A Democratic senator wants to know what the federal government did to prepare for the massive hack of federal employee information this year.
Sen. Ron Wyden, D-Ore., also took aim at cybersecurity legislation that he has said would violate privacy without preventing future attacks.
Wyden sent a letter on Wednesday to the National Counterintelligence and Security Center, which is responsible for protecting the federal government against cyberattacks. He asked why the agency failed to prevent an April intrusion that resulted in the theft of the names, birth dates, addresses and Social Security numbers of 4.2 million current federal employees from the Office of Personnel Management database, and a subsequent June incident that resulted in the theft of the same information from 21.5 million current, former and prospective federal employees and their relatives and associates.
“There appear to have been significant warning signals regarding the security of OPM’s networks,” Wyden wrote in the letter addressed to NCSC Director William Evanina. “The fact that such sensitive information was not adequately protected raises real questions about how well the government can protect personnel information in the future.”
Wyden also posed three questions to the agency. He asked whether the NCSC identified the OPM’s database as a vulnerability; whether it made any recommendations to the OPM on securing the database; and asked why OPM had stored information on individuals as far back as 1985.
In a statement accompanying the letter, Wyden noted that the Senate had postponed a vote on a bill known as the Cyber Information Security Act, which would make it harder to sue private companies for sharing their customers’ information with the government without customer consent. Wyden has called it a “surveillance bill by another name.”
Proponents say the bill would help prevent future cyberattacks. But in his statement, Wyden called it “severely flawed legislation” that “would not have prevented the OPM data breach.”
“Cybersecurity experts and the Department of Homeland Security agree,” Wyden wrote.
This year, Wyden said, “CISA does little to stop hackers” and “lacks any real privacy protections.”
“In what world is this real cybersecurity?” he asked.
Others have been vocal in advocating for the legislation. Sen. John McCain, R-Ariz., called it “a shameful day in the United States Senate” when senators voted to stall the bill in August. “This is disgraceful, and I tell my colleagues on the other side of the aisle: By blocking this legislation, you’re putting this nation in danger.”
The Senate is expected to take the issue up again in September.
