Some OPM contractors may have handed "foreign governments direct access to data long before the recent reported breaches," according to Rep. Lamar Smith, R-Texas.
The House Science, Space and Technology Committee is questioning whether foreign nationals may have had direct access to sensitive Office of Personnel Management data before a historic OPM hack attack was disclosed last summer.
The agency recently told federal auditors that nation state-sponsored cyberattacks are the gravest and most common threat to its IT security.
"In other words, an agency that identifies foreign nations as the source of the most serious and frequently occurring threat either failed to realize that foreign nationals had access to its database, or knew it and failed to correct the situation,” committee Chairman Rep. Lamar Smith, R-Texas, said in a July 19 letter to the administration.
Last July, OPM announced adversaries had copied national security background checks and personnel records containing 21.5 million people's Social Security numbers and other private data. Security researchers and U.S. intelligence officials have said the theft likely was a Chinese spy operation.
Smith has requested documents and information pertaining to foreigners' potential access to OPM data.
He says that, reportedly, some OPM contractors may have handed "foreign governments direct access to data long before the recent reported breaches."
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Allegedly, an administrator for a project was in Argentina, while his co-worker was physically located in China, Smith says. Both individuals had sweeping "root" access to every row of data in every database, he continues.
Separately, there were reports that two employees with passports from China led a team working on the database, Smith says.
The backdrop for the lawmaker’s inquiry is a Government Accountability Office report released in June that found OPM and other agencies that run "high-impact" systems, which, if disrupted, could cause catastrophic harm, still do not always use effective access controls.
The most severe and most frequent avenues of attack against high-impact systems were through email, the web, or an employee's improper use of technology, the auditors said.
Smith is directly asking the administration whether OPM or any OPM contractor ever allowed foreign nationals entry into systems that would provide access to sensitive data or personal information. He also wants to know how many foreigners work for OPM and its contractors, as well as the extent of their access to that agency's IT systems.
During the GAO review, auditors reported pushback from OPM staff on some recommendations made at the time, Smith notes. OPM said it ensures vendor-operated systems are secure through "contractor oversight," but GAO said each agency is responsible for seeing to it that those systems are secure.
"It is OPM's responsibility to ensure that all contractors have in place the appropriate security controls to protect its information and information systems," Smith says.
In response to an earlier draft of the report, OPM argued the auditors did not supply the agency with enough details to cross-check the weaknesses categorized as "boundary protection" and "authorization” vulnerabilities.
The agency also contended GAO did not fully describe the nature of the vulnerabilities until a week before a response to the draft was due May 2. GAO said, to the contrary, it was back on March 9 the auditors briefed OPM on technical findings. Last month, OPM officials told Nextgov they continue to dispute the final audit report.
"While OPM and GAO are in agreement on most of their recommendations, we continue to disagree with GAO’s security control assessments recommendation as written because it does not address the issues identified within the technical assessment, and suggests another cause for which no analysis was conducted and/or provided to OPM for review,” OPM spokesman Sam Schumach told Nextgov in an email in June.
Smith sent letters to OPM and the White House Office of Management and Budget, which promulgates policies for federal agency IT security.
On Tuesday afternoon, Schumach said in an email to Nextgov, "OPM will be responding to the congressional inquiry in a timely fashion."
NEXT STORY: VA Gets New CISO from NASA