Political Hack Resigns As OPM Director
The unqualified hack who led OPM while China stole 21 million sensitive personnel files has finally resigned.
The unqualified hack who led OPM while China stole 21 million personnel files has finally resigned.
National Journal (“OPM Director Katherine Archuleta Quits“):
Katherine Archuleta, the director of the Office of Personnel Management, has resigned from her post amid a cascading scandal over her handling of a massive breach of federal employee data.
Archuleta, who has been at the helm of OPM since November 2013, submitted her resignation Friday morning.
OPM announced Thursday that the size of a hack that began last year led to the pilfering of sensitive personal information of 21.5 million former and current employees. That admission, following weeks of scrutiny on Capitol Hill after OPM acknowledged a separate data breach that affected 4.2 million, led to a rush of lawmakers who called for her ousting, including the top three House Republicans and Democratic Sen. Mark Warner, who sits on the Senate Intelligence Committee.
[…]
The data breach compromised 19.7 million individuals’ Social Security numbers, and the remainder of the affected individuals—1.8 million people—were family and friends. In addition to Social Security numbers, the stolen information included employment history, financial and health history, addresses, and even fingerprints. The hack announced Thursday occurred at roughly the same time as another hack, which OPM announced in June. That data breach affected 4.2 million current and former federal workers, 3.6 million of whom were also affected by the larger breach.
[…]
But on Friday, [White House Press Secretary Josh] Earnest said the agency is in need of a change. “It’s quite clear that new leadership with a set of skills and experiences that are unique to the urgent challenges that OPM faces are badly needed. That accounts for the acting director that the president has appointed.”
Archuleta served as a national political director for President Obama’s reelection campaign. Former Florida Gov. Jeb Bush, a GOP candidate for the White House, had taken to referring to her as a “political hack” who needed to be removed.
Warner, who represents thousands of federal workers who live in Northern Virginia, said Friday, “This is the right move for the agency and all those affected by the breach.”
Rep. Adam Schiff, the top Democrat on the House Intelligence Committee, said Archuleta’s removal was the “right decision, and one that will help to restore confidence in an agency that not only poorly defended sensitive data of millions of Americans but struggled to respond to repeated intrusions.”
“This change in leadership is also an acknowledgement that we cannot simply place blame on the hackers, but need to take responsibility for the protection of personal information that is so obvious a target,” Schiff added.
Rep. Ted Lieu said in a statement after Archuleta’s resignation that the OPM should not be in charge of storing background check data. “OPM was never designed to be an intelligence or national security agency,” the California Democrat said. “We should not be trying to fit a square into a round hole. That’s why Congressman Steve Russell and I are working on legislation to move the security clearance system out of OPM.”
Like Michael Brown, who led FEMA during the Hurricane Katrina debacle, Archuleta is a reasonably accomplished and intelligent person placed into a very important position they had no business filling for purely political reasons. Brown at least had a couple years under his belt at FEMA before taking over; Archelata had no connection to OPM or any other large agency before being nominated.
I’ve long argued that we need to drastically reduce the number of Executive billets filled by political appointees rather than career professionals. Not only are the appointees seldom competent to hold the posts, the nature of the selection and confirmation process creates long periods of vacancy in key posts, both during transition between administrations and during the constant turnover inevitable in these relatively low-paying jobs. Archelata is a case in point.
All that said, it’s not obvious to me that a competent professional would have stopped the Chinese hack of OPM. Government agencies, to include the Defense Department, are absurdly behind the state of the art on technology.
Now if only we could get rid of all the other unqualified political hacks in government… Oh, wait a minute that would only leave a few thousand. OK, how about Congress… Nope, a couple dozen at most. Oh well, I guess we’ll just have to make do with the finest gov’t money can buy.
@OzarkHillbilly: All but a handful of Federal jobs are filled through a competitive process. Alas, the ones that aren’t are at the very top.
I don’t mind politicians being political. I’d prefer they not be hacks but, hey, that’s up to the voters.
Not entirely accurate. She served as deputy chief of staff and then chief of staff at DOT for 4 years, then spent a subsequent 15 months as a senior policy advisor to the Secretary of Energy.
