Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  June 17, 2015 1:00am-3:01am EDT

1:00 am
we need money. we are dying. we are dying. we need money. we have to do it. we need the right people. so, ford will come back. they will all come back and i will say this -- this is going this will be an election based on confidence. thank you, darling. somebody said to me the other day, a very nice reporter -- mr. trump, you are not a nice person. >> we don't need nice! mr. trump: that is true. actually, i think i am a nice person. people that know me, like me. does my family like me? i'm proud of my family. speaking of my family -- vanessa, tiffany, ivanka did a great job. [applause]
1:01 am
mr. trump: jared, laura, eric -- i'm very proud of my family. they are a great family. so, the reporters said to me the other day mr. trump, you are not a nice person. how can you get people to vote for you? i said, i don't know. i said, i think that number one, i am a nice person. i give a lot of money away to charities. i think i am actually a very nice person, but i said this is going to be in election -- an election that is based on confidence because people are tired of these nice people and they are tired of being ripped off by everybody in the world and they are tired of spending more money on education than any nation in the world per capita than any nation in the world and we're 26th in the world. 25 countries are better than us in education and some of them
1:02 am
are like third world countries. we are becoming a third world country because of our infrastructure, airports and roads. one of the things i did -- i said -- a lot of people said he will never run. he does not want to give up his lifestyle. you are right about that. number two, i'm a private companies so nobody knows what i am worth. when you run, you have to announce and certify to all sorts of government authorities your net worth. that's ok. i'm proud of my net worth. i started off in a small office with my father in brooklyn and queens. my father said -- i love my father. he was a great negotiator.
1:03 am
i learned so much sitting at his feet, playing with blocks and listening to him negotiate with subcontractors. i learned a lot. he used to say, donald, do not go into manhattan. that is the big leagues. we don't know anything about that. i said i have to. i have to build big buildings. i have to do it. after four or five years in brooklyn, i ventured into manhattan and made a lot of good deals. i was responsible for the convention center on the westside. i did it early and young. i love what i am doing. they all said, a lot of the pundits on television, donald will never run. and one of the main reasons is he is private and he is probably not as successful as everybody thinks. i said to myself, you know nobody will ever know unless i
1:04 am
run because i'm really proud of my success. i really am. i have employed tens of thousands of people over my lifetime. that means medical, education, everything. my accountants have been working for months because it is big and complex. they have put together a statement. a financial statement. it is a summary, but everything will be filed eventually with the government and we don't need extensions or anything. we will file it on time. we don't need anything. and, it was even reported incorrectly yesterday because they said he had assets of $9 billion. that is the wrong number. not assets. they put together this and i have to say this. i made it the old-fashioned way.
1:05 am
it is real estate. it is labor, unions -- some good and some bad. lots of people that are not in unions. it is all over the place and the world. i have assets, big accounting firm, one of the most highly respected -- $9,240,000,000. i have liabilities of about 500. long-term debt, very low interests. one of the big banks came to me and said i don't have enough borrowings. they asked to loan me money and i said i don't need it or want it. i have been there. i don't want it. in two seconds, they give me whatever i wanted. i have a total net worth -- it
1:06 am
will be well over $10 billion. here a total net worth of at billion dollars -- not assets, a net worth. after all debt, all expenses the greatest assets -- trump tower, bank of america building in san francisco, 40 wall street, sometimes referred to as the trump building -- many other places all over the world. the total is $8,737,540,000. [applause] mr. trump: i'm not doing that to brag because i don't have to, believe it or not. i'm doing that to say that that is the kind of thinking our country needs. we need that thinking. we have the opposite thinking.
1:07 am
we have losers. we have losers. we have people that don't have it. we have people that are morally corrupt. we have people that are selling this country down the drain. i put together this statement and the only reason i am telling you about it today is because we really do have to get going because if we have another three or four years -- we are at a train channeling dollars now -- $18 trillion now. according to the economists who i am not big believers in, they say $24 trillion, we are very close. that is the point of no return. $24 trillion. we will be there soon. that is when we become greece. that is when we become a country that is unsalvageable. we will be there very soon. >> make america strong!
1:08 am
mr. trump: just to sum up, i would do various things very quickly. i will repeal and replace the big lie, obamacare. [applause] i will build a great wall -- nobody builds walls better than me. i will build a great, great wall on our southern border and i will have mexico pay for that wall. mark my words. nobody would be tougher on isis than donald trump. nobody. [applause] mr. trump: i will find within our military, i will find the general patton or i will find general macarthur. i will find the right guy, the guy that will take that military and make it really work. nobody will be pushing us around.
1:09 am
[applause] mr. trump: i will stop iran from getting nuclear weapons. we will not be using a man like secretary kerry that has absolutely no concept of negotiation, who is making horrible deals, to was being tapped along as they make weapons right now and goes into a bicycle race at 72 years old and falls and break his leg. i will not be doing that. i will never be in a bicycle race. [applause] mr. trump: i will immediately terminate president obama's illegal executive order on immigration, immediately. [applause] mr. trump: fully support and backup the second amendment. [applause] mr. trump: very interesting.
1:10 am
today, i heard it. through stupidity in a very hard-core prison, interestingly named clinton, two vicious murderers, people escaped and nobody knows where they are. a woman was on television this morning and she said, mr. trump -- she was telling other people. i called her. she said, mr. trump, i always was against guns. i did not want guns and now since this happened my husband and i are finally in agreement. we now have a gun at every table. we are ready to start shooting. i said very interesting. so, protecting the second amendment. [applause] mr. trump: end common core. common core is a disaster.
1:11 am
bush is totally in favor of common core. i don't see how he could possibly get the nomination. he is weak on immigration and in favor of common core. how the hell can you vote for this guy? you just can't do it. education has to be local. rebuild the country's infrastructure. nobody can do that like me believe me. it will be done on time, on budget, way below cost, way below what anyone ever thought. i look at these roads being built all over the country and i say i can build those things for one third. what they do is unbelievable. we are building on pennsylvania avenue the old post office. we are converting it into a great hotel. it will be the best hotel in washington, d.c. we got it from the general services administration. the obama administration, we got it.
1:12 am
it was the most highly sought after -- i think the most highly sought after project in the history of general services. we got it. people were shocked -- trump got it. i got it because we are really good and we had a really good plan. we also had a great financial status. general services who are great people and talented they wanted to do what great job and made sure he got billed. we have to rebuild our infrastructure -- our bridges, roadways and airports. you come into it laguardia airport, it is like we are in a third world country. you look at the patches and the 40-year-old floor they put down -- you look at these airports, we are like a third world country. i come in from china, qatar, different places and they have the most incredible airports in the world. you come back to this country
1:13 am
and you have lax, disaster -- all of these disasters airports. we have to rebuild our infrastructure. save medicare, medicaid and social security without cuts. have to do it. get rid of the waste and abuse but say that. people have been paying it for years and now many of these candidates want to cut it. you save it by making the united states rich again and take back all the money that was lost. renegotiate our foreign trade deals. [applause] mr. trump: reduce our $18 trillion in debt because we are in a bubble. we have artificially low interest rates. we have a stock market that frankly has been good to me but i still hate to see what is happening. we have a stock market that is
1:14 am
so bloated, be careful of the bubble. what you have seen in the past might be small potatoes compared to what happens. be very careful. and strengthen our military and take care of our that's. -- vets. so so important. >> yes! mr. trump: sadly the american dream is dead. >> bring it back!. mr. trump: but if i get elected president, i will bring it. bigger better, and stronger than ever before. we will make america great again. thank you. make you very much. -- thank you very much. [cheers and applause]
1:15 am
[captions copyright national cable satellite corp. 2015] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] ♪
1:16 am
>> like many of us, first families take vacation time.
