Millions of government employee records apparently stolen by Chinese hackers were not encrypted, and software designed to block known computer breaches has not been installed to protect most of the files, officials said Tuesday.
The latest disclosure came as officials continue to investigate two devastating hacks into the files of the Office of Personnel Management, the federal government's human resources agency. The cyberattacks have exposed how vulnerable and outdated are many of the computer systems that the federal government uses to store details collected for job applications, security clearances and other needs.
Intelligence officials are concerned that Chinese intelligence services or others could use the sensitive information, which can include medical histories and other personal details, to blackmail or otherwise recruit spies in the U.S. government and to design carefully tailored emails to infect computers of federal workers with access to secret files.
Chinese officials deny being behind the incursion.
During a contentious congressional hearing about the massive digital theft of personnel files, lawmakers ripped into the officials in charge of securing the networks.
"You failed. You failed utterly and totally," Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, told the officials.
The agency's inspector general had recommended last year that security on the databases be upgraded. The warning followed a hack discovered in 2014. But the agency didn't move quickly enough, lawmakers said.
Many electronic files that hold Social Security numbers, health carrier information and other details about the personal lives of officials and government contractors are so antiquated that federal computer experts are unable to encrypt the files at all, said Donna Seymour, the top technology officer for the Office of Personnel Management.
"Some legacy systems may not be capable of being encrypted," Seymour told lawmakers, who expressed bafflement and frustration at the lack of progress to improve the outmoded systems.
If sensitive records were scrambled and locked, hackers would not be able to read the data even if they could get the files out of federal servers, security experts note. But some of the electronic files are more than 20 years old and are stored in outdated systems, Seymour said
"These problems are two decades in the making," she said.
The intrusion into personnel files was discovered in April. Computer forensics experts found that hackers had been in the databases for months. They are believed to have copied private information belonging to 4.2 million current and former federal employees and government contractors.
During a second cyberattack, which was discovered by looking for computer activity similar to the earlier breach, the intruders accessed the detailed background forms filled out by millions of intelligence, military and other federal workers who have applied for security clearances. Those forms were stored on shared servers maintained by the Department of Interior.
The security clearance application requires potential hires to list any mental health issues, criminal convictions, drug use and the names and addresses of relatives overseas. Intelligence officials fear that China or another authoritarian government will use the information to blackmail American officials or pressure foreign relatives of U.S. government workers with access to classified files.
Despite the sensitivity of the data held by the Office of Personnel Management, the agency was not using the most up-to-date monitoring software that many other federal agencies use to automatically block known vulnerabilities in the computer systems.
That so-called perimeter system, called EINSTEIN 3A, is managed by the Department of Homeland Security and covers nearly half of the computers used by civilian personnel at 13 federal agencies. But the system is not in place at the Office of Personnel Management or 51 other agencies. The National Security Agency is responsible for protecting intelligence and military servers.
The security breaches follow a "long history of failing" by the personnel agency to update its information technology infrastructure, said Michael Esser, the agency's assistant inspector general of audits. For many years, Esser said, agency staff in charge of computer security had no technology background. Also, the agency has never disciplined managers for failing to pass multiple cyber-security audits, he said.
Rep. Ted Lieu (D-Torrance) called for the resignation of the top leaders overseeing the systems that were breached.
"I'm looking here today for a few good people to step forward, accept responsibility and resign for the good of the nation," Lieu said.