OK…that’s fine…as long as I still get my seat on one of the Death Panels!!!
@James Joyner:
Given what is essentially a lockout for external non-veteran federal applicants due to veteran preference laws, and the Animal Farm “some veterans are more equal than others” nature of those laws, I’m not sure that I would call the federal hiring process competitive.
Once upon a time this kind of patronage was a vital tool used to maintain a political network of water-carriers, but I think it’s stopped being useful and started to look like useless corruption. Useful corruption is one thing, but useless corruption is pointless.
@michael reynolds:
Yes, a very nice summary, I rather like it.
@HarvardLaw92:
basically the only thing a civilian can get is airport screener or some USDA lab position in the middle of iowa.
no thanks.
Speaking of which…and this is way off topic….but I just saw a headline about the boondoggle F-35 not being able to take a 40 year old F-16 in a dog-fight.
https://medium.com/war-is-boring/read-for-yourself-the-f-35-s-damning-dogfighting-report-719a4e66f3eb
Now I know we are all very concerned about welfare recipients eating surf and turf every night and going on cruises with their benefits. Do you think we could start showing the same concern for Defense Contract Welfare Recipients????
This is another Sherri Sherrod.
The Republicans swiftboated this poor oppressed Hispanic woman.
Besides Republicans are to blame because 10 of them out of 45 voted to confirm her.
I hope she sues Breitbart over this.
This is true – the hackers have proven time and time again that they are smarter than the people trying to prevent the hacking. Keep in mind that’s it’s not just the government but private business as well but when a private business gets hacked it is not a political issue. We can’t do away with the network known as the internet so what we need is a Manhattan project to address the issue. This may include recruiting successful hackers who are still siting in jail.
@C. Clavin:
A B-52 can’t take an F-16 in a dog-fight either. It wasn’t intended to. The F-35 is a ground strike aircraft; the fact it can’t beat a dedicated air superiority aircraft like the F-16 doesn’t prove anything other than the fact congress was foolish to reduce the production run of the F-22.
@T: Well, if you have a scientific background you CAN end up at the USPTO….don’t go through the government jobs website. No one I know ever got a job that way.
Maybe if we started firing the HR people, pour encourager les autres? (Something I recommend in general, by the way.)
@Ron Beasley:
I thought the same thing though I went with Bletchley Park as my analogy. The question is whether the US government has the kind of recruitment and hiring flexibility required to find their Turing. I suspect not. You’d be hard-put to find a hacker who doesn’t have at least one unsolved felony in his past. You sure as hell won’t find the right people if you’re going to screen for marijuana use.
I must say that this may be the best opening lede to a blog post that I’ve ever seen.
I’m curious James, are the CEOs of Fortune 500 companies that have suffered massive data breeches also incompetent hacks?
@anjin-san: To the people whose data has been stolen they are. I believe Dr, Joyner falls in that group here. A few CEO firings without golden parachutes might encourage the others to take customer data protection more seriously.
@Stormy Dragon:
So you are saying it is unlikely that a F-35 is drawn into a fight with an enemy’s fighters?
Interesting. I wonder why they tested that, then?
And I wonder how they prevent such a thing from happening in the theater?
@C. Clavin:
The original concept is that the F-35 were only supposed to be opperating in places were F-22s had already had established air superiority. The F-35 had some anti-air capaibility so as not to be completely defenseless, but it wasn’t originally designed to be fighting for airspace.
But the F-22 program get slashed from an initially planned buy of 750 to only 187, so now the government wants to make the F-35 fill in for the missing F-22s role in a role it was never intended for.
Obviously it’s not going well.
This is not to say the F-35 doesn’t have problems, but contractors frequently get blamed when the government changes its mind mid-stream about what it wants and then complains that something designed to meet a completely different set of requirements doesn’t fit the new ones.
@Ron Beasley:
Whether the information that was obtained in the breach should have been digitized at all or needed to be retained on servers that could be accessed via the public internet, however, are questions that might be reconsidered.
There is an inherent level of security in paper files.
@Dave Schuler: I vote for clay tablets.
@Stormy Dragon: The F-35 is not a ground strike aircraft, it’s supposedly a multi-role fighter designed to fulfill air superiority, tactical strike and ground support roles.