1:17 am
a good reading could be the perfect companion for summer journeys. what better book than one that appears inside the personal life of every american first lady? first ladies, the lives of 45 iconic women. inspiring stories of fascinating ladies. a great summertime read. available from public affairs as a hardcover or an e-book through your favorite bookstore or online bookseller. >> secretary john made an unannounced appearance at the state army briefing today speaking on a video link from his home in boston where he is recovering from surgery on his leg. this is his first public appearance since breaking his right femur in a biking accident in france. he answered questions mostly focused on the nuclear iran
1:18 am
negotiations. >> good afternoon. thanks for coming today. >> welcome. [laughter] >> i appreciate that. i figured i might need some help. i've asked secretary kerry to help join me today. we have have him remotely from boston. areas. this is a live remote situation.
1:19 am
he will have a few comments and then we'll go to questions. i have a plane to catch, so i will have a lot of questions we can take -- won't have a lot of questions we can take. identify yourself and who you are with. mrs. secretary, can you hear me ok? secretary kerry: i sure can. -- mr. secretary, can you or me ok? secretary kerry: i sure can. i look forward to catching up with everyone. i wanted to have a chance to personally welcome former admiral john kirby to the podium. it is a special privilege for the state apartment as our spokesperson. he is the face of the department now going forward. i have had a chance to watch him a number of times from the hospital that a few days ago.
1:20 am
i thought he did an outstanding job. i'm really happy he will be taking over today officially at the podium. very much looking forward to building a strong relationship with all of you. john, thank you so much. welcome aboard. we are delighted to have you. let me say to the members of the press there that i look forward to coming and picking up where we left off in our give-and-take in rack and forth -- and back and forth. i want to share a couple of quick observations. i talked today with the prime minister of pakistan regarding a recent increase in the tensions publicly between india and i pakistan.
1:21 am
it is an enormous concern to all of us for all of the obvious reasons. these are two very important countries. it is very important that there be no misinterpretation or miscalculation with respect to any of the back and or -- fourth. the prime minister is extremely forthcoming. it could not have been more direct. he finished a conversation himself with the prime minister of india. we welcomed about how we could work, all of us come to try to do reduce those tensions over the next days and weeks. in addition, on going to be spending a fair amount of time focused on china for the
1:22 am
security and economic dialogue. it is coming at a time of some importance in terms of what has been going on in the region, as well as conceivably some of interest that we have with respect to trade, economy, and other interests. it will be an important meeting and i am confident we will have a full throated discussion of all the issues that confront us. that will be soon, we are not exactly sure of the day, depending on how things move in vienna. i will be leaving to conduct the, what one hopes will be the closeout and should be the closeout of negotiations with respect to the iran nuclear program. obviously, the stakes on that
1:23 am
are high. our position has not changed. i noticed back and over the next -- over the last few days, but our decisions have not altered one iota from what we declared in my interviews and discussions with people over the course of the last few months. so, the talks remain talks, they are critical. and just as i have said consistently, we will not rest to an agreement for the sake of an agreement and we will not sign an agreement we do not believe will get the job done. let me again welcome john to the podium. i will be happy to share questions before i race out of here. john kirby: thank you mr. secretary. the first question from matthew. >> i hope you can hear me ok. good to see that you are back on your feet, kind of.
1:24 am
it is a nice look behind you -- it is a nice boat behind you. john kerry: i actually rebuilt part of that. >> the original? [laughter] >> i want to start with iran there have been reports and comments from a variety of places over the course of the past couple days about the u.s. and its position. you said your position has not shifted, but is it not the case that this is a negotiation and there will be give and take between the two sides, between iran and the u.s., and if that is the case, how can you say
1:25 am
that you will not make concessions, that there are not going to be -- there isn't going to be movement in your position, especially regarding sanctions what kind of sanctions are lifted, and the possible military dimensions? john kerry: sure, matt. of course it is a negotiation, of course there is always give and take, but it was defined the fundamental parameters. -- of what needs to be achieved. for instance, on something like possible military dimensions the jpoa refers to that. that remains true. it has to be. we have to resolve our questions
1:26 am
about it with specificity. access is critical and has always been critical and remains critical. we define that as -- and that is our fundamental outlines. within that context, there is leeway to be able to further define certain things and of course, there were things i specifically articulated in luzon at the press conference. some things remain more open than others. but there are fundamental things here that have to be adhered to in order to have the definition
1:27 am
of a good deal, when we talk about it. that has not changed, can't change, those will have to be resolved along the lines of how they were defined in luzon. john kirby: margaret. >> secretary, good to see you again. i have a question about syria. how certain are you that it is the bashar al-assad regime that is carrying out these chemical attacks and have you made progress in getting them to stop? john kerry: we are certain that the preponderance of those
1:28 am
attacks have been carried out by the regime. we are putting together a portfolio of that data that supports that, even as we speak now. but that is not to say that some elements of opposition may not have had access at one point in time or another, and have utilized something at one point in time, but when i talk about them that -- about the vast preponderance, i mean that -- that preponderance. it has been documented, the opposition is not flying airplanes, and you can go through tracking of the delivery system, the delivery approach, so frankly it is not hard to pin down in the end. it is something we will lay out at the appropriate time. >> any progress in making him stop? john kerry: i discussed this
1:29 am
with foreign minister lavrov yesterday and i'm confident that he will reason with him, yet again. i think everybody's patience is wearing thin with respect to the extraordinary depravity of the weaponry and mechanisms for delivery, which our side has used against -- which is that side has used against its own people. if you look at aleppo, i still -- isil is in the area and they can close off umana terry in existence it they are -- humanitarian assistance, and they can cut it off. i raised this issue with lavrov yesterday and it will be something that we focus on very publicly.
1:30 am
but needless to say, we are engaged in a number of efforts are now, diplomatically and otherwise, to see if there is life in the political track. it is too early to answer that. we are not simply sitting there and allowing this to happen without any efforts to see if there is a way to stop it. thus far, it has not been stopped. it is only increasing the international community's anger at the bashar al-assad regime.
1:31 am
john kirby: michael. >> you mentioned that possible military dimensions for suspected nuclear design work and testing components has to be addressed as part of a perspective iran agreement. to these concerns -- do these concerns need to be resolved before sanctions are eased or released or removed, or suspended on iran as part of that agreement? is that negotiable? john kerry: michael, the possible military intervention get distorted a little bit in the discussion, in that we are not fixated on iran specifically accounting for what they did at one point in time. we know what they did. we have no doubt. we have absolute knowledge with respect to certain military activities they were engaged in. we are concerned about going forward.
