Cummings Releases Staff Memo on Cyber Attacks Against OPM
Evidence Shows Inadequate Requirements for Government Contractors
Washington, D.C. (Sept. 7, 2016)—Today, Rep. Elijah E. Cummings, Ranking Member of the House Committee on Oversight and Government Reform, released a Democratic staff memo with findings from the Committee’s investigation into the cyber attacks against the Office of Personnel Management (OPM). He released the memo on the same day as a Republican staff report on the same topic that suffers from key deficiencies.
“Today’s Republican staff report reaches conclusions that are contrary to the facts we found during our investigation,” Cummings said. “The Committee’s year-long investigation into the data breaches showed that no one from the Intelligence Community or anywhere else detected the presence of the attackers and that these cyber spies were caught only with cutting-edge tools that OPM had deployed.”
The Republican staff report fails to adequately address federal contractors and their role in federal cybersecurity. One of the most significant deficiencies uncovered during the Committee’s investigation was the finding that cyber requirements for government contractors are inadequate. The evidence obtained by the Committee demonstrates that:
- a “well-planned campaign” by a sophisticated adversary targeted both OPM and private sector contractors for the government;
- sensitive information about federal employees was stolen from both OPM and private sector companies performing services for the government;
- the OPM breach was achieved using credentials taken from one of OPM’s contractors, which disguised the attackers’ initial movements into and through OPM’s computer network; and
- contract requirements for sharing information with private sector companies that handle sensitive government data need strengthening.
The Republican staff report unfairly criticizes former Chief Information Officer Donna Seymour. Even before the Committee began its investigation, Chairman Chaffetz demanded Ms. Seymour’s resignation, and he called for her resignation on at least five occasions. The Republican staff report repeats assertions made by Chairman Chaffetz, but ignores specific evidence refuting them. Evidence obtained by the Committee found:
- OPM discovered the breach with tools deployed by Ms. Seymour, and claims that a private company conducting a product demonstration was responsible for discovering the intrusion are inaccurate.
- The specific justifications used by Chairman Chaffetz for demanding Ms. Seymour’s resignation were not supported by the evidence obtained by the Committee.