Cybersecurity is lacking at the Federal Retirement Thrift Investment Board, which could ultimately lead to hackers stealing personal information and withdrawing funds from Thrift Savings Plan accounts. Ian Dingwell, the chief accountant for the Labor Department’s Employee Benefits Security Administration, told FRTIB that it isn’t aggressive enough with its approach to adding recommended system controls.
But that’s not the whole story, said Kim Weaver, director of External Affairs for FRTIB. It just depends on which of two separate auditors you pay most attention to during its monthly meeting: the one that listed all the flaws, or the one that explained how far FRTIB has come in a relatively short time and what it still plans to do.
“We are going to do them. It’s a matter of timing,” she said on In Depth with Francis Rose on Wednesday. The delay stems from the EBSA itself. “What they want to do is called a ‘penetration test,’ where you try to see if you can hack into the system.”
Weaver explained there are two types of penetration tests. In one, someone simulates an attack coming from outside the system, mimicking the strategy used by some random hackers working from their own basement. Weaver said the board has no problem letting the EBSA do that whenever it wants.
It’s the other type that is causing the delay. Called “credentialed penetration testing,” it simulates the potential damage done by an insider threat. The tester has all the credentials needed to access the system and can move freely around the network to pry into nooks and crannies.
“What is required when you’re doing penetration testing are ground rules,” Weaver said. “So both sides understand what tools are going to be used, what is going to be accomplished and, importantly for our participants, what are the security and liability issues with that.”
In other words, FRTIB is taking its insider threat security development so seriously that it’s putting its own cybersecurity testers through the wringer.
“In this kind of insider testing, what they’re proposing to do is go into live accounts,” Weaver said. “So they could get into my account and potentially move my account balance from $1,000 to $500,000. While it’s nice if it goes up, it’s not so nice if it goes down.”
She said the process of setting the ground rules for the test will take a matter of weeks, not months or years. Once that process is out of the way, FRTIB is free to implement the necessary controls.
“In just the last two years, we closed about 50 percent of our open audit findings,” Weaver said. “It’s not like we’ve been sitting around and waiting for someone to tell us ‘Here’s something good to do!’ We have been moving out smartly and we take this very seriously. … It really was the tale of two auditors, if I can wax rhapsodic.”