Ars Technica on the OPM Director defending the cyber security capabilities of her organization and trying to deflect blame back onto the attackers:
Archuleta defended her tenure before a Senate hearing on June 23. “I’m as angry as you are that this is happening,” she said in a message to federal employees and retirees during her testimony. “I am dedicated to ensuring that OPM does everything in its power to protect the federal workforce, and to ensure that our systems will have the best cyber security posture the government can provide.” And she insisted that no one at OPM was to blame for the breaches, saying, “If there is anyone to blame, it is the perpetrators.”
Today, OPM e-mailed an eight-page document outlining OPM’s “Actions to Strengthen Cybersecurity and Protect Critical IT Systems” to members of the media. In the document, OPM officials asserted, “Upon Director Archuleta’s arrival, OPM engaged in an end-to-end review of its IT systems and processes. Based on that review, the agency developed a Strategic Plan for Information Technology to guide its efforts to protect its legacy systems to the maximum extent possible as it replaced them with more modern and secure systems. This plan laid out a multi-phase strategy to bolster security through realignment of professional staff, adherence to relevant laws, policies and best practices, and investments in modern tools.”
The OPM statement also promoted how much the agency was doing right.
“In an average month, OPM thwarts millions of…confirmed intrusion attempts targeting our network,” the OPM spokesperson wrote. And Archuleta and OPM should get credit for effort, the spokesperson noted, because “It was only because of OPM’s aggressive efforts to update its cybersecurity posture, adding numerous tools and capabilities to its network, that the recent cybersecurity incidents were discovered.”
All it takes to compromise even the most hardened network is for the attackers to find one hole, especially if they are backed by a nation state.