On July 14, 2016, a congressional hearing was held at which FDIC Chairman Martin Gruenberg was questioned by members of the Committee on Science, Space and Technology regarding several internal and external breaches that further cast a shadow on the Federal Deposit Insurance Corp.'s commitment to cybersecurity. The issues raised were significant, including cover-ups of several serious data breaches and attacks, as well as evasion of government oversight.
The investigation report claimed systemic mismanagement and toxic work environments undermined the FDIC's cybersecurity posture, and the CIO retaliated against the CISO and other cybersecurity staff members who spoke out. This tip takes a closer look at the FDIC investigation and cybersecurity management problems the report revealed. How did the situation get so out of control? What were the biggest failures of the FDIC's leadership? How can they be corrected?
A brief history of FDIC cybersecurity breaches
To understand the significance of the congressional investigation into the FDIC, it's important to first understand the FDIC's history with cybersecurity. The FDIC cybersecurity breaches in recent years have been numerous.
- The former FDIC chairwoman's personal computer was hacked by a foreign government between 2010 and 2013.
- Advanced persistent threats, believed to be the work of the Chinese government, compromised an FDIC employee's desktop computer in both 2011 and 2013.
- On Sept. 29, 2015, the FDIC learned of a data breach that took place in New York, in which an employee intentionally left with a portable USB storage device that contained sensitive information -- including living wills, banking information and Social Security numbers -- of approximately 30,000 individuals. The FDIC failed to report this data breach to Congress as it is required to do.
- On Feb. 26, 2016, the FDIC reported a breach that took place in Florida on Oct. 15, 2015 -- and that it learned of on Oct. 23, 2015 -- in which personally identifiable information for over 10,000 individuals was copied onto a personal portable USB storage device before the employee at fault stopped working for the FDIC. It was later found that this employee had stored over 100,000 files on the device, affecting over 70,000 individuals and organizations. The FDIC misrepresented the effects of this major data breach, as well as the intent of the employee, whom the FDIC claimed had done this unwittingly and without malice. It took the FDIC until Dec. 8, 2015, to retrieve the USB device from the former employee.
- In March 2016, the FDIC reported a security breach occurring in Texas in which an employee on Feb. 26, 2016, copied sensitive data of 44,000 individuals onto a personal portable USB storage device before separating from the FDIC and leaving FDIC premises with the device. The USB device was recovered on March 1, 2016.
- Five additional major incidents took place at the FDIC between March and May 2016, which led to the personally identifiable information of over 160,000 individuals in total leaving the FDIC. None of these incidents was reported until May 2016, and the FDIC claimed they were all accidental.
The FDIC has approximately 8,700 employees and reportedly follows NIST's Framework for Improving Critical Infrastructure Cybersecurity. Its implementation includes a data loss prevention (DLP) product that captures all traffic flowing through its firewalls and endpoints, even when the endpoints are offline. Based on the hearing dialogue, the DLP product captured the download of sensitive data during the October 2015 Florida data breach, but the FDIC was not aware of it for eight days.
After a February 2016 Office of Inspector General (OIG) letter, the FDIC configured its DLP to block all downloads to USB drives except for limited use by OIG, legal and Government Accountability Office personnel. With adequate cybersecurity staffing, the FDIC should be able to correlate hits on those DLP rules with other signals, such as an employee's pending separation, to identify anomalous activity. Despite the FDIC's claims to follow the remediation suggested by the OIG, the committee's investigation indicates a lack of confidence in FDIC cybersecurity measures.
The Committee on Science, Space and Technology's investigation also stated that the FDIC lacked an insider threat prevention program throughout all of the above-mentioned security incidents.
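The correlation the preceding paragraphs call for, written as an added example (not FDIC code, and not drawn from the Interim Staff Report): DLP endpoint events are joined with an HR separation feed so that a USB copy by a non-exempt user, a copy within a window before the user leaves, or a copy that crosses the OMB M-16-03 10,000-record threshold is flagged, and a seven-day congressional reporting deadline is attached to any major incident. The log format, the field names, the sample events and the 30-day separation window are all assumptions made for the example; the exempt groups and the thresholds are the ones the text describes.

```python
"""Added example: correlate DLP endpoint events with an HR separation feed
to flag USB exfiltration and compute the OMB M-16-03 reporting deadline.
Log format, field names, sample data and the 30-day window are assumptions."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

EXEMPT_GROUPS = {"OIG", "Legal", "GAO"}   # groups still permitted to write to USB
MAJOR_INCIDENT_RECORDS = 10_000           # OMB M-16-03 record threshold
REPORT_WITHIN = timedelta(days=7)         # OMB M-16-03 reporting window
SEPARATION_WINDOW_DAYS = 30               # assumed: copies this close to leaving are suspect


@dataclass
class Finding:
    user: str
    when: datetime
    records: int
    major: bool
    report_by: Optional[datetime]         # set only for major incidents
    reasons: List[str] = field(default_factory=list)


# Constructed sample DLP export: timestamp|user|group|action|destination|pii_records
SAMPLE_DLP_LOG = """\
2015-10-15T17:42:10|jdoe|Exams|file_copy|usb_removable|71000
2015-10-16T09:03:55|asmith|Legal|file_copy|usb_removable|12
2016-02-26T16:20:31|rlee|Exams|file_copy|usb_removable|44000
2016-03-03T11:15:02|tnguyen|Exams|file_copy|network_share|5000
2016-03-04T08:00:00|tnguyen|Exams|file_copy|usb_removable|300
"""

# Constructed sample HR feed: user|separation_date
SAMPLE_HR_FEED = """\
jdoe|2015-10-16
rlee|2016-02-26
"""


def parse_dlp(text: str) -> List[dict]:
    """Parse the pipe-delimited DLP export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, group, action, dest, records = line.split("|")
        events.append({"when": datetime.fromisoformat(ts), "user": user,
                       "group": group, "action": action, "dest": dest,
                       "records": int(records)})
    return events


def parse_hr(text: str) -> Dict[str, date]:
    """Parse the HR feed into {user: separation_date}."""
    seps = {}
    for line in text.splitlines():
        if line.strip():
            user, day = line.split("|")
            seps[user] = date.fromisoformat(day)
    return seps


def correlate(events: List[dict], separations: Dict[str, date]) -> List[Finding]:
    """Flag USB file copies that violate the USB policy, cluster around a
    separation date, or cross the major-incident threshold.  The reporting
    deadline is computed from the DLP capture time, i.e. the best case in
    which the SOC acts on the alert the moment it fires."""
    findings = []
    for ev in events:
        if ev["action"] != "file_copy" or ev["dest"] != "usb_removable":
            continue
        reasons = []
        if ev["group"] not in EXEMPT_GROUPS:
            reasons.append("USB write by non-exempt group")
        sep = separations.get(ev["user"])
        if sep is not None and 0 <= (sep - ev["when"].date()).days <= SEPARATION_WINDOW_DAYS:
            reasons.append(f"copy within {SEPARATION_WINDOW_DAYS} days of separation")
        major = ev["records"] >= MAJOR_INCIDENT_RECORDS
        if major:
            reasons.append(f"{ev['records']} PII records >= {MAJOR_INCIDENT_RECORDS}")
        if not reasons:
            continue
        findings.append(Finding(ev["user"], ev["when"], ev["records"], major,
                                ev["when"] + REPORT_WITHIN if major else None, reasons))
    return findings


def days_late(detected_at: datetime, reported_at: datetime) -> int:
    """Days by which a report to Congress missed the seven-day window (0 if on time)."""
    return max(0, (reported_at - (detected_at + REPORT_WITHIN)).days)


if __name__ == "__main__":
    for f in correlate(parse_dlp(SAMPLE_DLP_LOG), parse_hr(SAMPLE_HR_FEED)):
        print(f.when.date(), f.user, f.records, "MAJOR" if f.major else "minor",
              "report by", f.report_by.date() if f.report_by else "-", "; ".join(f.reasons))
```

In the sample data the Legal user's small copy is not flagged (exempt group, no separation pending, under the threshold), the network-share copy is ignored because the rule only covers removable media, and the two large copies on or just before a separation date come out as major incidents with a deadline seven days from capture. Feeding `days_late` the Florida dates from the text (learned Oct. 23, 2015, reported Feb. 26, 2016) shows how far outside the window that report fell.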
Read the full Interim Staff Report from the Committee on Science, Space and Technology's investigation.
OMB Memo 16-03
In October 2015, the Office of Management and Budget (OMB) issued guidance (Memorandum M-16-03) that requires all federal executive branch agencies to report incidents designated as "major" to Congress within seven days.
A major incident is one that involves information that is Classified, Controlled Unclassified Information (CUI) Proprietary, CUI Privacy or CUI Other. An incident is also major if it involves exfiltration, modification, deletion, unauthorized access to, or loss of availability of information or a system where 10,000 or more records or users were affected.
Several of the FDIC's incidents occurred after the OMB guidance took effect, yet they were repeatedly reported after the required reporting period. On Feb. 19, 2016, the FDIC received an OIG memo analyzing the Florida incident, in which a former employee had downloaded sensitive data onto a USB drive; the memo found that the FDIC had apparently not applied the OMB guidance properly, since the incident involved more than 10,000 Social Security numbers and should have been reported within seven days.
FDIC cybersecurity issues
The issues with the FDIC appear to be numerous. One obvious issue is its delay in complying with the OMB reporting requirement. Another is management's judgment in determining whether an incident is major or not. The DLP product used by the FDIC is a powerful tool and can identify a multitude of incident activity when used correctly. During the hearing, Gruenberg stated that, at one point, the DLP product had failed to prevent data from being copied to a USB drive, and that a new version of the DLP product would be installed by Aug. 26, 2016. Over time, the FDIC can use this tool effectively for both prevention and detection of sensitive data exfiltration.
Several whistleblowers came forward during the committee's investigation and provided insight into further issues within the FDIC, including:
- The FDIC Deputy General Counsel directed staff on more than one occasion not to put in writing any comments or opinions related to major FDIC cybersecurity breaches;
- The FDIC was mischaracterizing the severity of the breaches and intentionally withholding information from Congress; and
- It was also noted during the hearing that some FDIC cybersecurity staff members who spoke out were retaliated against by the CIO, Larry Gross. No details were provided on the nature of the retaliation.
FDIC cybersecurity leadership
During the July 14, 2016, hearing, FDIC Chairman Gruenberg appeared to be grossly unprepared for this line of questioning. He appeared to be uninformed and deferred to further investigation on his part in answering numerous questions from committee members. He was not even sure whether all FDIC employees are required to sign an acceptable use agreement, or whether the AUA was in the FDIC employee handbook. Barry Loudermilk (R-Ga.), who co-chaired the committee, stated a concern that Gruenberg was "not prepared or has [not] taken this meeting seriously."
On Nov. 12, 2015, Gross had appeared before the same congressional committee and stated that the earlier incidents were "inadvertent and non-adversarial." Based on the activity then and since, the committee questioned whether Gross was fit to serve as the CIO. Gross' testimony and questioning leave the impression that he does understand cybersecurity and risk. He has excellent credentials and experience. However, the committee chair, Lamar Smith (R-Texas), opened the July 14, 2016, hearing by stating that Gross had "created a toxic work environment, misled Congress and retaliated against whistleblowers."
Even when a C-level executive has the proper credentials and understands cybersecurity, that person may not be suited for the role of CIO or CISO if there's a lack of understanding about proper security management. In addition, organizations need better reporting structures to prevent situations where a single executive is preventing security issues from being elevated and addressed in a timely manner.
One additional control that Gross recommended to Gruenberg was the implementation of digital rights management (DRM) to protect sensitive data. Loudermilk's subject matter experts had informed him that DRM, if implemented, would effectively disable DLP monitoring, since a DLP product cannot inspect the contents of files it cannot decrypt. The FDIC also had a plan to replace all workstations with laptops because they could be better controlled. The Interim Staff Report showed that other security professionals working within the FDIC were concerned the laptop program would cost a great deal to very little effect. Loudermilk and other committee members questioned Gross' and Gruenberg's judgment in deciding to go ahead with the program anyway, since exfiltration was the major issue.
Both Gruenberg and Gross remain in their current positions of chairman and CIO, respectively, at the FDIC.