Lawmakers want answers to ‘significant shortfalls’ in FDIC cybersecurity

Amid debate on Capitol Hill over the future of federal IT systems, members of the congressional committee that oversees the development of cybersecurity standards are demanding answers from the Federal Deposit Insurance Corporation on its reporting of two data breaches, and how the agency plans to address future incidents.

Reps. Lamar Smith (R-Texas), chairman of the Science, Space, and Technology Committee, and Barry Loudermilk (R-Ga.), chairman of the subcommittee on oversight, requested FDIC Chairman Martin Gruenberg’s testimony at a July hearing on “FDIC’s cybersecurity posture,” as well as additional documents and transcribed interviews related to five incidents in which outgoing employees unknowingly downloaded customer data while they were saving personal information to their own devices.

“The [committee] is continuing its oversight of recent security events at the [FDIC]. … Additional information has come to light regarding the effectiveness of the agency’s cybersecurity measures, attempts to circumvent providing full and complete responses to the committee’s requests, and concerns that the agency may attempt to take retaliatory action against whistleblowers,” the lawmakers said in their May 24 letter. “As an agency that has faced a seemingly never ending series of security breaches, it should focus its resources first and foremost on reforming its internal cybersecurity mechanisms, instead of endeavoring to conceal information from the committee.”

Smith and Loudermilk also requested the testimony of nine other information security and legislative affairs personnel from the agency.


An FDIC spokesperson declined to comment on the letter, the second in as many weeks from the committee to Gruenberg.

A May 19 letter requests the FDIC chairman review testimony of the agency’s chief information officer Larry Gross, and either clarify or amend it.

Gross testified at a May 12 hearing before the technology committee that the five “low risk” security incidents were not malicious.

But Gross admitted that because the agency lacks digital rights management (DRM), there’s no guarantee that data didn’t end up on someone else’s storage drive.

“This information raises serious concerns about whether additional data breaches have occurred without detection due to inherent weaknesses in the FDIC’s systems used to monitor data breaches,” Smith and Loudermilk’s letter said. “Even more troublesome, the committee is concerned that Mr. Gross was not forthcoming during his recent testimony about significant information regarding vulnerabilities within the agency’s cybersecurity programs.”

The incidents would have been reported in the agency’s annual Federal Information Security Modernization Act (FISMA) report to Congress if not for recently revised guidance.

Gross said that along with procuring DRM technology, the agency was:

  • Creating a new incident tracking system and position of an incident response coordinator that will serve as the main point of contact for IT security incidents at the FDIC.
  • Monitoring printed materials in high-risk areas.
  • Starting a chief information office and operations-wide review of all policy documents to ensure they reflect current cybersecurity oversight policies.
  • Applying encryption software agencywide.