Office of Personnel Management Director Katherine Archuleta said she is not stepping down following the massive breach of personnel and background investigation information at her agency — even as lawmakers are clearly frustrated with the situation and are calling for her to resign.
"I am committed to the work that I am doing at OPM," Archuleta said on a conference call with reporters after the agency announced Thursday that 22.1 million current, former and prospective federal employees and contractors were affected by two recent data breaches, including members of Congress. Following the news, more calls came for Archuleta's resignation, including from top GOP leaders such as Speaker John A. Boehner, R-Ohio; House Majority Leader Kevin McCarthy, R-Calif.; House Majority Whip Steve Scalise, R-La.; and Senate Armed Services Chairman John McCain, R-Ariz.
Though the agency released the long-awaited information on the scope of the cyber-hacks, officials remained mum on who was behind the incidents, though media reports have linked the breaches to China.
Officials declined to comment on the nature or identity of the actor who penetrated the systems and stole the information. But Andy Ozment, the assistant secretary of the Office of Cybersecurity and Communications at the Department of Homeland Security, indicated the two separate breaches — one of personnel information and the other of background investigation information — were related.
"It was the same actor moving in different networks, at least that is what the investigation right now indicates," Ozment said. Ozment also said the actor penetrated the networks “via a compromised credential, username and password, of a contractor."
According to Ozment, the breaches were discovered in April 2015, though the actor had access to the networks for several months before it was discovered. In the first breach of personnel information, the actor was on OPM networks from May 2014 through April 2014, and was very active from June 2014 to January 2015. For the second breach, involving background investigation information housed at the Interior Department, Ozment said the actor was on the network from October 2014 through April 2015.
The information was met with a backlash on Capitol Hill. House Intelligence ranking member Adam B. Schiff, D-Calif., released a statement alleging the agency was not forthcoming its its congressional briefings.
“I do not believe OPM was fully candid in its original briefing to the Committee and omitted key information about two distinct hacks and the breadth of the potential compromise," Schiff said. "To the degree OPM has not been fully forthcoming with Congress or has sought to blame others for a lack of its own inadequate security, OPM has not inspired confidence in its ability to safeguard our networks and most sensitive databases.”
"[T]his unprecedented hack was over six times what we were initially told," Senate Homeland Security and Governmental Affairs Chairman Ron Johnson, R-Wis, said in a statement. "Today's announcement shows not only that cybersecurity on federal agency networks has been grossly inadequate but that the management of the OPM is not up to the task of fixing the problem."
Sen. Barbara A. Mikulski, the ranking member on the Appropriations Committee, blasted the OPM for having "a new story with new facts" about the breadth of the data breach, calling it "outrageous."
"As a Senator from Maryland, which is home to more than 300,000 federal employees and retirees, I demand answers and assurances for them. And I demand a far more robust action plan for their protection," Mikulski said. "I am calling on the President to provide federal employees, retirees and their families affected by OPM's data breach with lifetime credit-monitoring services and identity-theft protection as well as unlimited liability protection for related damages."
Mikulski and her colleagues from Maryland, Virginia and the District of Columbia announced they would be introducing the RECOVER Act, which stands for the Reducing the Effects of the Cyberattack on OPM Victims Emergency Response Act of 2015, which includes lifetime identity theft coverage and no less than $5 million of identity theft insurance.
See photos, follies, HOH Hits and Misses and more at Roll Call's new video site. Get breaking news alerts and more from Roll Call in your inbox or on your iPhone.