >> thank you. four minutes mr. car vin. >> very quickly on standing. mr. hurst would be subject to standing for tax absent 2014 and he and mrs. levi would be subject under 2014 under cardon chemical 2085 b and it is their address to subsequent it not us. the solicitor general greatly
3:31 pm
distorted the statute. it is printed in 64 a of their exhibit it says a state shall establish the procedure so it is obviously contrary to that. it says the state will identify people to enroll on their exchanges. they can't enroll anybody on their exchanges if there is no such exchanges in state. therefore by the plain language if you adopt the notion that the exchange established by the state means established by hhs all of them need to lose their medicaid funding. >> could i follow up on something the general ended with and justice kennedy referred to which is the need to read subsidies limited. but so -- in a limited way. but so is the need to read exemptions from tax liability are read in a limited way and
3:32 pm
under your reading we're giving more exemptions to employers not to provide insurance and more exemptions to states and others or to individuals and how does that work? you have two competing -- >> no. you do get more exemptions by employers under our reading and it is unambiguous. the dispute here is whether they win under ambiguity and the statute affords not to employ the tax credit. and under their view of the statute, the federal government gets to unilaterally impose on statutes there is an amicus from indiana stating this it implies the employer mandate to state. so under their theory, the states are absolutely helpless to stop this federal
3:33 pm
intervention into their basic personnel practices whereas under their theory they are able to say no. so the more intrusive view of the statute is theirs. in terms of the funding condition head on my short answer is as follows, there is no way to view this statute as more coercive or harmful than the version of medicaid approved by this court nfib and the dissenting opinion pointed to this decision as something that was an acceptable noncoercive alternative and even if there is a constitutional question as justice scalia pointed out, there is no alternative reading of the statute that avoids that because either way you are intruding on state sovereignty. in terms of qualified individuals, the solicitor general did not come up and tell you, yes, if we reveil they have to empty out the hhs
3:34 pm
exchanges and nor did he respond to my argument with respect to an exchange under the definitional section only applies to state exchanges so i think we can view this as a complete litigation position and not a serious statutory interpretation, in terms of the qualified health plan he discussed with you justice alito, the answer is that is in 1311. 13111 only talking about stat established exchanges and has no application to hhs exchanges and therefore it can't create an anomaly with those exchanges. >> thank you, council. the case is submitted. >> tonight we'll have a response from president obama on the health care subsidies. and oral argument from king versus burwell. and open up your phone lines and take your reaction on twitter and facebook. all tonight at 8:00 on c-span.
3:35 pm
>> here are some featured programs. on saturday night on issue spotlight, we'll look at the government and culture of iran and the rell algsship -- relationship with the u.s. and profile interviews with two presidential candidates. first rand paul and then vermont independent bernie sanders. on book tv on c-span 2, author nelson dennis on the history of puerto rico and the turbulent relationship with the united states. on sunday night at 7:45, america's 40th president ronald reagan. and on c-span 3 on saturday night a little after 9:00, commemorating the 8 hundredth anniversary of the magna carta, brenda hail on how the document
3:36 pm
influenced both countries from the lights of liberty and property and limits on executive power. an on sunday night at 6:00, the french ship that brought america. and in york town virginia to see the replica of the french ship and hear from the crew and the officials. get the official schedule at c-span.org. when congress is in session. c-span 3 brings you more coverage of korgs, hearings and key public affairs and every weekend it is american history tv traveling to historic sites discussions with authors and historians and eyewitness accounts of events that define the nation. c-span 3, coverage of congress and american history tv. next a look at the cyber
3:37 pm
security breaches which chaffetz said may have compromised contractors and called for the resignation of the opm director. eric hess told lawmakers there is no evidence his company is responsible for the breach. >> good morning. the over site committee is coming to order. our hearing today is about the opm data breach. this is part two. $529 billion -- $529 billion is how much the federal government has spent on i.t. since 2008. roughly 80% of the money has
3:38 pm
been spent on legacy systems. and we're in a situation here where the hurricane has come and gone and just now opm is wanting to board up the windows. that is what it feels like. this is a major, major security breach, one of the biggest if not the biggest we have ever seen. this demands all of our attention and great concern about what happened, how we're going to prevent it from happening in the future and what are we going to do with the information now. because there is no simple easy solution. but i can tell you, often times it feels like one good trip to best buy and we could help solve this problem and it would be better than where we are today. there are a lot of questions that remain about what happened last month. and the uncertainty is very disconcerting to a host of people and unacceptable to this committee and to congress. the most recent public reports
3:39 pm
indicate many more americans were breached. and many deserves answers on the scope of the breach and the types of personal information compromised. because of these many outstanding questions we still don't understand the extent to which the breach threatens our national security. however, according to the intelligence community the risk is significant. only the imagination limits what a foreign adversary could do with details information about a employee's education, career health, family friends and personal habits. i ask to enter into the record a letter we received on june 16th from the faerld law enforcement officers association. i want to read part of it. here are the concerns about the office of personal management data breaches. a list of questions that remain unanswered unanswered. they represent some 20,000 current and retired federal law enforcement officers and special agents from over 65 different agencies. this is what they wrote. opm turned his back on federal
3:40 pm
law enforcement officers when they failed to protect sensitive information from a breach and the opm delay and aloof response to effected americans. the very lives of federal law enforcement officers are in danger and the safety and security of innocent people and including families are now in jeopardy because of opm's obismal failure and continued ignorance and the severity of the breach. the information loss includes personal, financial and location information of these officers and their families, leaving them vulnerable to attack and retaliation to terrorists currently or formerly investigated by the united states. without objection, i'll enter this into the record. opm is attempting to overhaul the infrastructure but without interpretation of the scope of the project. and they kept the project from the inspector general for more than a year. the chief information officer
3:41 pm
quote initiated this project without a complete understanding of the scope of the opm pending infrastructure or the scale and cost to mitigate it to the new environment, end quote. because of these concerns, the project is quote possibly making opm environment less secure and increasing costs to taxpayers, end quote. the i.g. raised questions about why they opened a sole source contract without going through the process of full and complete competition. a fact i would like to enter into the record without objection this -- this article from the washington post. this is may 13th. defense firm that employed drunk high contractors in afghanistan may have wasted $135 million in taxpayer dollars. these are the recipients of a sole source contract to help clean up this mess. they were formerly known as
