Personnel chief's resignation doesn't address prevention of more data breaches

The head of the federal personnel office quit Friday in the wake of a massive data breach said to affect 25 million people, leaving behind major questions about the government's ability to urgently address massive vulnerabilities in the trove of data it controls.

The resignation of the chief of the Office of Personnel Management, Katherine Archuleta, came a day after officials acknowledged that the data breach was much more widespread than had been previously acknowledged, and amid growing bipartisan calls from lawmakers for her to step aside.

But the loss of Archuleta, tapped by President Obama to run the agency after she served as a top aide in his reelection campaign, was viewed as little more than a politically expedient step that left unresolved a much bigger question: how the government can upgrade cybersecurity systems to prevent intrusions.

The issue has national security implications — U.S. officials have said they suspect China is behind the hack — and raises the question of how the government can continue to carry out its functions in an increasingly digital world.

“The resignation or firing of one figure at OPM isn't even one drop in the sea of how big a problem this is,” said Sen. Ben Sasse (R-Neb.).

In two related attacks that began last year, hackers broke into the personnel office and Interior Department systems to steal 21 million Social Security numbers, mostly from people who'd applied for background checks — which includes anyone who does or has worked for the federal government, as well as contractors and job applicants — and personal data from an additional 4 million people.

The stolen data included addresses, family members' names, health and financial data and criminal histories.

Foreign governments could use that kind of information — who's in debt or who's keeping secrets from employers or loved ones, for example — to recruit spies in the federal government, security experts say.

The weaknesses that allowed the attack to go undetected for months are probably not unique to OPM. Inspectors general at 23 of 24 federal agencies cited “information security” as a significant problem in 2014, according to a report released this week by the Government Accountability Office.

“You often see vulnerabilities like this are not isolated to one bureaucracy but are present in other parts of the government as well,” said Rep. Adam B. Schiff of Burbank, the ranking Democrat on the House Intelligence Committee.

The report also highlighted growing threats facing federal agencies. The number of information security incidents increased 12-fold from 2006 to 2014.

“The White House needs to admit we have huge vulnerabilities to cyberattack and we don't have a national long-term strategy,” Sasse said.

Robert Knacke, former director for cybersecurity policy at the National Security Council, blamed what he called 20 years of under-investment in cybersecurity, cautioning that Archuleta's resignation would do little to fix the problem.

“You don't expect the head of a federal agency to be the one defending the network. That's not their jobs,” Knacke said. “If Congress wanted to blame somebody, my view is they should look at themselves and the funding they've provided for cybersecurity and [information technology] modernization.”

White House Press Secretary Josh Earnest said that the president did not request Archuleta's resignation, but that she recognized the agency required “a manager of a specialized set of skills and experiences.” Her previous experience was mostly in the political realm.

Beth Cobert, a deputy director at the White House Office of Management and Budget, will take over as acting director of the personnel office.

Following the hack, experts and lawmakers have scrambled to propose new ideas to safeguard data and prevent further attacks.

Two House members are working on a bill that would move security clearance processes from the personnel office to an agency with stronger cybersecurity safeguards.

The federal government needs to rethink the organizational structures and amount of control given to those attempting to increase cybersecurity, said Samuel Visner, senior vice president and cybersecurity expert at technology company ICF International and adjunct instructor at Georgetown University.

“Cybersecurity is always the second priority,” said James Andrew Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “An agency gets a budget and they want to spend it on things that's going to let them carry out their mission.”

Archuleta's resignation “put agency heads on notice that they need to make sure they have their house in order, that they'll be held accountable if they don't, and that whatever assumptions we hold about the security of our systems need to be questioned and questioned again,” Schiff said.

Copyright © 2016, Los Angeles Times


6:44 p.m.: Updated with changes throughout.

10:28 a.m.: This article was updated with comment from Schiff.

10:03 a.m.: This article was updated with details on Archuleta's resignation and background on the hacks.

This article was originally published at 9:50 a.m.