[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
FDIC DATA BREACHES: CAN AMERICANS TRUST
THAT THEIR PRIVATE BANKING
INFORMATION IS SECURE?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
May 12, 2016
__________
Serial No. 114-77
__________
Printed for the use of the Committee on Science, Space, and Technology
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://science.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
20-874PDF WASHINGTON : 2017
_____________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma
F. JAMES SENSENBRENNER, JR., Wisconsin
DANA ROHRABACHER, California
RANDY NEUGEBAUER, Texas
MICHAEL T. McCAUL, Texas
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
JOHN R. MOOLENAAR, Michigan
STEVE KNIGHT, California
BRIAN BABIN, Texas
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois

EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
DONNA F. EDWARDS, Maryland
SUZANNE BONAMICI, Oregon
ERIC SWALWELL, California
ALAN GRAYSON, Florida
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
KATHERINE M. CLARK, Massachusetts
DON S. BEYER, JR., Virginia
ED PERLMUTTER, Colorado
PAUL TONKO, New York
MARK TAKANO, California
BILL FOSTER, Illinois
------
Subcommittee on Oversight
HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR., Wisconsin
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
DARIN LaHOOD, Illinois
LAMAR S. SMITH, Texas

DON BEYER, Virginia
ALAN GRAYSON, Florida
ZOE LOFGREN, California
EDDIE BERNICE JOHNSON, Texas
C O N T E N T S
May 12, 2016
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Barry Loudermilk, Chairman,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 5
Written Statement............................................ 7
Statement submitted by Representative Donald S. Beyer, Jr.,
Ranking Minority Member, Subcommittee on Oversight, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 13
Written Statement............................................ 15
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 17
Written Statement............................................ 19
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives............................................. 26
Written Statement............................................ 28
Witnesses:
Mr. Lawrence Gross, Jr., Chief Information Officer and Chief
Privacy Officer, FDIC
Oral Statement............................................... 30
Written Statement............................................ 32
Mr. Fred W. Gibson, Acting Inspector General, FDIC
Oral Statement............................................... 36
Written Statement............................................ 38
Discussion....................................................... 47
Appendix I: Answers to Post-Hearing Questions
Mr. Lawrence Gross, Jr., Chief Information Officer and Chief
Privacy Officer, FDIC.......................................... 70
Mr. Fred W. Gibson, Acting Inspector General, FDIC............... 72
Appendix II: Additional Material for the Record
Documents submitted by Representative Darin LaHood, Subcommittee
on Oversight, Committee on Science, Space, and Technology, U.S.
House of Representatives....................................... 78
FDIC DATA BREACHES: CAN AMERICANS
TRUST THAT THEIR PRIVATE BANKING
INFORMATION IS SECURE?
----------
THURSDAY, MAY 12, 2016
House of Representatives,
Subcommittee on Oversight
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittee met, pursuant to call, at 10:04 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barry
Loudermilk [Chairman of the Subcommittee] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. The Subcommittee on Oversight will
come to order.
Without objection, the Chair is authorized to declare a
recess of the Subcommittee at any time.
Welcome to today's hearing entitled ``FDIC Data Breaches:
Can Americans Trust That Their Private Banking Information is
Secure?''
I recognize myself for five minutes for an opening
statement.
Good morning. We're here today to learn more about
cybersecurity breaches at the Federal Deposit Insurance
Corporation. As a former information systems technology company
owner for over 20 years, I know firsthand the importance of
safeguarding sensitive information and private customer data.
Regrettably, the American people have good reason to question
whether their private banking information is properly secured
by the FDIC.
The FDIC is an independent agency established by Congress,
with the mission ``to maintain stability and public confidence
in the nation's financial system.'' Unfortunately, the FDIC is
failing to live up to its mission of maintaining public
confidence in the Nation's financial system because the Agency
is failing to safeguard private banking information for
millions of Americans who rely on FDIC.
During the Committee's current investigation, it has become
clear that FDIC has a long history of cybersecurity incidents.
According to information obtained by the Committee, in 2011, a
foreign government hacked into the workstations of the former
FDIC Chairman and other senior officials. It appears that this
entity had access to senior officials' workstations for at
least one year before the FDIC took remedial action.
More recently, in letters dated February 26, 2016, and
March 18, 2016, FDIC notified the Science Committee of two
major security incidents. This notification to the Committee
was required in accordance with the Federal Information
Security Modernization Act of 2014, otherwise known as FISMA,
and Office of Management and Budget guidelines that require
executive branch departments and agencies to report major
security incidents to Congress within seven days.
The security breach reported in FDIC's February 26 letter
to the Committee involved an FDIC employee who copied sensitive
personally identifiable information, or PII, for over 10,000
individuals onto a portable storage device prior to separating
from employment at the FDIC. The employee also downloaded
suspicious activity reports, bank currency transaction reports,
customer data reports and a small subset of personal work and
tax files. This security incident is particularly troublesome,
given that the FDIC did not ultimately recover the portable
storage device from the former employee until nearly two months
after the device was removed from FDIC premises.
Further, according to the information obtained by the
Committee, the FDIC did not report the incident to Congress
within the seven-day time period as required by FISMA. In fact,
FDIC waited for over four months to report the incident to
Congress and only did so after being prompted by the FDIC
Office of Inspector General.
Just as troubling, FDIC continues to maintain that the
employee ``accidentally'' copied sensitive and proprietary
information to a portable storage device, despite the fact that
the employee initially told the agency that she ``would never
do such a thing,'' and even denied ever owning a portable
storage device. Ultimately, she retained legal counsel, who
engaged in protracted negotiations with the agency for the
return of the device.
The second security breach, reported to the Committee on
March 18, 2016, involved a disgruntled FDIC employee who
obtained sensitive data for over 44,000 individuals prior to
separating from employment at the agency. When the employee
left the FDIC on February 26, 2016, the employee took the
storage device from the premises. Upon learning of the incident
three days later, FDIC personnel worked to recover the device.
The device was ultimately recovered on March 1, 2016. According
to the FDIC, this was just another case of an employee
``accidentally'' leaving the agency with sensitive information.
This week, FDIC retroactively reported five additional
major breaches to the Committee. In one of those instances, an
employee retired from FDIC and took three portable storage
devices containing over 49,000 individuals' personal data. In
total, over 160,000 individuals have recently been a victim of
having their personal information leave the FDIC by
``accident.'' To date, FDIC has failed to notify any of those
individuals that their private information may have been
compromised.
According to the FDIC, none of the 160,000 individuals has
anything to worry about because all of the FDIC employees who
improperly walked out of the agency with sensitive information
were required to sign affidavits stating the information was
not disseminated. At best, this is a misleading statement
because apparently all employees who are separating from the
FDIC are generally required to sign an exit document attesting
that they have not removed any FDIC materials from the
premises. In the recent breaches reported to this Committee,
all employees who improperly took the data should have already
signed exit documents before ever leaving the agency.