3:42 pm
george science and now imperittous and now maybe this is the right decision. but when it is a sole source contract, it does beg a lot of questions. to doubt we need to move fast, but this organization has had a lot of problems in the past and it begs a lot of questions. in addition to data security problem, we have a data management problem. it is unclear why so much background information related to security clearances was readily available on the opm system to be hacked. it is unclear why there is a need for sf 6-it is the standard form 86 or perspective employees fill out. why was this background information on the network if the applicant isn't being investigated. part of the reason we are on this mess and we have this mess in our hands is the information in background checks that we're not engaging in was still on the
3:43 pm
system. if information isn't accessible on the network it can't be hacked. so if a security clearance isn't under investigation, it is a best practice other use and probably should have been used in this situation as well. we have to do a better job of anticipating our adversaries and protect unnecessary exposure. one concern is the legacy system we are using is -- is a cobalt. the language used is coball. and i enter into the world a "wall street journal" record from april 22, 1963. co-ball, government spurred progress. 1963. i wasn't even bosh yet and that is the -- born yet and that is the system we are operating when technology is changing moment by
3:44 pm
moment, minute by minute. without objection, i'll enter that into the record. yesterday miss archuleta stated no one is personally responsible and instead blamed the hackers. hackers certainly have a lot of culpability on their hands. there is no doubt that there are nefarious actors that will be attacking the united states on a moment by moment basis. we literally take millions of hits on a daily basis. that is not new news. but i disagree that nobody is held personally responsible. people have roles and responsibilities and they are charged with the personal fid fid -- fiduciary responsibility. and misser chuleta is personally responsibility. and she was called on by the president and confirmed by the
3:45 pm
senate to maintain the information by opm. during her confirmation in 2013 she stated that i.t. modernization is one of the main priorities but it took a security breach in march of 2014, five months after the confirmation to develop a process a plan to fix the problem. that was the beginning of the start to think about how to fix the problem. and yet the shift in blame is just inexcusable. i really hope we hear solid answers. it the not good enough to say we'll get you that information, it is under investigation. there is a security -- no we're going to answer questions. federal work force the people effected. they need to hear that. we are different in this world and unique in this world because we are self-critical and because we have hearings like this. and i would ask to enter two records into the record. one was a flash audit done, june 17th of this year, from patrick mcfarland the inspector
3:46 pm
general, the flash audit u.s. office of personal management improvement project. i will enter that into the record. and ask to enter into the record the june 22nd response by the director of the office of personnel management, miss archuleta and enter that into the record, without objection so ordered. we also have some contractors here and appreciate their participation. they have answers -- or we have questions that need to be answered as well. we need their corporation to figure this out. a lot of what was done by opm was contracted out. and there are very legitimate questions in particular that mr. comings and others have asked and that is why i'm pleased to have them as well.
3:47 pm
so it will be a full and row best hearing. and as i concludes. the chair is authorized to declare a recess at any time. i should have said that -- without objection so ordered. i should have said that at the beginning. >> would like to recognize the distinguished ranking member without objection. >> and thank you very much. and this is a very important hearing. and we're here today foreign cyber spies are targeting millions of our federal workers. opm has made it clear that every month there are 10 million efforts to pierce our cyber space. these folks are hacking into our gatea system to get information -- data system to get information about our private information about employees and their family and friends and all of their
3:48 pm
acquaintances and they pry try to use that information in their espionage information in technologies. chairman i want to thank you. last week we held a hearing on cyber attacks against opm and this week we have an opportunity to hear from opm's two contractors that also suffered major data breaches. usis and key point. some people in your shoes might have merely cite sized the agency without looking at the whole picture. but you agreed to my request to bring in the contractors and you deserve credit for that and i thank you. on monday night, i received a letter from usis for representatives finally providing answers to questions. i asked for than sevens months ago, mr. gee annetty.
3:49 pm
seven months ago. seven months ago. the letter disclosed that the breach at usis affected not only dhs employees, but our immigration agencies, our intelligence community, and even our police officers here on capitol hill. but it took them seven months -- the night before the hearing -- to give me that information. but not only to give me the information, but members of congress that information. my immediate concern was for the employees at these agencies. and i hope that they were all alerted promptly. but there is no doubt in my mind that us is officials never would have provided that information unless they were called here to
3:50 pm
testify today. so i thank you again mr. chairman. i have some difficult questions for usis. i want to know chairman. i have some difficult questions for usis. i want to know why this company paid millions of dollars in bonuses to its top executives after the justice department was sued against the company for allegedly defrauding the american taxpayers of hundreds of millions of dollars. i can hardly wait for the answer. i want to know why usis used these funds for bonuses instead of investing in adequate cybersecurity protections for highly sensitive information our nation entrusted to it. mr. giannetta, i want to know if you as the chief information
3:51 pm
officer of usis received one of those bonuses and i would love to know how much it was and what the justification for it was. i understand that you just returned from italy. welcome back. so this is probably the last place you want to be. i also understand you're leaving the company in a matter of weeks. but i want to know why usis has refused for more than a year to provide answer to our questions about the board of directors. mr. hass, i also have different questions for you were for keypoint. at least week's hearing i said one of our most important questions is whether the
3:52 pm
cyberattackers were able to penetrate opm's networks using information it obtained from one of its contractors. as i asked last week, did they get the keys to opm's networks from its contractor. yesterday director archuleta answered that question. appearing before the senate appropriations committee, she testified and i quote, the adversary leveraged a compromised keypoint user to gain access to keypoint. the weak link in this case was keypoint. mr. hess, i want to know how this happened. i appreciate that opm continues to have confidence in your company. but i also want to know why keypoint apparently did not have adequate logging capabilities to mon for the extent of data that was stolen. why didn't you invest in these safeguards.