It can’t control the air because it’s underpowered and overweight, can’t strike because it can barely carry ordinance and its stealth technology is a joke, and can’t provide ground support because it can’t fly slowly, it’s gun won’t work until 2018 and even then will only hold 180 rounds.
Therefore I propose immediate cuts to Social Security and Medicare.
In 2012, Archuleta mocked Romney for warning about Chinese hackers going after government files. Then Obama nominated her for OPM head, and Hispanic groups threatened the GOP if they dared to filibuster her.
In 2015, she’s explaining how the Chinese hackers got hold of (at last count) the highly-confidential information of over 20 million Americans. And she wasn’t fired; she was allowed to resign after she finally proved to be too much of an embarrassment.
As far as the F-35 diversion… any pilot who lets himself get into a “dogfight” scenario these days needs to be grounded. With BVR/OTH sensors and weapons, getting that close is almost guaranteed to be a sign of incompetence.
There are plenty of reasons to criticize the F-35. That it can’t out-dogfight the incredibly agile and nimble F-16 is a pretty stupid one.
@Jenos Idanian #13:
This was the exact thinking behind design of the F-4 and the training of its pilots. Then Vietnam happened and U.S. pilots found themselves in dogfights for which they weren’t prepared and in any case couldn’t win because the plane had no gun.
@Jenos Idanian #13:
That’s the same bunkum that led to the initial production runs of the F-4 omitting a gun. That idiocy didn’t last long.
Here’s what a fighter jock for whom I used to work told me is Rule 1 of air-to-air combat: you will always end up in the furball.
@Jenos Idanian #13: So, we’re using the F35 only over open desert country during daytime where there’s no chance that they get into a dog fight with someone flying behind a hill or hidden by a good rain shower? That air plane has failed every performance criterion from the original order, and it’s only kept alive by revising qualifications down. They even built 100 non-combat capable trainers to keep the money coming while they try to get it to work. So probably all the trainees will have retired by the time that happens.
Agree with the thought, and at certain levels we do have professional civil service who are all but impossible to fire and replace with political patrons, but I wonder if it is wise to expand that to dept heads.
Department heads that do not fear “the boss”? They will be picked, as certain high Justices are, because of their political agenda with the idea they would be embedded within government to further that for life in mind. Some level of this kind of political embedding is unavoidable, a necessary evil to correct the abuses which existed before the Polk administration, but dept heads? If we are going to hold our elected government accountable for what the government does they need a certain level of authority over it, and that means willing cooperation from dept heads.
@Jenos Idanian #13:
No she didn’t. None of the campaign tweets Rightwing media is trying to spin have anything to do with China or cybersecurity. The tweet that’s being pushed the most today is just Archuleta blandly quoting Madeleine Albright on Romney’s Russia-greatest-geopolitical-foe statement — again with no mention of China anywhere. All-in-all it’s one of the Right’s lazier attempts at manufacturing outrage.
@Stormy Dragon: oh god yes, government bid specs….which get created by some poor wight who goes around to all the scientists in the lab ands asks them what they’d like to see available on Apparatus X. He then writes up the entire request list, not realizing that half of the requested bells and whistles make it impossible to have the other half.
This all gets put on official notepaper and released to the public and the potential bid providers. The latter take one look, say “that’s impossible” and either give up entirely or decide which set of bid specs to lie about, figuring that no one’s going to use them anyway….
@Ben Wolf: @Mikey: Yes, you’re absolutely right about the F-4, but the F-4 was designed as an interceptor, not a fighter. It was later adapted into a fighter/bomber, and yes, the initial absence of a gun was a serious mistake.
But you’re also talking about an entire different world from 50 years ago. We have far better sensors on the aircraft. We also have nigh-omnipresent sensor platforms, which would be far more likely to detect possible hostile fighters before they even get off the ground. AWACS, satellites, drones — and that’s just three off the top of my head.
The F-35 has a very capable sensor suite and a 25mm gun. The main challenge being cited is its maneuverability. Part of the problem is that other innate features don’t lend themselves to agility. The stealthy design is one. Another are the requirements for the B and C variants — the B has to be STOVL capable, while the C has to CATOBAR rated. Both requirements add a considerable amount of weight to the airframe.
