As acting Office of Personnel Management Director Beth Cobert looks back on her time at the agency, she’s confident that OPM is a different place than it was before hackers accessed personally identifiable information for nearly 22 million people.
And Cobert says those current and former federal employees and contractors impacted by two major cyber breaches should feel more confident in OPM’s ability to protect their data.
“They absolutely should feel safer,” she said in an interview with Federal News Radio. “It is my data; I feel safer.”
Cobert stepped in to lead an agency in crisis, one that quickly had to assemble a new team to deal with a series of IT issues, notify millions of people that their data had been breached and offer credit monitoring and identity protection services.
But the rest of the agency — which also processes retirement claims, administers federal employees’ health benefits and makes decisions on governmentwide recruitment and retention policies — had to continue to function.
“One of the things I am most proud of, of that period in our tenure is how the parts of the agency that weren’t directly involved in cyber stepped up and kept going,” Cobert said. “That fall we rolled out self-plus one. That went off, [and] we got close to half a million people enrolled. We kept up the every six-week updates in improvements and functionality to USAJobs; that kept going. We kept answering and getting retirement things processed. The rest of the agency really stepped up because I was focusing on all things cyber with our inter-government partners.”
To respond, OPM restructured much of its front office. It created a chief management officer position to help fill the void of several vacancies at top leadership roles. OPM has been without a deputy director and chief operating officer for a few years.
Kathleen McGettigan now serves as the chief management officer and will lead the agency until President-elect Donald Trump names and the Senate confirms a new OPM director.
The agency also brought on several veteran and retired IT and cybersecurity leaders and temporarily “borrowed” their expertise.
“We’ve now built a lot of that into permanent positions where people are here,” Cobert said. “But it was really compelling to see how many people were willing to raise their hands and say, ‘I am willing to step up and help.'”
Cobert said she was particularly impressed by the response team that assembled twice a day in the weeks immediately following the breaches.
“I wanted to hear from everybody, from the most junior to the most senior, about what was happening, what was getting done, what were they worried about [and] how are we going to fix it,” she said. “You have to have that communication, and people had to be able to feel like they could raise their voice and say, ‘I think we have a problem.'”
Like any agency rocked by a major crisis or scandal that made the headlines and sparked major leadership changes, the public won’t be quick to forget about OPM’s cyber breaches, Cobert said.
“People are going to talk about it,” she said. “But that doesn’t mean we haven’t changed our reputation. Cyber is an issue that is central to every leadership team in every large or small organization today. I saw this transformation in my private sector experience. … Trying to have a board meeting to talk about cybersecurity in an organization … the eyes would glaze over. That was an IT problem. It wasn’t even a CIO problem, it was six layers down.”
But the agency is beginning to build back its credibility — not only with Congress, industry partners and other agencies but also with its own employees, Cobert said.
OPM is quick to point to its collaborations with the Homeland Security Department to implement continuous diagnostics and monitoring and other IT upgrades. The breach is also a major factor informing the agency’s collaboration with the Defense Department on a new background investigation review system for the National Background Investigations Bureau.
But OPM knows it has a lot of work left, particularly on its IT modernization project that has to yet to fully get off the ground. Cobert said the agency still needs more funding to support a new IT infrastructure.
“Cyber is going to be part of where we are for a long time,” she said. “It has fundamentally, appropriately, changed how we think about our systems. It has fundamentally changed how we think about our data. We know we need to move to a world where we are much more data intensive in how we think about managing human capital. That means we have to secure that data, protect that data, think about privacy. Those are lasting changes. I want those changes to stick. But I think we have defined ourselves by more than that since then, and that’s the difference. The difference is that we can now go out and speak. I can talk to folks like you and it’s not the first question I get asked every time. And when we go to the Hill, we’ve built credibility.
Federal leaders are also beginning to recognize that cybersecurity is a leadership management challenge, Cobert said.
“We are nowhere near done,” she said of the OPM and governmentwide effort to improve federal cybersecurity. “Frankly, we will not be ever in the course of my professional lifetime. This is a challenge that’s here for us all along.”