1:32 am
it is critical for us to know that going forward, those activities have been stopped and that we can account for that in a legitimate way. that clearly is one of the requirements in our judgment for what has to be achieved in order to have a legitimate agreement. in order to have an agreement to trigger any kind of material significant sanctions, we will have to have those answers. john kirby: police -- aleese. >> can you talk about your discussions about ukraine, there are reports that russians are moving heavy weaponry into ukraine. there has been talk that the u.s. is preparing additional sanctions along with europeans. it seems as if president clinton -- putin can absorb the cost of
1:33 am
the current status quo, so how can you get directions to withdraw their support of separatists, or are you planning additional punitive measures? john kerry: thank you for your comments. look, we discussed this at some length yesterday. and i made it very clear that the united states and european capacity to try to move forward with respect to sanctions is fully dependent on the implementation of the men agreements. -- minsk agreements. there have been several meetings in the last days of the working
1:34 am
groups and the trilateral group, which has been more productive than meetings here to for, and discipline has moved into discussion with respect to separatists. i made it very clear to foreign minister lavrov that, really it was my emphasizing it, because i think he understands and accepts the idea that the working groups are the key. they are the key to making minsk happened. the russians always raised counter initiatives by the ukrainians, which they suggest are causing the separatists to shell and engage in military activity. frankly, you get trapped in a
1:35 am
rabbit hole if you start to discuss who did what, when and how. so we really tried to focus on how to we move forward. i made it clear and he accepted the idea that it needs to be less exciting and more negotiating and more movement with respect to the minsk implementation process. newland will be visiting there shortly. we will continue to put pressure on the process of the working groups to be able to more fully implement minsk and i made it as clear as i possibly can that in the absence of a reduction in
1:36 am
hostility, and the absence of further progress, europe and the u.s. needed to be united in a rollover of the current level of sanctions and whether or not more comes depends on what happens on the ground. but we have also seen russian activities that further support the separatists in ways that are not productive. i called back to his attention and we will see whether or not there can be progress made and whether or not the minsk process actually takes greater hold through the working groups and ultimately through the political pieces that need to be achieved from both sides in order to have that and begin to get the autonomy, the individual economy steps in place -- economy steps in place that have been at the heart of the separatist demands and the ukrainian propers with
1:37 am
respect to a resolution. if it does happen, there is a way forward. if they do not happen, and if president putin continues to allow separatists to press forward, then obviously we have a very big challenge ahead of us. john kirby: this will be the last question, leslie. >> i hope you are feeling better mr. secretary. today president putin said he will add more missiles in its nuclear arsenal is here. do you think that -- does that concern you? john kerry: of course it concerns me. we have an agreement, we are trying to move in the opposite direction.
1:38 am
with cooperation for the destruction of nuclear weapons and former territories of the soviet union and nobody wants to see us step backwards. nobody wants to go back to a cold war status. it could well be posturing with respect to negotiations, because of their concerns about military moves being made by nato. the insurance program in place for the states, as well as potentially the missile defense deployment plans.
1:39 am
so it is hard to tell. but nobody should hear that kind of announcement from the leader of a powerful country and not be concerned about what the implications are. john kirby: ok, we will wrap it up there so the secretary can catch his plane to washington. sir, thank you for joining us. that concludes the press conference, i don't think i can improve upon that. have a good day. >> defense secretary ashton carter and joint chiefs chair dempsey will be on capitol hill tomorrow. mac library plans to ask them how u.s. armed forces can meet the president's goal of defeating isis, when there is no comprehensive strategy against isis, as he puts it. in the afternoon, federal reserve chair janet yellen holds a press conference on monetary policy and a possible interest rate hike. that is also on c-span3. >> this summer, book tv will -- >> 4.2 million personnel are
1:40 am
affected by two recent data breaches and the numbers are likely to grow you to that was breech holds data for the people who need security clearances. the director testified for two hours and 45 minutes before the oversight committee. t committee. [chatter] >> this well, the order. the chair is allowed to call a recess at any time. mr. cummings will be with us momentarily. last week, we learned that the united states of america may have had one of the most devastating cyber attacks in our
1:41 am
nations history. this may have been happening over a long. of time. there is a lot of confusion about what personal information for millions of employees and workers that was exposed in the data breach at the office of personnel management. opm initially reported that more than 4 million employees had information exposed during this attack. more recent reports suggest that this breach was worse man that. -- worse man that. we would like to know what information was exposed and who has this vulnerability. it would also be good to know who conducted the attack and i think we need to be more candor with the american people. the breach included background information collected through the security clearance applications. we would like clarity on that.
1:42 am
lots of this information puts our federal workforce at risk particularly those working on sensitive objects. -- projects. we are concerned about the public and these employees, who interests this information with the government. we needed to understand why the federal government is struggling to guard important information. the fact that opm was breached should come as no surprise given their troubled track record. this has been going on for years and it is inexcusable. each year, the government make sure that these groups are compliant with anders. according -- opm's data was exposed like an open house. how wrong they were. since 2007, the opm data
1:43 am
security was a material weakness. the agency had no policies and procedures they did not come close to something that could be used as an excuse for securing information. it is unbelievable to think that the agency that is charged with protecting information for all federal employees had a few formation technology policies or procedures in place. let me read through some of the reports that have happened in the course of the years. this is from the inspector general, 2009, this year we are expanding the weakness to include the agencies overall security programs and incorporating concerns about the agency's information management structure. the continuing weakness of their program results directly from an adequate governance. most if not all of the
1:44 am
exceptions we noted this year is from a lack of leadership and guidance. fiscal year 2010, we continue to consider the technology management structure insufficient. the lack of policies and procedures is a material witness in their security program. fiscal year 2011, we continue to believe that the information security, this represents a material weakness at opm. 2012 throughout 2012, the oci o continue to operate with a decentralized structure that do not have the authority or resources available to adequately implement new policies. however, the material witness remains open in this report as the agencies remain decentralized throughout 2012.
1:45 am
and because of the continued instances of noncompliance with requirements, it goes on however that oci oh statement is an accurate -- let me go back and , because of the program that opm had made with the credit programs, because there was no loss of sensitive data during the year. as the inspector general point out, the statement is inaccurate as there were numerous occasions of information security issues that led to the unauthorized release of sensitive data. they cannot even decide or agree that they had lost data back in 2012. let alone actually solve the problem. go to 2013, the inspector
1:46 am
general, the findings in this report highlights the fact that opm and their decentralized structure -- therefore we are again reporting this issue as weakness. fast-forward to 2014, this is november, 11 major opm information systems operating without valid authorization. this represents a material weakness in the control structure of opm and security programs. it goes on. opm does not maintain a comprehensive inventory of devices, they cannot know what they had or what is in the inventory. offices are not adequately incorporating known weaknesses into lands of action. the majority of systems are 120 days overdue. they continue to implement their plan but security controls are
1:47 am
not accurately tested in accordance with their own policy. not all opm systems have conducted contingency plans this is due thousand 14. several information agreement between opm and contractors contractor systems have expired. -- is not required to access opm systems. this has been going on for a long time. and yet when i read the testimony that was provided here, we are about to hear, hey we are doing a great job. you are not. this is failing. this went on for years and it did not change. the inspector general found that 11 of the 47 major information stems, roughly 23%, at opm lacked proper security
1:48 am
authorization, meaning that the security of 11 major systems was completely outdated. five of the 11 systems work in the office of the chief information officer. this is a horrible it ample -- example to be setting. the opm recently was updated to a significant deficient -- significant deficiency. and 2014, over 6% of offices -- over 60% of offices work on systems with new valid authorization. that is 65% of the information. for any agency that consciously disregards data security for so long, that is negligent. the fact that the agency that did this is responsible for maintaining highly sensitive information for all -- for almost all federal employees it
1:49 am
in mind opinion is egregious. other agencies also suffered breaches. the latest clever hack comes on the heels of other government agencies, the state department the internal revenue department and even the white house. and at the same time, the government is spending more on information technology. last year, we the american people spent almost $80 billion on information technology and it stinks, it does not work. $80 billion later, and the person in charge of security the person in charge of making sure that there is authentication of systems, even in her own office there is authorization needed. -- there is no authorization you. opm is not alone in the blame for this failure. the office of budget has the
1:50 am
response ability for setting standards for these practices. it is -- job to hold these agencies accountable. the department of homeland security has been given the lead responsibility for this, the geek squad, to monitor day-to-day practices, but the technical tools that have been deployed is not doing the job. while dhs has developed einstein to monitor networks, and only detects known in traders -- intruders. it is completely useless in the latest hacks. this status quo cannot continue. we are talking about the most vital information of the most sensitive nature of the people that we care about most. the people who trust that information to opm, and through the years it has been a total
1:51 am
failure. to the point that we find ourselves, millions of americans wondering, what some -- what somebody knows about them. what are they supposed to do? i have read the letter that you have sent to employees, it is inadequate. this is why we have this hearing today. i think what we will do now, i would like to recognize the judgment from texas who is the chairman of the subcommittee that we have in i.t.. we have set up a new subcommittee to deal with i.t. issues, we are honored and pleased to have that gentleman for five minutes. >> thank you mr. chairman, not only is the head of this subcommittee, but someone who has been through background investigations, i am concerned.
