Jan 08 2016

House Committee Knocks OPM for Not Turning Over All Data Breach Documents

Lawmakers tussled with an OPM official about a contractor that claimed to have discovered the hack before OPM did.

House Republican lawmakers recently criticized the Office of Personnel Management (OPM) for failing to submit all of the relevant documents connected with the data breaches that struck the agency last year.

On Thursday during a House Oversight and Government Reform Committee hearing, lawmakers went back and forth with Jason Levine, director of OPM’s office of congressional, legislative and intergovernmental affairs. Levine and the committee members argued over whether OPM has given the committee full access to unredacted documents relating to the twin breaches that exposed the personal information of more than 20 million federal employees and others who were involved in background investigations.

Fighting Over a Contractor

The Hill reported that the lawmakers and Levine clashed over CyTech, a contractor that inspected OPM’s networks shortly before the agency disclosed the breaches.

The publication reports: “At the center of the argument is CyTech’s digital forensics tool, called CyFir, that was used during the inspection. Before the OPM gave the tool back to the company in August, the agency wiped the information that CyFir had gathered. Since then, House Oversight Committee Chairman Jason Chaffetz (R-Utah) has been seeking that data.”

CyTech has said it discovered the attacks when it scanned the agency’s systems in April, The Hill notes. However, OPM officials later said the agency itself discovered the breaches before CyTech was consulted.

According to NextGov, the committee does not think it has gotten all of the information it requested in letters sent July 24, 2015, and Aug. 18, 2015. The July letter asked about CyTech’s scan of OPM’s systems, and the August letter focused on the fact that the hackers had stolen manuals detailing OPM’s IT environment. The breach exposed “security documents and systems manuals that could be used by hackers to launch additional attacks on OPM’s network,” Chaffetz wrote in the August letter.

Additionally, Chaffetz wants access to those network security manuals and wants the Department of Homeland Security to provide the committee with a more detailed timeline of the breaches.

During the hearing, Chaffetz asked Levine whether the committee would get all of the data it is seeking, and Levine said OPM has tried to respond to every request for information.

“While we’ve provided answers,” Levine said, according to The Hill, “we do expect another set of documents coming, I would say this month, if not in the next couple weeks.”

Getting Access to Unredacted Information

Both Chaffetz and Rep. Michael Turner (R-Ohio) sent OPM a letter asking it to give the committee all documents and other communications related to CyTech’s investigation.

So far, the committee has received heavily redacted documents pertaining to CyTech’s work on OPM’s IT systems. CyTech has given the committee some of the documents, but OPM has not produced backups for all of them, Chaffetz said, according to The Hill.

“You better start explaining to us why CyTech is providing us documents that you aren’t providing to us, that you wrote, that you engaged in,” Chaffetz told Levine, The Hill reported.

According to NextGov, Levine said OPM has redacted some of the information in order to stop future hacks.

“As a result of the extreme and ongoing sensitivities of information related to OPM’s IT networks, servers and systems, redactions of sensitive system information were made so as not to provide a road map of vulnerabilities for potential adversaries and malicious actors,” Levine said.

Levine said OPM’s IT security professionals and interagency cyber experts recommended the redactions.

"Additional redactions were also made for reasons of longstanding executive branch confidentiality interests,” Levine said. He added that OPM made a "significant number” of sensitive, unredacted documents available for private review in its liaison office in a House building.

"At the committee’s request, and after further consultation with OPM IT security professionals and other federal agencies, a number of these documents subsequently have been produced to the committee,” Levine added.

