Katherine Archuleta’s out, but OPM’s problems run deep
When the number of Americans hit by the Office of Personnel Management’ data breaches reached 22 million, Katherine Archuleta finally gave her growing chorus of critics what they wanted on Friday: She let it be someone else’s problem.
But Archuleta’s resignation as OPM director accomplished little, both her detractors and supporters agree, beyond quieting the calls for her ouster.
For the Obama administration, all the daunting tasks remain: figure out who infiltrated all those personnel records and how to respond to the worst government cyber-attack in U.S. history; protect the federal employees and job applicants whose deeply personal information has been exposed; and shore up woefully outdated computer systems to make sure it doesn’t happen again. And now, a new item: find a qualified replacement who’s up for running the Senate confirmation gauntlet in exchange for just a year or so to make a dent in the decades-old security problem.
Federal employees see it getting worse before it gets better.
“There’s going to be sort of a learning curve, I think, not only on this cyberattack issue but also on all the other programs that OPM delivers,” National Federation of Federal Employees President William Dougan said in an interview, saying the end of Archuleta’s 20-month tenure leaves federal employees in a “critical state of uncertainty.”
While many Republicans – and some Democrats – cheered Archuleta’s departure, Senate Majority Leader Mitch McConnell skipped the praise.
“The Obama administration needs to take this opportunity to articulate a credible plan of action,” the Kentucky Republican said in a statement. “That means showing a resolve to get to the bottom of what happened, that means giving the American people renewed confidence in a creaking bureaucracy, and that means pledging to work with policymakers to enact real reforms rather than accepting failure.”
The White House, which stood by Archuleta even after the jarring scope of two separate cyberattacks on government personnel records became clear late Thursday, said she resigned “of her own volition.”
“She recognizes, as the White House does, that the urgent challenges currently facing the Office of Personnel Management require a manager with a specialized set of skills and experiences,” press secretary Josh Earnest said Friday.
Beth Cobert, Archuleta’s interim replacement, is set to start Saturday.
Earnest said President Barack Obama chose Cobert because her skills are “unique to the urgent challenges that OPM faces.” The chief performance officer and deputy director for management at the White House Office of Management and Budget, Cobert spent 30 years at McKinsey, a leading management consulting firm, where she worked on personnel management issues before spearheading efforts to improve federal information technology functions at OMB in 2013. That’s in contrast to Archuleta’s background as a former Denver schoolteacher who served as political director for Obama’s 2012 reelection campaign and has held a series of Democratic political appointments in Colorado and Washington, D.C.
But government workers, lawmakers and cybersecurity experts agreed that change at the top won’t be enough.
“It is unreasonable to place the sole burden of blame for the data breach on the shoulders of Director Archuleta, who has served for less than 2 years,” Senior Executives Association President Carol Bonosaro said in a statement. “The OPM data breaches were years in the making, with many warning signs, and now all federal agencies, the administration, and Congress must come together to address the serious vulnerabilities of the government’s IT systems to ensure the protection of data, including employees’ personal information.”
Archuleta and her defenders have said that despite her limited technology background, she made upgrading the office’s computer systems a priority and recruited an expert from the Defense Department to oversee the effort. But Archuleta’s handling of congressional hearings on the data breaches damaged her standing on the Hill, even among some Democrats.
Perhaps most of all, Archuleta was a political appointee at an agency typically run by political appointees — but at a time when OPM’s computers had become a huge security risk for the United States.
The stolen data threaten to put a huge, perhaps irreparable dent into U.S. security efforts, both by exposing the United States’ own intelligence personnel and by enabling China — the prime suspect in the cyber-attacks — to recruit or pressure federal employees into spying against America. Among a wealth of deeply personal data, the hackers stole background check information on nearly everyone who applied for or obtained a federal government job over the past 15 years.
FBI Director James Comey told reporters this week that the data represent “a treasure trove of information about everybody that’s worked for, tried to work for or works for the United States government” — including himself.
Criticism of Archuleta mounted last month after she deflected blame for the data breaches during a House Oversight and Government Reform Committee hearing in June, saying decades of neglecting government security systems was at fault.
She also said she’d made upgrading OPM’s security a priority, noting that she recruited agency Chief Information Officer Donna Seymour from the Defense Department early in her tenure. In fact, the administration has contended, Seymour’s upgrades to the system led to the discovery of the attacks. Seymour has also faced calls for her resignation, though she is apparently staying at the agency.
