At the House hearing investigating this breach, Donna Seymour, the OPM's CIO, said, "Some legacy systems may not be capable of being encrypted." She's right.
Representative Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, ranted "You failed. You failed utterly and totally," at OPM's management. He also said this incident "may be the most devastating cyberattack in our nation's history." He continued, "OPM's security policy was akin to leaving its doors and windows unlocked and expecting nothing to be stolen." He's right too.
Let's look more closely. Archuleta claimed that "In February 2014, I immediately became aware of security vulnerabilities in the agency's aging legacy systems and I made the modernization and security of our network and its systems one of my top priorities." She must have been. There's nothing new about this old problem.
Back in the 80s, when I worked as a system administrator, network admin, and programmer for NASA and Naval Sea Systems Command, we were still using gear from the 60s and 70s. For example, when I helped manage NASA Shuttle data communications in the mid-80s, one backup connection I monitored was a 1950s telex 110 baud line to the Bermuda tracking station. It always checked out, but I thank God we never had to use it on a mission.
The reason wasn't that we felt secure with antique equipment. We didn't. It was that we never had anything like enough capital expenditures (CAPEX) funding at either NASA or DoD for IT. That's still the case today.
As you might guess, in 2011 the OPM already realized that "Many critical applications at OPM are hosted on legacy platforms and have not been re-architected in many years. In some cases, documentation of these systems is lacking, making it difficult to estimate time and cost of consolidation."
Why? The OPM's IT department "has historically been underfunded, especially on the operations side, making it difficult to make investments in consolidation projects, even when those have positive ROI in later years."
The OPM report shows that the organization was well aware of its problems. Looking ahead, the agency wanted to move to a modern virtualized, cloud-based system, but it was never sufficiently funded.
Fast forward to this year. In the OPM's 2016 budget request, it asked for $32 million more. Archuleta wrote, "Most of these funds will be directed towards investments in IT network infrastructure and security. As a proprietor of sensitive data -- including personally identifiable information for 32 million federal employees and retirees -- OPM has an obligation to maintain contemporary and robust cybersecurity controls."
Clearly, OPM long knew they had a major problem on their hands due to their reliance on out-of-date equipment and software. They knew their obsolete IT infrastructure made them more vulnerable to hackers. And, they knew what the answer was. It's just too bad they couldn't get Congress to pay for it.
The real culprits behind the OPM hack aren't Archuleta and Seymour. They're the scapegoats. The real blame should fall on Congress, which, as it showed in the 2013 budget sequestration, refuses to rationally budget for critical government needs.
Without sufficient funding, the OPM might as well have tried using stone knives and bear skins to secure its systems. Just because Mr. Spock could work technical miracles on Star Trek with obsolete tech is no reason to think OPM's IT staff could do it in real life.