The steps the Federal Deposit Insurance Corporation is taking to address cybersecurity weaknesses are at best misguided, and at worst, could jeopardize the agency in the future. That’s according to members of the House Committee on Science, Space and Technology.
Lawmakers warned FDIC Chairman Martin Gruenberg to reconsider some of his agency’s ongoing cybersecurity updates and the leadership of the FDIC’s information technology office.
“It appears some of these initiatives [FDIC Chief Information Officer Larry Gross] is spearheading are not solutions that are really going to fix the problem, but may exacerbate the problem and make it worse. … Maybe he’s just responding to the inquiries of this committee to show that he’s doing something, but it will not actually have a positive effect but will have a negative effect,” said Rep. Barry Loudermilk (R-Ga.).
But Gruenberg defended Gross’ actions, which are trying to deal with a series of seven data breaches involving tens of thousands of confidential files.
“He’s been on the job for 9 or 10 months, and I think our sense is — believe me we will carefully consider the points you raise — I think our sense is we’d like to give him an opportunity to do the job, and we will evaluate and I assure you we will hold him accountable, but we want to at least give him a fair chance,” Gruenberg said.
Initiatives launched as a result of the breaches include a drawdown in the number of FDIC employees authorized to use USB devices, as well as the deployment of digital rights management (DRM) technology and the purchase of 3,000 laptops for employee use.
According to the committee’s investigation — details of which it released July 13 — the laptops would cost about $5 million, but Gross has not secured the funding.
Loudermilk asked Gruenberg whether he thought the DRM technology was a good idea. When Gruenberg said “yes,” Loudermilk summarized a redacted FDIC whistleblower email that said the technology would “actually render the agency’s current data loss prevention (DLP) tool ineffective.”
“This makes DRM a high risk to undetected data loss,” Loudermilk said. “That sounds like an environment supported by [Gross] who doesn’t really understand what he’s doing.”
Gross did not attend the July 14 hearing, but previously testified before the committee on the series of cyber incidents at FDIC, including a breach in October.
That breach occurred when an outgoing FDIC employee downloaded confidential data onto a personal USB device. While the agency eventually recovered the device, an FDIC inspector general report determined that the breach could have been designated a major incident earlier than it was. The IG also found room for the FDIC to improve how it uses its data loss prevention tools, to update its incident response policies and to incorporate the Office of Management and Budget’s guidance on determining what counts as a major cyber incident.
“We may have gotten it wrong, while the CIO may have gotten it wrong, I think, at least from my perspective, there was an honest effort here to review the guidance, consider the mitigating factors and make a reasonable judgment. The judgment may have been wrong, but I don’t think there was malintent there,” Gruenberg said. “What we had was a confluence of developments. The breach occurred and was identified, the guidance was issued and our CIO assumed his new position, and was sort of presented with — if I may say, for a guy just starting the job — a pretty difficult situation to sort through. He had the breach occur, the decision was made, even though the breach occurred before the issuance of the guidance, there’d be an effort made to apply the guidance to the breach, but it was new guidance, a first impression without real precedent to go by.”
Rep. Suzanne Bonamici (D-Ore.) wanted additional information on the FDIC’s implementation of the DLP tool, specifically a new version launched in September that helped flag the breaches in question and that found more than 604,000 potential security violations. Of those, Bonamici said, about 400,000 were related to removable media such as USB devices.
“My understanding is it’s up to some individual to sort through those incidents to determine which are most suspicious in order to see if they were legitimate downloads or indicated potential unauthorized activity,” Bonamici said. “It seems a bit like looking for a needle in a haystack.”
FDIC acting IG Fred Gibson said the DLP tool was “tremendously important” but it required more resources in order to be more effective.
“I would agree that digging through the volume of reports that the individual who’s tasked with that has had to dig through really is like looking for a needle in a haystack,” Gibson said. “I think that could be resolved by devoting some additional resources to it; we’ve recommended that be resourced differently.”
“By additional resources do you mean additional people looking for the needles in the haystack or do you mean some other approach?” the congresswoman asked.
“Both,” Gibson said.
Gibson also said investigations on the data breaches were still open, but had not reached the stage where information should be made publicly available.
Some committee members have taken issue with Gross’ prior testimony, the FDIC’s lack of an insider threat program and a dedicated information security manager, and the agency’s perceived lack of cooperation in working with Congress for the investigation.
“We’re focusing on one or two individuals, but really the IT department at your agency can’t be as strong as one new employee,” said Rep. Warren Davidson (R-Ohio). “You’ve got a robust staff and so I’d be curious to know what sort of recommendations and dialogue, and frankly from whistleblower information it seems like there’s really not a lot of support for some of the direction your new CIO is going. That doesn’t mean that it’s accurate to your point. I appreciate your desire to look into it, but I’d also ask you to look into the culture. It sounds like this culture is perhaps maybe partisan cover ups. There’s a lot of pressure to perform, there’s cover ups there, a culture that doesn’t provide the kind of transparency is not likely to be able to deliver the kind of results that your mission requires, so I’m very concerned about that.”
Rep. Eddie Bernice Johnson (D-Texas) said while it’s clear that FDIC did not initially provide all the documents requested by the committee, she did not agree with her Republican colleagues “as to what constitutes evidence of intent,” and a desire to obstruct the investigation.
“I do not believe the committee has uncovered convincing evidence to support those allegations,” Johnson said. “I am not dismissing the testimony of some of the FDIC employees who have been interviewed. But it is our responsibility to make sure we have all of the evidence and have heard from all parties before we begin to wave around serious allegations of criminal intent.”