It is Congress's responsibility to shine a light on FDIC's
history of cybersecurity breaches. The Committee will continue
its oversight of FDIC failures to secure Americans' sensitive
information from apparent foreign entities and disgruntled FDIC
employees.
I thank the witnesses for being here today and sincerely
hope that we are able to get answers from the FDIC here this
morning.
[The prepared statement of Chairman Loudermilk follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. With that, I recognize the Ranking
Member for his opening statement.
Mr. Beyer. Thank you, Chairman Loudermilk, and I appreciate
your extensive detailing of these breaches.
Defending against cyber threats is a persistent and
evolving battle, and the cyber hazards that confront the public
and private sectors come in various forms. Hackers can and have
wreaked havoc on Hollywood studios, global financial
institutions, retail outlets, and public agencies alike, and no
one seems immune from the various cyber threats that touch
virtually everyone.
Please forgive a certain amount of redundancy in my
statement. It's important that we have both parties on record
here.
In the case of the Federal Deposit Insurance Corporation, they
suffered from seven major cyber incidents in the past 7 months,
and these breaches include plugging removable media such as a
USB drive into an FDIC computer and removing thousands of
sensitive financial and other records from the agency as
employees walked out the door. We'll be focusing on two of
these breaches today, as well as the FDIC's cybersecurity
practices.
I'm glad the FDIC has installed new software that allowed
them to identify these recent breaches and respond to them.
Without that technology, known as data loss prevention tool,
these incidents, whether inadvertent or intentional, would have
gone unnoticed and unaddressed, and we in Congress would have
remained uninformed. And I believe the FDIC Chairman has taken
some positive steps in the wake of these breaches, phasing out
the use of removable media such as flash drives and CDs that
pose increased security risks.
However, I, along with our Chairman, do have questions
about why there was such a long delay in notifying Congress
about major cyber incidents, particularly the one that occurred
last October and was not reported to Congress until February
26, 2016. And in that instance, it took a memo from the FDIC
Inspector General's Office to the FDIC CIO reminding the agency
that they had an obligation to report the incident to Congress.
I would add that the IG was not the only one suggesting the
FDIC notify Congress of the incident. It's my understanding
that other FDIC employees had also recommended reporting this
to Congress earlier.
In addition, I believe that the new OMB guidance on federal
information security and privacy management requirements, as
detailed in the OMB memo 16-03 last October, is very clear. If
it takes 8 hours or more to recover sensitive data that
comprises 10,000 or more records or affects 10,000 or more
people, it is considered a major cyber incident.
Under these guidelines, once an agency is aware that a
breach meets that criteria, the incident should be considered a
major breach and must be reported to Congress within 7 days.
This did not happen in either of the two cases this hearing
will focus on or the other five that the FDIC just reported to
the Committee this week, and I'm still unclear why.
In the October incident, the breach included records from
eight banks, more than 40,000 individuals, and 30,000 entities,
including the sensitive bank currency transaction reports and
Social Security numbers. Despite the OMB requirement that
agencies inform Congress of major incidents within 7 days, FDIC
notified Congress nearly 3 months after it had enough data to
determine that this was a major breach.
I hope that Mr. Gross, the Chief Information Officer at
FDIC, can help explain FDIC's decision to delay notifying
Congress in that October incident, and I hope also that you'll
be able to help us understand the agency's characterization of
the incident, which appears to be at odds with some of the
information obtained by the Committee. I know the Inspector
General has looked at the October incident and the FDIC's
response, so I look forward to Mr. Gibson's testimony as well.
As a business owner, we have a very important
responsibility to protect our customer data, which includes
Social Security numbers, cell phones, emails, personal
addresses, and we do all we can to protect them, especially
when an employee leaves, because we know that this has value to
the employee in a different role. And we're just a business.
We're not the government controlling these really sensitive
government records. So this is a very important issue.
And, Mr. Gross, I understand you just arrived at the FDIC
in November, and the CIO's office has suffered from a lack of
consistent leadership. You're the fourth CIO in the last four
years. I hope that you'll be able to bring some stability to
this office, and equally important is I hope that you'll help
us establish a solid foundation of reliability and openness
with Congress and that you'll strive to do that as well.
So thank you both for being with us today, and we look
forward to the questioning.
Mr. Chairman, I yield back.
[The prepared statement of Mr. Beyer follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. Thank you, Mr. Beyer.
I now recognize the Chairman of the Full Committee, the
gentleman from Texas, Mr. Smith.
Chairman Smith. Thank you, Mr. Chairman. And I appreciate
both your comments and the Ranking Member's comments as well.
The recent cybersecurity breaches experienced by the FDIC
date back to October 2015 and compromise nearly 160,000
individuals' sensitive information or personally identifiable
information. The number of individuals whose information was
compromised by the agency's poor cybersecurity posture could be
much higher. The breaches reported to Congress represent only
those that the agency itself called ``major.'' In reality, the
FDIC likely has experienced additional breaches deemed
insufficient by the agency to warrant reporting to Congress.
On April 8, 2016, the Committee sent a letter to the FDIC
about a February 2016 cyber breach. In that case, more than
44,000 individuals' sensitive information was breached. Less
than two weeks later, the Committee sent an additional letter
to the FDIC concerning an earlier breach in October 2015, which
compromised more than 10,000 individuals' sensitive
information. The Committee sent the additional letter to the
FDIC because the FDIC withheld reporting the breach to Congress
for more than four months. In fact, the FDIC only reported the
breach once the Office of Inspector General urged it to do so.
The FDIC's attempts to shield information from Congress did
not end with its hesitation to report the significant October
breach. The Committee has encountered a pattern of obstruction
from the FDIC when responding to Committee requests.
In the FDIC's response to the Committee's letters, the
agency initially produced documents extensively redacted for
information the agency deemed to be confidential. These
redactions included public information, such as the names of
senior-level agency employees, whose identities were already
known to the Committee.
The FDIC failed to provide statutory authority or a valid
privilege for redacting the information. Still, the agency
resisted the Committee's request for unredacted documents until
faced with the threat of the Committee's use of the compulsory
process to obtain the information.
Additionally, the Committee learned that the agency
actively obstructed the Committee's ongoing investigation by
limiting the scope of documents produced in response to the
Committee's requests. The FDIC responded to the Committee's
second letter and certified that it produced all responsive
documents. However, subsequent discussions with the Office of
Inspector General indicated that responsive documents were
withheld by the agency.
Upon learning of the agency's active obstruction, the
Committee wrote to the Office of Inspector General to request
these documents. If not for the Office of Inspector General's
openness and transparency with the Committee, we would not have
been aware of the Agency's attempts to avoid providing a full
and complete response to the Committee.