3:53 pm
mr. chairman, to your credit, one of the first hearings you called after becoming chairman was on the risk of third-party contractors to our nations cybersecurity. at that hearing on april 20th, multiple experts explained that federal agencies are only as strong as their weakness link. if contractors have inadequate safeguards, they place our government systems and our government workers at risk. i understand that we have several individuals here sitting on the bench behind our panel of witnesses who may be called to answer questions if necessary. mr. jobe who is the cio of keypoint. thank you for allowing them to be here. as we move forward it is critical that we work together. we need to share information, recognize what outdated legacy systems need to be updated and
3:54 pm
acknowledge positive steps when they do occur. above all, we must recognize that our real enemies are outside of these walls. they are the foreign nation states and other actors that are behind these devastating attacks. and with that i yield back. >> thank the gentleman. i'll hold the record open for five legislative days for any members who would like to submit a written state. we're pleased to have representative barbara comestock. i ask you now to consent that our colleague from virginia be able to fully participate in today's hearing. no objection so ordered. we now recognize the panel of witnesses. i'm pleased to welcome katherine archuleta, director of office of personnel management. we have patrick mcfarland, the office of personnel management, ms. dana seymour, chief information officer of the
3:55 pm
office of personnel management, ms. anne baron -- help me here decamilo, emergency readiness team at the united states department of homeland security. mr. eric hess is the chief executive officer of keypoint government solutions and mr. rob giannetta is the chief information officer at usis. all witnesses are to be sworn before they testify. so if you will please all rise and raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth? thank you. let the record reflect that all
3:56 pm
witnesses answered in the affirmative. in order to allow time for discussion, please limit your verbal testimony to five minutes and obviously your entire written statement will be made part of the record. we will start first with the director of the office of personnel management, ms. archuleta first. you're now recognized for five minutes. >> chairman, ranking member cummings and members of the committee, thank you for the opportunity to testify before you again today. i understand and i share the concerns and the frustration of federal employees and those affected by the intrusions into opm's i.t. systems. although opm has taken significant steps to meet our responsibility, to secure personnel data of those we serve, it is clear that opm
3:57 pm
needs to dramatically accelerate those efforts. as i testified last week, i am committed to a full and complete investigation of these incidents. and we continue to move urgently to take action to mitigate the long standing vulnerabilities of the agencies systems. in march of 2014 we released our plan to secure the aging legacy system. we began implementing the plan immediately and in fiscal years 2014 and 2015 we directed nearly $70 million towards the implementation of new security controls to better protect our systems. opm is also in the process of developing a new network infrastructure environment to improve the security of opm infrastructure and i.t. systems. once completed, opm i.t. system wills be migrated into this new environment from its current legacy networks. many of the improvements have been to address critical
3:58 pm
immediate needs such as security vulnerabilities in our network. these upgrades include the installation of additional fire walls, restriction of remote access without two-factor authentication, continue use monitoring of all connections to and sure that legitimate connections have access and deploying anti-malware software to prevent the cyber crime tools that could compromise our net works. these improvements led us to the discovery of the malicious activity that had occurred and we were immediately able to share the information so that other agencies could protect their networks. i also want to discuss data encryption. opm does currently utilize encryption when possible. i've been advised by security experts that encryption in this instance would not have
3:59 pm
prevented the theft of this data because the malicious actors were able to steal privileged user accounts and credentials and could decrypt the data. our i.t. security team is actively building new systems with technology that will allow opm not only to better identify intrusions but to encrypt even more of our data. in addition to new policies that were already implemented to centralize i.t. security duties under the cio and to improve oversight of new major systems development, the i.t. plan recognize that further progress was needed and the oig's '14 report credited opm for progress in bolstering our security process and procedures and for committing critical resource to the effort. with regard to information security governance, the oig noted that opm implemented significant positive changes and removed its designation as a
4:00 pm
material weakness. this was encouraging as i.t. governance is a pillar of the strategic i.t. plan. regarding the weaknesses found with authorization, the oig has recommended that i consider shutting down 11 out of the 47 opmi.t. systems because they did not have current and valid authorization. shutting down systems would mean that retirees could not get paid and that new security clearances could not be issued. of the systems raised in the 2014 audit, 11 of those systems were expired. of those, one, a contractor system is presently expired. all of the system raised in the '14 audit have been extended or provided a limited authorization. opm is offering credit monitoring services and identity theft information with csit for the approximately 4.2 mill your
4:01 pm
current and former civilian employees. our team is continue to work with them to make the online sign-up experience quicker. they're expanding staffing at call centers. i've taken steps to ensure that greater i.t. restrictions are in place even for privileged users. that includes removing remote access for privileged users and requiring two-factor authentication. we're looking into further protections such as tools that mask and redact data that would not be necessary for a privileged user to see. i want to share with this committee some new steps that i'm taking. first, i will be hiring a new cybersecurity adviser that will
4:02 pm
report directly to me. that cybersecurity adviser will work with opm's cio to manage on joining response to the incident, complete development of the plan and assess whether long term changes to the architecture are needed to ensure that its assets are secure. this individual is expected to be serving by august 1 president second, to ensure that the agency is leveraging private sector best practices and expertise, i'm reaching out to chief information security officers at leading private sector companies that experience their own significant cybersecurity challenges and i will host a meeting with these experts in the coming weeks to help identify further steps the agency can take. as you know, public and private sectors both face these challenges and we should face them together.
