A new congressional investigative report found that the FDIC covered up approximately 11 cybersecurity incidents,...
including multiple APT attacks by hackers believed to be linked to the Chinese government.
The House of Representatives' Committee on Science, Space and Technology followed up after finding anomalies in the Federal Deposit Insurance Corporation's (FDIC) annual Federal Information Security Modernization Act (FISMA) report. In February and March of 2016, the FDIC submitted notifications of major breaches to Congress, but the FDIC Office of Inspector General (OIG) found further misrepresentations in how the FDIC described the incidents, especially in the number of records impacted.
According to the committee report, the FDIC suffered approximately eight major breaches -- defined as the loss of more than 10,000 records -- by former employees who stole portable drives containing personal data on more than 300,000 individuals or entities. At least one of these breaches was referenced in the FISMA report, but the FDIC did not notify Congress on any of them, and at least one of the stolen drives was never recovered.
The committee also found a 2013 memo from then-FDIC Inspector General Jon Rymer to FDIC Chairman Martin Gruenberg informing him of a cybersecurity incident in October 2010 in which an FDIC employee's desktop computer was compromised by an advanced persistent threat (APT).
"The advanced persistent threat in this case is believed to have been the Chinese government. The same threat was able to compromise FDIC computers in 2011, and again in April 2013," the report reads. "In essence, a foreign government penetrated computers and the workstations of high-level agency officials, including the former chairman, the former chief of staff, and the former general counsel of the agency. In all, 12 workstations were compromised and 10 FDIC servers were penetrated and infected by a virus created by a hacker."
The committee investigation findings said the FDIC deliberately evaded congressional oversight, historically experienced deficiencies and continues to have deficiencies in its cybersecurity posture, and even that the CIO "has created a toxic work environment, misled Congress, and retaliated against whistleblowers."
Rebecca HeroldCEO, The Privacy Professor
The committee report also suggested that "inconsistency in leadership" may have hurt the FDIC's security posture because the agency had a number of acting CIOs and only one permanent CIO in the time before current CIO Lawrence Gross took over in November 2015.
Michael Angelo, chief security architect at Micro Focus, told SearchSecurity that neither the fact that the FDIC was hacked nor the fact that they didn't tell anyone surprised him.
"Unfortunately, I believe it is endemic in the federal culture," Angelo said. "That is, when we have the leaders of the federal government implying, if not stating, they didn't understand the rules for protection of information and that those rules were not convenient, how can we expect anything different from the average federal employee?"
Rebecca Herold, CEO at The Privacy Professor, said she wasn't surprised about the breaches within the FDIC but was disappointed in how it was handled.
"For a government agency that depends upon its credibility to obtain the trust of the public for how it is overseeing the nations' money and investments, it puts a big bruise on their reputation," Herold said. "When it comes to data protection and technology, cover ups create more problems, and allow for what may have started as a small issue that could have been addressed upfront to grow to a full blown data exfiltration tsunami."
Angelo said the covered up APT attacks were the more serious findings in the committee report.
"While the information leakage is bad, and could hurt a few people, an APT attack could have been worse," Angelo said. "Imagine if the APT delivered a ransomware payload, and all the accounts in a branch or financial institution were locked?"
Herold said it was unacceptable that malicious APT code was able to be loaded into government networks and questioned the protections and security audits in place. However, she said that while the APT attack was very bad, government agencies are often targets of such attacks and improving security could prevent such cyberattack incidents in the future.
"The insider threat is probably worse. Humans are inherently flawed and will always be the weakest link in information security; there are no technology patches you can apply to them that will predictably produce results. These are individuals who have been cleared and given access to incredibly sensitive information. They were entrusted to protect this information," Herold said. "This access also leads to the personal and other sensitive information of Americans; paths to large vaults of data that is of high value to those who may have opportunities to misuse it, and result in a wide variety of significant harms to those associated individuals, and damage to the U.S. government as well as businesses for the sensitive and classified data that was obtained."
Learn more about CSA security frameworks for government cloud security.
Get info on how government agencies are struggling with security data analytics.