The Federal Deposit Insurance Corporation's CIO and inspector general offices have differing opinions on what constitutes a "major" cybersecurity incident and lawmakers are looking into these discrepancies.
The corporation suffered several data breaches over the last few years, at least seven of which were the result of employees taking sensitive information with them when moving on to new jobs. Initially, the FDIC declined to label these as major incidents, which would require immediate reporting to Congress. However, subsequent to IG investigations and news reports, it was determined all seven rose to this level and they were retroactively reported.
All totaled, these seven incidents affected some 160,000 individuals, including the leak of Social Security numbers and other personally identifiable information (PII).
While these incidents were eventually reported, the delay and disconnect between the CIO and IG has raised some concerns, which were the subject of a May 12 hearing of the House Committee on Science, Space and Technology's Subcommittee on Oversight.
"We identified several inconsistencies here today by the FDIC," Oversight Subcommittee Chairman Barry Loudermilk, R-Ga., said at the end of the May 12 hearing.
Loudermilk and legislators from both sides of the aisle questioned FDIC CIO Larry Gross and acting IG Fred Gibson for almost two hours on the proper procedures for reporting and why the corporation seemed to fail to meet those requirements.
The hearing centered on two breaches, both of which included former employees leaving the FDIC with portable hard drives containing tens of thousands of sensitive records. In one — in which 44,000 records were taken — the breach was detected and the drive returned within days.
The second — known internally at the FDIC as the "Florida incident" and referred to at the hearing as the October incident — only included about 10,000 records. However, these records were not returned for more than six weeks and FDIC officials took more than four months to report the breach to Congress.
An internal IG report obtained by Federal Times showed the CIO's office declined to label these incidents as "major." Under the lesser designation, FDIC was required to report them in its annual incident report but not under the shorter, seven-day timeline required for major incidents.
"I judged the risk of harm to be very low, meaning that the reporting of these incidents would fall under the annual FISMA notifications to Congress," Gross said. "It was not a question of whether the incident would be reported; it's a matter of when it is reported."
Gross said reviews of all seven security incidents appeared to show the employees' actions were "inadvertent and non-adversarial," without any malicious intent.
The CIO told Congress the employees involved in these incidents were not very computer-savvy, which led to them taking more data than they intended. Rather than spend time and resources on these, Gross said the agency instead chose to focus on incidents with more malicious intent, such as someone breaking into an employee's car to steal sensitive information.
When prompted, Gibson said he disagrees with this assessment, stating that he and Gross have a "different interpretation of these facts."
Gibson said the IG office has investigated all seven incidents and one criminal investigation remains open. He declined to go into detail on that investigation, as it is currently in the pre-indictment phase.
Representatives also questioned whether FDIC officials had fully honored the committee's requests for documents.
Loudermilk held up responses from the CIO and IG side by side, noting the latter was significantly thicker. Gross said much of the documentation in the IG's response was duplicative — such as multiple copies of FDIC's breach guidance — and reiterated several times that he thought his office's response was full and comprehensive.
Not everyone agreed.
"This Committee has uncovered a pattern of obstruction," said Rep. Lamar Smith, R-Texas, chairman of the full committee. Smith pointed to what he considered to be unnecessary redactions in the CIO's documentation.
"Additionally, the Committee learned that the agency actively obstructed the Committee's ongoing investigation by limiting the scope of the documents produced," he added. "The breaches reported to Congress represent only those the agency itself called 'major.' In reality, the FDIC likely has experienced additional breaches deemed insufficient by the agency to warrant reporting to Congress."
The hearing wrapped without many answers or hard details, though the inquiry is far from over.
Gibson said the IG office is in the midst of two audits: One examining the process for identifying and reporting major incidents and another assessing the internal controls for mitigating the risk of future breaches.
At the conclusion of the hearing, Loudermilk said another would be scheduled when those audits are completed, during which he hopes to hear testimony from FDIC Chairman Martin Gruenberg.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.