The FDIC's repeated efforts to conceal information from
Congress are inexcusable. They raise significant questions
about whether the Agency actively attempts to hide potentially
incriminating information from Congress. As an agency that has
faced repeated security breaches, it should focus its resources
on reforming its internal cybersecurity mechanisms instead of
engaging in efforts to conceal information from this Committee.
The Committee will continue to investigate the shortfalls
in the FDIC's cybersecurity posture and why the Agency
continues to withhold certain information from Congress and
this Committee. We also will hear what measures the Agency
should take to remediate the damage to the tens of thousands of
Americans whose information was compromised.
So, Mr. Chairman, we have a lot to learn this morning and
look forward to the testimony of our two witnesses, and I yield
back.
[The prepared statement of Chairman Smith follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. The gentleman yields back.
I now recognize the Ranking Member of the Full Committee
for a statement.
Ms. Johnson. Thank you very much, Chairman Loudermilk, and
thanks to you, our witnesses, for being here today.
All data breaches that expose sensitive personal
information should be taken very seriously. In today's digital
age, our sensitive personal data is everywhere. When we swipe
our credit cards at the grocery store, renew our driver's
license at the Department of Motor Vehicles and passports at
the Department of State, or visit the emergency room at the
local hospital or the bank around the corner, our sensitive,
personal, and financial data is processed, stored, and
entrusted to those entities to safeguard it and ensure that it
is not inadvertently breached or intentionally stolen.
But that has happened seven times in the past 7 months in
major cyber breaches at the Federal Deposit Insurance
Corporation. None of these breaches were the result of
sophisticated hackers, foreign adversaries, or cyber criminals.
And those that downloaded this data, including Social Security
numbers and suspicious activity reports, did not use high-tech
digital tools. They simply plugged in their thumb drives and
other removable media to their FDIC workstations in that office
and downloaded sensitive, personal, and financial data onto
their personal storage devices. These actions jeopardized the
data security of thousands of individuals, multiple banks, and
potentially criminal investigations.
In virtually every--each of these seven instances the FDIC
has said the sensitive data was inadvertently downloaded and
that there was no malicious intent. In all of these cases the
FDIC was able to recover the data, and the former FDIC
employees signed affidavits saying they had not shared the data
with others.
However, in at least one case, according to FDIC's own
records, a former employee who downloaded such data was evasive
about her actions and not cooperative when initially confronted
by FDIC staff. Some FDIC employees also suggest that it was
highly improbable that this former employee's actions were
accidental.
In addition, this former employee is now working for a U.S.
subsidiary of a non-U.S. financial services company, which
raises additional concerns. I would remind FDIC that in 2013 an
Inspector General review of another much more serious cyber
accident at the agency resulted in one senior official in the
CIO's office leaving the agency and another being demoted.
My understanding is that this response by these former
officials to both the Chairman of the FDIC and the IG's office
and the Government Accountability Office lacked candor in both
of their descriptions of the extent of this penetration and
potential consequences to the agency.
I hope IG's office will be able to clarify whether or not
all of the recent data breaches were inadvertent, as the FDIC
has claimed, when his office completes the two audits they are
currently working on regarding FDIC's handling of major
cybersecurity incidences in the coming weeks. I also hope that
the IG's office can shed some light on the reasons why the
office of the Chief Information Officer and the FDIC failed to
inform Congress of these major incidences within the 7-day time
frame required by the guidance from the Office of Management
and Budget and that issued in the late October 2015.
I believe that FDIC has already taken some positive steps
in responding to the recent data breaches, phasing out the use
of removable media, for instance. I encourage them to continue
to ensure that sensitive data is not intentionally or
inadvertently breached, but I would also request that the new
CIO, Mr. Lawrence Gross, who is testifying with us today, to
keep Congress appropriately and fully informed in a timely
manner when major cybersecurity incidences do occur.
I thank you, Mr. Chairman, and my time's expired. I yield
back.
[The prepared statement of Ms. Johnson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. I thank the lady. She has yielded
back.
Now, let me introduce our witnesses for today. Our first
witness is Mr. Fred Gibson, acting Inspector General of the
Federal Deposit Insurance Corporation. Mr. Gibson has
previously served with the Resolution Trust Corporation Office
of Inspector General and as Principal Deputy Inspector General
and counsel to the Inspector General.
Mr. Gibson received his bachelor's degree in history from
the University of Texas at Austin and his master's degree in
Russian Area Studies from Georgetown University. He received
his J.D. from the University of Texas Law School.
Our second witness today is Mr. Lawrence Gross?
Chairman Loudermilk. Gross. Mr. Lawrence Gross, Jr., Chief
Information Officer and Chief Privacy Officer of the Federal
Deposit Insurance Corporation. Mr. Gross previously served as
the CIO for the U.S. Department of Agriculture, Farm Service
Agency and the Deputy CIO at the Department of the Interior.
Mr. Gross received his bachelor's degree in information
systems management from the University of Maryland, University
College, and he received his CIO certification from the
National Defense University.
I now recognize Mr. Gibson for five minutes to present his
testimony.
TESTIMONY OF MR. FRED W. GIBSON,
ACTING INSPECTOR GENERAL, FDIC
Mr. Gibson. Thank you, sir.
Chairman Smith, Ranking Member Johnson, Chairman
Loudermilk, Ranking Member Beyer, and Members of the
Subcommittee, my name is Fred Gibson, and I'm the acting
Inspector General of the Federal Deposit Insurance Corporation.
Thank you for the invitation to speak with the Subcommittee
today regarding recent cybersecurity incidents at the Federal
Deposit Insurance Corporation.
The Federal Government has seen a marked increase in the
number of information security incidents affecting the
integrity, confidentiality, and availability of government
information, systems, and services. The charter for this
hearing is to address two specific security interests and
concerns that this Committee has regarding the FDIC's
cybersecurity posture.
The FDIC's Office of Inspector General carries out two
primary functions. The first is to audit and evaluate the
FDIC's programs and operations, including controls designed to
safeguard the Corporation's data and address and report
breaches when they occur. The second function is to investigate
suspected criminal activity, including breach incidents where
case-specific facts lead us to believe that a crime may have
occurred.
With respect to our first role, we are currently conducting
two audits pertinent to the Committee's concerns that we
anticipate will be completed in the near future. The first
examines the FDIC's process for identifying and reporting major
security incidents, as required by applicable federal law and
related guidance. The second audit addresses the FDIC's
controls for mitigating the risk of an unauthorized release of
sensitive information submitted by systemically important
financial institutions.
As you are aware, on February 19, 2016, during the planning
phase of the first of these audits, we issued a memorandum to
the FDIC's Chief Information Officer regarding a specific
security incident which we believe warranted Congressional
reporting. In the memorandum the OIG concluded that the
Corporation was required under the Federal Information Security
Modernization Act of 2014 and related guidance issued by the
Office of Management and Budget--and that's OMB Memorandum 16-03--
to report the security breach as a major incident to the
appropriate Congressional committees. Ultimately, the FDIC
reported the major incident to this Committee, which led
ultimately to our testimony today.