1:52 am
today's hearing is another example of the undeniable fact that america is under constant attack. it is not bonds dropping, but it is cyber weapons aimed at our data. from private sector innovations to military information, they are attempting to rob us and they are succeeding. these are not coming from afghanistan, but from air-conditioned office aliens and china, iran, and russia. these hackers work with impunity knowing that their actions have no consequences. this is not a question of how to protect networks, but of how we define the appropriate responses for digital attacks. this is a question i have asked for years and continue to ask in my role as chairman of this subcommittee. it is no secret that federal agencies need to improve our security. we have for years these reports
1:53 am
highlighting these systems, poor system compliance, and there have been improvements, but they have not kept pace with the nature of threats we are facing. until leadership takes control of basic cyber security measures, things like network monitoring, encrypting data, and segmentation, we will always be playing catch-up against highly sophisticated advocate -- adversaries. i welcome the witnesses here today and i look forward to their testimony. i will yield back. >> not recognize the gentlewoman from illinois, ms. kelly. ms. kelly: i want to thank the witnesses today. as you know, i have had the privilege to serve as a ranking member in the i.t. committee. the issue of data brings -- region is something we are
1:54 am
concerned with and we look order to work with colleagues to be active in addressing this issue. all of us should be concerned. the opm breach has reached -- raised questions about how adequately the information about employees is served -- stored on government networks. every day our government and businesses states a barrage of cyber threats. we are reminded of breaches on some of our most important companies, but every day there are cyber intrusions on our data that are not making headlines. whether it is criminal beyond our borders, or domestic attackers, or hackers looking to make a statement against government, cyber crime threatens our national security and economic prosperity. data breaches will not end anytime soon, but there is something we can be more aggressive in addressing. as we catch on to methods, these
1:55 am
actors will look to innovate around our defenses. we need to be just as innovative and we must have a frank conversation today and prepare a multi-front strategy to ward off and diminish the possibility of future data breaches. i think the committee and our witnesses again for this opportunity to examine the attack. >> think the gentlewoman. it is our intention to cure mr. cummings -- to hear mr. cummings and his statement. first we will hear witnesses and then go to mr. cummings. if that is ok with everybody. i will also hold the record open for five legislative days for anybody who would like to submit a written statement. we will recognize the panel of witnesses. we all welcome katherine archuleta:, the director of the office of personnel management. the secretary of cyber security.
1:56 am
mr. tony scott, u.s. chief information officer of the office of the government and the opposite of management and budget. ms. kearns, the department of the interior. donna seymore, the chief information's office of the united states office of personnel management. mr. michael esser, assistant inspector general for audit office of the inspector general of the united office of personnel management. we welcome you all. witnesses are all to be sworn in before they testify. if you can rise and raise your wife -- right hand. you solemnly swear or affirm that the testimony you will give will be the truth, the whole truth, and nothing but the truth . thank you, please be seated, and
1:57 am
let the record respect -- reflect that all witnesses responded in the affirmative. we appreciate you limiting your testimony to five minutes. we will, i can limit those 25 minutes, we will be -- limit those testimonies to five minutes. it will be entered into the record. after the conclusion, we will hear from mr. cummings and go to questions. we were now recognize katherine archuleta:. you are wrecking nice for five minutes. katherine archuleta: members of the committee, i'm here today to talk to you about the successful intrusions into opm systems and data. first, i want to deliver a message to employees, retirees and emily. the security -- and families.
1:58 am
the security of their data is of paramount importance. we are committed to the complete investigation of these incidences and are taking actions to mitigate vulnerabilities. when i was sworn in as director 18 months ago, i recognize that in order to build a well-trained workforce, that we would need a thorough assessment of the state of information technology at opm. i immediately became aware of vulnerabilities in our systems and i made modernizations in the security of our network one of my top priorities. government and nongovernment entities are under constant attack by a vaulting and advanced threats. these adversaries are
1:59 am
sophisticated, well-funded and focus. these facts will not stop -- these attacks will not stop, if anything they will increase. in the last year, we have undertaken an aggressive effort to update our i.t. posture. adding tools and capabilities to networks. as a result, in april 2015, and intrusion that predated the adoption of security controls was detected. we immediately contacted the department of homeland security and the fbi and together with these partners, initiated an investigation to determine the scope and impact of the intrusion. in may, the inner agency incident response team concluded that the exposure of personal records had occurred and notifications to affected individuals began june 8, and will continue through june 19.
2:00 am
as part of our notification process we are continuing to learn more about the systems that contributed to individuals and data being compromised. these individuals were included in the previously identified population of 4 million individuals and are being appropriately notified. for example, we have confirmed any federal employee from across all branches of government whose organizations submitted service history records may have been compromised, even if their personnel file is not stored on opm systems. during the course of the ongoing investigation, the inner agency incident response team concluded later in may that additional systems were likely compromised. this separate incident which
2:01 am
also predated deployment of our new security tools remains under investigation by opm and our inner agency partners. there is a high degree of confidence that systems related to background investigations of current, former, and prospective employees, and those for whom a federal investigation was conducted, may have been exfiltrate it. while we have not determined if scope or impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicable. throughout these investigations we have provided regular updates to congressional leadership and relevant committees of these incidents. but for the fact that we implemented new, more stringent security tools, we would have never known that malicious
2:02 am
activity had previously existed on that network and would not have been able to share that information for the protection of the rest of the federal government. in response to these incidents and working with our partners at dhs, we have immediately implemented security measures to protect sensitive information and to take steps towards building a simplified, modern, and flexible network structure. we continue to execute on our aggressive plan to modernize platforms and bolster security tools. our 2016 budget request includes an additional $21 million above funding levels to further these order of the modernization of our i.t. infrastructure which is critical to protecting data from the persistent adversaries we face. the funding will help us sustain the network security upgrades
2:03 am
and maintenance initiated in fiscal year 2014 and 2015. to improve our cyber posture including advanced tools such as database encryption, stronger firewalls, storage devices, and masking software. funding will support the redesign of opm legacy network. thank you for the opportunity to testify. i'm happy to address any questions you may have. >> thank you. i appreciate the opportunity to appear before you today. like you, i am deeply concerned about the compromise at opm. i'm dedicated to ensuring we take all necessary steps to drive forward the cyber security of the federal government. director archuleta spoke to the
2:04 am
incident. i want to focus my remarks on how we are accelerating efforts to protect the federal government. i will discuss how the department of homeland security is protecting federal agencies and helping those agencies attack themselves. under legislation passed by congress last year, agencies are responsible for their own cyber security. dhs provides a baseline of security and helps better manage their risk. we protect agencies by providing a common set of capabilities through the einstein and continuous diagnosis program. we measure and motivate agencies to implement best practices. we service a hub for information sharing. i will focus on the first area how dhs revives a baseline of
2:05 am
security through einstein and cdm. i've describe the other three areas and him happy to take questions. the einstein system protects agencies at the perimeter. a facility, it is similar to a camera the entrance to the facility that records traffic coming and going and identifies anomalies. einstein 2 heads -- adds the ability to alert security when a prohibited vehicle is identified. einstein 2 does not stop cars that sets off an alarm. they are fully deployed and screen federal civilian traffic. all traffic goes through trusted internet connections. the latest phase of the program is akin to a guard post.
