Chaffetz wants CyTech to get paid for OPM work

The cyber vendor on the ground when the OPM hack was first discovered has a powerful legislator backing his claims that the government owes him money.

Ben Cotton, CEO of CyTech. (Photo courtesy CyTech)

A contractor who says the government owes him money for work performed in the wake of the discovery of the Office of Personnel Management data breach has won a powerful ally.

Ben Cotton, the CEO of CyTech Services, says that his firm received an oral contract on the spot from OPM to help ferret out resident malware in the system back in April 2015. He's been after OPM for about $800,000.

Rep. Jason Chaffetz (R-Utah), the influential chairman of the House Oversight and Government Reform Committee, released a report on Sept. 7 that includes a chronology of the hack discovery, criticizing OPM's cybersecurity hygiene and network defenses. The report details CyTech's involvement. Separately, Chaffetz sent a letter to Comptroller General Gene Dodaro, who heads the Government Accountability Office, requesting an opinion on whether OPM violated the law by not paying CyTech.

"In brief, we believe OPM violated the [Anti-Deficiency Act] when the agency retained and deployed CyTech's software following a product demonstration and never paid," Chaffetz wrote. The letter was co-signed by Rep. Michael Turner (R-Ohio), also a member of the Oversight committee.

Cotton told FCW that the Chaffetz report "absolutely backed up everything that we've always stated."

He said that within 12 minutes of hooking into OPM systems, CyTech discovered three processes that were pieces of zero-day malware. Following an oral request from agency tech staff, CyTech "rolled into supporting OPM and managing and handling the breach for them, in an extremely short amount of time," Cotton said. That support lasted through May 1. OPM hung onto the CyTech appliance that included the firm's CyFIR forensic analysis tool through August 2015.

When contacted by FCW about the report, OPM officials characterized the agency's interactions with CyTech as a roughly two-week product demonstration. During that time, OPM spokesman Samuel Schumach told FCW, the CyFIR tool "was deployed to a limited number of machines utilizing licenses provided by CyTech. The tool was removed from our networks, and CyTech’s equipment was returned to the company at their request."

Email threads revealed in the Chaffetz report indicate that OPM IT staffers deleted all the data from the appliance before returning it to CyTech. "There is no evidence showing that any OPM official recommended that the data on the CyFIR appliance should be preserved in light of the ongoing congressional investigation," the report says.

A June 2015 email from OPM IT contractor Imperatis to OPM IT security staffer Jeff Wagner included in the Chaffetz report suggests that conversations about compensating CyTech for their involvement in the hack remediation were ongoing inside OPM.

"The report clearly details the activities that we did and substantiated that there was a verbal commitment by OPM to us. Given those facts, I think that we have a pretty good chance of getting paid for our work," Cotton said.

Schumach told FCW that OPM "did receive a request from CyTech in connection with an alleged verbal contract for their product. However, OPM never heard back from CyTech after we asked for more information."  (Cotton has asserted previously that CyTech was unable to supply any documentation because the agreement was not in writing, and because the appliance was scrubbed of data by OPM prior to its return.)

The agency "has never received a request for payment from CyTech for services rendered or licenses provided during the product demonstration they conducted during the 2015 breach response," Schumach said. "If and when OPM receives any such request, OPM will pay any appropriate amounts owed and required by law." 