With respect to our criminal investigative function, the
FDIC OIG participates as a non-voting member on the FDIC's Data
Breach Management Team, or DBMT, for situational awareness
purposes. The DBMT, as its name implies, reviews data breach
incidents. Where the facts of a particular incident, which we
learn through our participation in the DBMT or from other
sources, appear to point to a crime having been committed, we
open an investigation. If the results of our investigation
warrant, we make referrals to the Department of Justice. I can
confirm the existence of one criminal investigation arising out
of the incidents that formed the basis for today's hearing.
However, that case is open. It's in a pre-indictment phase,
which limits my ability to discuss it directly.
Nevertheless, I hope to be able to provide you with the
information that you need to conduct your oversight activities
with regard to these issues, and I look forward to answering
the questions that the Committee has. Thank you very much.
[The prepared statement of Mr. Gibson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. I now recognize Mr. Gross for his
opening statement.
TESTIMONY OF MR. LAWRENCE GROSS, JR.,
CHIEF INFORMATION OFFICER
AND CHIEF PRIVACY OFFICER, FDIC
Mr. Gross. Chairman Loudermilk, Ranking Member Beyer, and
Members of the Subcommittee, thank you for the opportunity to
appear before you today.
At the FDIC, protecting sensitive information is critical
to our mission of maintaining stability and public confidence
in the Nation's financial system, and we are continually
enhancing our information security program.
My name is Lawrence Gross, and I am FDIC's Chief
Information Officer and Chief Privacy Officer. I assumed my
duties at the FDIC in November of 2015, and I have more than 39
years of combined military and federal sector experience in the
information technology, law enforcement, cybersecurity, and
critical infrastructure fields. My testimony today will focus
on our program to identify, analyze, report, and remediate
incidents based on the risk of harm they pose.
The FDIC has a strong information security program to
identify events that could signal a data security incident,
including mandatory annual training for all employees and
contractors to ensure that they will be alert to inadequate
protection of sensitive information and know when and how to
notify our Computer Security Incident Response Team.
We also have automated monitoring tools, including the data
loss prevention tool, which scans for sensitive information in
outgoing emails, uploads to Web sites, and any data downloaded
to portable media from FDIC systems. Our goal is to assess and
continually improve our situational awareness so that we can
reduce and ultimately eliminate the risk of harm to individuals
and entities.
The FDIC has a security incident response and escalation
plan to ensure the systemic gathering and analyzing of facts
relevant to an event to determine the risk of harm and the
taking of appropriate action. We then take steps to mitigate
the risk of harm and complete the appropriate reporting and
notifications based on the risk of harm.
With the passage of FISMA in late 2014 and the subsequent
issuance in October of OMB guidance on what constitutes a major
incident, we have further refined our incident reporting
regime. Notably, the new law and OMB's guidance have been
applied to incidents over the past 6 months where FDIC
employees departed employment and were identified by our
monitoring tools as having downloaded personally identifiable
information or other FDIC-sensitive information on portable
media not long before their departure.
It was my initial judgment, based on several factors, that
these incidents did not rise to the level of major incident as
defined in the OMB guidance. In each case, the employee had
legitimate access to the sensitive data in question while at
the FDIC. Further, our analysis indicated the downloading of
the PII was inadvertent. The FDIC recovered the data from the
former employees, and there was no evidence that the former
employee had disseminated the data. And all the former
employees signed affidavits affirming they had not
disseminated the data beyond themselves.
Lastly, in each case, the circumstances surrounding the
employees' departure were non-adversarial. Under these
circumstances, I judged the risk of harm to be very low,
meaning that the reporting of these incidents would fall under
the annual FISMA-notification-to-Congress requirement.
However, our Office of Inspector General reviewed one of
these incidents and came to a different conclusion. Although
our interpretations are different, we nevertheless gave such
notification to Congress within seven days, and I further
directed my staff to go back through all incidents that had
occurred since issuance of the OMB guidance, regardless if they
were closed, to identify any incidents that had characteristics
we thought would meet the OIG's interpretation of major
incident. FDIC has now reported those as well to Congress.
Finally, let me touch on changes we have made or are making
to lower the risk of future incidents. We've implemented a plan
to eliminate the ability of employees and contractors to
download to portable media. We're implementing digital rights
management software that prevents copying of information.
Further, I've directed my staff to begin immediately a top-to-
bottom review of IT policies and procedures with the focus on
those for departing employees to ensure that everyone
understands FDIC policy regarding downloading of data. Also, I
will be engaging an independent third party to conduct an end-
to-end assessment of all the key areas of the IT security and
privacy programs.
The global interconnected landscape continues to evolve,
and the threats continue to develop. The FDIC takes very
seriously cybersecurity incident management and transparency as
it relates to our reporting requirements and remains committed
to maintaining a robust IT security program that ensures a
real-time current view of our situational awareness.
Thank you again for the opportunity to testify, and I would
be happy to answer any of your questions.
[The prepared statement of Mr. Gross follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Loudermilk. I thank the witnesses for their
testimony.
And just before we begin our questions, for the witnesses
and the Members of the Committee, it is the Chair's intention
to be somewhat lenient with the clock because it is important
that we do get these questions answered and as many rounds of
questioning as we need. The Chair is ready to extend this
hearing as long as we need to make sure that all the questions
are adequately answered.
And also to our witnesses, we ask that you be very
truthful, as well as comprehensive, but also we have had
incidents of filibustering answers. And again, the Chair will
maintain the Subcommittee going as long as we need to, to make
sure. So we ask that you be as accurate and as brief with your
answer.
I now recognize myself for five minutes for questioning.
Mr. Gross, this Committee wrote the FDIC requesting
documents and communications referring or relating to the
security breaches we discussed here today. Are you aware of
those letters?
Mr. Gross. I am.
Chairman Loudermilk. The FDIC has certified that all
responsive documents pursuant to this Committee's request had
been produced. Is that your understanding as of today?
Mr. Gross. I believe the office has been responsive to your
inquiries, sir, yes.
Chairman Loudermilk. Mr. Gross, did anyone in your office,
to your knowledge, voice any concern regarding the manner,
scope, or have any other concerns about the FDIC's response to
this Committee's request?
Mr. Gross. No one in my office had any concern with being
responsive----
Chairman Loudermilk. No one expressed any concerns about
the documents you were providing?
Mr. Gross. No one in my office expressed any concerns, sir.
Chairman Loudermilk. What about other offices, anyone in
the FDIC express concerns about the comprehensiveness of the
investigation or the documents you're providing?
Mr. Gross. I'm not aware of anyone expressing any concerns.
