China Suspected in FDIC BreachesNew IG Audit Criticizes FDIC for Continued Lax InfoSec Practices
The Chinese government likely was responsible for the hacking of computers at the Federal Deposit Insurance Corp. in 2010, 2011 and 2013, according to a new congressional report.
Public disclosure of those breaches in the congressional report comes as the FDIC inspector general issued a new audit report that criticizes the agency for continued lax information security practices.
The interim report from the Republican staff of the House Science, Space and Technology Committee, dated July 12, says a foreign government - "likely the Chinese" - penetrated computers and the workstations used by high-level FDIC officials, including chairwoman Sheila Bair, who ran the agency from 2006 until 2011, as well as a former chief of staff and former general counsel. Hackers compromised 12 workstations and also penetrated 10 servers and infected them with a virus, the report notes.
The committee staff based its findings on a 2013 memo from the FDIC inspector general to the agency's chairman. "The OIG was particularly critical of the agency for violating its own policies and for failing to alert appropriate authorities," the interim report says. The report also claims that the hack attacks were covered up to help smooth the Congressional confirmation process for FDIC Chairman Martin Gruenberg, who was nominated to lead the agency in 2011.
China Dismisses Allegations
The Chinese government, however, has dismissed reports that it hacked the FDIC. Chinese Foreign Ministry spokesman Lu Kang, speaking to reporters in Beijing on July 14, stated that China is opposed to hacking, and said that any related allegations should be documented with evidence, rather than couched in words such as "maybe" and "perhaps," Reuters reports.
"This is extremely irresponsible," he said.
This isn't the first time that Washington has accused China of hacking into U.S. government agency systems, including the breach of the U.S. Office of Personnel Management. The Chinese government confirmed that the attack emanated from China but claimed to not be involved (see China: Chinese Criminals Hacked OPM).
Cybersecurity consultant Shane Shook, who's helped investigate some of the FDIC breaches, tells Reuters that he has yet to see convincing evidence that the Chinese government perpetrated the hacks. "As with all government agencies, there are management issues stemming from leadership ignorance of technology oversight," he said.
FDIC Chairman Gruenberg and Acting Inspector General Fred Gibson are due to testify Thursday before the U.S. House Science, Space, and Technology Committee, on the agency's cybersecurity practices.
Panel Accuses CIO of Mismanagement
The congressional report outlines what staffers consider to be other slack cybersecurity efforts at the FDIC.
In a statement, the committee's chairman, Rep. Lamar Smith, R-Texas, says the panel's staff found the FDIC's CIO, Larry Gross Jr., had engaged in mismanagement, misled Congress and retaliated against whistleblowers. "He has fostered a hostile work environment," Smith says. "It is also clear that the FDIC deliberately evaded congressional oversight. In addition, the committee found the FDIC has historically experienced deficiencies related to its cybersecurity posture, and those deficiencies continue to the present."
But the committee's ranking member, Rep. Eddie Bernice Johnson, D-Texas, disputes Smith's contention that Gross was intentionally misleading and obstructed the committee's investigation into these matters. "I am not dismissing the testimony of some of the FDIC employees who have been interviewed," she said. "But it is our responsibility to make sure we have all of the evidence and have heard from all parties before we begin to wave around serious allegations of criminal intent."
The FDIC, the U.S. agency that insures bank accounts, declined to comment on the interim report.
The agency's failure to follow its own security guidelines seems to persist. A new inspector general report says the FDIC had established various incident response policies, procedures, guidelines and processes, but these controls do not provide reasonable assurance that major incidents are identified and reported in a timely manner.
In its latest audit report issued July 8, the IG focused on a Florida incident involving a former FDIC employee who copied a large amount of sensitive agency information, including personally identifiable information, to removable media and took this information when the employee left the FDIC in October. The IG says the FDIC detected the incident through its data loss prevention tool.
Incident Response Policies Criticized
The IG criticized the FDIC's incident response policies, procedures and guidelines for not addressing major incidents. "The large volume of potential security violations identified by the DLP tool, together with limited resources devoted to reviewing these potential violations, hindered meaningful analysis of the information and the FDIC's ability to identify all security incidents, including major incidents," Mark Mulholland, assistant IG for audits, says in the report.
Based on its analysis of the Florida incident, the assistant IG concluded that the FDIC failed to properly apply the criteria in Office of Management and Budget guidance when it determined that the incident was not major. Specifically, Mulholland says the FDIC based its determination on various mitigation factors related to the "risk of harm" posed by the incident.
Defining 'Major Incidents'
OMB guidance, Memorandum 16-03, issued last October, provides a complex definition of a major incident, which could include compromise of confidential and personally identifiable information, inability to recover or delay in recovering data, and damage to the functionality of systems. OMB says the definition is subject to change based upon incidents, risks, recovery activities or other relevant factors.
Gross, who became the FDIC's CIO in 2015, says in a written response to the IG audit that in retrospect, the agency should not have considered what it believed to be mitigating factors when applying Office of Management and Budget major incident guidelines. "We have since updated our internal procedures to refer FDIC employees and contractors directly to the OMB guidelines on what constitutes a major incident," he says. "We believe this will be effective in ensuring proper assessment of any future incidents."