The Pentagon is preparing to undertake a full-scale security assessment of the previously hacked and patched-over IT systems currently used to store background investigation files.
Defense Department Chief Information Officer Terry Halvorsen told a House committee today the security scan is the first step in a process being led by DOD to build an entirely new system to store and protect security clearance documents.
The Obama administration announced last month its plan to transfer the responsibility for storing the sensitive files out of the hands of the Office of Personnel Management, which last year revealed it had fallen victim to a sustained hacking campaign purportedly by Chinese cyberspies.
The responsibility for conducting background checks will remain within OPM in the form of a new National Background Investigations Bureau.
Lawmakers applauded the move to put DOD in charge of IT security but are less enthused about the creation of the new OPM bureau over fears of a “convoluted” organizational chart and lack of accountability.
Who’s ultimately responsible for the security of the IT systems, lawmakers asked.
"In the end, DOD is in charge of the technical decisions,” Halvorsen said. He stressed that DOD had been working collaboratively with OPM since the breach was first identified last spring, but added: "In the end, I report to the secretary of defense ... And I assure you, I don't expect any problems to come up. If they do, I'll take them directly to the secretary of defense."
Aiming to dispel the idea of any power struggles, acting OPM Director Beth Cobert said her agency would cede to DOD when it comes to decisions around IT security.
“We want to rely on their expertise,” she said. “They have the national security expertise, the cybersecurity expertise around these issues.”
Halvorsen said the DOD-built systems would be up and running in an initial capacity by October, although full operational capability would take well into 2017.
But given the long history of overbudget, lumbering federal IT upgrades, lawmakers are worried that may be too rosy a projection.
"I just think that that's happy talk, with all due respect,” said Rep. Stephen Lynch, D-Mass. "That's just dream world stuff. We've had terrible, terrible problems with just getting basic information up and running. We're still doing stuff manually.”
Rep. John Mica, R-Fla., went even further, telling the panel of government officials: “I think we're headed for another disaster... Building this system, it is designed to fail.”
The upcoming security assessment will help DOD come up with some “near-term” steps to help better defend the current OPM-run system as Defense planners begin the build-out of the new system, Halvorsen said.
“The department's objective, of course is to replace the current background investigation information system with a new, more reliable, flexible and secure system,” he testified.
The National Security Agency will assist with the on-site inspection, which is expected to begin in the next 60 days.
All told, DOD expects to spend about $95 million to design and build the first phase of the new system.
When asked by Rep. Gerry Connolly, D-Va., if the new system would deploy the most advanced version of EINSTEIN, a governmentwide anti-hacking protection, Halvorsen suggested the security protections would be stronger.
“This is a field that changes rapidly,” he testified. “There will not be a single system that does this but an integrated layer of systems.”
The Pentagon’s IT arm, the Defense Information Systems Agency, is tasked with developing and deploying the new system. Once it’s up and running, DISA -- along with U.S. Cyber Command -- will be responsible for operating and defending it.