2:06 am
einstein three uses classified information to compare them with a watchlist. it actively blocks prohibited cars from entering the facility. we are accelerating efforts to protect civilian agencies. the system covers 15 federal civilian agencies with 930,000 federal personnel, 45% of the civilian government. those are protected with one of two security countermeasures. that is double the coverage we had nine months ago. einstein 3a has blocked attempts and played a key role in identifying the compromise of opm data. we recognize that security cannot be achieved through only one type of tool. einstein will not be able to block every threat.
2:07 am
it must be complemented with systems and tools to monitor inside agency networks. our program addresses this challenge. returning to our analogy of a facility continuing the analogy , the next two faces will monitor facilities to make sure they are not engaged in our authorized activity and will assess across the facility to detect unusual patterns. we have provided phase one capabilities to eight agencies covering 50% of the federal government and we expect to cover 90% of the government by the end of this fiscal year. the deadlines are wednesday a given capability. it will take additional months to implement their side of both einstein and cdm when they are available. agencies must supplement additional tools appropriate to their needs. i would like to conclude by
2:08 am
noting frequent attempted intrusions. we are facing a major challenge we are facing a major challenge. the entire nation is making up for 20 years of cyber security. in response, we are bringing cutting-edge capabilities online. we are asking our partner agencies in congress to work with us to strengthen cyber
2:09 am
security in federal agencies. thank you, and i look forward to questions. >> thank you. you have an impressive background. we look forward to hearing your testimony. >> thank you. thank you for the opportunity to appear before you today. i appreciate the opportunity to speak with you about recent cyber incidents affecting federal agencies. i would like to start by highlighting a very important point, which has been mentioned and of which i and sure you are aware. state and nonstate actors who are financed and persisted in attempting to breach government and nongovernment systems every day.
2:10 am
as we remediate and strengthen our own practices, our detection capabilities will improve. we have to be as nimble, as aggressive, and well resourced as those who are trying to break into their systems. threats on a continuous basis is our nation's new reality. in reality i face the private sector and am continuing to see here in my new role. as federal cio i leave lead information and technology. my office is responsible for developing the implementation of federal information technology policy. even though my team has a variety of responsibilities, i will focus on cyber security.
2:11 am
under the federal security information monetization act of 2014 omb is responsible for federal information security oversight. it executes its responsibilities in close coordination with security partners. as i mentioned they re-slanderous a creation of a first-ever dedicated cyber security unit within my office. this is the team that is behind the work articulated in fiscal year 2014, which highlighted the successes and challenges facing federal agencies cyber security programs. in fy 2015 the cyber unit is
2:12 am
targeting oversight through reviews, prioritizing agencies with high risk factors determined by cyber security performance and incident data. my colleagues will address the incidence. in terms of the role of r&d my we use these reports to look for trends and patterns, and for areas where government wide processes, policies and practices can be strengthened. we update our guidance and coordinate with other agencies to ensure that guidance is implemented. the recently passed federal information technology act and our guidance associated with that legislation strengthens the role of the cio in agency cyber
2:13 am
security. opm notified in april of 2015 of an incident affecting data in transit. opm reported they were working closely with various government agencies on a comprehensive investigation and response to this incident. we have been monitoring the situation and have been engaged in making sure there is a government wide response to the events. to further improve cyber security and protect systems against these evolving threats omb launch the 30 day cyber security threat. they will further adjust cyber security priorities. second, agencies were directed to accelerate efforts to threat
2:14 am
indicators tighten policies and practices for privileged users and to dramatically accelerate implementation of multifactor authentication. i want to underscore a critical point i made at the beginning of this testimony. state and nonstate actors are attempting to breach government and nongovernment systems in an aggressive way. it is not going to go away and we're going to see more of it. ensuring the security of information on federal government networks and systems will remain a core focus of the administration as we move to implement innovative protections and respond to new challenges as they arrive. in addition we look forward to working with congress on legislative actions that may protect our nation's critical networks and systems. i think the committee for holding this hearing and for your commitment to improving
2:15 am
cyber security. i would be pleased to answer questions you may have. >> miss burns you are acknowledged for five minutes. sylvia burns: i appreciate the opportunity to testify regarding efforts to secure and protect agency, customer, and employee data in the wake of cyber intrusions. we appreciate having the opportunity to provide a classified briefing on the cyber intrusion for your staff and congressional staff. cyber intruders executed sophisticated tactics to obtain unauthorized access to data posted in a dod data center. the incident was and remains
2:16 am
under active investigation. the effort has not discovered evidence that any data other than opm data was exfiltrate it. we have initiated planning effort to address remediation to strengthen security protection, and reduce risk to the department, employees, customers, and workers. we take the privacy and security of the data seriously. in april dhs informed doi about potential malicious activity which was determined to be a sophisticated intrusion on doi networks. doi we get working with u.s. director of federal agencies to initiate an investigation and determine what information may have been compromised. doi allow dhs immediate access to the computer systems and dedicated support to the
2:17 am
investigation. there is evidence there was actions to the overall environment, the investigation remains ongoing. concurrent with the investigation, doi initiated a major planning effort to address short my medium, and long-term mediation to strengthen cyber security. we have now accelerated our work on existing efforts while advising new security measures in consultation with the investigating agencies with expertise related to this threat. activities are underway including working with dhs to
2:18 am
scan for malicious indicators across the doi network. we are identifying and mitigating critical i.t. security vulnerabilities for all internet racing systems that the direction of the secretary and deputy secretary. we are doing the same for all i.t. systems including systems for internal use and for the public and non-doi users. we are requiring new capabilities to detect and respond to new intrusions. we continue to meet with partners to learn about activities and leverage their knowledge to make improvements. we are fully enabling to factor authentication. the existing plan includes separate and -- several initiatives. we are a done implementing
2:19 am
hardware and software asset management and will add new capabilities for access control and dashboard and fashion alley -- dashboard functionality. we are strengthening cyber security and privacy workforce so we have knowledgeable and experience people to address current and future threats facing the agency. we are designing increase network segmentation so if an intrusion occurs within one comment -- one component we can limit the extent of the exposure. we are evaluating data protection technology potential future investment. we take the privacy and security of the data seriously. we are committed to supporting and continuing the investigation regarding the incident affecting opm data. we will continue to be an active participant in the ongoing efforts by the federal government to improve our
2:20 am
nation's security posture. this concludes my repaired statement. i would be happy to answer any questions you may have. >> my remarks were included with the director. thank you for having me here today. i will be happy to answer questions. >> members of the committee, good morning. i am the assistant inspector general for audits at the office of personnel management. thank you for inviting me to testify on the i.t. security. i will discuss the long history of systemic failures to properly manage its i.t. infrastructure which we believe led to the breaches we are discussing
2:21 am
today. there are three primary areas of concern that we have identified through our audits. information security governance security assessment authorization, and technical security controls. for many years, opm operate in a decentralized manner with the agency program offices managing their i.t. systems. the agency had responsibility for protecting the systems but did not have the access or control to do so. the program office staff responsible for i.t. security had no i.t. background and perform this function in addition to their other full-time roles. as a result of this structure many security controls remain unimplemented or untested and all of our audits identified
2:22 am
this as a serious concern. in 2014, opm took steps to centralize i.t. security responsibility with the cia out. the structure has resulted in improvement in the consistency and quality of security practices. we are optimistic about these improvements. it is apparent it is negatively impacted by years of decentralization. the second topic is security assessments and authorization. this a comprehensive assessment of each i.t. system to ensure that it meets the applicable security standards before allowing the system to operate. opm has a history of issues related to system authorization. in 2010, we noticed serious concerns in this area. after improvements were made, we
2:23 am
removed it as an audit concern in 2012. problems with the system authorization have reappea21 opm systems were due to receive a new authorization but 11 were not authorized by year end. recently the oci l has put authorization efforts on hold while it modernizes opm i.t. infrastructure in response to security breaches. it is likely the number will increase. we support the effort to modernize systems. authorization activity should continue. the third topic relates to opm use of technical security controls. they have implement a controls and told to make the agency systems more secure. such tools are only helpful if they are used properly and cover the entire technical infrastructure. we have concerns they are not.
