The nominee to head the hacked Office of Personnel Management says she is working with Congress to answer the question of whether a vendor discovered an OPM network breach during a product demonstration, contrary to her predecessor's testimony that the agency detected the hack.
The night before Acting OPM Director Beth Cobert testified at a Thursday Senate confirmation hearing, the House oversight committee subpoenaed her to deliver documents relating to the compromise that exposed records on 21.5 million U.S. national security employees and their relatives.
Since June 2015, when the suspected Chinese espionage act was disclosed, OPM has maintained that agency employees uncovered the intrusion last spring while fortifying the agency's IT environment.
Republican lawmakers contend that, after sending a July 24, 2015 information request, the panel has still not received copies of OPM files about the contractor, CyTech.
Nominee Cobert told the Senate Homeland Security and Governmental Affairs Committee at her confirmation hearing she looked at the subpoena, but has not had time to thoroughly review it.
When questioned about her knowledge of the contents, Cobert said, "I do know that we have had an ongoing discussion with the House oversight committee around a range of documents related to the breach, including information about CyTech."
Committee Chairman Sen. Ron Johnson, R-Wis., said the issue the House needs to tease out is then-OPM Director Katherine Archuleta's June 2015 testimony that "it was OPM’s new technology that discovered the breach when it sounds like in fact it was really this demonstration project that determined it."
CyTech, a Virginia-based firm, said last summer that on April 21, 2015, sales reps were invited to demonstrate a tool called CyFIR for the agency.
“Using our endpoint vulnerability assessment methodology, CyFIR quickly identified a set of unknown processes running," CyTech CEO Ben Cotton said in a statement in June. "This information was immediately provided to the OPM security staff and was ultimately revealed to be malware."
The company said it does not know if OPM was already aware of this suspicious activity. Archuleta, in her June congressional testimony, insisted OPM detected the breach on an unspecified April 2015 date.
The heart of the mystery the House panel is trying to solve with the missing documents is who actually spotted the compromise, said Johnson, who noted he had conferred with his House counterparts.
Cobert, who took office in July 2015 after Archuleta resigned in the wake of mounting criticism about her role in the crisis, said, "We have been working with them to get them the information to resolve that question.”
Johnson and other GOP committee members expressed unease with the tussle for evidence from OPM.
At a Jan. 7 Oversight and Government Reform Committee hearing, Chairman Rep. Jason Chaffetz, R-Utah, grilled OPM officials about hundreds of redacted papers received and months of delay in delivering many files. Other outstanding items include a list of individuals whose usernames and last four Social Security number digits were compromised during an earlier phase of the multiyear cyberspy campaign.
"It is troubling that the House oversight committee was forced to resort to a subpoena," Johnson said. "From my standpoint, that’s something I am going to do as a very last resort."
Sen. James Lankford, R-Okla., sought assurances that the Senate committee would not run into similar resistance from OPM if Cobert is confirmed.
In a Feb. 2 letter, Sen. David Vitter, R-La., who does not sit on the panel, threatened to halt Cobert's nomination unless OPM answers written questions relating to Obamacare.
"I’m trying to figure out" the reason that "it took a subpoena to say, let’s help push this," Lankford said of the House’s unfulfilled document requests. "I would hope when we talk about going through the process here on the nomination that we can have the commitment" to providing files.
"If confirmed, you have my commitment and we will continue to work with you," Cobert said.