4:03 pm
i would like to address now the confusion regarding the number of people affected by two recent related cyber incidences at opm. first, it is my responsibility to provide as accurate information to congress, the public and more importantly the affected individuals. second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible. third, we face challenges in analyzes the data due to the form of the records and the way they are stored. as such, i have deployed a dedicated team to undertake this time-consuming analysis and instructed them to work, make
4:04 pm
sure their work is accurate and completed as quickly as possible. as much as i want to have all of the answers today, i do not want to be in a position of providing you or the affected individuals with potentially inaccurate data. with these considerations in mind, i want to clarify some of the reports that have appeared in the press. some press accounts have suggested that the number of affected individuals has expanded from 4 million individual to 18 million individuals. other press accounts have asserted that 4 million individuals have been affected in the personnel file incident and 18 million individuals have been affected in the background investigation incident. therefore, i am providing the status as we know it today and reaffirming my commitment to providing more information as soon as we know it. first, the two kinds of data that i am addressing, personnel
4:05 pm
records and background investigations were affected in two different systems in the two recent incidents. second, the number of individuals with data compromised from the personnel records incident is approximately 4.2 million as reported on june 4th. this number has not changed and we have notified those individuals. third, as i have noted, we continue to analyze the background investigation data as rapidly as possible to best understand what was compromised and we are not at a point where we are able to provide a more definitive report on this issue. that said, i want to address the figure of 18 million individuals that has been cited in the press. it is my understanding that the 18 million refer to a preliminary unverified and approximate number of unique social security numbers in the background investigations data. it is a number that i am not comfortable with at this time because it does not represent the total number of affected individuals. the social security number
4:06 pm
portion of the analysis is still under active review and we do not have a more definitive number. also, there may be an overlap between the individuals affected in the background incident and the personnel file incident. additionally, we are working deliberately to determine if individuals who have not had their social security numbers compromised but may have other information exposed should be considered individuals affected by this incident. for these reasons i cannot yet provide a more definitive response on the number of individuals affected on the background investigations data intrusion. and it will -- it may well increase from these initial reports. my team is conducting this further analysis with all due
4:07 pm
speed and care. and again i look forward to providing an accurate and complete response as soon as possible. thank you, mr. chairman, for this opportunity to testify to you today and i'm happy to be here, along with my cio, to address any questions you may have. >> thank you. mr. mcfarland, you are not recognized for five minutes. >> chairman, ranking member cummings and members of the committee. good morning, my name is patrick mcfarland and i'm the director
4:08 pm
of the office of personnel management. thank you for inviting me to testify here. i would like to note to my colleague, the deputy inspector general is here with me. with your permission, he may assist in answering technical questions. in 2014 opm began a massive project to overall the i.t. environment by building an entirely new infrastructure called the shell and migrating all of its system to the shell. before i discuss the recent examination of this project, i would like to make one point. there have been multiple statements made to the effect that this complete overall is necessary to address immediate security concerns because opm's current legacy technology cannot be properly secured. this is not the case. there are many steps that can be taken or indeed which opm has already taken to see cure the
4:09 pm
agency's current i.t. environment. i just wanted to emphasize that whale we agree that this overall is necessary, the urgency is not to great that the project cannot be managed in a control manner. last week my office issued a flash audit alert discussing two significant issues related to this project because my written testimony describes these issues in detail, i will give only a summary for you this morning. first we have serious concerns with how the project is being implemented. opm is not following proper i.t. project management procedures and does not know the true scope and cost of this project. the agency has not prepared a project charter, conducted a feasibility study or identified all of the applications that will have to be moved from the existing i.t. infrastructure to the new shell environment. further, the agency has not prepared the mandatory omb major business case formally known as exhibit 300. this is important in the step in the i.t. project and the proper
4:10 pm
vehicle for seeking approval and funding from omb. it is also a necessary process for enforcing proper project management techniques. because opm has not conducted these very basic planning steps, it does not know the true cost of the project and cannot provide an accurate time frame for completion. opm has estimated that this project will cost $93 million. however the amount only includes strengthening the agency's current i.t. security posture and the creation of a new shell environment. it does not include the cost of migrating all of opm's almost 50 major i.t. systems and numerous sup system to the shell.
4:11 pm
this migration will be the most costly phase of this project. even if the $93 million figure was an accurate estimate, the agency does not have a dedicated funding stream for the project. therefore, it is entirely possible that opm could run out of funds before completion leaving the agency's i.t. environment more vulnerable than it is now. opm also has set what i believe to be an unrealistic time frame for completion. the agency believes it will take 18 to 24 month to migrate all of its system to the shell. it is difficult to imagine how opm will meet the goal when it does not have a comprehensive list of all of the systems that need to be migrated. further, this process is inherently difficult and there are likely to be significant challenges ahead. the second major point discussed in the alert relates to the use of sole source contract. they've got a single source vendor. unless there's an kppgs, federal contracts must be subject to
4:12 pm
full and open competition. however there's an exception for compelling and urgent situations. the first phase of this project, which involves securing opm's i.t. environment was indeed such a compelling and urgent situation. that phase addressed a crisis, namely the breaches that occurred last year. however the later phases, such as migrating the applications in the new shell environment are not as urgent. instead they involve work that is essentially a long term capital investment. opm should step back, complete its assessment of the opm architecture and develop a major i.t. business case proposal. when omb approval and funding has been secured, they should move forward with the project. opm cannot afford to have this project fail.
4:13 pm
i fully support opm's effort to modernize the environment and the director's long term goals. however if it is not done correctly the agency will be in a worse situation than it is today and millions of taxpayers will have to be -- many -- and millions of passenger pair dollars will have been wasted. i'm happy to answer any questions you may have. >> thank you. ms. seymour, was your statement with ms. archuleta or do you have one yourself? >> it was with the director, thank you sir. >> i would ask unanimous consent to enter into the record a letter that was given to us this morning from the office of personnel management, dated today, signed by ms. archuleta dealing with the number of records. without objection, we'll enter into into the record. we'll now recognize ms. barron decamilo for five minutes. >> good morning. my name is anne barron decamilo.
