Is OPM Breach Just Tip of Iceberg?Returning Congress Delves into Federal Cyberdefense
As federal lawmakers return this week from their Independence Day recess, Congress picks up where it left off before the break: holding hearings on the Office of Personnel Management breach that exposed the personal records of millions of government employees and retirees.
On Wednesday, two subcommittees of the House Science, Space and Technology Committee - one on Oversight and the other Research and Technology - will hold a joint hearing titled: Is the OPM Data Breach the Tip of the Iceberg? Expect the answer from witnesses to be yes.
One of the experts scheduled to testify is Gregory Wilshusen, the Government Accountability Office's director of information security issues, who told me a few weeks ago (see Ramping Up Agency Security, Yet Again): "Systems and networks are so complicated and large - and given the priority or their resources - it's sometimes a challenge for agencies to keep up with it."
Gregory Wilshusen analyzes threats facing federal government agencies.
Joining him at the witness table will be OPM Assistant Inspector General for Audits Michael Esser, who - like Wilshusen - testified at earlier hearings, and Charles Romine, director of the National Institute of Standards and Technology's Information Technology Laboratory, in his first congressional testimony on the OPM breach.
Don't expect any of the witnesses to call for the resignations of OPM Director Katherine Archuleta and CIO Donna Seymour for not taking sufficient steps to prevent the breach, as did some lawmakers in the last round of hearings. With these witnesses, the hearing could provide a valued lesson to lawmakers about why the federal government faces challenges in mounting a solid cyberdefense.
Hits Close to Home
Still, for some lawmakers, the OPM breach hits close to home. Research and Technology Subcommittee Chairwoman Barbara Comstock, a Republican whose Virginia district sits across the Potomac River from Washington, represents thousands of federal employees whose personal information was likely hacked, and they're obviously very upset, which makes her upset. "The trust between our federal employees, our citizens and their government's capability to thwart an attack is without a doubt damaged," Comstock wrote in a letter to Archuleta on June 17. "Serious security measures to avoid these lapses need to be crafted and put in place in advance of the next attack."
Let's hope this hearing, and future ones to come, don't turn into a blame game. Federal officials must be held accountable, but it's more important for Congress to gain a clear understanding how these breaches occur and can be mitigated. As Comstock says, the government must craft and implement better cyberdefenses. Congress must provide the government the support - monetarily and legislatively - to do just that.