An interim report filed yesterday by the U.S. House Committee on Science, Space and Technology revealed gaping holes in the Federal Deposit Insurance Corporation’s (FDIC) cybersecurity posture and accused the financial institution of withholding documents pertaining to data breaches.
In light of the scathing report, the FDIC, a government-run corporation that provides banking customers with deposit insurance, came under heavy scrutiny today at a public hearing held before the Committee.
In its report, the Committee states that the FDIC “has historically experienced deficiencies related to its cybersecurity posture and those deficiencies continue to the present.” It also claims that the FDIC operates in a “toxic work environment,” and that it has intentionally tried to evade Congressional oversight by downplaying serious incidents and failing to disclose breaches in a timely manner.
In his testimony on the Hill, Martin Gruenberg, chairman of the FDIC, agreed with the independent assessment of the FDIC’s Office of the Inspector General (OIG), which determined that the institution must take additional steps to reduce the risk of data breaches and report incidents more responsibly. Such measures include the introduction of an insider threat program, and more stringent policies for how employees can handle data – and Gruenberg testified that they would be in place by the end of 2016.
The report cites several examples of gaffes and missteps following a data breach. For instance, it took the FDIC four months to alert Congress of a major October 2015 breach in Florida, in which an outgoing FDIC employee downloaded sensitive materials onto a thumb drive — including currency transaction reports and customer data reports — and left the premises with it. (All major breaches must be disclosed to Congress within seven days.)
The Committee report states that the FDIC originally sent a letter to Congress acknowledging that over 10,000 individuals’ records were stolen. But further investigation showed that over 40,000 customers and more than 30,000 banks and other entities had had records compromised. The report also states that staff members claimed the offending employee was neither tech-savvy nor adversarial, and was merely attempting to download family photos. The OIG’s office, however, debunked this story, noting that the employee had an extensive IT education and was uncooperative during the investigation.
The Congressional report said that in other cases, the FDIC didn’t disclose a particular breach because it didn’t consider it a “major” incident, even though it fit that very definition according to standard policies set forth by the U.S. Office of Management and Budget. And when Congress requested documentation to investigate a breach, the FDIC would sometimes withhold hundreds of relevant documents, the report also states.
“There’s a culture of concealment at the FDIC,” said Committee Chairman Lamar Smith (R-Tex.) at today’s hearing. In one breach case, the FDIC turned over 88 pages to the Committee – only for the OIG to uncover 883 relevant pages, thanks to the help of an anonymous whistleblower.
In an especially concerning section, the Committee’s report cites a 2013 memo from a previous FDIC inspector warning Gruenberg of a computer security incident involving an advanced persistent threat (APT) from China that compromised 12 workstations and 10 servers between 2011 and 2013. The OIG eventually notified Congress of the incident because the FDIC did not.
During testimony on the Hill, Rep. Gary Palmer (R-Ala.) introduced an excerpt from an earlier interview with an FDIC employee who said employees covered up the discovery of a malicious party penetrating the FDIC network in the early 2000s so as not to jeopardize Gruenberg’s chances of being named chairman in 2012. “I find it interesting that some at the FDIC thought your appointment was more important than taking immediate action to protect almost 31,000 banks and 161,000 individuals,” said Palmer.
Gruenberg said he was unaware of his staff’s intent, and said if the employee’s claims are accurate, that it would “certainly” concern him. FDIC CIO Lawrence Gross was also hit hard in the report, which claims that he mismanaged cybersecurity programs and drove experienced employees to leave.