The biggest problem, as far as I can tell, is the STOVL requirement. It turns out that the F-35, when used in vertical mode, puts out (well, down) a LOT more heat than runways or ship decks can handle currently. That means that using it in CTOVL or VTOL mode is a strictly one-time maneuver from any given point. And it it’s a vertical landing, there’s a pretty good chance that the landing gear will melt into the landing area. OOPS…
I think that the F-35 has tremendous potential, but we’ve had too many problems, and it’s a waste of money. But the fact that it can’t outmaneuver one of the most agile planes in existence today is not a major failure. In car terms, this would be like complaining that your new BMW is out-handled by a 20-year-old Lotus.
@Jenos Idanian #13:
ha, there’s no way that lotus is running.
@Stormy Dragon:
lolwhut
The F-16 isn’t an air superiority fighter, it’s a multirole fighter just like the F-35, and just like dogfighting, the F-16 is a much better ground strike plane than the F-35, the same F-35 which can’t even drop the bombs it was designed to carry.
And what’s the point of sending a F-35 on a strike mission when it can only carry two big bombs or four small ones in its bay without mounting them on the wings and completely defeating the purpose of a stealth aircraft?
@Timothy Watson: And what’s the point of sending a F-35 on a strike mission when it can only carry two big bombs or four small ones in its bay without mounting them on the wings and completely defeating the purpose of a stealth aircraft?
THIS. Screw the “dogfighting” angle. We have some airframes right now that are fully matured and still more than capable enough for the challenges. The F-15, F-16, F./A 18, and the F-22 can do everything we need of them, and can meet the threats coming. The F-35 isn’t needed. If it was the wonder-weapon the backers say it was, it might he necessary, but it can’t live up to that hype.
Oh, and the day before OPM admitted it had been hacked, it released its top priorities.
(And #7 was promoting Obamacare, BTW.)
Apparently, it served Goals 1-3 to outsource their top IT work to contractors, including foreign nationals. And granting root access to Chinese nationals who telecommuted from China.
These contractors certainly were More Diverse and Engaged. Sadly, their “diversity” was in loyalties, and they were “engaged” in espionage. But hey, they made the diversity stats look better and were awfully hard workers, so that balances it all out, right?
@HarvardLaw92: Thanks for the correction. Her Wikipedia entry simply notes “She had previously served as National Political Director for Obama’s 2012 reelection campaign. Prior to that, she had been Executive Director of the National Hispanic Cultural Center Foundation, had co-founded the Latina Initiative, and had worked at a Denver law firm, and had worked in the Clinton Administration.” I don’t know whether the last part was added after I referred to it or if I glossed over it.
@HarvardLaw92 and @T: Veterans preference is meaningful only in the very low-level jobs where “points” are used. Above GS-9 or so, hiring managers select interviewees based on resume and whatnot. Diversity issues are more impactful than veteran status at that level.
michael reynolds: Yes, this is a real problem in hiring cyber experts. DOD, in particular, struggles with that.
@anjin-san: Many Fortune 500 CEOs have risen to their Peter Principle level, yes. But it’s different to hire someone through a thorough vetting process and have them fail at the job than simply filling an executive post with a political crony who’s demonstrably unqualified. This isn’t a slam at Obama or, really, Archuletta but rather at the game as it’s played.
@dazedandconfused: The Senior Executive Service operates under very different rules than the General Schedule employees. Executives are sacked all the time, although they rightly have protections that would allow them to move back down the ladder.
How government procurement actually works:
Pentagon Wars – Bradley Fighting Vehicle Evolution
@Jeremy R: ” All-in-all it’s one of the Right’s lazier attempts at manufacturing outrage.”
No wonder Jenos is repeating it. He can’t be bothered with low-hanging fruit – if it’s not already rotting on the ground, it’s too much work for him.
Mitt Romney said that the greatest geopolitical threats we faced were Russian expansionism, Iran’s nuclear ambitions, Islamic extremism, and Chinese hackers. From a Republican debate:
“China is stealing our iintelectual property — our patents, our designs, or know-how, our brand names. They’re hacking into our computers, stealing information from not only corporate computers, but from government computers. And they’re manipulating their currency.”