OPM has been been under the spotlight for the past month as evidence of the scale of the computer hacks grew. Republican critics denounced Archuleta as unsuited for the job of running such an agency with such vital responsibilities across the federal government. Some also question the qualifications of the office itself, which has faced criticism from auditors for failing to secure its computer networks.
OPM has long been viewed as a second-tier agency in the federal bureaucracy, often overseen by a politically connected ally of the White House. But on the continuum of past OPM directors, from politically connected allies of the president to chiefs with extensive government experience, Archuleta was “probably in the middle,” Bonosaro said in an interview. At the time of Archuleta’s appointment in May 2013, media coverage consistently noted that the administration was under pressure to appoint more Hispanic officials.
OPM shouldn’t be in charge of all that data in the first place, said Rep. Ted Lieu of California, one of the first Democrats to call for Archuleta’s resignation. “OPM was never designed to be an intelligence or national security agency,” he said in a statement. “We should not be trying to fit a square into a round hole.”
When news broke in June of the first recent breach of OPM’s database, which stole Social Security numbers and other information on 4.2 million current and former government employees, federal officials told POLITICO that the attack had been traced to computers in China — although some said they were unsure whether the perpetrators were spies or just criminals. But weeks passed and the stolen data – worth tens of millions of dollars on the black market – did not turn up for sale in cybercrime forums, making U.S. counter-intelligence specialists even more convinced that the hack was an audacious coup by Chinese intelligence. Earlier this month, Director of National Intelligence James Clapper said publicly for the first time that the Chinese were the “leading suspects.”
In mid-June, the administration acknowledged the second big hack of OPM, which vacuumed up data on 21.5 million people, including the 127-page disclosure forms that people fill out when applying for security clearances. Those forms include deeply personal information such as applicants’ mental health histories, past drug use and names of any foreign nationals they’re close to.
The second hack also swept up the fingerprints of 1.1 million Americans.
Both attacks had gone on for quite a while before being detected. The larger of the two hacks began in May 2014 and was discovered this spring.
Those weren’t even the first breaches at OPM, which was penetrated in March 2014 in a hack that didn’t result in the loss of personally identifiable information — or the first signs of trouble with the office’s computer operations.
Since 2007, the OPM’s inspector general has issued a series of increasingly urgent reports detailing flaws with the agency’s adherence to federal information security standards. The most recent report, in 2014, even advised OPM to shut down nearly a dozen of its computer systems because they lacked proper documentation of their security measures. Archuleta told lawmakers last month that she rejected those recommendations, fearing the harm to federal employees and retirees if the office shut down the systems that generated their benefit checks.
Despite those troubles, Archuleta had been popular with the bureaucratic rank and file, and federal employees’ unions praised her open-door approach.
“Firing one individual solves nothing,” J. David Cox Sr., national president of the American Federation of Government Employees, said in a statement. “Congress should recognize that preventing future breaches requires funding. Budget austerity has consequences, and we’re seeing one of them right now.”
Former George W. Bush administration technology overseer Karen Evans said the personnel office’s problems go beyond any one director, and that a new chief would face a host of structural and cultural obstacles to making a quick turnaround. Drawn-out budget and acquisition processes, plus a mentality of keeping development in-house, customarily exact a three- to five-year lag to achieve results after a new project starts, said Evans, who had the role but not the title of federal chief information officer during the Bush era.
“The traditional way that [agency staff] would like to do things may not necessarily be able to respond as quickly as you need to,” Evans said.
But going fast can also get agency officials into trouble. Agency auditors have criticized OPM for starting a $100 million modernization project without jumping through a number of budget and planning hoops. That project , begun after the March 2014 hack, aimed to construct a safer and more up-to-date IT environment for the agency.
Still, critics of Obama-era IT policies say technology problems have grown worse under the administration. One federal IT official, speaking on condition of anonymity because he’s not authorized to talk with the media, said the administration has eschewed the hard and tedious work of improving its cyber-infrastructure in favor of flashy websites and putting data sets online.
For past OPM directors, security and IT chops have never been part of the job requirements. Instead, the role has been more a conduit between the federal bureaucracy and the White House, more about human capital than hardware.
Archuleta did have one fire to put out after being confirmed in November 2013: cut down a swollen, decades-old backlog of retirement claims. The backlog has decreased incrementally during her tenure, though recent months have shown new growth or very modest reductions.