Dozens of cyber attacks against the Federal Reserve are raising “serious concerns” from members of Congress about the agency’s ability to defend itself and the financial information it stores.
In a June 3 letter, Reps. Lamar Smith (R-Texas) chairman of the Science, Space, and Technology Committee, and Barry Loudermilk (R-Ga.), chairman of the subcommittee on oversight, asked for seven year’s worth of information on cybersecurity reports, detailed incident descriptions, as well as documents and communications related to the Reserve’s National Incident Response Team (NIRT).
“According to recent media reports, the Federal Reserve detected more than 50 cyber breaches between 2011 and 2015, including several incidents involving hackers, as well as other breaches described by Federal Reserve officials as ‘espionage,'” the letter to Federal Reserve Chairwoman Janet Yellen stated. “Given the especially sensitive data stored on the Federal Reserve’s systems, which could be extremely valuable in the hands of foreign governments and those who seek to threaten the stability of the U.S. financial system, the committee is interested in learning how NIRT responds to security incidents, and how the group works to prevent threats from compromising information contained on the Federal Reserve’s systems.”
The Federal Reserve did not immediately respond to a request for comment.
The cyber incidents were first reported by Reuters through a Freedom of Information Act request.
The committee members’ letter also refers to 310 reports provided in the FOIA request, almost half of which included a hacking attempt, while “four hacking incidents in 2012 alone were considered acts of ‘espionage.'”
NIRT, according to the letter, handles “higher impact cases” with the Federal Reserve, and also oversees the agency’s cybersecurity policy.
The information Smith and Loudermilk requested includes:
All cybersecurity incident reports created by NIRT and local cybersecurity teams since Jan. 1, 2009.
A detailed description of all confirmed cybersecurity incidents since Jan. 1, 2009.
All documents and communications referring or related to higher impact cases handled by NIRT or local cybersecurity teams.
All documents and communications related to NIRT’s policies and procedures for responding to cybersecurity incidents, including the incident guide.
The two lawmakers asked for the information no later than June 17, and for the Federal Reserve to scheduled a briefing with the committee by June 10.
The letter is the latest investigation by the committee into a financial agency’s cyber posture.
In late May, Smith and Loudermilk requested Federal Deposit Insurance Corporation Chairman Martin Gruenberg’s testimony at a July hearing on “FDIC’s cybersecurity posture,” as well as additional documents and transcribed interviews related to five incidents when outgoing employees unknowingly downloaded customer data while they were saving personal information to their own devices.
FDIC Chief Information Officer Larry Gross testified at a May 12 hearing before the technology committee that the five “low risk” security incidents were not malicious.
But Gross admitted that because the agency lacks digital rights management (DRM), there’s no guarantee that data didn’t end up on someone else’s storage drive.