Chairman Loudermilk. No one in the FDIC. Mr. Gross, are you
aware of any internal FDIC documents responsive to the
Committee's request that were not produced to this Committee?
Mr. Gross. I'm not aware of any that have not been
provided, sir.
Chairman Loudermilk. Mr. Gibson, to your knowledge, were
all responsive documents produced to this Committee?
Mr. Gibson. Sir, was that direction--was that question----
Chairman Loudermilk. I'm sorry. Yes, I'm sorry. Mr. Gibson,
that was directed to you. I was looking at Mr. Gross. Sorry.
Mr. Gibson, to your knowledge, were all responsive
documents produced to this Committee?
Mr. Gibson. Sir, we haven't reviewed the FDIC's production
of documents to the Committee. We received a request from the
Committee for FDIC documents that were in our possession, and
we provided the documents that we collected in the context of
our audit.
Chairman Loudermilk. Okay. So, Mr. Gross, just to summarize
and make sure we understand, to your knowledge, you provided
all the documents that were responsive to the Committee's
request?
Mr. Gross. To my knowledge, sir, we were responsive to the
request. If there's a request for additional information, I'll
stand ready to provide that.
Chairman Loudermilk. Okay. Thank you.
Mr. Gross, what I have here is the stack of documents that
the FDIC provided to the Committee in response to our inquiry.
This stack of documents, however--I may need a forklift. This
stack of documents was provided to the Committee by the
Inspector General's Office. Why were these documents not
provided to the Committee by the FDIC?
Mr. Gross. I had an opportunity to review the material
provided by the IG, and in reviewing that material, a lot of it
is duplicative, so the material that you received from us with
the incident response forms that are in there, it includes
information that has been duplicated in the IG's response. The
incident response forms provide a summary of the incident, and
it's--it may in fact provide a more comprehensive review of
each of the incidents more so than what's in the documents.
I did note that there were several copies of what we call
our Data Breach Management Guide that was included in the
material provided by the Inspector General, and there were
multiple copies of that. That document is still currently being
developed and in review.
Chairman Loudermilk. So let me make sure I understand what
your statement here is today, that everything that you provided
is also covered in the IG's? There's no more information in
what the IG provided to us than what is covered in this stack
of documents here?
Mr. Gross. I can----
Chairman Loudermilk. Is that what you're telling me?
Mr. Gross. I cannot make that as an affirmative statement,
sir. I had a brief opportunity to review the IG's material
yesterday----
Chairman Loudermilk. Okay.
Mr. Gross. --so I cannot say that it's a one-to-one
correlation.
Chairman Loudermilk. Well, you were saying it was
duplicative----
Mr. Gross. I said----
Chairman Loudermilk. --but----
Mr. Gross. --quite a bit of the material that was in there
was duplicative. There were multiple copies, for example, of the
Data Breach Management Guide. There are multiple copies of that
guide provided in their response to you.
Chairman Loudermilk. Okay. There are many emails that were
provided to us by the IG that were not included in your
documents. Those are not duplicative.
Mr. Gross. I cannot speak to that without looking at the
exact emails, but what we have in the incident response summary
might be--well, I would think it's an encapsulation of what may
be contained in emails that were transmitted between different
entities that participated on the DBMT.
Chairman Loudermilk. Okay. Okay. But you did say that you
had reviewed the materials----
Mr. Gross. I did----
Chairman Loudermilk. --provided----
Mr. Gross. I did a cursory review.
Chairman Loudermilk. A cursory review----
Mr. Gross. Yes.
Chairman Loudermilk. --but you have not looked at them.
When were these--Mr. Gibson, when were these documents
provided?
Mr. Gibson. Sir, I believe they were provided at ten
o'clock yesterday morning.
Chairman Loudermilk. Okay. Has Mr. Gross received copies of
these documents?
Mr. Gibson. Yes, sir. We provided a copy of our--I don't
know if Mr. Gross personally has. We provided a copy of our
production to the Congress to the FDIC so they would be aware
of what we did.
Chairman Loudermilk. And when was that provided?
Mr. Gibson. At the same time we provided it to the
Committee.
Chairman Loudermilk. So ten o'clock yesterday morning?
Mr. Gibson. Yes, sir, about ten o'clock.
Chairman Loudermilk. Okay. Allow me to clear my desk for a
moment here. Okay.
So, Mr. Gross, you still stand by that--your previous
testimony that you did provide this Committee all the documents
that we requested?
Mr. Gross. That wasn't my statement, sir. I said I believe
we were responsive to your request. If there are additional
documents that you think are necessary or required, I stand
ready to deliver that.
Chairman Loudermilk. Okay. So you're acknowledging that
there may not be some documents that we requested that the
FDIC----
Mr. Gross. I believe----
Chairman Loudermilk. --failed to provide us?
Mr. Gross. I believe our response to you was responsive. If
there's other material or additional material that you deem
that's warranted, I stand ready to provide that.
Chairman Loudermilk. So you will provide every document
that we request?
Mr. Gross. If there's a request for additional information,
we stand ready to provide that.
Chairman Loudermilk. Okay. Well, we requested the
information the IG has actually provided as well. We're just
asking for it to be comprehensive and all-inclusive.
And so who's responsible for providing the documents in
response to the Committee's request?
Mr. Gross. When your letter came in and when the letter
came in for the information, that's sent to each of the offices
that may have relevant information. Each of those offices then
provide that information. It's a--there's a coordination effort
that's done by our Office of Legal Affairs, and then it's put
together as a comprehensive package for submission.
Chairman Loudermilk. Were any directions--to your
knowledge, were any directions given to withhold or not provide
certain documents to this Committee?
Mr. Gross. No, sir.
Chairman Loudermilk. To your knowledge, was anyone in your
office or the legal division directed to limit the response to
the Committee's request?
Mr. Gross. I'm not aware of anyone making such a statement
or providing any such direction.
Chairman Loudermilk. I do have other questions, but I have
run over the clock. I was a little more lenient with myself
than I intended to be. I do have more questions. The Chair's
intention is to do a second round of questioning.
And so at this time I recognize the Ranking Member, Mr.
Beyer.
Mr. Beyer. Thank you, Mr. Chairman. And thanks again to the
witnesses.
Mr. Gross, are you aware--to follow up on Chairman
Loudermilk's questions--of any documents requested by the
Committee that you have not submitted yet?
Mr. Gross. No, sir, I'm not aware of any.
Mr. Beyer. So at this point if anything's missing, you'd be
happy to provide it?
Mr. Gross. Yes, sir, I will.
Mr. Beyer. And I hope--are you willing to have your--you
and your staff carefully go through Mr. Gibson's documents to
make sure that anything he provided that you didn't that you
affirm its value or its legitimacy? I'm trying to get--you
pointed out that one reason the stacks of documents are so
different was there's many duplications, things provided again
and again in Mr. Gibson's documents. I think what the Chairman
is concerned about is, is there anything Mr. Gibson provided
that you didn't?
