07.21.15

Daines: Americans Shouldn’t Have to Pay the Price for Obama Administration’s OPM Hack

“The American people will pay the price for a failure to adapt to this rapidly changing world of technology, this rapidly changing world of media, this rapidly changing world of information gathering - for sheer carelessness of those in authority.”

WASHINGTON, D.C. — Senator Steve Daines, a member of the Senate Commerce Committee, today highlighted the growing cyber-warfare threats facing our nation, and the incompetence of the Obama administration that led to a massive breach of personal and security information at the Office of Personnel Management (OPM) that resulted in the resignation of Director Katherine Archuleta.


Daines made the following remarks on the Senate floor this evening:

“Mr. President, the headlines in the past few months have been enough to paint a startling picture of how our nation is handling cybersecurity and technology issues these days. 

“Before I came to Congress – I spent 12 years working within the technology sector, but it doesn't take an extensive background in these fields to see that in this ever-changing realm of technology and online communications, Americans' constitutional freedoms and their civil liberties are at risk.

“Our security as a nation is under attack. When it comes to protecting American citizens' privacy and personal information, we as a nation need to respond to the new threats our enemies are posing and the new tactics they are using, and demand equal vigilance from those in our government who claim to have Americans' safety at heart. 

“The modern battlefield is changing. We see it changing before our very eyes, and America needs to adapt. With the incredible advantages that modern technology offers also comes with that greater risks as well as greater responsibility. Our enemies – America’s enemies – are utilizing social media in particular to recruit others to their side in a plot against our rights, our freedoms, our American way of life.

“As Michael Steinbach, the Assistant Director of the FBI's Counterterrorism Division, said at the House Homeland Security Committee just last month, he said, ‘the foreign terrorist now has direct access into the United States like never before.’

“We know for a fact that ISIS aggressively uses social media to spread its propaganda, to target individuals in our own country and to urge them to attack us on our own soil. In March of this year, The New York Times reported that ISIS' use of social media, including Twitter and high-quality online recruiting videos, has been astonishingly successful.

“The speed at which modern social media moves means that America must move faster. In fact, we read about the recent foiled terrorist attack in Boston where Islamic extremists planned to behead law enforcement officials. It shows us the importance of engaging these online terrorists, their propaganda machines, interpreting their encrypted communications, and cracking down on the spread of online terrorist networks.

“But how can we fight back against these cyber threats from abroad when our own government officials show themselves to be woefully incompetent? 

“We in this country spent months debating about the National Security Agency's bulk collection of Americans' metadata and in the meantime, while we're having this debate, Chinese hackers stole millions of Americans' personal information. In fact, it's estimated now those Chinese hackers who broke into the Office of Personnel Management, the HR system of the federal government, stole over 20 million employees of the federal government's records.  

“This recent breach of federal employees’ personal information may possibly be rooted in a phishing e-mail. In fact, in a recent article in Ars Technica on June 8, they said this, and I quote, ‘It may be some time before the extent of the breach is known with any level of certainty. What is known is that a malware package—likely delivered via an e-mail ‘phishing’ attack against OPM or Interior employees—managed to install itself within the OPM's IT systems and establish a back-door for further attacks. The attackers then escalated their privileges on OPM's systems to the point where they had access to a wide swath of the agency's systems.’

“These hackers broke into the computers at the federal government's Office of Personnel Management. They were downloading the very forms that federal employees use to gain national security clearances. In fact, in USA Today earlier this month, they said ‘the hackers took millions of the forms used by people that disclose intimate details of their lives for national security clearances.’  The information could be used to unmask covert agents or try to blackmail Americans into spying for an enemy.

“In fact, I was one of those millions of Americans, as were other members of Congress, whose personal information was compromised in this breach – and I demanded accountability from the Director and others of the OPM – but we also need to address the systemic problems with cybersecurity in this country directly. These outdated security systems at the OPM and other agencies of the federal government that have been recently hacked show that America is not up to speed with the kinds and the levels of cyber threats our country is facing.

“Let me give you an example – in the publication Ars Technica: ‘The OPM hack is just the latest in a series of federal network intrusions and data breaches, including recent incidents at the Internal Revenue Service, the State Department, and even the White House. These attacks have occurred despite the $4.5 billion National Cybersecurity and Protection System (NCPS) program and its centerpiece capability, Einstein. Falling under the Department of Homeland Security's watch, that system sits astride the government's trusted Internet gateways. Einstein was originally based on deep packet inspection technology first deployed over a decade ago, and the system's latest $218 million upgrade was supposed to make it capable of more active attack prevention. But the traffic flow analysis and signature detection capabilities of Einstein, drawn from both DHS traffic analysis and data shared by the National Security Agency, appears to be incapable of catching the sort of tactics that have become the modern baseline for state-sponsored network espionage and criminal attacks. Once such attacks are executed, they tend to look like normal network traffic. Put simply, as new capabilities for Einstein are being rolled out, they're not keeping pace with the types of threats now facing federal agencies. And with the data from OPM and other breaches, foreign intelligence services have a goldmine of information about federal employees at every level of the government. It's a worrisome cache that could easily be leveraged for additional, highly-targeted cyber-attacks and other espionage. In a nation with a growing reputation for state of the art surveillance initiatives and cyber warfare techniques, how did we become the ones playing catch up?’

“But this isn't just a problem about being sloppy or being slow. This is a problem – this is a matter of national security. America needs to get smart on cybersecurity and tech issues and to hold officials accountable for their behavior.  There's just too much at stake if we fail. The American people will pay the price for a failure to adapt to this rapidly changing world of technology, this rapidly changing world of media, this rapidly changing world of information gathering – for sheer carelessness of those in authority.  

“The private sector innovation and progress can help America compete. As a member of the Commerce Committee and having spent 28 years in the private sector, the last 12 years with a cloud computing start-up that we took public – became a great cloud computing company with offices all over the world based in my home state of Montana. I admit I had to smile when I saw that so many Congressmen that want to regulate the private sector to protect the private sector from cyber threats. 

“You know, in 28 years of serving in the private sector, I never once had information breached – never once had a letter from my HR Department saying my information had been compromised. It wasn't until I became a federal employee – elected to Congress a few years ago – when my information was compromised.

“The private sector runs a whole lot faster than the public sector. I think the government needs to look within to make sure that we can be at the forefront of technology and cybersecurity, but these efforts will be thoroughly wasted if the public sector – if the federal government does not take the necessary precautions and procedures to protect the American people.”

###