By now, it’s clear that hackers — believed to be tied to the Chinese government – stole files from the Office of Personnel Management that amount to a giant “how to blackmail anyone in the federal government” manual. This was America’s “cyber 9/11,” exposing an administration full of true believers in the expansion of government who can’t handle the most basic tasks of secret-keeping.
How does a government failure so consequential — a foreign power accessing 18 million confidential records, including the intimate personal details of federal workers’ infidelity, drug abuse, and personal debts uncovered during the background-check process for security clearances — happen?
For many Obama critics on and off the Hill, the answer lies in a troubling pattern of incompetent management from Obama appointees selected more for their political loyalty than for their expertise, skill, or leadership abilities.
Before becoming the head of OPM, Katherine Archuleta had no background in the kind of work the agency does. Archuleta, a lawyer and former Clinton administration official, was national political director for President Obama’s reelection campaign. She served as the chief of staff to Secretary of Labor Hilda Solís, and was the City of Denver’s lead planner for the 2008 Democratic National Convention. Like the president, she has roots in “community organizing”: She co-founded the Latina Initiative, a Colorado organization aimed at getting more Hispanic voters involved in politics. (In 2011, the Latina Initiative suspended its operations, citing insufficient funding.) Nothing in this record suggests any expertise in the vitally important human resources and record-keeping functions OPM is supposed to serve.
Before the hack, Archuleta’s primary goals at OPM appeared to be increasing the diversity of the federal workforce and implementing Obamacare’s changes to federal workers’ health-insurance options.
Her July 2013 confirmation hearing was brief and relatively controversy-free. Senator Mark Udall, (D., Colo.), introduced her and declared, “she has an impressive range of accomplishments that make her completely, totally well-qualified to be director of OPM.”
Archuleta mentioned her determination to “build on OPM’s health care experience” including “implementing its provisions of the Affordable Care Act.” She did say she would “prioritize the improvement of the agency’s Information Technology systems” and pledge to create the position of Chief Technology Officer, but that came in the context of a discussion on OPM’s difficulty in moving to a digital system for handling retirement services for federal workers. The topic of cyber security only came up during a brief discussion of whether OPM had sufficiently skilled personnel in that area.
She was confirmed 62 to 35, but most of the Republicans who voted ‘no’ said their objection was not with Archuleta herself but with the Office of Personnel Management deciding that members of Congress were not, in fact, required to enroll in the exchanges under Obamacare — an interpretation most Republicans saw as an unfair exemption that was contrary to the law’s text.
Upon her arrival in the post, she was touted by the Obama administration as “the first Latina Director” of OPM. The White House website declared, “Katherine shares President Obama’s vision for diversity and inclusion in the federal workforce” and added, “OPM has recognized and acknowledged the underrepresentation of Hispanics in the federal work force, and the potential and talent they have to offer.” Information technology and cyber-security were not mentioned.
“The complex and important work of government requires a diverse and inclusive workforce that is representative of the many important perspectives, talents, and backgrounds of our great nation,” Archuleta declared upon taking her post. “I am committed to building a diverse and inclusive workforce to serve the American people.”
While Archuleta, the administration, and its allies were busy hailing a new era of diversity in the federal government, OPM’s apparently long-standing cybersecurity vulnerabilities remained unattended. Slate has noted that OPM knew as early as 2013 that “sensitive data was not secured” and “security measures were not even tested to make sure they worked.” Worse yet, the agency “was unsure even of how to fix these problems,” and hadn’t fixed them as recently as this past April, years after the system had been repeatedly breached.
When news broke of the first of those breaches, in early 2014, Archuleta went so far as to insist in public that there was nothing that needed fixing.
In March 2014, OPM became aware of a partially successful Chinese hack into its systems. On July 9, 2014, the New York Times reported that “Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials, targeting the files on tens of thousands of employees who have applied for top-secret security clearances.” Officials quoted in the story said the hackers gained access to some of OPM’s databases before federal authorities detected the threat and blocked them.
Archuleta was quick to downplay the breach, declaring in a July 21, 2014 interview with Washington’s ABC affiliate that, “We did not have a breach in security. There was no information that was lost. We were confident as we worked through this that we would be able to protect the data.”
This was America’s “cyber 9/11,” exposing an administration full of true believers in the expansion of government who can’t handle the most basic tasks of secret-keeping.
Even now, as the full extent of OPM’s security failures is slowly beginning to come into public focus, Archuleta has barely backed off that stance. She repeatedly told the House Oversight and Government Reform Committee two weeks ago that she couldn’t say if any non-personnel information was lost in the 2014 hack.
Her answers under oath in front of the Oversight Committee two weeks ago left Republicans and even some Democrats convinced she either knows exceptionally little about the state of her agency’s cyber-security or she’s comfortable lying about it, insisting that breaches aren’t really breaches and that obviously insecure systems are secure.
Representative Ted Lieu of California, a Democrat on the Oversight Committee, told Archuleta and her staff he was looking for “a few good people to step forward, take responsibility and resign for the good of the nation.” So far, he’s found no takers.
“Since 2007, the OPM Inspector General has continuously pointed out serious deficiencies in OPM’s cybersecurity posture. OPM’s response has been glacial,” wrote Rhode Island Democrat Jim Langevin, a member of the House Committee on Homeland Security’s cyber-security subcommittee, in a statement calling on Archuleta to resign. “While I appreciate that Ms. Archuleta inherited a difficult situation, her first budget request continued to reflect the status quo even as the OIG’s warnings continued.”
Langevin said cyber-threats can’t be solved, only managed, but admonished Archuleta for treating the difficulty of that task as an excuse for not developing “a risk-based cyber strategy.” He concluded, “I have seen no evidence Ms. Archuleta understands this central principle of cyber governance, and I am deeply concerned by her refusal to acknowledge her culpability in the breach.”
Jason Chaffetz (R., Utah), the chairman of the Oversight Committee who, like Langevin, has called on Archuleta to resign, was more heated in his criticism. “[The breaches were] not dealt with, and you were misleading, and went on television and told all the federal employees, don’t worry, no information was lost,” he told Archuleta. “You failed, utterly and totally.”
As a result of that failure, millions of federal workers have had their personal information stolen, putting them at risk for identity theft, blackmail, and worse. That’s something no workforce diversity initiative can correct.
— Jim Geraghty is the senior political correspondent for National Review.