Efforts to fix cybersecurity problems at the U.S. Office of Personnel Management (OPM) may be doomed because the agency is moving too quickly and ignoring some best practices, an auditor said Thursday.
Even before two recently disclosed breaches at OPM, Agency Director Katherine Archuleta pushed to improve cybersecurity at the agency, which still runs several mainframe systems.
But a "massive" agency-wide effort to update decades-old systems is not following proper IT project management procedures, including a cost-benefit analysis, and the agency does not have a firm estimate on the cost of the project, said Patrick McFarland, OPM's inspector general.
OPM has not factored in the cost of migrating its old data into a new IT system when preparing budget estimates, and it doesn't have a dedicated funding stream for the transition, McFarland told the Senate Homeland Security Committee Thursday.
"It may sound counterintuitive, but OPM must slow down and not continue to barrel forward with this project," he said. "The agency must take the time to get it right the first time."
The recent breaches at OPM show that the government and the agency's leaders aren't serious about cybersecurity, some lawmakers said.
Breaches of OPM's government employee personnel files and its security clearance database raise questions about whether Archuleta, appointed to the job 18 months ago, should stay, two Republican members of the committee said.
The breach of OPM's security clearance database may be the largest and most damaging breach ever for the U.S. government, said Senator Ron Johnson, a Wisconsin Republican. "It is hard to overstate the seriousness of this breach," he said. "It has put people's lives and our nation at risk."
Johnson and Senator John McCain, an Arizona Republican, both questioned the commitment of the Obama administration to protect the government against cyberattacks. With years of cybersecurity warnings from its inspector general, "OPM has become a case study in the consequences of inadequate action and neglect," Johnson said.
McCain questioned why Archuleta has given conflicting statements about whether she or other OPM officials are responsible for the breach.
"You are responsible," he said. "I wonder whether you think you should stay in your present position?"
OPM is moving forward on aggressive IT updates, Archuleta said. "I have been working hard from day one to correct decades of neglect," she said. "We've taken great strides."
McCain pressed Archuleta to confirm press reports that 18 million people may be affected by the two breaches. Archuleta declined to give senators a number, saying the security clearance breach is still being investigated. About 4.2 million employees were affected in the separate personnel file breach, but the number affected by the security clearance breach could be even larger than the press reports suggest, she said.