Cybersecurity problems at hacked agency 'decades in the making'

The federal agency hit by a cyber breach putting potentially millions of government personnel files at risk has a long history of failing to meet basic computer security standards, an investigative official with the agency testified Tuesday -- as the head of the agency faced congressional pressure to step down.

Michael Esser, an assistant inspector general with the Office of Personnel Management, testified before the House oversight committee that many of the people hired to run the agency’s IT department had no computer experience, and that the agency itself did not discipline its employees after it failed several security audits.

Esser was among several officials, including OPM head Katherine Archuleta, testifying on the cyber theft of private information for millions of current and former federal employees as well as U.S. security clearance holders.

Archuleta came under fire repeatedly at the hearing.

Committee Chairman Jason Chaffetz, R-Utah, sharply criticized the lapse in security, and called the latest cyberattack the “most devastating” in U.S. history. He added that the OPM’s security strategy was on par with leaving its doors and windows unlocked and trusting nothing would be stolen.

Archuleta said that her agency recognizes that “there’s a persistent and aggressive effort on the part of these actors to not only intrude in our system but systems throughout government and indeed in the private sector.”

Chaffetz responded, "Well, you have completely and utterly failed in that mission if that was your objective."

Archuleta said such cybersecurity problems are "decades in the making," though Chaffetz said, "We don't have decades!"

Chaffetz later called on the OPM director to step down.

"It is time for them to go," he said of OPM leaders. "Whether the president fires them or they resign -- we have to have a change."

Fox News is told that the outrage over the breach, though, could be muted as the U.S. also conducts such cyber activity against other countries like Russia and China.

Still, lawmakers told Fox News they expect to hear more calls demanding Archuleta's resignation. They argue she was told by the inspector general on multiple occasions to shut off the system which was hacked but ignored those warnings, exposing millions of federal workers.

Investigators familiar with the case have alleged that those responsible for the latest cyberattack have ties to China.

The fear is that China will use the information to gain leverage over Americans with access to secrets by pressuring their overseas relatives, particularly if they happen to be living in China or another authoritarian country.

Over the last decade, U.S. intelligence agencies have sought to hire more people of Asian and Middle Eastern descent, some of whom have relatives living overseas. The compromise of their personal data is likely to place additional burdens on employees who already face onerous security scrutiny.

China denies involvement in the cyberattack.

The potential for new avenues of espionage against the U.S. is among the most obvious repercussions of the pair of data breaches by hackers who are believed to have stolen personnel data on millions of current and former federal employees and contractors.

In the cyberattack targeting federal personnel records, hackers are believed to have obtained the Social Security numbers, birth dates, job actions and other private information on every federal employee and millions of former employees and contractors.

In a second attack, which the Obama administration acknowledged on Friday after downplaying the possibility for days, the cyberspies got detailed background information on millions of military, intelligence and other personnel who have been investigated for security clearances. Together, the hacks affected the records of as many as 18 million people.

Applicants for security clearances are required to list drug use, criminal convictions, mental health issues, and the names and addresses of their foreign relatives.

"You're supposed to list every relative outside the U.S. who could be a source of foreign government pressure on you," said Stewart Baker, who served in senior roles at DHS and the National Security Agency.

The pitch to a Chinese-American working with U.S. secrets, he said, would amount to, "You belong to us, and we can make an approach that is designed to make you understand that."

But the fears don't end with China. China's intelligence service could share the information with countries such as North Korea or Pakistan. Also, experts say, many who hack on behalf of the Chinese government are allowed to freelance and sell what they steal.

"The `friends and family' dataset is ultimately the most useful for a hostile intelligence service," said Richard Zahner, a retired lieutenant general and former top NSA official. Tie the information to what's publicly available, and other intelligence the adversary has already collected, "and you have insights that few services have ever achieved."

Those insights go beyond merely spying on the U.S. government, he said. Many senior business executives need government clearances to serve on advisory boards, or hold them from prior government service. Google chairman Eric Schmidt, for example, holds a security clearance, he has said. So at one point did Microsoft founders Bill Gates and Steve Ballmer.

"If I can get into the strategic planning side of a U.S. competitor, investment decisions and negotiating strategies are vastly simplified," Zahner said.

Also Monday, DHS disclosed that as many as 390,000 employees, contractors and job applicants may have had their personal data breached in a separate hack of a contractor, KeyPoint Government Solutions, that was discovered in September. In December, DHS acknowledged another hack of the same contractor in which 48,000 people were affected.

Administration officials have left many questions unanswered, including why the latest hacks went undetected for months. The federal chief information officer, Tony Scott, ordered government agencies to beef up their network security by scanning logs, patching security holes, and accelerating their use of authentication that goes beyond passwords.

Fox News' Chad Pergram and The Associated Press contributed to this report.