Pressure is mounting for Office of Personnel Management Director Katherine Archuleta to resign.
A growing number of lawmakers say it’s time for new leadership at OPM in the wake of a massive data breach that could impact as many as 14 million current and former federal employees, and now congressional staff and even contractors.
“It is time that Director Archuleta step down and be replaced with someone prepared to immediately address cybersecurity vulnerabilities at the agency,” said Rep. Mark Meadows (R-N.C.), chairman of the Oversight and Government Reform Committee’s Subcommittee on Government Operations, in a statement. “OPM officials were well aware of the vulnerabilities within the agency’s IT security systems, yet failed to address them. Under Director Archuleta’s leadership, OPM disregarded an inspector general’s recommendations to improve its cybersecurity infrastructure, and now millions of federal workers, including military officials, are having to pay the price for the Director’s unwillingness to address the issue.”
Meadows joins full committee chairman Jason Chaffetz (R-Utah) and Rep. Ted Lieu (D-Calif.) in calling for Archuleta to leave her position.
Rep. Jim Langevin (D-R.I.), also joined the chorus of lawmakers who want Archuleta out.
“While I appreciate that Ms. Archuleta inherited a difficult situation, her first budget request continued to reflect the status quo even as the OIG’s warnings continued. In testimony yesterday before the House Committee on Oversight and Government Reform, she refused to acknowledge the errors OPM has made or to apologize to the millions of affected Americans. I am fully aware that cybersecurity is a problem that cannot be solved, but merely managed,” he said in a statement. “However, we must not allow leaders in government or the private sector to use this as an excuse for operating without a risk-based cyber strategy. I have seen no evidence Ms. Archuleta understands this central principle of cyber governance, and I am deeply concerned by her refusal to acknowledge her culpability in the breach. I therefore believe that Ms. Archuleta should tender her resignation immediately. I would hope that other agency directors are paying close attention to this incident and taking the opportunity to quickly and thoroughly reexamine their own cyber risks.”
And one more lawmaker, Rep. Barbara Comstock (R-Va.), wrote to Archuleta asking for a private briefing on the cyber breach.
Comstock, who represents thousands of federal employees, said she is also one of the 4 million current and retired feds who received a letter from the credit monitoring service, CSID.
“I would also like to know how many of my constituents in Virginia’s 10th Congressional District are affected by this latest breach,” Comstock wrote. “Identity theft, especially by a potential foreign entity, is a very serious national security issue that touches many of my constituents’ lives.”
Part of the reason for the increase in calls for Archuleta to resign is congressional staff members now are part of the 4 million receiving offer letters for credit monitoring services.
Ed Cassidy, the House chief administrative officer, wrote an email to employees alerting them they also are impacted.
“It now appears likely that the service records of current House employees employed previously by ANY federal government entity (including the House, if an individual left the House and later returned to a House position) may have been compromised. In addition, the background investigation files of individuals holding security clearances (whether currently active or not) may have been exposed,” Cassidy wrote in the email. “Although OPM remains the definitive source for information on the breach, we are continuing to monitor this situation closely and will provide updates as further details become available.”
Just as the pressure is growing, White House Press Secretary Josh Earnest said Archuleta has the support of the President.
“[T]he reason that this cyber intrusion was detected is because OPM was in the final stages of adding important security upgrades to their computer network. There has been some discussion about this Office of Inspector General report identifying some weaknesses in the OPM computer network. That report was issued after OPM was already in the midst of upgrading their cyber defenses. And the IG report identified 11 elements of the network that were particularly vulnerable. The work had already been started to upgrade the protections for those networks prior to the issuing of the Inspector General report. And OPM announced — or at least indicated yesterday in the hearing that that work had been completed and that those vulnerabilities had been addressed,” Earnest said. “And I think that is an indication that OPM, under the leadership of Director Archuleta, recognizes that this does need to be a priority and that there is significant and important work that needs to be done to make sure that they’re fulfilling their responsibility to protect the data of federal workers.”
While Congress and the White House spar over Archuleta’s tenure, another employee association is asking for the government to give impacted employees lifetime credit monitoring services.
The National Active and Retired Federal Employees Association (NARFE) wrote a letter to Archuleta asking for more protections for current and former federal employees.
“[I]n light of the magnitude of the records breached, the nature of the information compromised, and the potential for a lifetime of identity theft and fraud, that OPM offer free credit monitoring services for the lifetime of anyone affected and that you authorize an increase in the amount of identity theft insurance provided (in specific circumstances, unlimited coverage may be required),” wrote Richard Thissen, NARFE’s national president. “It may be years before the information taken is used by criminals, and it is only fair to provide continued financial protection for the many victims who spent a lifelong career in federal service.”
The National Treasury Employees Union also wrote to Archuleta on June 15 asking for an in-person briefing as soon as possible to receive an update on the breach investigation.
“Many NTEU members do not possess high-level security clearance, but rather undergo suitability determinations and provide Standard Form 85 as they are in positions designated as public trust or critical non-sensitive,” wrote Colleen Kelley, NTEU president. “OPM’s statements do not currently address whether these individuals have been affected by this latest breach, and I ask that you provide immediate confirmation of exactly what type of information was hacked and who is at risk. Additionally if family members and acquaintances, whose information typically must be provided as part of a background investigation, have also been affected, these individuals must also be notified and provided with credit and identity theft protection services.”