China Suspected in FDIC Breaches


New IG Audit Criticizes FDIC for Continued Lax InfoSec Practices

The Chinese government likely was responsible for the hacking of computers at the Federal Deposit Insurance Corp. in 2010, 2011 and 2013, according to a new congressional report.


Public disclosure of those breaches in the congressional report comes as the FDIC inspector general issued a new audit report that criticizes the agency for continued lax information security practices.

The interim report from the Republican staff of the House Science, Space and Technology Committee, dated July 12, says a foreign government - believed to be China - penetrated FDIC computers and the workstations of high-level FDIC officials, including the former chairman, former chief of staff and former general counsel. Hackers compromised 12 workstations and also penetrated 10 servers and infected them with a virus, the report notes.

The committee staff based its findings on a 2013 memo from the FDIC inspector general to the agency's chairman. "The OIG was particularly critical of the agency for violating its own policies and for failing to alert appropriate authorities," the interim report says.

China's Washington embassy did not immediately comment on the allegations, Reuters reports.

Panel Accuses CIO of Mismanagement

The congressional report outlines what staffers consider other slack cybersecurity efforts at the FDIC.

In a statement, the committee's chairman, Rep. Lamar Smith, R-Texas, says the panel's staff found FDIC CIO Larry Gross Jr. had engaged in mismanagement, misled Congress and retaliated against whistleblowers. "He has fostered a hostile work environment," Smith says. "It is also clear that the FDIC deliberately evaded congressional oversight. In addition, the committee found the FDIC has historically experienced deficiencies related to its cybersecurity posture, and those deficiencies continue to the present."

The FDIC, the U.S. agency that insures bank accounts, declined to comment on the interim report.

The agency's failure to follow its own security guidelines seems to persist. A new inspector general report says the FDIC had established various incident response policies, procedures, guidelines and processes, but these controls do not provide reasonable assurance that major incidents are identified and reported in a timely manner.

In its latest audit report issued July 8, the IG focused on a Florida incident involving a former FDIC employee who copied a large amount of sensitive agency information, including personally identifiable information, to removable media and took this information when the employee left the FDIC in October. The IG says the FDIC detected the incident through its data loss prevention tool.

Incident Response Policies Criticized

The IG criticized the FDIC's incident response policies, procedures and guidelines for not addressing major incidents. "The large volume of potential security violations identified by the DLP tool, together with limited resources devoted to reviewing these potential violations, hindered meaningful analysis of the information and the FDIC's ability to identify all security incidents, including major incidents," Mark Mulholland, assistant IG for audits, says in the report.
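The problem the assistant IG describes is a triage problem: a DLP tool that emits one alert per file operation produces far more events than a small team can read one at a time, so the single departing employee who copies gigabytes of PII to a USB drive is buried among hundreds of low-value hits. The script below is an added example, not FDIC tooling or any DLP product's own logic. It aggregates constructed DLP events per user, weights them by channel and data classification, and boosts users who appear in an (assumed) HR offboarding feed, so that a reviewer sees a short ranked queue instead of a raw event stream. The log format, the weights, the offboarding feed and all user names are assumptions made for the example.

```python
"""Rank DLP alerts by user rather than reviewing them one event at a time.

Added example with constructed data; not FDIC code and not any vendor's logic.
"""
from collections import defaultdict
from datetime import datetime

MIB = 1024 * 1024

# Constructed sample DLP export (assumed CSV layout):
# timestamp, user, channel, classification, bytes, path
SAMPLE_DLP_LOG = """\
2016-07-01T09:02:11Z,jdoe,removable_media,PII,524288000,/cases/bank_a/customer_list.xlsx
2016-07-01T09:05:40Z,jdoe,removable_media,PII,734003200,/cases/bank_b/loans.accdb
2016-07-01T09:07:02Z,jdoe,removable_media,INTERNAL,104857600,/cases/notes.docx
2016-07-01T09:20:13Z,jdoe,removable_media,PII,419430400,/cases/bank_c/depositors.csv
2016-07-01T10:11:55Z,asmith,email,INTERNAL,20480,/reports/weekly.docx
2016-07-01T10:12:01Z,bjones,print,PUBLIC,4096,/press/release.pdf
2016-07-01T11:30:00Z,asmith,removable_media,PUBLIC,8192,/templates/form.dotx
2016-07-01T12:00:45Z,cwang,email,PII,65536,/hr/one_record.pdf
2016-07-02T08:15:09Z,asmith,email,INTERNAL,30720,/reports/weekly2.docx
"""

# Hypothetical offboarding feed from HR: users with a separation date on file.
SEPARATING_USERS = {"jdoe": datetime(2016, 7, 15)}

# Assumed weights: exfiltration channel and sensitivity of the data.
CHANNEL_WEIGHT = {"removable_media": 3.0, "email": 1.5, "print": 1.0}
CLASS_WEIGHT = {"PII": 3.0, "INTERNAL": 1.0, "PUBLIC": 0.0}


def parse_events(text):
    """Parse the CSV export into dicts; one dict per DLP event."""
    events = []
    for line in text.strip().splitlines():
        ts, user, channel, cls, nbytes, path = line.split(",", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "channel": channel,
            "cls": cls,
            "bytes": int(nbytes),
            "path": path,
        })
    return events


def event_score(event):
    """Channel weight x classification weight x size in MiB."""
    return (CHANNEL_WEIGHT.get(event["channel"], 1.0)
            * CLASS_WEIGHT.get(event["cls"], 1.0)
            * (event["bytes"] / MIB))


def triage(events, now, separating=SEPARATING_USERS, horizon_days=30):
    """Collapse events into one row per user, highest risk first.

    A user with a separation date within `horizon_days` of `now` has the
    score doubled, since the departing-employee case is the one the
    reviewer most needs to see early.
    """
    per_user = defaultdict(list)
    for event in events:
        per_user[event["user"]].append(event)

    rows = []
    for user, evs in per_user.items():
        score = sum(event_score(e) for e in evs)
        leaving = (user in separating
                   and 0 <= (separating[user] - now).days <= horizon_days)
        if leaving:
            score *= 2.0
        rows.append({
            "user": user,
            "score": score,
            "events": len(evs),
            "pii_bytes": sum(e["bytes"] for e in evs if e["cls"] == "PII"),
            "removable_bytes": sum(e["bytes"] for e in evs
                                   if e["channel"] == "removable_media"),
            "separating": leaving,
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


def run_demo(now=datetime(2016, 7, 2)):
    """Run the triage over the constructed sample log."""
    return triage(parse_events(SAMPLE_DLP_LOG), now)


if __name__ == "__main__":
    for row in run_demo():
        print("{user:8s} score={score:10.2f} events={events} "
              "pii_bytes={pii_bytes} separating={separating}".format(**row))
```

Nine raw alerts become four rows, and the user who copied several hundred MiB of PII to removable media days before a recorded separation date sits at the top with a score three orders of magnitude above the next entry. Whatever the real weights are, the point is that the review queue should be keyed on who is moving how much of what, not on individual file events.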

Based on its analysis of the Florida incident, the assistant IG concluded that the FDIC failed to properly apply the criteria in Office of Management and Budget guidance when it determined that the incident was not major. Specifically, Mulholland says the FDIC based its determination on various mitigation factors related to the "risk of harm" posed by the incident.

Defining Major Incidents

OMB guidance, Memorandum 16-03, issued last October, provides a complex definition of a major incident, which could include compromise of confidential and personally identifiable information, inability to recover or delay in recovering data, and damage to the functionality of systems. OMB says the definition is subject to change based upon incidents, risks, recovery activities or other relevant factors.

FDIC CIO Gross, in a written response to the IG audit, says the agency, in retrospect, should not have considered what it believed to be mitigating factors when applying Office of Management and Budget major incident guidelines. "We have since updated our internal procedures to refer FDIC employees and contractors directly to the OMB guidelines on what constitutes a major incident," he says. "We believe this will be effective in ensuring proper assessment of any future incidents."