Sounds like Romney was dead on.
Romney said that Russion “is without question our No. 1 geopolitical foe.” Obama mocked him for that. Romney was dead on.
Romney said that a US pullout from Iraq would result in more “chaos and tumult” in the Middle East, adn that “jihadists” would continue to spread.
Romney said that if Obama was re-elected, the national debt would approach $20 million. It’s now $18.6 trillion.
Archuleta retweeted the Obama campaign’s mockery of Romney’s predictions. And it turns out that many of those predictions were right.
@James Joyner:
Surely if that were true you would have written a different article, with a different title and a different lede?
As for CEOs,
…I don’t really see how hiring a business crony is substantively different from hiring a political crony, in this case. If you think CEOs are ‘vetted’ for competence, you’re dreaming. The only real difference is that a CEO really does have the power to make the company take steps against potential hackers, whereas the head of a federal agency does not. (When Congress funds the IRS for real cyber security, we’ll know they’re serious about cyber threats.)
@Jenos Idanian #13:
The dominant rationale for the F-35 was that it was going to be cheap — 1/3 the price of an F-22 — and therefore we could buy the 2000 we needed to modernize the USAF, Navy, and Marine Corps strike fleets.
Once it became clear that the F-35 was not going to be cheap, the entire rationale for it went away. It should have been cancelled 5 years ago. It survives only because the Services hate to admit error (or to start over) and the contractor has megaclout.
@James Joyner:
While I appreciate your point about not hiring unqualified hacks, this really seems to be about a moderately qualified person who got blamed for something that she didn’t have much to do with and who fell on her sword when people who wanted a scapegoat went gunning for her.
This guy seems to have the right take on things. Hope his inititiave succeeds.
@stonetools:
The fact she didn’t have much to do with it is precisely the problem.
@Jenos Idanian #13:
I love how the Right keeps trying to recast Romney as some sort of prescient foreign policy guru, when he had zero foreign policy expertise or background, and was just repeating the talking points his cold-warrior foreign policy team prepared for him and that his political consultants focus group tested.
With respect to Archuleta, you’re cherry-picking Romney campaign statements from many different venues and stretching a tweet criticizing a single statement into an attack on everything he’s ever said. Again, Archuleta, then in her capacity as an Obama campaign political director, tweeted out a campaign video and a Madeleine Albright quote. The video plays a clip from a Romney TV interview where he says “This is to Russia. This is without question our number one geopolitical foe.” The campaign video then includes statements from Albright and Michele Flournoy questioning that Romney statement. That’s the entirety of it. There’s nothing about China or cybersecurity.
In fact, it was hardly a forward-looking, novel position at the time to be concerned about Chinese hacking. The Obama administration certainly was. Obama himself penned an OpEd in the WSJ on the subject, urging the passage of the Cybersecurity Act of 2012, which if it had become law would have set cyber security standards for critical infrastructure and required DHS to invest more heavily in assessing risks and vulnerabilities for critical infrastructure site computer networks. Congressional Republicans opposed mandatory cybersecurity standards for gov’t and private critical infrastructure (the bill died in committee). His administration also frequently engaged China on the subject and had reportedly started to make some headway (w/ Chinese officials finally acknowledging the problem), and then the first Snowden leaks completely tanked the US-China Cyber-summit and undid all those previous efforts.
@Jeremy R: Your points only make it worse. Obama was aware of the danger, and did nothing. As he’s demonstrated on illegal immigration, he has a wealth of options available to him beyond calling for a law. He could have put someone in at OPM who actually had some vague knowledge about IT security. He could have directed them to make IT security a higher priority than #4 on their list. He could have ordered “no outside contractors who are nationals from nations known to be cyber-hostile, especially if they’re working from that country.”
He knew there was a potentially huge problem, so he addressed it the way he does best: he talked about it. All words, zero action.
@Jenos Idanian #13:
Actually, he did much the same as w/ immigration reform. He issued a series of executive orders implementing what small parts of the Cybersecurity Act he felt he had the authority to do on his own.
