
OPM hack raises questions about security of government contractors

Erin Kelly
USA TODAY
Rep. Elijah Cummings, D-Md., ranking member on the House Oversight and Government Reform Committee.

WASHINGTON — The massive hack of the Office of Personnel Management has raised questions about whether government contractors may have inadvertently made the agency more vulnerable to attack.

Rep. Elijah Cummings of Maryland, the top Democrat on the House Oversight and Government Reform Committee, is seeking to question two contractors that OPM hired to perform background checks on job candidates seeking positions that require a security clearance.

"If these cyber attackers are able to get into our federal agencies through contractors, that is a huge vulnerability that must be addressed immediately," Cummings told USA TODAY. He said he feels even more strongly about the need to question the contractors after he and other committee members received a classified briefing Tuesday by OPM.

The agency recently revealed that a cyber attack that occurred in late 2014 and early 2015 has compromised the personal data of at least 4.2 million federal employees.

The issue of contractor vulnerability is underscored by the fact that OPM's current contractor — KeyPoint Government Solutions of Colorado — was hacked last year. That attack followed one against OPM's previous contractor, Virginia-based USIS, which also occurred in 2014.


Cummings said those hacks show that OPM did not adequately monitor and audit the contractors.

"I don't think OPM should stop using contractors, but we do need to re-assess our over-reliance on contractors, especially for conducting core government functions like granting security clearances to access our nation's secrets," the congressman said.

While the FBI and other government officials investigate the OPM hack, agency officials said they are continuing to process background checks on job applicants needing security clearance. Agencies that employ workers with security clearances say those clearances are still in place.

"Background checks continue to be processed," said OPM press secretary Samuel Schumach. "At this time, we have no indications that the actor (hacker) remains in the OPM networks."

He said the enhanced security measures that helped OPM discover the hack in April "have allowed us to identify, isolate, and prevent even sophisticated actors who are using new techniques."

KeyPoint, the contractor used by OPM now, was hacked last year, OPM officials revealed in December. The agency said there was "no conclusive evidence" to confirm that sensitive information was stolen. However, OPM notified more than 48,000 federal workers that their personal data may have been exposed.

That breach came just a few months after OPM decided against renewing its contract with USIS. KeyPoint replaced USIS, which had problems beyond being hacked. The U.S. Justice Department, in a complaint filed last year, has accused USIS of submitting at least 665,000 incomplete background checks that the company claimed were complete in order to earn bonus pay for high performance numbers.

Neither USIS nor KeyPoint would comment for this story. According to KeyPoint's website, its clients also include the Transportation Security Administration, Immigration and Customs Enforcement, the Department of Homeland Security, the Army, the Department of Energy, and the Social Security Administration.

A cyber expert said contractors — which are widely employed by agencies throughout the federal government — bring both advantages and risks.

"It's not realistic for the government to stop using contractors," said Arun Vishwanath, an expert on cyber psychology and online deception at the University at Buffalo. "We're living in a world where we need these guys because they are much more efficient than federal bureaucracies, let's be honest. But the risk is if they get hacked, the government gets hacked."

Ultimately, the responsibility to prevent hacks lies with the government, whether it employs contractors or not, said Robert Lentz, former deputy assistant secretary of defense for cyber issues and a consultant for Palerra cloud security automation company.

"Our adversaries will go to the weakest link to get to the crown jewels," Lentz said, adding that a contractor's network may be the weakest link. "That's why the government has to have very powerful security infrastructure overseeing all of that. This (the OPM hack) is not something that should have occurred. There's no excuse."