2:24 am
we were told that opm performs vulnerability scans on all computer servers using automated scanning tools. opm was performing the scan. some were not done correctly and that some servers were not scanned at all. one is the requirement for two factor authentication to access information systems. we determined that opm does not have an accurate centralized inventory of all servers and databases. tools were being used properly. opm cannot fully defend its network without assets. in closing it is clear that even the security responsibility is highly centralized under the oci l the recent security breaches indicate opm has significant work to do to
2:25 am
identify all of the assets and data that it is tasked with protecting and then take the steps to do so. thank you for your time. i'm happy to answer any questions you may have. >> we now recognize the ranking member mr. cummings. mr. cummings: the recent cyber attack against the office of personnel management is the latest in a series of aggressive attacks against our nation in both the public and private sectors. i want to put up a slide that lists some of the most significant breaches over the past few years. 80 million people. jpmorgan. 76 million people. target. 70 million people. opm, 3 million so far. then there was the postal
2:26 am
service. this is not a comprehensive list by any means. when you see this list, the picture is clear. the united states of america is under attack. sophisticated cyber spies many from foreign countries, are targeting the sensitive personal information of millions, millions of americans. they are attacking our government, our economy, our financial sector, our health care system, and every single aspect of our lives. for more than two years i have been pressing for our committee to investigate these cyber attacks. i think the chairman for holding today's hearing. i hope we will have similar hearings on other attacks as well.
2:27 am
with respect to the attack on opm, my primary concern is who was targeted. government workers and what foreign governments could do with this information. i have several questions for opm. how many employees were affected? what kind of information was compromised? what steps are being taken to help these employees now? i want to know how these attackers got inside the networks. lester cyber attackers penetrated networks of usage. one of the most critical questions we have today is, did the cyber attackers gain access to opm data systems using information they stole from usage or keep going/year?
2:28 am
did they get the key to networks from one of its contractors? i asked you to invite usage representatives to testify today. you agree to invite usage. last night, they refused. just as they have refused requests over the past year. this is not something else they thought was appropriate. they simply refuse. i do not say this lightly. i believe they may be obstructing this committee's work. we have suggest the committee holds an interview given the history of noncompliance. i believe this may be one of the oldest ways -- only ways to obtain the information we are seeking. i have been pressing to
2:29 am
investigate ways to better protect information that belongs to the american people. financial records medical records, credit card information, social security numbers, and a host of other information they want to keep secure. i have advice from one of the top experts in private business and government. these experts warned we could not rely on primarily on keeping the attackers out. we need to operate with the assumption there are already attackers inside. last was penetrated in a cyber attack. according to fire eye, one of the company's my staff spoke with the average amount of
2:30 am
time a hacker remains undetect second-degree more than 200 days. that is a lot of time. obviously we need strong firewalls to keep attackers out. data systems to minimize the impact of inevitable data breaches of the future. redax, encryption must become the norm rather than the exception. finally, we need to remember who the bad guys are here. they are not u.s. company or federal workers who are trying to keep our information safe. bad guys of foreign nations and other entities. according to law enforcement officials, north korea china,
2:31 am
russia and iran are the most advanced threats to this nation's cyber security. so as we move forward today, i wanted to caution everyone that as much as we want to learn about this attack, we have to do so in a responsible way. a lot of the information about the attack is classified. the last thing we want to do is give our enemies information or compromise active law enforcement investigation. we're having a classified meeting for members at 1:00 p.m. today which i encourage everyone to attend. as i close, mr. chairman, i want to thank you again for the bipartisan approach you have taken on this issue and i hope we can continue to investigate these and other breaches to identify common threats against our country in the best ways. with that, i yield back. rep. chaffetz: thank you i now
2:32 am
recognize myself for five minutes. miss archuleta, my question for you, how many federal workers were compromised? we have heard 4 million and 14 million. what is the right number? your microphone, please. ms. archuleta: during the course of the ongoing investigation into the cyber intrusion of o.p.m., the compromise, the current personnel records of former federal employees that we announced last week, that number is approximately 4.2 million. in addition in the investigation of that breach we discovered, as i mentioned in my testimony an additional o.p.m. system was compromised and these systems included information based on the background investigations of current, former and perspective federal government employees as well as other individuals. because different agencies feed into o.p.m.'s background investigation systems in different ways, we are working
2:33 am
with the agencies right now to determine how many of their employees were affected. we do not have that number at the time, but we will get back to you once we -- rep. chaffetz: what is your best estimate? is the 14 million number wrong or inaccurate? ms. archuleta: we do not have that number at this time, but we will get back to you once we -- rep. chaffetz: what is your best estimate? is the 14 million wrong or accurate? ms. archuleta: as i said before, we do not have an estimate. this is an ongoing investigation. rep. chaffetz: it has nothing to do with impeding an investigation. you should know what you have and what you don't. people have a right to know. employees have a right to know. how far back does this information go?
2:34 am
you don't know? does it include military personnel? ms. archuleta: as i said -- rep. chaffetz: this is a yes or no question. does it include militaryry personnel? ms. archuleta: like i said, i would be glad to discuss that in a classified setting. rep. chaffetz: there is nothing classified as to what information this includes does it include c.i.a. personnel? ms. archuleta: i would be glad to discuss that in a -- the individual who is have completed fs-86 and may be included in that and we can provide additional information in a classified setting. rep. chaffetz: why wasn't this information encrypted?