4:14 pm
i appear here to talk. dr. andy osment is here with me to answer me questions. like many americans, i too am victim of these incidents and concerned about the continued cyber incidents at numerous government and private sector entities. i understand the scope and the problem we face and the challenges in securing critical networks. cybersecurity is a true team sport. there are many agencies response, including intelligence community, law enforcement, department of homeland security as well as individual system others and individual end users as well. my organization within dhs is
4:15 pm
part of the national cybersecurity center. we focus on analyzing the risks, sharing information about responding to significant cyber incidents. we work with trusted partners around the world and focus on threats facing the government in critical sector networks. our role is largely voluntary. we build and rely upon trusted relationship to share information and respond to incidents. when an entity believes they've been a victim of a significant cyber incident, they invite us to help them assess the scope of my intrusion as well as provide recommendations op how they can mitigate the incident and improve their security posture. our current involvement with opm began in march of 2014 when they learned there was a potential compromise within the opm networks. from march to may, we part of of
4:16 pm
the team that remediated the intrusion. throughout that time we shared information that we had learned about the intrusion with our governmental partners as well as private sector partners so they could better protect themselves. on may 28, 2014, the intraagency response teamed concluded that the malicious actor in question from that event had been removed from the network. we also provided opm with recommendations on what steps they could take to increase their security. there is no silver bullet or magic solution. most government agencies and their private sector counter parts are making up for years of underspending on security the information technology development. the internet was designed with's of use rather than security in mind. the status of opm networks in may of 2014 was not unlike other
4:17 pm
similarly situated agencies. opm did some things well and was weak in other areas. i understand that opm had at the time under its new leadership started an effort to improve its cybersecurity. the incident report for opm included several recommendations, some of which could be implemented quickly and others of which would take longer. opm made a concerted effort to adopt the recommendations beginning last summer. it was opm who in april of 2015 discovered the new intrusion. this is how the malicious access to opm data at the data center was discovered. this newly discovered threat information was also quickly shared by us with our private sector partnered and other trusted partners around our communities. the intraagency response team has been working with opm since april of 2013 to assess the scope and nature of the
4:18 pm
incident. there are a few things i can share. we were able to use the einstein capability to detect the presence of malicious activity on the department of interior data center which houses the opm personnel records. further on-site investigation revealed that some personal information was compromised. this is the 4.2 million number that director archuleta referenced today. as a result of what we learned from the april 2015 investigation, opm continued to conduct forensic investigations into its own environment. en in that process opm discovered evidence of an additional compromise on its own network. we then led into intraagency response team to assess opm's networks and in early june found that background investigation data that been exposed and possibly exfiltrated. that's currently under investigation. we learned at the time that they had precluded further access. the protected measure may have mitigated any continued effects of the intrusion. the work is on going and we
4:19 pm
continue to assess the scope of the potential compromise. although i'm appearing today redid to provide information, i do so with some concern. we rely on voluntary cooperation from agencies and private entities who believe they may be victims. i worry that us appearing in front of this committee will have a chilling effect on their willing to notify us, the whole of government of future incident. we need private companies to continue to work with government and share information about cyberthreats. thank you. i look forward to your questions. >> mr. hess, you're now recognized for five minutes. >> thank you chairman, ranking member cumminging.
4:20 pm
i'm president and chief exec ty officer of keypoint government solutions. since 2004 keypoint has provided field work services for the background investigation to a number of federal agents include the office of personnel management. we employ investigators in every state proud to be part of opm's team helping to ensure that the security investigations its conducts are thorough, detailed and consistent. we take issues of cybersecurity very seriously and as a contractor providing critical services across the federal government, we stand in partnership with the federal government to trying to combat every present and ever changing cyberthreats. we're committed to the highest levels of protections. the recently announced breach of the opm is the focus of this hearing. i would like to make clear that we see no evidence suggesting that keypoint was in any way responsible for the opm breach. there are recent media reports suggesting that the incursion
4:21 pm
into the opm is what breached. there is no evidence that keypoint was responsible for that breach. press reported that hackers stole opm credentials assigned to a keypoint employee and leveraging to access opm's systems. there is no evidence suggesting that keypoint is responsible for or directly involved. the employee was working on an opm system, not a keypoint system. i know that throughout the hearing, the incursion of the keypoint system discovered last september will be discuss. can point has continuously maintained its authority to operate ato from opm and dhs. this means that we met the stringent information and security requirements imposed
4:22 pm
under our federal contracts. keypoint only maintains information that is required. we like government agencies face aggressive, well funded and ever evolving threats. let me say a few words about the earlier incursion of keypoint. in december of 2013 the washington post noted that it would notify 48,000 federal workers that they personal information may have been exposed. i emphasize the word may because in the report after the extensive analysis of the incursion, we find no evidence of exfiltration of personal day tap. last august following public reports of that data security preach at another federal contractor providing background
4:23 pm
checks, donna seymour asked keypoint to invite the us-cert to test keypoint's network and keypoint agreed. the department of homeland security and technical services conducted risk vulnerabilities tests including internal maps. they provided a number of findings at the end of the engagement which were resolved while the team was on site as well as recommendations for the future. while they found issues, they were resolved and the team found no malware on keypoint's system. however then in september the hunt team informed keypoint that it had found indications of sophisticated malware undetectable. the team provided keypoint with mitigation recommendation to remove the malware from our environment and other recommendations for hardening
4:24 pm
its network to prevent future compromises. keypoint immediately began implementing the recommendations. they conducted an internal investigation of the data security more about the opm breach and in the opening setting i cannot go into details presented in that briefing however i can reiterate we have seen no evidence between the incursion of keypoint, and we are always striving to make sure our defenses are as strong as possible. we have also been working closely with opm to improve our information security posture in light of the new advanced persistent threats. we have been working diligently to make our systems more resilient and stronger by implementing the recommendations
4:25 pm
and a number of the most significant improvements have been full deployment of the authentication, and enhanced intrusion detection systems and network information and improved network segmentation and many more. we have been working with all of our customers to update our atos, and this includes an audit from an independent party. we will continue to fortify protections of our systems. our adversaries are constantly working to make new attacks against our system. while it may be impossible to eliminate the threat of a cyber attack we will continue to evaluate our protections. thank you for drawing attention to this critical issue and allowing keypoint to share its perspective. thank you for your testimony. mr. gee netta, we will now recognize you for five minutes. >> thank you.
