OPM Cybersecurity Hearing Devolves into Russia Hacking Squabble

A House oversight committee hearing focused on shoring up the cybersecurity of federal employee information devolved Thursday for more than 10 minutes into a partisan battle over Russian meddling in the 2016 election.

Chairman Jason Chaffetz, R-Utah, and ranking member Elijah Cummings, D-Md., frequently spoke over each other during the squabble, offering yet another sign the election season hacks and the legislative response to them could overshadow other cybersecurity priorities.

During the dispute, Rep. Stephen Lynch, D-Mass., repeatedly urged the oversight committee to launch its own investigation into the election season hacks that wreaked havoc on Democratic nominee Hillary Clinton’s campaign while Chaffetz responded only the House Intelligence Committee is equipped to launch a full investigation.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Meanwhile, Cummings pushed his bill to form an independent 9/11-style commission to investigate the Russian government-backed breaches at the Democratic National Committee, the Democratic Congressional Campaign Committee and the Clinton campaign, and Chaffetz declared one or the other of the Democrats “out of order” at least seven times.  

Witnesses, including acting Office of Personnel Management Director Kathleen McGettigan and retiring Defense Department Chief Information Officer Terry Halvorsen, remained silent throughout the dispute.

Senate Intelligence Committee Chairman Richard Burr, R-N.C., and ranking member Mark Warner, D-Va., have agreed to launch a formal investigation into the Russian hacks, while House Intelligence Chairman Devin Nunes, R-Calif., has pledged only to investigate the breaches as a normal part of the committee’s oversight activity.

House Intelligence ranking member Adam Schiff, D-Calif., has joined Cummings and other Democrats pushing for a broader investigation.

The fact that Nunes served on President Donald Trump’s transition team could cause some observers to question that committee’s findings, Cummings argued during Thursday’s hearing, a point that caused additional conflict between the chairman and ranking member.

Chaffetz accused Cummings of questioning Nunes’ integrity and Cummings accused Chaffetz of putting words in his mouth.

“I’m not questioning the integrity of Mr. Nunes,” Cummings said, adding, “when people look at the report and they see someone on the transition team for Mr. Trump, then it becomes questionable.”

A spokesman for Nunes declined to comment on the dispute.

It would make little sense for the oversight committee to investigate the election season breaches, Chaffetz insisted, because the committee is ill-equipped to investigate either the attacker or the breach victims.

On the attackers’ side, the committee cannot investigate without delving into sources and methods U.S. intelligence agencies used to gather information about the Russian hackers—typically, the domain of the Intelligence Committee working in a closed session.

On the victims’ side, he said, it would be inappropriate for a congressional oversight committee to investigate an independent political party.

In the case of the OPM breach, he said, “we could look at those that were breached and how inept their systems were and how bad it was set up and how the inspector general was warning of these things.”

He later added, “If you want me to start issuing subpoenas on the DCCC, I’m probably not going to do it, but go ahead and request it.”

Cummings and Lynch both insisted the oversight committee could begin an investigation looking only at documents that are unclassified and already public, such as January reports from intelligence agencies and the Homeland Security Department describing the breaches and the larger Russian influence operation during the campaign.

“The idea that Russia could come in and interfere with our elections, all of us should be going berserk,” Cummings said.

Witnesses reported during the hearing that:

• All OPM systems now require dual-factor authentication for access.
• Only one OPM database containing federal employee Social Security numbers and other sensitive data remains unencrypted. That database is scheduled to be upgraded to encrypted status next month.
• OPM is in the midst of a small pilot focused on examining precisely how to integrate public social media posts into the current background check systems.