Mr. Gross. I understand. I can go through the material and
review that and provide you any additional information that you
may need or want. I haven't had a full opportunity to review
the material, as he's indicated. I received it at 10 o'clock
yesterday.
Mr. Beyer. So we're 24 hours away. So--but you're willing
to do the reconciliation?
Mr. Gross. Yes, sir, I am.
Mr. Beyer. Great. Great.
The employee in the October breach reportedly left the FDIC
on good terms. She was seeking new employment at the time, and
she currently works for a foreign financial firm. Furthermore,
she initially denied that she had downloaded the information.
She resisted turning over the device to the FDIC, and we
understand she was having personal problems at home, she was
going through a divorce, she was living in a hotel room. All
these factors highlight increased security risks, not
mitigating factors, especially as outlined by the FBI and the
U.S. counterintelligence community, as this brochure ``The
Insider Threat'' details.
Were these facts known by the Data Breach Management Team
when the incident was being analyzed for risk of harm?
Mr. Gross. All the circumstances surrounding the incident
were known by the Data Breach Management Team. I'd like to even
go back further and state that we--personally, I make a
concerted effort to be very transparent in all the activities
that we have within the security realm. This incident, when it
occurred, it actually occurred prior to the promulgation of the
OMB guidance, so it was in fact reported in 2015 in our annual
FISMA report.
It was my encouragement to the staff that we knew that the
policy had come out as we were reviewing this incident, and I
asked that they apply the standard of the policy to the
incident. So we fully understood the circumstances surrounding
it, yes, and we applied the standard to the incident to ensure
that we were being responsive. But it had already been reported
as part of our FISMA submission.
Mr. Beyer. Okay. So let me break these up. On the one hand,
you're arguing that the 7-day didn't apply because the OMB
guidance didn't come out until January, but the greater concern
is whether it was low risk, moderate risk, or high risk. And we
know that this person had gone to work for a foreign bank, had
initially denied downloading, refused to turn over the drive,
and was going through a lot of personal problems. Don't all
those elevate the sense of risk that your--the breach team
would consider and that you would consider as CIO?
Mr. Gross. I considered all the factors associated with the
incident. We weighed all the factors. But I would say even if
an individual leaves their employment with the Federal
Government, we leave with not only potentially material that on
removable media, we leave with corporate knowledge. And we
still trust that the individuals leaving federal service are
going to protect not only that digital media that they may
take, but the corporate information they may take in their
head. So that had to be weighed as to what risk of harm did the
information that this individual inadvertently download pose.
And yes, we considered what type of employment she may have
been seeking outside the organization and other factors, and we
deemed that the incident was in fact low.
Mr. Beyer. In your testimony on page 4 you talk about that
your initial judgment in all these incidents didn't rise to the
level of the major incident as defined by OMB guidelines. But
the OMB guidelines talked about 8 hours to restore the data,
more than 10,000 records affected. Weren't more than 10,000
records affected in virtually every one of these cases?
Mr. Gross. Yes, sir, they were. Several of these incidents
just barely met the threshold that we just retroactively
reported.
I think the larger issue is not only does the policy say
that there's time-specific parameters for reporting, but it
also says in the very end of the document that it's left to the
discretion of the agency to determine if in fact the agency has
sufficient information to determine if the incident rises to
the level of a major. That was considered as part of the review
of the policy and the incident.
Mr. Beyer. I don't want to harp on this too much, but
you'll forgive us if there's a certain amount of skepticism of
seven different people downloading information just as they're
leaving that affects more than 10,000 records, and none of them
seem to rise to the level of major incident.
Mr. Gross. Well, it's--in--from my perspective it's not a
question of whether or not we're going to report. The agency
has no relief in reporting. The issue that we were looking at
was what was the time frame that the reporting was required. If
there's a 7-day notification or a 30-day notification or if
it's included in the annual FISMA report, you'll find that the
FDIC is very responsive. And if you review our FISMA report,
you will find that we report all incidents. There are no
incidents not reported.
Mr. Beyer. One more question right on this part of it. You
said that in each of these cases the downloading was
inadvertent.
Mr. Gross. Yes, sir.
Mr. Beyer. Once again, I have a hard time understanding how
you could inadvertently download 10,000 customer records or
bank records.
Mr. Gross. The individuals involved in these incidents were
not computer proficient. We have policies in place that will
allow the FDIC IT staff to assist you when you're departing the
organization to copy down things that you may have collected
over your long tenure with the agency, specifically,
photographs or your personal resume.
The fact that they were not computer proficient, if you go
in and you don't copy the material and do it as a targeted
copying of that information, you could in fact inadvertently
copy the entire hard drive. So if you insert and you do the
copy and not being proficient in the technology, you may take
more data than what you intended.
Mr. Beyer. I would certainly hope as you--you talked about
the many steps going forward. I think a major step going
forward would be to make sure that all that personal
information isn't on their computers and that there isn't a way
to download an entire--I just--I'm glad you're making progress
because all of this sort of boggles the mind that somebody
could go in and download an entire disc or all the information
that the FDIC has on record about companies and individuals.
Mr. Gross. Well, sir, I arrived at FDIC in November. As you
see from my resume, I've been in federal service to this
country for 39--actually, it'll be 40 years in July. I'm an IT
professional, and there were several areas that I focused on
immediately upon arriving, one of which was removable mobile
media, as well as the elimination of the need for being able to
do that as a common business practice.
Mr. Beyer. Great. Great. Well, thank you very much, Mr.
Gross. Mr. Chairman, I yield back.
Chairman Loudermilk. Thank you, Mr. Beyer.
Being 30 years in the IT world, I find it very
disheartening that you give someone who is not computer
proficient access to such sensitive data. Maybe someone will
address that.
I now recognize Mr. Posey, the gentleman from Florida.
Mr. Posey. Thank you very much, Mr. Chairman.
Mr. Gross, you and I are just viewing this incident from
completely different perspectives. You make it sound like this
is a very friendly termination from an employee, she
accidentally took personal information about 160,000 or more
citizens, and then gladly gave it back, just for one example.
And the staff kind of tells me it didn't really work out that
way all the time, that there was some defiance there, some
refusal.
You mentioned there was no evidence that she kept any of
the information. Actually, there's no evidence that she didn't
keep the information. One went to work for a foreign financial
institution that could benefit greatly from mining that kind of
data, we know that.
And, you know, I'm amused by the term--the whole issue. We
call it a data breach. You know, where I'm from we'd call it a
theft. If you take something that's not yours, that's called a
theft. We don't call it a data breach back home. Maybe just
because we're talking about electronic records, we're no longer
going to call it a theft, we're going to call it a data breach.
But the fact is tens of thousands of American citizens are
compromised because of this.