4:26 pm
my name is robert giannetti, and i am currently the chief investigation officer of usis. i joined in august of 2013, and before then i was with bae systems and served in the united states navy. until august 2014, usis performed background investigation work for the united states office of personnel management. when i started to working at usis, they would perform background investigation work and were operating under two security systems which was issued from opm in 2012. those authorities to operate required annual review of the systems and opm's 2014 review included approval of the systems security plans and a site visit in may of 2014. in june 2014, usis immediately notified opm and initiated the comprehensive response plan per response to the plan. usis' responses included the investigations firm to lead the investigation and remediation efforts.
4:27 pm
usis instructed them to leave no stone unturned in their investigation, and they invested thousands of personnel hours and dollars to mediate against the attack. those efforts succeeded in block the attacker. the straws investigation was also able to develop significant
4:28 pm
technical details about how the attack occurred, what the attacker did within the systems and when data was compromised. this was shared with opm and other government agencies. in addition usis invited investigators in and gave them full access. they ordered a stop work order and terminated the long-standing contractual relationship with the company. this led usis to bankruptcy. just yesterday i was invited to testify before the committee and i will do my best to answer any questions you may have. >> i recognize myself. ms. archuleta, you have personally identifiable
4:29 pm
information for how many federal employees and retirees? >> we have -- >> move your microphone closer, please. >> we have 2.7 individuals who are full-time employees and 2.4 -- >> no, i asked you -- you have personal identifiable information for how many employees and retirees? >> the number i just gave you includes the number of employees and retirees, and personally identifiable information within the files depends on whether they have had a background investigation or whether -- >> how many records do you have? this is what i am trying to get at? >> i will ask mrs. seymour -- no, come on, you are the head of
4:30 pm
the agency and i want to ask you how many heads are at play here. >> i will get back to you -- >> no, no, this is what you wrote to the appropriations chairman to the house and senate that will. you wrote as a proprietor of sensitive data including personal identifiable information for 32 million federal employees and retirees, opm has an obligation to maintain and maintain cyber controls. you wrote that in february. are you here to tell me that information is all safe or is it potentially 32 million records that are at play here? >> as i mentioned to you earlier in my testimony, mr. chairman, we are reviewing the number and the scope of the breach and the
4:31 pm
impact -- >> so it could be as high as 32 million? is that right? >> i mentioned to you, i will not give a number that is not completely accurate and as i mentioned in my testimony -- >> i am asking you for a range. we know it's a minimum of 4.2 million, but it could be as high as 32 million? >> i am not going to give you a number that i am not sure of. >> when they fill out the sf86, that would include other people identified within those forms, correct? >> that's correct, sir. >> do we know on average how many people are identified, if you fill out an sf86, how many people -- >> i don't believe anybody has calculated an average. >> are you taking a look i am asking if you will take a sampling of records and understand how many other people are identified in those records. if you have 32 million employees and former employees in your database, and they are also identifying other individuals, i would like to know on average how many people that is. is that fair? >> we are not calculating on
4:32 pm
average, we are calculating on a very distinct and accurate number. >> when you ask for $32 million more in your budget request, it was because you had 32 million employees identified and former employees, correct? >> that -- the number of employees that we have, yes, we are asking for support for our cyber security -- >> do you have a complete inventory of data bases and network device -- >> we have as complete inventory as we can, sir. that changes on a daily basis? >> changes on a daily basis? you don't have it, do you mr. mcfarland says it's not complete. >> his ig report was done in 2014. we have made significant progress in our i.t. program
4:33 pm
since then, and we know where those are and we know the pii in them. >> to my members of the committee here, we have to move quickly, just having an inventory of what is at play here is key and the inspector general does not believe you when you say that. ms. archuleta in 2014, opm became aware of an attack on its networks. i would like to enter into the record, a chinese attack, 2014. did it result in a breach of security? >> on the march 2014 opm network the adversary activity, the data to that number, none was lost. >> i asked if there was a breach in security? >> there was activity that dated back to november of 2013, and with the forensics of that information, we found no pii was lost. >> i am asking you a broader question. did they have access to the person identification information? >> i am not a forensic expert but we have the forensic team with us right here on this panel. >> in your perception from your understanding did they have access to the personnel information? >> we know there is adversarial activity that dated back to
4:34 pm
november of 2013, and i also know that no pii was lost. >> no, that's a different question. the question i asked is did they have access? whether they exfiltrated it is a different question. >> i said there was adversarial activity. >> did it result in a breach of security in your opinion? is that a breach of security? >> that's a breach of our systems, yes. >> is that a breach of your security? >> with the security systems, yes. >> so yes, it was a breach of security, yes?
4:35 pm
>> they were able to enter our systems. the security tools that we had in place at that time were not sufficient to fight back and we have since instituted more and that's why in april of this year we were able to -- >> okay, but at the time, at the time it was a breach of security, right? >> yes, there was a breach into our system. >> was there any information lost? >> as i just said to you, there was no pii lost. >> that's not what i asked you. i asked did you lose any information? >> you would have to ask the forensic team? >> i am asking if you know if anything information was lost? >> i will get back to you. >> i believe you have this information.
