Katherine Archuleta is at the center of the storm after what was likely the biggest hack of government networks in history.
Pressure is building for Archuleta to resign as director of the Office of Personnel Management, with the calls coming from lawmakers on Capitol Hill and some security experts who say she is not up to the task of defending the nation’s networks.
The critics question whether Archuleta — a former school teacher who was national political director for President Obama’s 2012 campaign — is qualified to pick up the pieces after a catastrophic security lapse that likely allowed China to pilfer the information of more than 18 million people.
“She should have never been hired,” Republican presidential hopeful Jeb Bush said Friday. “It sends a pretty powerful signal that the head of the HR department of the federal government was a political hack. That was wrong.”
Archuleta is hardly a neophyte to government, having served as chief of staff and senior aide at three Cabinet-level departments. Some experts defend her qualifications, arguing that requiring the OPM director to be an expert in cybersecurity is unrealistic and unnecessary.
“I would consider that a ridiculous criticism,” said Jeffrey Carr, CEO of cybersecurity firm Taia Global and a government contractor who nonetheless supports Archuleta being replaced. “We don’t expect our CEOs to have a security background. We just expect them to hire people with a background in security.”
During her confirmation hearings in 2013, Archuleta stressed to lawmakers that she was committed to fortifying the OPM’s outdated computer systems.
At one point, she vowed to create a modernization plan within 100 days of taking office.
“I believe that OPM can successfully update its IT systems,” she said.
Archuleta “came through” on her “promise” to implement the modernization plan, OPM spokesman Samuel Schumach said in a statement to The Hill.
“Only because of the director’s leadership,” he added, “was OPM able to adopt the security measures that allowed us to identify intrusions into its networks.”
Archuleta’s career in government began after she left public school teaching in the 1980s to become an aide to former Denver Mayor Federico Peña (D), drawn by his push to provide better public education to Spanish-speaking students.
She followed Peña to Washington during the Clinton administration, serving as his chief of staff while he was Transportation secretary and later as his senior policy adviser when he headed the Energy Department.
Between the Clinton and Obama administrations, Archuleta returned to Denver, working as director of professional services at a large law firm before becoming executive director of the National Hispanic Cultural Center Foundation, a New Mexico-based nonprofit with fewer than 10 full-time employees, according to tax filings.
In 2005, she returned to government, working in various roles for then-Denver Mayor John Hickenlooper (D), who is now governor of Colorado.
When Obama came into office in 2009, Archuleta became the chief of staff for then-Secretary of Labor Hilda Solis.
She eventually got the job at the OPM after becoming the first Hispanic woman to serve as national political director for a major presidential campaign.
“I have been a leader and a manager, a small business owner and an employee, a communicator and a listener,” Archuleta said during her confirmation hearing.
While Archuleta does not bring a background in cybersecurity to the job, that kind of experience is the exception, rather than the rule, among senior administration officials.
“Realistically, you’re not going to have that,” said Robert Lee, a former cyber officer in the Air Force and co-founder of Dragos Security. “That’s what makes it incredibly difficult.”
“I don’t think you can find anything in somebody’s background that prepares them for it,” Carr said.
Archuleta hired new IT staff for the OPM and issued a two-year network modernization plan in March 2014.
But that plan has drawn the ire of lawmakers and many in the security community. A recent inspector general flash audit of the efforts admonished the agency for being dangerously undisciplined.
OPM officials, the audit warned, had underestimated their costs, rushing to start the overhaul before they had established the full scope of the project.
“Without a guaranteed source of funding in place,” the audit said, the OPM might be making itself “less secure.”
“This is not a security thing,” said Rodney Joffe, a senior technologist at security firm Neustar who has advised numerous agencies on cyber practices. “As a manager, she should have been managing the process, and she didn’t. … If you put a program in place, you have to make sure the metrics you set are acceptable.”
Lawmakers have also accused the agency of dragging its feet on more basic cybersecurity safeguards, such as two-factor authentication and encryption.
In a murderers’ row of Capitol Hill hearings last week, Archuleta defended her plan as “on schedule and on budget.”
“They are working really, really hard and doing the right things,” Tony Scott, the federal chief information officer, told senators during one of those hearings. “[OPM staff] tell me that they are very, very supportive of the efforts and the leadership they see there. I think we need to be careful about distinguishing fire-starters from firefighters in this case.”
Lee, of Dragos Security, questioned whether that rhetoric matches the reality of what’s happening at the OPM.
“I see an inability to ask the right questions,” Lee said. “What you want to see is an ability to cut through hype and jargon.”