Office of Personnel Management Director Katherine Archuleta on Tuesday refused to take the blame for a massive data breach that will affect more than 4 million current and former federal workers, and instead insisted that the entire government is at fault.
Archuleta appeared before the House Oversight and Government Reform Committee, and was asked by Chairman Jason Chaffetz, R-Utah, how she thinks she’s doing in the area of cybersecurity after OPM announced it was hacked.
“What kind of grade would you give yourself? Are you succeeding or failing?” Chaffetz asked.
“I am, I am, uh… Cybersecurity problems take decades,” Archuleta answered, apparently misreading part of her prepared testimony.
“We don’t have decades!” Chaffetz bellowed. “They don’t take decades.”
“Cybersecurity problems take decades in the making,” Archuleta then said, reading the line correctly. “Whole of government is responsible, and it will take all of us to solve the issue and continue to work on them.”
Archuleta made that broad claim even though an official from the OPM’s inspector general’s office said OPM had been told for years that it was failing to adequately protect its IT systems from hackers. That official said OPM “has a history of struggling to comply” with these mandated security rules.
RELATED: Massive data breach followed ‘long history’ of failed IT systems at OPM
Chaffetz had no patience for Archuleta’s attempt to shift blame, and said given these warnings since 2007, OPM itself is the entity that messed up.
“You have completely and utterly failed in that mission if that was your objective,” he said of Archuleta’s stated goal of trying to protect employee information. “The inspector general has been warning about this since 2007. There has been breach after breach.”
The inspector general also warned OPM to shut down some systems that hadn’t passed security tests. Chaffetz said Archuleta, who has only been in her position for 18 months, agreed to keep those systems running, and said the blame lies with her.
“You made a conscious decision to leave that information vulnerable,” he said. “It was the wrong decision, it was in direct contradiction to what the inspector general said should happen.”
OPM has said about 4 million people were affected by the first breach, which exposed personal information from current and former federal workers. But during the hearing, Archuleta said the number is a little bigger than that.
“That number is approximately 4.2 million,” she said.