4:36 pm
>> you believe i have the information? >> yes. >> did they take information when they broke into the system? >> no pii -- >> that's not what i asked you. we will take as long as you want here. i did not ask if they exfiltrated pii, i am asking you, did they take any other information? >> i will get back to you -- >> i know you know the answer to this question. ms. seymour, did they take any other information? >> in the march 2014 incident, the adversaries did not have access to data on our network
4:37 pm
and they did have access to documents and they did take documents from the network. >> what were those documents? >> outdated security documents about our systems and manuals about our systems? >> what kind of manuals? >> about the servers and environment? >> is that like a blueprint for the system? >> that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. >> did they take any personnel manuals? >> no. >> they took some manuals about the way we do business. they did not take personnel
4:38 pm
manuals, and we may not be defining that the same way. >> but they did take information? >> yes, they did. >> do you believe it was a breach of security? >> yes, i do. >> so ms. archuleta, when we rewind the tape and look at the interview you did on july 21st, you said we did not have a breach in security and there was no information that was lost. that was false, wasn't it? >> i was referring to pii. >> no you weren't. that was not the question. that was not the question. you said, and i quote, there was no information that was lost. is that accurate or inaccurate? >> the understanding that i had of that question at that time referred to pii. >> it was misleading and a lie and was not true. when this plays out we're going
4:39 pm
to find that this was the step that allowed them to come back and why we are in this mess today, it was not dealt with and you were misleading and went on television and told all the federal employees don't worry, no information was lost. did they have access to the personal information, ms. seymour? >> no, at that time they did not have access to the personal information? >> they may not have taken it, but did they look at it? >> at that time they did not have access. i want to talk to you, mr. mcfarland and i wanted you to hear me, listen to me very carefully. there have been, after our last hearing on this subject, members on both sides wanted to ask for ms. archuleta's resignation, and i ask that we not do that but we have this hearing so we could clear up some things, and because i wanted to make sure that we all are hearing right
4:40 pm
and we are being fair. this is my question. you have one opinion and ms. archuleta, director archuleta and ms. seymour have another opinion. you seem to say they need to do certain things in a certain order, and they say they think the order that they are doing them in is fine. they say they can do certain things in a short time and you say it's going to take longer. you also say they don't have the necessary stream of funding they may need. this is what i want to know. is this a difference of opinion with regard to experts?
4:41 pm
do you understand what i am say? you have your set of experts and they have their set, and do you deem it a difference of opinion? the reason why i mentioned from the very beginning about the desire of certain members of our committee to ask for ms. archuleta's dismissal is because i want you to understand how significant that answer is, because there are some members that believe that you have made recommendations and that those recommendations had been simply disregarded. can you help us with that, mr. mcfarland? do you understand my question? you look confused. don't be confused. i can't hear you. >> i always look that way. >> okay, good. you always look that way. okay, go ahead. >> i am not confused, no, but it's a very difficult question. >> but it's a very important question. >> absolutely.
4:42 pm
of course it's a difference of opinion, but the opinion that i have comes from auditors who are trained to look for the things that they reported on, and they did, in my estimation, as normal and usual, an excellent job. they stand behind their findings. i stand behind their findings. >> but is it just a difference of opinion? >> well, it's obviously a difference of opinion without question, and from my perspective ours is based on auditing and questioning and understanding the situation and that's where we come up with our answers. >> you heard ms. archuleta give a whole list of things that she is doing or about to do, i think, naming a new cyber officer and whatever, and does that satisfy you as far as your concerns are involved? >> no, it doesn't satisfy me as far as our concerns.
4:43 pm
we have a whole suitcase of concerns. we have identified on our reports. i think that the best way to explain your answer to that question is that we -- we are, i guess, very frustrated that we asked answers of opm and it takes a long time to get the answers. we ask definitive questions and we don't necessarily get definitive answers. we know for a fact that the things that we have reported are
4:44 pm
factual. we don't take a backseat to that at all. our people have done this for a long time, they know what they are doing, but, yes, it comes out to a difference of opinion, but ours is based on fact. i can't speak for the other side. >> all right. your company has a lot to answer. according to the justice department, usis perpetrated a multimedia fraud, and they failed to protect sensitive information of tens of thousands of federal employees, including people in the intelligence community and even the capital police, and our integrities doled out bonuses. last week the committee invited
4:45 pm
the integrities chairman to testify. do you know what he said? >> i do not. >> i will tell you. he said, no, he refused. in 2014, a team from department of homeland security, asked integrity if they could scan the networks because the cyber spies were able to move from usis to those other subsidiaries. do you know how they responded? >> i understand they declined. >> yes, they refused. altegrity is our parent company. who made the decision to refuse the government's request? >> i don't have that information. i am not aware of who made that decision. it certainly was not me. >> can you find out for me?
4:46 pm
>> i can ask. >> how soon can we get that information? >> i will take it back to counsel and see what we can do. >> i would ask you to get it to us in the next 24 hours. i would like to have that. i have been trying to get it for a long time. i would like for you to tell the committee names of specific of the board. >> i interact almost never with the board of directors. >> you are about as close -- we have been trying to get the information for a while. you are all we got. i know you are just back from
4:47 pm
vacation from italy. did you get a bonus, by the way? >> i did. >> oh, my goodness. how much did you get? >> i don't recall the exact amount. >> it was in the neighborhood of $95,000. >> your company also refused to provide answers in a hearing in 2014. do you know what your company representative said when the committee attempted to get these answers? >> i am not in that communication chain, so i don't. >> let me tell you. they sent an e-mail to our staff and i quote, the company does not anticipate making a further response, end of quote. do you know -- would you know why they would say that? >> again, i am the chief information officer at usis, and i don't know. >> sounds arrogant to me. the same question i asked back in february of 2014, more than 16 months ago, name the board of directors that decided not to answer those questions, you wouldn't know that either? >> i don't know the board of directors.