2:35 am
ms. archuleta: i'm look to my colleagues at d.h.s. for their response. chris paul: -- rep. chaffetz: i want to know from you. ms. archuleta: data information is valuable. rep. chaffetz: it is valuable. why wasn't it. ms. archuleta: our cyber security framework promotes encreppings as a key protection method. o.p.m. does utilize -- rep. chaffetz: we didn't z ask you to come read statements. i want to know why you didn't encrypt the information. ms. archuleta: an adversary can often decrypt data. it is not feasible to implement on network s that aretoo old. the limitations on encryptions
2:36 am
is why o.p.m. is taking other steps such as limited administrators. rep. chaffetz: ok. it didn't work. so you failed. you failed utterly and totally. the inspector general recommended the o.p.m. shut down information systems and you chose not to. why? ms. archuleta: i appreciate the record by i.g. rep. chaffetz: he had a very serious recommendation to shut down the system. that is how bad it was and you said no. ms. archuleta: i would like to turn that over to my -- rep. chaffetz: no, i would like you to answer that question. we recommend that the o.p.m. director consider shutting it down. your response was -- the response back to the office of -- from the office of chief
2:37 am
information officer, the i.t. program manager also work with the issos to ensure that systems maintain current -- basically you said no. the inspector general was right. your systems were vulnerable. the data was not encrypted. it could be compromised. they were right last year. they recommended so bad that you shut it down and you didn't. and i want to know why. ms. archuleta: there are many responsibilities we have with our data. and to shut down the system, we need to consider all of the responsibilities we have with the use of our systems. rep. chaffetz: you made a conscious decision knowing it was vulnerable, all of a these millions of records for federal employees was out there and the inspector general
2:38 am
pointed out the vulnerability and you said no, we're not making a change. ms. archuleta: as the director of o.p.m. i have to take into consideration all of the work that we must do. it was my decision that we would not but continue to develop the -- the system and making sure that we have the security within those systems. rep. chaffetz: and did you do that? you didn't, did you? that didn't happen, did it? ms. archuleta: the recommendation to close down our systems came after the adversaries were already in our network. rep. chaffetz: when did they get in the network? ms. archuleta: our security systems, we were able to detect this intrusion. rep. chaffetz: when did they get into the system? ms. archuleta: we detected the intrusion of april. rep. chaffetz: of? ms. archuleta: 2015. rep. chaffetz: how did you know in 2014 if they were -- you didn't know if they were in there, did you?
2:39 am
ms. archuleta: we did not have the security systems installed at that time. it was because we were able to add those security systems that we were able to detect. rep. chaffetz: you detected this system? it wasn't a software provider? you found it yourself? ms. archuleta: o.p.m. detected the intrusion. rep. chaffetz: so the "new york times" and others that wrote it were wrong? ms. archuleta: that is correct. rep. chaffetz: how many other people received letters? ms. archuleta: it is a rolling number as we worked from the first data notification january 8, we will complete it to 4.2 million by june 19, i'm sorry, i don't have the exact number as of today. i would be glad to get that information for you. rep. chaffetz: one last question with everybody's indulgence here. ms. archuleta, that was a data breach at o.p.m. in july of 2014. ok? this is what you said about your -- ms. seymour.
2:40 am
in december i was fortunate to bring donna seymour onboard. it is because of her leadership that we were able to make sure none of this personal, i departmentifyable information was compromised. this was july of 2014. you cited her in the data breach making sure none of the information got out the door. now that it has been hacked, are you going to give her that same amount of credit? ms. archuleta: i did give her that same amount of credit, sir. when i began my tenure as director of o.p.m., one of my first priorities was to develop an i.t. strategic plan and to develop the important pillar of cyber security within our systems. we have worked very hard since that time and as we update these legacy systems, it is important that we recognize
2:41 am
that there is a persistent and aggressive effort on the part of these actors not only to intrude in our system but systems throughout government and indeed in this the private sector. rep. chaffetz: you have completely and utterly failed at this mission if that was your objective. the inspector general has been warning about this since 2007. there has been breach after breach. he recommended shutting it down last year and you you made a conscious decision to not do that. you kept it open. i don't know if it is the chinese or the russians or everybody else but they have got it and they are going to prey on the american people. that is their goal and objective. you made a conscious decision to leave that information vulnerable. it was the wrong decision in direct continue democratic national convention what the inspector general said should happen and he had been warning about it for years. ms. archuleta: he acknowledges the fact that we have taken important steps in reforming our i.t. systems. advanced tools take time.
2:42 am
rep. chaffetz: so what kind of grade would you give yourself? succeeding or failing? ms. archuleta: i am -- i am -- cyber security problems take decades. rep. chaffetz: we don't have decades. they don't take decades. ms. archuleta: sorry. cyber security problems are decades in the making. the whole of government is responsible. it will take all of us to solve the issue and continue to work on them. my leadership in this particular -- with o.p.m. is one that instigated the improvements and changes that were recognized, that recognized the attack. rep. chaffetz: i yield back. i recognize mr. cummings for as much time as he wants. caller: thank you very much,
2:43 am
mr. chairman. ms. seymour, this information is disconcerting. i'm concerned that this breach may pose a national security threat. according to a statement from o.p.m., the personal information that approximately 4 million current and 4 million federal employees was compromised in this breach. what can you tell us about the type of personal information that was compromised in this breach? ms. seymour: thank you for the question, sir. the type of information involved in the personnel records breach includes typical information about job assignments, some performance ratings, not evaluations, but performance ratings as well as training records for our personnel. the information involved in the
2:44 am
background investigations incident involves sh-86 data as well as clearance abjude indication information. caller: so social security rep. cummings: so social security data? ms. seymour: yes. rep. cummings: do you know how far back that goes? ms. seymour: no, sir i don't. the issue is these are longitudinal records. they span an employee's career. i do not know what the oldest record is.
