Unpaid contractor in OPM cleanup feels validated by Oversight report

The chief executive of the firm whose tools were used to detect the Office of Personnel Management (OPM) data breach says he feels validated by a House Oversight Committee report on the breach, which found that the OPM never paid for the software.

“The report is dead-on accurate,” CyTech CEO Ben Cotton told The Hill. 


Cotton said the OPM violated an agreement to purchase $800,000 worth of security products that CyTech provided after the vendor discovered the hack during a product demonstration.

Wednesday's House Oversight Committee report on the hack of 21 million background check dossiers is full of allegations of agency incompetence and failures to meet federal standards.  

Accompanying the report was a letter from the committee asking the Government Accountability Office to investigate the OPM for not paying CyTech, a possible violation of the Antideficiency Act (ADA).

The ADA establishes strict guidelines for what goods and services the government can accept for free. It can be — but never has been — enforced with jail time. 

Cotton has long alleged that CyTech discovered the OPM attack while demonstrating his firm's CyFIR software, and that he subsequently agreed to provide services to bolster the agency's security and aid in the forensic investigation of the intrusion.

Former OPM officials testified before Congress, however, that CyFIR played no role in the discovery of the breach and had no agreement in place to sell products to the agency.

The Oversight Committee report sides with Cotton.

According to the report, CyFIR was installed on four of the five servers eventually implicated in the breach during an April 21, 2015, product demonstration. CyFIR turned up three malicious computer processes masquerading as antivirus programs.

Cotton and the report said the test was so successful that by the next day, CyTech and OPM IT Director Jeff Wagner began negotiating terms for its use. 

While negotiations were underway, both the committee and Cotton agree, CyTech provided the OPM with a temporary license to use its products on 1,000 computers, flew out senior staff to aid in the investigation into the malware and began coordinating with other OPM vendors.

“I knew how important it was for the government to remain secure,” said Cotton, a 21-year veteran of the U.S. Army Special Forces. “So a handshake agreement was good enough for me at the time.” 

Emails between Imperatis, a contractor coordinating cybersecurity at the OPM, and OPM staff showed the “clear expectation that CyTech would be compensated for CyFIR and incident response and forensic support based on the investigation,” said the report.

On June 10, The Wall Street Journal published an account of CyTech’s importance in discovering and mitigating the OPM breach. 

Wagner, the report noted, blamed the story on a CyTech leak, although investigators found that company personnel were not sources for the story.

“I cannot express how bad this is going to go down for you,” he wrote to Cotton in an email. 

As Wagner and Cotton tried to smooth the choppy waters created by the story, Cotton said it became clear in the conversations that the real problem was that “OPM tried to tell Congress one story which did not confirm our involvement.”

On June 16, former OPM head Katherine Archuleta testified before Congress that “OPM detected the intrusion,” leaving out the role of contractors. Asked in a subsequent hearing if CyTech was involved in the investigation, OPM officials denied it. 

The report noted that the OPM did discover one aspect of the breach on its own: OPM servers were beaconing to the domain opmsecurity.org, which OPM did not control. The OPM reported that to the United States Computer Emergency Readiness Team, but US-CERT has acknowledged in its own report that CyFIR discovered the malware running on live servers.
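The beaconing the report describes is the kind of signal a defender can pull out of DNS or proxy logs: the same host resolving the same outside name at a near-constant interval, where that name imitates the organization's own domain. The script below is an added example, not code from the article, OPM, CyTech or US-CERT. The log lines, the list of domains the organization controls (`ORG_DOMAINS`), the brand token used for the lookalike check (`ORG_TOKENS`) and the jitter threshold are all constructed for illustration.

```python
"""Added example (not from the article or from OPM/CyTech): flag hosts that
beacon on a regular interval to a lookalike domain, using constructed DNS logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: timestamp, client IP, queried name. Not real OPM data.
SAMPLE_LOG = """\
2015-04-15T02:00:03Z 10.1.5.21 opmsecurity.org
2015-04-15T02:00:10Z 10.1.5.40 www.opm.gov
2015-04-15T03:00:01Z 10.1.5.21 opmsecurity.org
2015-04-15T03:12:44Z 10.1.5.40 updates.microsoft.com
2015-04-15T04:00:05Z 10.1.5.21 opmsecurity.org
2015-04-15T04:30:00Z 10.1.5.40 www.opm.gov
2015-04-15T05:00:02Z 10.1.5.21 opmsecurity.org
2015-04-15T05:00:07Z 10.1.5.40 www.opm.gov
2015-04-15T06:00:04Z 10.1.5.21 opmsecurity.org
"""

ORG_DOMAINS = {"opm.gov"}   # assumed: domains the organization actually controls
ORG_TOKENS = {"opm"}        # assumed: brand strings a lookalike domain would reuse


def parse_log(text):
    """Parse 'ISO-timestamp client name' lines into (datetime, client, name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, client, name.lower().rstrip(".")))
    return events


def is_org_controlled(name):
    """True if the name is one of, or sits under, a domain the organization owns."""
    return any(name == d or name.endswith("." + d) for d in ORG_DOMAINS)


def is_lookalike(name):
    """Registrable label reuses an org token, but the domain is not org-controlled."""
    label = name.split(".")[-2] if "." in name else name
    return not is_org_controlled(name) and any(tok in label for tok in ORG_TOKENS)


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {(client, name): mean_gap_seconds} for pairs seen at least
    min_hits times whose inter-query gaps vary by no more than max_jitter
    (coefficient of variation), i.e. candidate periodic beacons."""
    by_pair = defaultdict(list)
    for when, client, name in events:
        by_pair[(client, name)].append(when)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


def suspicious(events):
    """Periodic beacons whose destination imitates the organization's domain."""
    return {pair: gap for pair, gap in find_beacons(events).items() if is_lookalike(pair[1])}


if __name__ == "__main__":
    for (client, name), gap in suspicious(parse_log(SAMPLE_LOG)).items():
        print(f"{client} beacons to {name} roughly every {gap:.0f}s")
```

On the constructed log the only hit is 10.1.5.21 talking to opmsecurity.org once an hour; the legitimate www.opm.gov traffic is ignored both because the domain is org-controlled and because its timing is irregular. Real beacons add random jitter, so the `max_jitter` threshold is a tuning knob rather than a fixed rule, and the lookalike test should be backed by a proper registrable-domain parser in production.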

In testimony to Congress, OPM Chief Information Officer Donna Seymour claimed the malware CyFIR discovered was already identified and “quarantined” on the servers. 

In August 2015, the OPM returned to CyTech the hardware that CyFIR had used to store data. It had been "scrubb[ed]" of data, the report said, despite a congressional preservation order to keep data in place for investigations into the breach.

Cotton is grateful that the report “was a validation of our technology.” But he still thinks CyTech should be compensated for its work and wares. 

“I think they’re right,” he said of people who might be concerned with the OPM’s alleged actions. “It does not seem fair.”