4:48 pm
i know the chairman is steve duh leash. >> you are still working for usis, is that right? >> how long will you be there? >> indeterminate, but in the next month or so i will be departing. >> will you try to get me those names? >> i will take your request back to the appropriate people. >> thank you. we recognize the gentleman from florida. >> thank you, mr. chairman. ms. archuleta, there has been a discussion today about how many peoples' federal employees and retirees have been breached and you testified at the beginning, you estimated about 2.4 million,
4:49 pm
is that correct? >> it was 4.2 -- >> 4.2 in personnel? half of that is retirees, and that's 2.4 and then you add -- >> i don't know exactly, but it's about half and half. >> the second figure you started to debate about was 18 million, which has been reported by the media, and that would deal with breach of social security numbers? >> the analysis right now is taking a look at all the pii because pii comes in various forms -- >> but you are not prepared to tell us how many -- >> no, sir. >> of the social security numbers are breached. the chairman pointed out your statement in february, you had said over 32 million records? >> that was the number he used, yes. >> so you really don't know,
4:50 pm
then, how many records have been breached beyond the 4.2? >> no, sir, that's the investigation we are doing right now. >> i thought about this a little bit and i thought, well, first thing, were my records breached,
4:51 pm
>> how much data, is there an address, there is personal information about these individuals. you think a little bit about people down in the glass places here and you want -- everyone said -- i was stunned to find out the people -- the united states citizens serving overseas were notified that their personnel records were breached and information is available on them and they are in -- in possible situations that could be compromised by that information. but you have notified them, right? >> we've notified the 4.2 million people -- >> well those are the people. they mentioned this to me. i was there on other subjects, but expressed concern. >> and i'm as concerned as you are sir, about this because these are the individuals who have been -- whose data have been taken by these attackers.
4:52 pm
>> these are on the front lines overseas, and their representing us and i could hear concern in their voice about what -- what has taken place. now i've radar it is chinese hackers, does anyone know? was it chinese? do we know for sure? >> that is classified information. >> but you have some idea but it is classified. >> it is classified information. i can't -- >> whether it is chinese or some group that could give this information to people who would want to do harm, then that means some of the people to me are at risk. >> sir every employee is important to me. not whether they are serving in kansas city or overseas every employee is important to me. >> this people yesterday morning before i left i visited the site
4:53 pm
of a terrorist act at a capitol and it still hadn't been open and it was monthed res since -- months since that terrorist attack and those people are on the front lines and you've been there the honest, mostly sunny barron di camillo, since about '12. >> i'm sorry, what was it? >> you have been in position since 2012 in opm. >> no i work for department of homeland security. >> oh, homeland security. but you're responsible for overseeing opm. >> so dhs has shared responsibility for cyber security and we ensure the.gov and we work with them protecting the boundaries as well as. >> when did we first find out about the breach. >> it was notified by a third party partner to us. >> when. >> in march of 2014. >> 2014. >> so when you come on miss
4:54 pm
seymour in 2014. >> i came on board in 2013. >> so you were there and they talked about his bonus. and finally are you usis. >> yes. >> and did you get a bonus? >> yes. >> and how much. >> i don't know how much, but about $7000. >> and so while you were private and public people getting a bonus while this was going on. >> and i now recognize the lady from new york miss moleony for five minutes. >> opm was breached directly, i'm trying to get this correct. opm was breached twice, is that correct. >> yes, ma'am, that is correct. >> and one occurred in december of 2014, detected in april 2015
4:55 pm
and then the security breach -- when were the two breaches, the two breaches the dates? >> the first opm breach goes back to -- we discovered it in march of 2014 and the breach actually -- but the breach actually occurred in -- >> you discovered it in march 2014. >> yes, ma'am. and the breach actually occurred the adversary had access back to november of 2013. >> and the second breach was when. there was two breaches correct. >> that is correct ma'am. the second breach was in april of 2015 and the date that breach goes back to is october of 2014. >> okay who -- >> i'm sorry june of 2014. >> who discovered this breach?
4:56 pm
how did opm discover this breach. >> the first breach, we were alerted by dhs. >> so you did not discover it. the department of homeland security discovered it? >> the first breach in march of 2014. >> in 2014 -- wait a minute. i think this is important. homeland security discovered it. >> yes, ma'am. >> okay. and then the second one, who discovered it. >> opm discovered it on its own in april of 2015. by then we had put significant security measures in our network. >> now when did you report these breaches? and who did you report them to? >> on april 15th when we discovered the most recent breach, we reported that to us cert. >> to who? >> to u.s. -- the computer emergency and readiness team, and dhs. >> did you report it to congress.
4:57 pm
>> we reported it to the fbi and then we made the his ma required -- fisma required notification as well. >> that was the second one. what about for the first one. >> again dhs notified us of that activity in our network and so they -- they already knew about that one. and yes ma'am we made notifications to congress of that one as well. >> when? >> i'm sorry ma'am, i don't have the date in my notes. would you be happy to. >> would you get back to the committee for us. now did you notify the contractors of the breach?
4:58 pm
>> at the first breach, there was not an awareness of -- of what the adversaries were targeting and that this may go beyond opm. i know that our staffs -- my staff, my secret staff had -- security staff had conversation with the security staff at the contractor organizations and the compromise that dhs had that other organizations were put into einstein as well as communications that would normally -- >> but the breaches were direct. now i want to understand the interaction with the contractors. now when they breached you, did it go into opm? i'm asking both mr. hess and mr. giannetta. when they went into your system did that connect into opm or was it held in your system?
4:59 pm
>> in our in trugs in june of 2014, it was within our systems. >> so it was within your system. so the 4 million identities that they have and information they have it came from opm or it came from the contractors? are they one in the same or are they separate? and i'll go back to miss seymour. >> no, ma'am, these are separate incidents. so with the breach at usis, the way that opm does business with its contractors is different from the way other agencies may do business with both key point and with usis. and so there were approximately 49,000, i believe it was individuals who we notified based on the key point incident. there were other agencies who made notifications both on the usis and the key point incidents. the 4.2 number you are getting to, ma'am, is about the personnel records that are the
5:00 pm
incident at opm. >> okay. what i would like to get in writing is exactly what information came out of opm. what information came out of the contractors. is it the one and the same, are you the final data base. so i want to understand the connection and how the breaches occurred and how they interconnect and get it back to chairman chaffetz i think it is important information. >> thank you. now recognize the gentleman from ohio mr. turner for five minutes. >> miss choout and miss seymour, i just want to remind you that you are under oath and i have a series of questions that follow on to carolyn maloney's questions. it was reports in the wall street that a company named site teches that related they were involved in discovering

20 Views

info Stream Only

Uploaded by TV Archive on