2:45 am
rep. cummings: so it is possible that somebody could be working for the federal government for 30 years and their information over that 30 years could have been breached? ms. seymour: yes, sir, these records do span an employee's career. rep. cummings: what can you tell me about the information that may have been compromised in the second breach? ms. seymour: i believe that would be better for our classified meeting later this afternoon, sir. rep. cummings: went after sensitive detailed information about federal employees. what could they do with this information? i'm talking to you. dr. ozment: i'm going to have to refer that to our intelligence committee who'll be participating in our classified meeting at 1:00. rep. cummings: using tools such as data segmentation, data
2:46 am
masking and encryption, the chairman asked about encryption. i know from past o.p.m. testimony before the committee, that o.p.m. has been a leader in deploying those tools. ms. seymour. it is kind of hard to see how cyber spies could have accessed more than 4 million records if you were using those tools to the fullest. and ms. archuleta has a lot of faith and confidence in you as the chairman just stated. can you explain what happened? ms. seymour: thank you, mr. cummings, for the question. a lot of our systems are aged and implementing some of these tools takes time and some of them we cannot even implement in our current environment. that is why under director archuleta's leadership, we have launched a new program where we
2:47 am
are building a new environment, a new architecture, a modern architecture that allows us to implement additional security features. we have in our legacy environment, we have installed numerous technologies. that is how we discovered this breach in the first place. we are shoring up what we have today and are building up for the future so we can become more secure and provide these types of protections to our data and systems. rep. cummings: in the meantime, we're going to collect and store personal information, we must make it unusable to oured a versares. would you agree? o.p.m. as well as american businesses do a better job of protecting sensitive information, would you agree, ma'am? ms. seymour: yes, sir. rep. cummings: do you have the
2:48 am
tools to do that? are you trying to tell us you don't? ms. seymour: o.p.m. has the tools for encreppings of its databases and we are in the process of applying those tools within our environment but there are some of our legacy systems that may not be capable of accepting those types of encryption in the environment that they exist in today and that is why it is important for us to focus very aggressively, very proactively on building out that new architecture so that in the future we will be able to implement those tools for all of our databases. rep. cummings: what are you talking about? three months? three years? ms. seymour: we began our program after the march 2014 incident. we worked very closely with our inner agency partners to devise a very aggressive and very comprehensive plan. we have been implementing that plan since then. we are delivering what we call our shell, which is the new
2:49 am
architecture. we are delivering that this fall and we will begin looking at our business systems application and how we can migrate those into the new architecture. rep. cummings: ms. seymour this is the question. with the data right now there are people whose data is out there. i'm talking about in the meantime, where are we? in other words, i know you're trying to do some things, but that doesn't make federal employees feel pretty good. it doesn't make me feel good. so tell me more. are you saying that we are just vulnerable and we don't know when we're going to be able to deploy the types of systems that you just talked about? ms. seymour: no, sir. we have done a number of things. rep. cummings: i'm not talking
2:50 am
about what you have done. i'm talking about what is going on today. ms. seymour: that is exactly what i'm offering, sir. we have implemented for remote access to our network. thaten means without a card or some other type of device, that our users cannot log into our network remotely. we have implemented additional firewalls in our network and we have tightened the settings of those firewalls. we have reduced the number of privileged users in our account and have further restricted the access privileges that those users have. we have made a number of other steps to increase the steps of our existing network. we began that last march and it has continued. we continue to test those systems and make sure they are working appropriately. rep. cummings: the office of
2:51 am
inspector general conducted an audit in 2014. the chairman was talking about this of o.p.m. and found several weaknesses. can you briefly identify what those weaknesses were that you found? >> yes, sir. the most critical weaknesses that we identified in our report from 2014 were the continued information security governance problems that have existed since 2007. the decentralization of the controls over systems. that, however, is an area that is certainly close to being improved to a full extent. another area of weaknesses were the security assessments and authorization, which is each system that o.p.m. owns should go under an assessment every three years and be authorized
2:52 am
for usage. we identified 11 systems at the end of 2014 that had not been authorized that were due to be authorized. the technical security controls was another big area that we identified. while o.p.m. has implemented a number of strong tools sand improving in that area, our concern is that some of those tools were not being used properly and that they do not have a complete and accurate inventory of databases and servers that those tools should be applied against. rep. cummings: so the chairman asked -- ms. archuleta a question of how she thought she had done. based on that, what grade would you give? >> i don't know that i can give a grade. rep. cummings: so -- of all the
2:53 am
things that you just stated, there were certain things that were not done. is that right? >> yes, sir. rep. cummings: did any of them lead to this breach? the things that were not done? >> i don't know the exact details of how this breach occurred so i really can't answer that question. certainly there is a lot of weaknesses at o.p.m. that are in the process of trying to address. rep. cummings: last, but not least do you have a silver bullet to address this issue, sir? >> no, sir, i do not. there is very sophisticated attackers out there and there is no one silver bullet. i think that that can be applied that will prevent these types of things from happening. rep. cummings: you heard me ask ms. seymour about the fact that we're collecting information and it seems as if we just are vulnerable. is that -- and there are certain areas that we may not
2:54 am
be able to defend ourselves in. is that an accurate statement? >> certainly there is a lot of things that can be done to make our systems more secure. is there something that can be done to make them inpenetratable? not that i'm aware of. >> thank you, mr. chairman. i appreciate the witnesses being here. this morning, we have certainly heard there is no silver bullets and i don't think we expected the answer to be yes, there is a silver bullet. we are concerned that knowing what has been going on, having clear evidence that hackers have been attempting for quite sometime and at least those of us here, who trust on agencies and people like yourselves who know the issues that some more
2:55 am
efforts could have been successful in stopping the most recent attacks, we have heard today that networks are not depart mentalized, segmented, in certain cases encrypted with the recent attacks, it the perimeter has been breached. the attacks often remain undetected for months. that is concerning. they are able to exploit vulnerabilities within the networks without passing through -- this is most concerning to me, additional inspector security measures. mr. scott, as i understand in the private sectors have have been shifts toward zero trust model. ultimate given o.p.m.'s role for metrics settings for agencies, can you tell us what o.p.m. is doing to set i.t.
2:56 am
security metrics to limit the number of workloads, application tiers to the networks? mr. scott: thank you for the question. i think there is a number of things that i would point to in addition to the measures that you just talked about. the first one is to share across the federal government, not only the lessons learned from o.p.m. but what we see from other attacks, whether successful or not. private and public and make sure that all agencies are up to speed with the latest information on the med of attacks, the tools that are used and so on. >> that is the weakness? mr. scott: it has been historically for the government and the private sector to share information for our ability to thwart these things.
2:57 am
the specific measure that you mentioned, the segmentation and zero trust is something that is more easily applied to very modern architectures. it is not as easily applied to some of the oldest and old legacy systems that we have. and i think that is going to be a challenge for all agencies where the architecture itself just doesn't lend itself to the application of certain technologies. the best answer i think in terms of what we have and where we go is a model that we're promoting and encouraging across the agencies which is defense in depth. it is a number of different measures so that if one thing doesn't work, you the next layer that helps stand that doesn't work you the next layer and zero trust is applicable in some of those environments and frankly is very difficult or impossible to
2:58 am
apply. >> how far are we from that? mr. scott: i would say years and years comprehensively. one of the things we're working on now is prioritizing based on the highest value assets that the federal government has so that we're going after the most valuable stuff first and make sure that is protected the best way we can. >> ms. seymour, with the millions of current and former federal employees, a lot of them in my district sign on to do the work we give to them. we appreciate the work. it is something we ask them to do. the federal jobs of the departmentes they work under have been asked to do. they don't expect their life to be compromised, their history to be compromised, their records to be compromised. when did o.p.m. begin to let the victims know of the risk and breach?
2:59 am
ms. seymour: thank you for your questions, sir. i too am a federal employee. and am concerned about this matter. we began identifying personnel on june 8 and will continue to make those notifications through june 19. that is for the personnel records security incident that we had. we have not yet been able to do the analysis to have data involved with the background investigations incident that is ongoing. as soon as we can narrow the data that is involved if that incident we will make appropriate notifications for that one as well. rep. chaffetz: i recognize the gentlewoman from new york. >> i want to thank the chairman and ranking member for calling this hearing and all of our panelists for your public
3:00 am
service. as one who represents the city that was attacked by 911, we lost thousands on that day and thousands more are still dying from health-related causes from that fateful day, but i consider this attack, i call it an attack on our country, a far more serious one to the national security of our country. and i would like to ask mr. ozment from homeland security, would you character size this as a large scale cyber spying effort? that's what it sounds like to me. what is it? dr. ozment: i think to speak to who were the this is a spying effort, we would have to talk to any understanding of who the adversaries were and what their intent was. >> you do believe it was a

10 Views

info Stream Only

Uploaded by TV Archive on