@James Joyner:
James,
I am aware of how the SES works, generally, but that wasn’t my intended point. I was addressing “drastically reducing the billets”. It appeared to me that would leave each President the people he inherited to run the agencies, and people who were given those jobs without “advise and consent of the Senate”. There would certainly be people placed in agencies whom were picked to undermine the original intent of that agency, and if a new President can’t appoint his or her own “political appointees” to replace them…
I see a practical problem in the application of a good theory, that’s all.
@Jeremy R: That actually shows that Obama has two modes of reacting: do nothing, and do way too much.
A judge told the Obama administration to stop issuing amnesties while he heard the case. They said sure, no need to issue an order. The judge said fine, and the kept issuing amnesties. So the judge called them back in and said you said you didn’t need an order to stop, but didn’t stop. Here’s your order, now stop. They said sure, and still kept issuing amnesties. Now the judge is pissed and calling them back in again to explain why they won’t stop issuing amnesties, even with a legally binding court order.
@HarvardLaw92:
Even qualified veterans have a hard time getting hired in the Federal gov’t due to priority placement rules and disability preference. I’ve seen qualified veteran applicants get selected as the most competitive candidate–only to not get offered the job because of a priority placement (a person rotating back stateside from overseas)–or a person who, on paper looks so disabled they shouldn’t be able to get out of bed.
This means that thousands of qualified veterans who were dumb enough to accurately account for how injured or disabled they are upon exiting the service–will have an extremely difficult time getting hired–especially with the trickle of job opening available do to the years long hiring freeze.
@Timothy Watson: That’s not entirely true…there are multiple variants of both the F16 and F15–each with specialty. I believe it is the F16C that is the Air to Air variant.
@DrDaveT: No…it survives because parts of the F-35 are manufactured or designed in nearly EVERY CONGRESSIONAL DISTRICT. What Congress Critter is going to vote jobs out of his/her community. They only vote to end other people’s pork—not their own.
@HarvardLaw92: “Not entirely accurate. She served as deputy chief of staff and then chief of staff at DOT for 4 years, then spent a subsequent 15 months as a senior policy advisor to the Secretary of Energy.”
James, comment?
I think that your post is, ah – no longer operative.
@Ron Beasley: “Keep in mind that’s it’s not just the government but private business as well but when a private business gets hacked it is not a political issue. We can’t do away with the network known as the internet so what we need is a Manhattan project to address the issue. This may include recruiting successful hackers who are still siting in jail.”
And I’m sure that the DoD gets hacked 10x as much, but that those get covered up.
Heck, does anybody want to bet that the NSA isn’t being hacked?
And in many ways it’s clear that US government policy is to blame – we *know* that the US government has been forcing software and hardware companies to put in all manner of back doors, likely since the late 90’s at the latest (see https://en.wikipedia.org/wiki/NSAKEY).
The end result is an internet/computersphere which was quite deliberately designed to be insecure.
@Stormy Dragon: “The F-35 is a ground strike aircraft; the fact it can’t beat a 30-year old dedicated air superiority aircraft like the F-16 doesn’t prove anything other than the fact congress was foolish to reduce the production run of the F-22.”
FIFY
@michael reynolds: “I thought the same thing though I went with Bletchley Park as my analogy. The question is whether the US government has the kind of recruitment and hiring flexibility required to find their Turing. I suspect not. You’d be hard-put to find a hacker who doesn’t have at least one unsolved felony in his past. You sure as hell won’t find the right people if you’re going to screen for marijuana use.”
Note that Bletchley Park was set up during wartime, when things were flexible. And that Turing was a famous person at the time, *and* that despite the movie, they were interested in his computers from 1939 or before. I don’t know if they knew about his sexual preferences at that time, but then again it was during a massive war (also, I’ve heard that among the Oxbridge set this was tolerated).
@Doug Mataconis: “I must say that this may be the best opening lede to a blog post that I’ve ever seen.”
Aside from being wrong…………..
@anjin-san: “I’m curious James, are the CEOs of Fortune 500 companies that have suffered massive data breeches also incompetent hacks?”
I’m sure that James will link to posts where he had said just that 🙂
@Barry: @Barry: I addressed both these issues three days ago.