And my question for you, Mr. Gibson, in your testimony you
stated that ``If the threshold for criminal investigation is
not met, the responsibility lies with the FDIC to pursue the
civil and administrative remedies.'' Could you expound upon
what these remedies could potentially be? Surely there will be
clear punitive measures for the perpetrators of such a breach.
Are there--any of these former employees currently on
administrative leave, getting a full paycheck, receiving a
pension like the IRS people were? There needs to be
consequences for these actions.
Mr. Gibson. Sir, as a former employee, they're not on
payroll, and I do not believe that any of these individuals
have retired or are receiving pensions, but I don't know for
sure. I believe that they all left for other employment
opportunities in other places.
With respect to the FDIC's remedies, both administratively
and civilly, the FDIC can pursue the return of information. The
FDIC could take actions to enjoin an individual from using,
disseminating, taking any action with respect to that
information. The FDIC could undertake administrative actions
within the FDIC in order to tighten up its security protocols
or other situations. There's a number of things they can do in
the absence of criminal activity, and that's what I'm really
referring to.
Mr. Posey. Okay. But just on a practical basis, you know,
somebody walks into a retail store without the owner's
permission and steals 160,000 items, the store owner comes back
and figures out somebody stole this, went to them, they say,
oh, okay, well, I'll give you back these particular items is
all I'm going to admit that I accidentally took from your
store. That doesn't eliminate the fact that there was a theft
from the store just because they gave back at least some of the
items that they illegally took. Do you see any similarity to
the example I'm drawing and what happened here?
Mr. Gibson. Well, sir, I understand the example that you're
using, and I would agree in that particular situation. I mean,
the fact that somebody robs a bank and gives the money back
doesn't mean that they didn't rob the bank. That's absolutely
right.
For us to pursue a criminal case, however, one of the
things that we're going to have to be able to establish in
connection with our case is specific intent on that person's
part. If the material was removed inadvertently, which is the
FDIC's conclusion with respect to that, we have a bar right up
front to being able to pursue a criminal case in the face of
that determination. I'm not saying that we can't, but we're
going to need some facts that get us over that and allow us to
be able to pursue that sort of a case.
Mr. Posey. Have you exhausted the questioning of the people
involved? Have they voluntarily come forth? Do you need to
depose them? Are you in a position to--you could depose them
and ask the kind of questions you'd like to see answers to and
I'd like to see answers to?
Mr. Gibson. Sir, we--when we conduct a criminal
investigation, we do so when we have probable cause to believe
that there's been a crime that's been committed. Prior to that
time, we conduct something called an inquiry. And the methods
that we use in conducting that are somewhat less intrusive than
the methods that we would use to conduct an investigation.
When information comes to us where we are able to open an
investigation, we do. And in one of these cases, we have. If
additional information were to come forward to us that would
enable us to open a case, we certainly would be asking those
questions. We try and develop it as best we can, and that's the
way in which we're pursuing it.
Mr. Posey. Thank you for your frank answers. I see my time
is up. I thank you, Mr. Chairman.
Chairman Loudermilk. The Chair recognizes the gentlewoman
from California, Ms. Lofgren.
Ms. Lofgren. Thank you, Mr. Chairman.
I understand from your testimony that in some instances the
Data Breach Management Team recommends that individuals or
financial institutions be notified of the breach of personally
identifiable information and then credit monitoring can be
offered and that that has not been done in this case or in the
five other major breaches. Mr. Gross, can you explain why that
hasn't happened, what was the thinking here, and are
individuals adequately protected without this credit monitoring
opportunity?
Mr. Gross. We evaluated each of the cases and determined
because there was low risk of harm that there were no
individuals that were affected or impacted adversely as a
result of the downloading of the information. So as a result of
the lack of impact to the individuals, it was deemed that
credit monitoring was not warranted.
We have in other cases where the information has been taken
and we know it was a known adversary or someone with adverse
intent where they may break in an employee's car and steal
records, we know that that individual had ill intent by
breaking in the car. That information, regardless of the number
of records that may have been exposed, in those cases we would
have offered credit monitoring, as we've done in the past.
Ms. Lofgren. But we don't have digital rights management on
these files at this point, do we?
Mr. Gross. We don't have digital rights management deployed
across the FDIC at this moment. It is one of the 60-day
response activities that I've laid out for the IG.
Ms. Lofgren. So we don't know for sure whether this
information that was taken was not in fact further copied
because there was no DRM to prevent it?
Mr. Gross. Well, we have the signed affidavit from the
employees a----
Ms. Lofgren. Right.
Mr. Gross. --and each of these employees----
Ms. Lofgren. Well, technologically, we have no assurance of
that?
Mr. Gross. Technologically, no, ma'am.
Ms. Lofgren. I'm interested in the DRM response that you're
recommending. I'm interested in what is the timeline. And also,
did you--what process was used to determine what DRM response
would be--did you do an RFP, was it sole-source, did you do
market research? How did you select which DRM solution and
what's the timeline for implementation?
Mr. Gross. I'm working very aggressively to implement it.
This is something that we're just beginning to pursue. I don't
have the specifics for you at this moment. I could come back to
you with a more detailed plan.
Ms. Lofgren. Oh, so you haven't actually begun that?
Mr. Gross. We have begun the process of identifying the
technology from the standpoint that we think that the right
tool for protecting the data is DRM. What solution set and the
timeline for implementing it, we have not identified that as
yet. We've looked at two technologies. We didn't put that in
the report. We didn't want to advocate for any specific vendor,
but we are looking at two right now as the potential tools that
we would employ.
Ms. Lofgren. Well, I'm interested in whether you might
conduct a pilot with different offerings. I mean, this is an
important decision for the agency.
Mr. Gross. Absolutely, it is. And one of the things that we
have to look at is we want to make sure that we don't break the
business, that means we have to do this focused on the data
that is the most sensitive and work our way out. So yes, we are
not going to do this as a wholesale change across the
organization because it's--not only do we have to evaluate if
there's any internal impact, we have to evaluate is this going
to create an impact with the businesses that we have to work
with in the conduct of the mission.
Ms. Lofgren. Just a final note, I was interested in your
comment that employees that are leaving are permitted to
download their personal information on their computer. And my
suggestion would be there shouldn't be any personal information
on the government computer.
You know, people do dumb things. I--we once had a young
person who downloaded BearShare who migrated all kinds of
sensitive information unwittingly. You should create
technological barriers to doing that, and if someone manages to
subvert that, they should lose their personal information.
I'm just sort of interested in what technological methods
have you deployed to prevent the migration of potentially
harmful data from outside of your system.
Mr. Gross. Ma'am, I've arrived at FDIC in November, and I
can assure you that there are several things that we've already
begun to implement, but there are several other things that
we'll be looking at implementing going forward.
