Archuleta Resigns as OPM Director

Beth Cobert, Top OMB Official, Named Temporary OPM Chief

A day after the Office of Personnel Management confirmed that security breaches exposed to hackers the personal information of more than 22 million individuals, Katherine Archuleta has resigned as director of the agency.

Federal Chief Performance Officer Beth Cobert, who also serves as deputy director of the Office of Management and Budget, will temporarily take over as OPM director.

Archuleta had resisted calls for her resignation, mostly from lawmakers, for the past month since revealing the first of two security breaches that exposed the personally identifiable information of 4.2 million federal government workers and retirees. On July 9, OPM confirmed that a second breach of a system used to vet security clearances exposed the Social Security numbers and other personal information of 21.5 million individuals, including many of those who were also affected by the first breach (see OPM's 2nd Breach: 21.5 Million Victims). She submitted her resignation to the president on July 10, and it was accepted. "I conveyed to the president that I believe it is best for me to step aside and allow new leadership that will enable the agency to move beyond the current challenges and allow the employees at OPM to continue their important work," Archuleta said in a statement.

One of the more persistent legislators calling for Archuleta's resignation has been Rep. Jason Chaffetz, R-Utah, who chairs the House Oversight and Government Reform Committee, which has oversight over OPM. "This is the absolute right call," Chaffetz said. "OPM needs a competent, technically savvy leader to manage the biggest cybersecurity crisis in this nation's history. The IG has been warning about security lapses at OPM for almost a decade. This should have been addressed much, much sooner, but I appreciate the president doing what's best now. In the future, positions of this magnitude should be awarded on merit and not out of patronage to political operatives."

White House Reacts

White House Press Secretary Josh Earnest credited Archuleta for beginning a process of upgrading cybersecurity at OPM. "It's precisely because of some of the reforms that she initiated, that this particular cyber-breach was detected in the first place," Earnest said. "But given the urgent and significant challenges that are facing OPM right now, a new manager with a specialized set of skills and experiences is needed."

Earnest said Cobert "conveniently enough" offers the skills and experience needed to address the IT security challenges OPM faces. Prior to joining the administration, Cobert spent three decades as a management expert at the management consultancy McKinsey. "She had experience working with a wide variety of public, private and even non-profit entities to make significant progress and improvements and enhance the broad deployment of new technology," Earnest said.

Still, Earnest cautioned that the IT security problems OPM confronts will not be fixed immediately. "It's clear there are some significant challenges," he said. "Despite the intense focus and expertise that's being leveraged to address the situation, I don't expect this is a situation that's going to be resolved next week or next month. These are some longer-term challenges that are going to require a sustained focus."

Weighing 'Proportionate' Response

As a new leader assumes the top post at OPM, the government is taking other steps to react to the twin OPM breaches.

Department of Homeland Security Director Jeh Johnson said this week that the government was weighing a "proportionate" response, while FBI Director James Comey suggested that the government might bring charges against the hackers, believed to have ties to the Chinese government.

"We are continuing to look at all the different ways and all the different tools that we have to respond," White House cybersecurity coordinator Michael Daniel said during a July 9 press briefing.

Chinese government officials, however, have dismissed any suggestion that China was involved in the OPM breach. "We hope relevant parties of the U.S. side can stop making unfounded and hypothetical accusations and work constructively with China to address cybersecurity issues," Zhu Haiquan, spokesman for the Chinese Embassy in Washington, said July 9, The Wall Street Journal reports.

OPM officially announced July 9 that hackers appeared to have stolen every background-investigation form - SF86, SF85 and SF85P - filed with the U.S. government since 2000, if not before. That breach affects at least 19.7 million people who applied for a background investigation, plus 1.8 million non-applicants, predominantly including applicants' "spouses or co-habitants." Every one of their Social Security numbers was stolen, as were about 1.1 million of their fingerprints.

That theft is "separate but related" to the December 2014 hack attack that OPM first discovered in April, which the agency says exposed personnel data for 4.2 million individuals. Many, but not all, of those people were also victims of the background-investigation hack attack, OPM says.

Identity Theft Worries

For victims, OPM says it will offer three years of prepaid identity theft monitoring services via a third-party firm.

But that move downplays the potential long-term fallout for OPM breach victims, whose sensitive personal information - included on background-check investigations - has been exposed. Victims also face lifelong fraud concerns because their Social Security numbers were stolen. The U.S. government will replace Social Security numbers for free in the event that they get lost or stolen. But the Federal Trade Commission notes that many government agencies and others will still keep a record of the prior number, meaning it is nearly impossible to make a fresh start.

Such concerns are at the heart of two lawsuits that have been filed by federal employees' unions against OPM and its directors, seeking court-ordered information security improvements at the agency, as well as greater breach transparency.

The second such lawsuit, filed July 8 by the National Treasury Employees Union, which represents 150,000 employees, also demands that OPM provide free lifetime identity theft monitoring for victims.

OPM officials, however, have dismissed criticism that their response to the breach - and related notifications to victims - have been slow or incomplete. "Throughout this investigation, OPM has been committed to providing information in a timely, transparent and accurate manner," according to a July 9 statement issued by the agency.

In the numerous hearings Congress has held following OPM's June 4 breach announcement, however, few lawmakers have asked if Congress might be culpable for fostering the information security situation that Archuleta inherited in November 2013.

"OPM has known about these vulnerabilities for years, but failed to address them," Michael Esser, OPM's assistant inspector general for audits, recently told the House Committee on Space, Science and Technology. Indeed, since 2009, OPM's inspector general has been issuing increasingly dire warnings over the state of the agency's information security posture (see Analysis: Why the OPM Breach Is So Bad).

Those reports get submitted to both OPM's leadership and Congress.

Criticism After e-QIP Security Upgrades

Congress also appears to have missed its cues after OPM suspended its Web-based Electronic Questionnaires for Investigations Processing, or e-QIP, online background-check application filing system June 30. Archuleta characterized the move as being a "proactive, temporary suspension" to fix vulnerabilities in the system that attackers could exploit (see OPM Suspends Background Check System).

Multiple lawmakers, instead of lauding OPM's move to patch vulnerable systems and safeguard employees' information, criticized OPM for taking e-QIP offline. "With the e-QIP system now reportedly down for at least four to six weeks, it will cause significant disruption to the process through which information is submitted to allow OPM to process security clearances," senators Warner and Tim Kaine, D-Va., wrote in a letter to Archuleta.

But their letter begs this question: Do they want a background-check system that is secure, or an insecure system that attackers could exploit to steal yet more data? Then again, some security experts, including Europol cybersecurity advisor Alan Woodward, have characterized OPM's e-QIP overhaul as being too little, too late.

Indeed, OPM auditor Esser said the shutdown was not a proactive move, but rather a delayed response to security flaws that had first been identified in September 2012, and which had been scheduled to be fixed by September 2013. That would have been two months before Archuleta began her tenure at OPM.

About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
