Chaffetz demands mysteriously deleted OPM breach data

House Oversight and Government Reform Committee digging into a small business tool that may have played a role in uncovering the OPM breach.

Oversight and Government Reform Chairman Jason Chaffetz wants OPM to explain its handling of a CyTech Services incident response tool.

CyTech Services, the service-disabled veteran-owned small business that may have helped detect the Office of Personnel Management breach, is back on the congressional radar.

The House Oversight and Government Reform Committee has given OPM a Sept. 23 deadline to explain why it abruptly returned, and deleted information from, a CyTech appliance it had held onto for months.

In a letter to OPM Acting Director Beth Cobert, Chairman Jason Chaffetz (R-Utah) said that CyTech, while demonstrating its high-speed incident response tool CyFIR on April 21, had turned up evidence of “malicious code” on OPM’s networks.

OPM has denied that CyTech’s tool was responsible for discovering the breach.

CyTech has publicly affirmed that CyFIR turned up malicious code, but CyTech’s president noted that he could not say whether OPM already knew of the threat before CyFIR’s revelation.

OPM never provided FCW with an exact date of breach discovery to contradict reports that CyTech had discovered the breach, but in a timeline obtained by FCW last month, federal investigators reported that OPM officials learned of their problem on April 15 – six days prior to CyTech’s demo – when the agency discovered "anomalous SSL traffic with [a] decryption tool" that had been implemented in December 2014.

CyTech representatives said the company supported OPM’s breach response until May 1, but OPM held onto the CyFIR appliance for months afterward.

On Aug. 20, one day after committee staff asked where the CyFIR appliance was, OPM returned it to CyTech, Chaffetz’s letter said. CyTech reported that it appeared the device’s data storage drive had been deleted on Aug. 17.

“The deletion or loss of that data – intentional or otherwise – would damage the Committee’s effort to determine how and why OPM’s networks were infiltrated,” Chaffetz wrote.

Sources familiar with the situation said CyFIR’s storage capacity was 16TB.

Chaffetz demanded that OPM provide his committee with all the data that was on the CyFIR appliance by the close of business on Sept. 23.

“OPM has received the committee's letter and is working to respond in a timely manner,” said OPM spokesman Sam Schumach.

CyTech leadership declined to speak about the issue on the record.