U.S. Office of Personnel Management Director Katherine Archuleta testifies Tuesday before the Senate Appropriations Committee concerning a recently revealed data breach affecting millions of federal employees' personal data. Credit: Jonathan Ernst/Reuters
The recently disclosed data breach at the U.S. government's Office of Personnel Management follows a long history of lax security at the agency, according to the inspector general's office.
In testimony before a joint House subcommittee hearing, Michael Esser, OPM's assistant inspector general for audits, told lawmakers that the agency's "long history of systemic failures to properly manage its IT infrastructure" may have invited a pair of related hacking incidents that compromised more than 21 million current and former government employees' personal information.
That figure was more than five times larger than the agency initially had estimated the scope of the breach was, which OPM says it first discovered in April.
Then late Friday word emerged that the embattled head of the agency was stepping down.
Esser says that OPM has made some improvements in its security posture, but at the same time he expresses frustration that many recommendations his office has made over the years -- some dating back to 2007 -- have essentially been ignored within the agency.
"We are pleased to see that the agency is taking steps to improve its IT security posture, but many challenges still lay ahead," Esser says.
OPM face budget and resource challenges in fight to improve IT security
Esser acknowledges that OPM, like virtually every other entity in the federal government, faces a challenging budget environment that limits the organization's ability to undertake major IT initiatives, but that's only part of the problem.
"Resources, I think, are always an issue, but are not the sole answer. Sometimes we feel that things that we report don't get the attention that they should get," Esser says.
Lawmakers noted that the CIO of OPM had been invited to testify, but declined owing to a scheduling conflict.
But the breach has reverberated throughout the organization, with Friday bringing the resignation of the agency's director, Katherine Archuleta.
"I think what the president thinks is that it's quite clear that new leadership, with a set of skills and experiences that are unique to the urgent challenges that OPM faces are badly needed," White House Press Secretary Josh Earnest told reporters on Friday. At the daily White House press briefing, Earnest explained that Archuleta offered her resignation "of her own volition," and he praised her for elevating cybersecurity as a priority within the agency.
"And it's precisely because of some of the reforms that she initiated, that this particular cyber breach was detected in the first place," Earnest said.
Sign up for CIO Asia eNewsletters.