The Office of Personnel Management, or OPM, refused to encrypt the personal data of millions of Americans, telling lawmakers security is the top priority while failing to implement much of anything recommended by its own inspector general.
“Verbally, [security] was a high priority but as a matter of fact it was not,” said Rep Mark Meadows, R-N.C., chairman of the House Oversight and Government Subcommittee on Government Operations.
“We see for eighteen months, everything else was a priority. They just didn’t have time to get to it or they said they were working on it. Yet it was priority number one. Well, we find that priority number one was a whole lot of other issues with regards to this director,” said Meadows.
In June, the House Oversight and Government Reform Committee heard testimony from OPM officials and others following reports that the data of 4.2 million Americans had been compromised. More recent reports put the number at 22 million, triggering the resignation of OPM Director Katherine Archuleta.
Meadows is pleased to see Archuleta step down. He says her performance before the committee last month proves she was not up to protecting sensitive data from America’s cyber enemies.
“In the hearing they said security is priority number one. Yet, what we found was over and over again, each and every thing that was recommended didn’t get done, as if somehow there was a firewall that would not allow…Chinese hackers to come in but to stay in there for days at a time,” he said.
The biggest jaw-dropper in the June testimony was that sensitive data was virtually unguarded.
“The director and her chief information officer failed to take even the basic precautions of encryption. You and I would know to do that. You would think that someone who was charged with protecting the personal information of federal workers would just [do] the basics,” said Meadows.
He says Archuleta and Chief Information Officer Donna Seymour offered multiple reasons for the lack of encryption.
“One of the reasons why it supposedly wasn’t encrypted was because the programming language was so old that it couldn’t be encrypted,” said Meadows. “Then it went further to say it was such a large volume of information that they just didn’t have time.”
Meadows says millions of Americans are now at great risk of having their personal information “sold or conveyed” to identity thieves. However, he says the danger to our country is even more sobering.
“You’ve got a real espionage issue here, where you’ve got people with top-secret security clearance that have background information that are now in the hands of a foreign entity,” said Meadows.
He added, “The privacy of individuals is one thing, but the national security of a nation is another. To not take the basic precautions as you would with any offensive threat from a foreign government is troubling.”
According to Meadows, just changing the director at OPM is not enough. He recommends three areas of focus that he refers to as “buckets,” starting with the resignation of Seymour. Next is a major focus on updating and strengthening encryption.
“We need to make sure that all private information is encrypted, and that includes not only Social Security numbers but other personal identifiers as well,” he said, while also highlighting the critical role the private sector can play in protecting out data.
“Get the private sector involved in the type of security clearance and encryption and cyber attack defenses that they use. Google does a great job of that in the private sector. We need to get some of those private sector solutions,” said Meadows.
In addition to the OPM story breaking in June, Meadows himself was in the headlines for several days after full Oversight and Government Reform Committee Chairman Jason Chaffetz, R-Utah, removed Meadows as chairman of the subcommittee on government operations at the behest of GOP leadership. Meadows was punished for voting against various procedural motions on the House floor. After fierce protest from House conservatives, Chaffetz restored Meadows to his previous role.
Meadows says he and Chaffetz work together very well and their ability to dig into issues like OPM is not at all hampered by the politics that played out in recent weeks.
“My vote was more one that was challenged by leadership. Chairman Chaffetz doesn’t see that as a direct attack towards him, nor I his removal of me as a direct attack on me. Hopefully, in the end, we have our priorities, both of us, on the American taxpayer. That’s where it needs to be,” said Meadows.
And right now, he says, that focus needs to be protecting American information and assets from those who wish to do us harm.
“We can’t continue to turn a blind eye to the kind of attacks that we have. Anybody that has any kind of connectivity with the World Wide Web has an issue with this. So we need to be vigilant each and every day. There are folks out there that are wanting to take this and use this for their benefit and our detriment,” said Meadows.