FDIC’s cyber posture called into question by auditors, Congress

A technology oversight committee wants the Federal Deposit Insurance Corporation to be more transparent when it comes to sharing information on recent cybersecu...

The chairman of the Federal Deposit Insurance Corporation is expected to answer Thursday for the missteps his agency took in reporting recent cyber breaches, as well as to explain what FDIC is now doing to protect confidential information from future incidents.

FDIC Chairman Martin Gruenberg is scheduled to testify July 14 before the House Committee on Science, Space and Technology, alongside acting Inspector General for FDIC Fred Gibson.

Gibson’s office recently released two audits, both calling for the strengthening of FDIC’s cybersecurity policy and systems.

The Republican members of the committee on July 12 released a report midway through its investigation into FDIC’s cybersecurity, which claims the agency has purposefully avoided congressional oversight, the agency’s chief information officer has created a “toxic work environment,” and FDIC is struggling with its cybersecurity.

“The committee’s interim report sheds light on the FDIC’s lax cybersecurity efforts,” said committee Chairman Lamar Smith (R-Texas) in a statement. “The FDIC’s intent to evade congressional oversight is a serious offense. Major improvements need to be made to the FDIC’s cybersecurity mechanisms.”

‘Outside of the FDIC’s control’

Both the committee report and the IG reports focus on two specific incidents, one that took place in Florida and another that occurred in New York, and on how each was reported and acted upon after its discovery.

The incidents would have been reported in the agency’s annual Federal Information Security Modernization Act (FISMA) report to Congress if not for recently revised guidance.

Following a February 2016 Inspector General report, FDIC Chief Information Officer Larry Gross directed the agency to review all security incidents that not only involved 10,000 or more records, but were “outside of the FDIC’s control for any length of time.”

According to the most recent July IG report, on Oct. 23, a member of FDIC’s Information Security and Privacy Staff detected through a Data Loss Prevention (DLP) tool that a former employee had copied sensitive data onto a USB device.

Two days later, Office of Management and Budget Director Shaun Donovan released new guidance on information security and management requirements. This included the definition of a “major incident” as one involving 10,000 or more records.

On Nov. 2, FDIC’s Gross took office.

Throughout November and into December, FDIC worked to retrieve the USB drive. Eventually, the former employee turned over the drive, but not before hiring an attorney. Auditors also discovered that the employee had set up two folders on the drive, one for personal information and another for FDIC documents.

“In addition, files were labeled with bank names or the types of bank data in the files,” the IG report stated. “The employee copied a significant quantity of information from an FDIC laptop on multiple occasions prior to the employee’s last day of employment. In one instance, data was downloaded for approximately 14 consecutive hours.”

The former employee did sign a document stating they had not shared that confidential information and were not in possession of any additional FDIC information in any format.

The IG determined that the Florida incident could have been designated a major incident as early as Dec. 2, but the agency did not tell Congress about the breach until February, when the OIG informed the CIO of that designation.

“Although the FDIC had established various incident response policies, procedures, guidelines and processes, these controls did not provide reasonable assurance that major incidents were identified and reported in a timely manner,” the audit report stated. “The FDIC’s incident response policies, procedures, and guidelines did not address major incidents. The large volume of potential security violations identified by the DLP tool, together with limited resources devoted to reviewing these potential violations, hindered meaningful analysis of the information and the FDIC’s ability to identify all security incidents, including major incidents.”


During a series of hearings, Gross testified on his thought process and decisions when it came to designating the incidents and how to report them.

He said that part of the problem is that FDIC lacks digital rights management (DRM) for its data, which means the agency can’t be 100 percent sure the information wasn’t copied outside of the agency’s walls.

FDIC has started the process of identifying DRM technology it can use and establishing an implementation timeline, Gross said in his testimony.

Gross drew criticism from some committee members, who raised concerns with his testimony as well as with his office’s production of documents for the committee’s investigation.

The committee report addresses the CIO’s testimony, agency cybersecurity posture, and the perceived lack of cooperation during the investigation.

“The committee remains concerned about the FDIC’s weak cybersecurity posture and its ability to prevent further breaches,” the committee report stated. “Further, the FDIC’s repeated unwillingness to be open and transparent with the committee’s investigation raises serious concerns about whether the agency is still attempting to shield information from production to Congress.”

An FDIC spokesman did not offer comment on the committee report, but pointed to the agency’s responses to the IG audits.

The spokesman also confirmed that currently five people out of the roughly 6,500 FDIC total employees are authorized to use portable storage devices. Those people work in the legal division.

The number reflects the reduction FDIC said earlier this year it would make in the number of employees with access to mobile media devices.

Insider threats

The other incident investigated by the IG took place on Sept. 29 in New York, when a member of FDIC’s Information Security and Privacy Staff detected through a DLP tool that a former employee had copied sensitive information onto an unencrypted USB device on their last day in the office.

“We identified a number of factors that contributed to the security incident involving sensitive resolution plans,” the IG report stated. “Most notably, an insider threat program would have better enabled the FDIC to deter, detect and mitigate the risks posed by the employee. In addition, a key security control designed to prevent employees with access to sensitive resolution plans from copying electronic information to removable media failed to operate as intended.”
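The IG quotes above describe two failure modes: a DLP tool producing more alerts than staff could review (so major incidents were not identified in time), and a removable-media control that was supposed to block copying but did not operate as intended. The script below is an added illustration of how a defender would triage that alert volume; it is not FDIC's tooling or anything from the IG reports. It works over a constructed set of DLP events, an assumed allow list of users authorized for portable storage (the article says five people in the legal division hold that authorization), the 10,000-record major-incident threshold cited on the page, and assumed session-gap and duration thresholds for "sustained bulk copying".

```python
"""Triage of constructed DLP alerts: aggregate per user, then flag candidate
major incidents, removable-media writes by unauthorized users, and sustained
copy sessions, so analysts see the highest-risk users first.
Added example; events, allow list and thresholds are constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real FDIC data). Fields mirror what a typical
# DLP tool records: who, when, where the data went, and how many records.
SAMPLE_EVENTS = [
    {"user": "jdoe", "ts": "2015-10-20T08:00:00", "dest": "usb", "records": 4000, "label": "bank_a_exam"},
    {"user": "jdoe", "ts": "2015-10-20T09:30:00", "dest": "usb", "records": 3500, "label": "bank_b_exam"},
    {"user": "jdoe", "ts": "2015-10-20T11:00:00", "dest": "usb", "records": 3000, "label": "bank_c_exam"},
    {"user": "asmith", "ts": "2015-10-21T10:00:00", "dest": "print", "records": 2, "label": "memo"},
    {"user": "legal1", "ts": "2015-10-21T10:15:00", "dest": "usb", "records": 50, "label": "litigation_hold"},
    {"user": "cchen", "ts": "2015-10-22T09:00:00", "dest": "usb", "records": 20, "label": "slides"},
    {"user": "bwang", "ts": "2015-10-22T14:00:00", "dest": "email", "records": 12, "label": "status_report"},
]

# Assumed allow list of users permitted to write to portable storage.
AUTHORIZED_REMOVABLE_USERS = {"legal1"}

MAJOR_INCIDENT_RECORDS = 10_000     # threshold from the OMB guidance cited on the page
SESSION_GAP = timedelta(hours=2)    # assumption: shorter gaps join one copy session
SUSTAINED_COPY = timedelta(hours=3) # assumption: session length worth a flag


def aggregate_by_user(events):
    """Collapse individual alerts into one summary per user."""
    summaries = defaultdict(lambda: {"records": 0, "removable_writes": 0,
                                     "labels": set(), "timestamps": []})
    for ev in events:
        s = summaries[ev["user"]]
        s["records"] += ev["records"]
        s["labels"].add(ev["label"])
        s["timestamps"].append(datetime.fromisoformat(ev["ts"]))
        if ev["dest"] == "usb":
            s["removable_writes"] += 1
    return dict(summaries)


def longest_session(timestamps):
    """Longest run of copy activity where consecutive events are <= SESSION_GAP apart."""
    ts = sorted(timestamps)
    best = current = timedelta(0)
    for prev, nxt in zip(ts, ts[1:]):
        if nxt - prev <= SESSION_GAP:
            current += nxt - prev
            best = max(best, current)
        else:
            current = timedelta(0)
    return best


def classify(summaries, authorized=AUTHORIZED_REMOVABLE_USERS):
    """Return {user: [flags]} for every user with at least one finding."""
    findings = {}
    for user, s in summaries.items():
        flags = []
        if s["records"] >= MAJOR_INCIDENT_RECORDS:
            flags.append("major_incident_candidate")
        if s["removable_writes"] and user not in authorized:
            flags.append("unauthorized_removable_media")
        if longest_session(s["timestamps"]) >= SUSTAINED_COPY:
            flags.append("sustained_bulk_copy")
        if flags:
            findings[user] = flags
    return findings


def triage(events, authorized=AUTHORIZED_REMOVABLE_USERS):
    """Users ordered by number of flags (then name) so the worst cases come first."""
    findings = classify(aggregate_by_user(events), authorized)
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for user, flags in triage(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(flags)}")
```

The point of the aggregation step is that no single alert in the sample crosses the 10,000-record line; only the per-user total does, which is how a "large volume of potential security violations" can hide a major incident when each alert is reviewed in isolation. The authorization check is the compensating detection for a blocking control that fails silently: if the allow list is short, any removable-media write by someone outside it is worth a look regardless of size.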

According to the audit, FDIC took steps to establish an insider threat program in 2014-15, but progress stopped by the fall of 2015, in part because the agency’s counterintelligence officer took a job with another agency in August. The position was still open when the IG finished its audit.

The OIG recommended FDIC work with its Executive Management Committee to create a corporate-wide insider threat program.

At the time of the incident, the CIO’s office and the Office of Complex Financial Institutions (OCFI) had not worked together to ensure controls like this were in place across FDIC and working.

“A contributing factor for the lack of policies, procedures, or assessment plans may have been the departure of OCFI’s permanent [information security manager] in April 2014,” the audit stated.

As a result of the incident, the Inspector General made six recommendations related to insider threats and control assurance, all of which FDIC concurred with and is continuing to address.

“We are committed to addressing each of the recommendations to further strengthen our controls and lower the risk of harm from the unauthorized release of sensitive information,” FDIC said in a response to the recommendations.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