One of the messages to my staff is that security is not
something that we bolt on after the fact. It's something that
we include as part of the process from implementation moving
toward. So I've identified a number of things in the 60-day
plan, but I can assure you that those are immediate actions
that we need to take because of these incidents that we've
seen, but there are others that I'm fully looking to employ
based on the years of experience knowing that it's about
protecting the data and that we do have individuals that may do
things mistakenly and we have to manage that. But we also have
to manage for external adversarial threats as well. So I can
assure you this is just the beginning of some of the things
that we'll be implementing.
Ms. Lofgren. I see my time is expired, Mr. Chair.
Chairman Loudermilk. The Chair recognizes the gentleman
from Illinois, Mr. LaHood.
Mr. LaHood. Thank you, Mr. Chairman. And I want to thank
the witnesses for being here today.
I would just say at the outset, it is troubling to me to
hear your response to Mr. Beyer's questions, almost a
dismissive nature of these breaches and kind of the nonchalant
answers that you've given, particularly with the backdrop of
cyber attacks on this country.
We hear every week in this Committee about the
cybersecurity and how, at the highest levels of our government
and in the private sector, computers are compromised every
single day. And you look at--whether it's Chinese entities or
Russian mob or domestic enterprises in the United States, I
don't think anybody has any confidence that we have this under
control. And it leads to a lot of uncertainty about how we
tackle this issue.
And so when I hear about an agency, the FDIC, and the
information that you control, it's concerning to me that you
don't highlight this as an important breach and further
investigation to find out what's at stake here. That's really
concerning to me to hear that today.
Let me ask some specific questions here. Mr. Gross, in your
opening statement you state that the downloading of the
personal identifiable information in all the breaches FDIC
reported to Congress was ``inadvertent'' and ``non-
adversarial.'' Is that accurate?
Mr. Gross. That's correct, sir.
Mr. LaHood. I want to direct your attention to Exhibit one,
which is a document sent by the FDIC legal department to one of
the former FDIC employees who left the agency with unauthorized
materials on a portable storage device. According to this
document, which is dated December 2, 2015, when asked about her
actions, she said ``she would never do such a thing.'' And that
it would be against FDIC policy and that she knows the policy.
When asked if she owns an external hard drive, she said she did
not know what an external hard drive is. And she stated that
``in any event, she does not own such a device.''
Now, Mr. Gross, do you stand by your statement that this
person is non-adversarial?
Mr. Gross. Sir, if I could, one, I'd like to draw the scale
because in your opening comment you mentioned the difference
between the current incidents and if we had a third-party bad
actor in our system. And I don't want to be dismissive. Any
loss of information, regardless of how that information is
lost, is significant. It's important, and we need to pay
attention to it.
I think what we have to do is to draw to scale, though, the
different incidents that we have. If there was a third-party
actor in my system today, the way the policy is currently
constructed, unless that third-party has taken an amount of
records, it may not meet the criteria of a major, but I can
assure you, if there was a bad actor in our system today, it
would be reported as a major, especially if I know that they're
adversarial in nature and they intend to do harm to the
organization or the agency. I could care less if they were
reading the menu for the FDIC. If it's a bad actor and they're
in our system today, it is reported, and it falls into the
major category.
These incidents where we had employees that left had
multiple years of faithful service to the FDIC. These are
different circumstances.
Mr. LaHood. I understand that, Mr. Gross. My specific
question that I asked you, I--the exhibit that's up there, I
mean, do you stand by the statement that this person is non-
adversarial?
Mr. Gross. I do. And let me give some context. When the
employee departs the FDIC, they sign a document indicating that
they have not taken any information with them. When we go back
to that employee and we have proof, because of our DLP
capabilities, that in fact they have downloaded information, at
that instance that conversation is an employee who now realized
I've made a mistake. And as a result of that, that relationship
has to be managed from the standpoint of a trusted employee who
now realizes that they inadvertently took information, and now
they're caught misrepresenting the truth.
So I do stand by that from the standpoint is I believe that
the employee inadvertently took the material and now they find
themselves in an awkward situation where their closing
statement doesn't match the actual facts.
Mr. LaHood. Yes. Well, I understand your statement, what
you're saying there. I mean, this is not a foolproof system. It
clearly is not. And the nature of the world we live in now with
cyber attacks and foreign entities and what's out there, that's
what's, I guess, concerning about the protocol that you went
through here.
Let me follow up. So was she telling the truth when she
said ``she would never do such a thing''?
Mr. Gross. I believe she, on the surface, was telling the
truth, but I don't think she really understood that she had
taken--one, I think she realized she took her personal data. I
don't believe she realized she took FDIC-specific data. And in
each of these cases, these are all referred to the IG's office.
Every one of these cases we had asked the IG if they were going
to investigate the case. The response we received is that there
was no criminal activity; therefore, it did not warrant any
further action on their part.
Mr. LaHood. Mr. Gibson, let me ask you. Do you agree with
Mr. Gross that this person was non-adversarial?
Mr. Gibson. So I really need to take a look at this set of
facts. Offhand, I'd say that there are different
interpretations of these facts. Non-adversarial, I mean, it
seems to me that you could interpret these facts to suggest
that she is adversarial. You could certainly interpret these
facts to suggest that she's being less than candid or truthful.
Mr. LaHood. And so you don't necessarily agree with that
statement and they have a different opinion, is that fair to
say?
Mr. Gibson. Sir, I don't agree with that statement, and I
may have a different opinion.
Mr. LaHood. I see my time is expired. Let me just ask
another question here.
I'm going to refer to Exhibit number two. Mr. Gross, this
is an email dated April 28, 2016, to you from the acting Chief
Information Security Officer at the FDIC. The message says,
``We were notified of the $10,000 record count of these
incidences on April 27, so the seven-day reporting requirement
will be on May 4, 2016.'' Mr. Gross, what incidents is the
acting Chief Information Security Officer referring to?
Mr. Gross. I'm not really sure from just looking at this
document, but I believe what he's talking about are one of the
incidents that we retroactively went back and looked at.
Mr. LaHood. And you understood the seven-day reporting
period, correct?
Mr. Gross. Actually, this may have been an incident that
was reviewed by the DBMT and already deemed as closed. Without
actually looking closer at the document and getting the other
information, I'm not sure of that. But we went back
retroactively, and some of the incidents that we reported, they
had already been reviewed by the DBMT and it had been deemed a
breach but a low-risk breach.
Mr. LaHood. Did you report the incident to Congress by May
4, as required by the law?
Mr. Gross. I don't know if this incident was reported by
May 4. I believe it was reported in the recent report where we
provided five different incidents to the Congress.
Mr. LaHood. Yes. I mean, in looking at what the--
information I have, it was not reported within the seven days,
and actually, it appears on May 9 it was reported, so it was
outside of that window. Do you disagree with that?
Mr. Gross. I don't agree or disagree without looking at--
but I believe this was included in the report for all of the
incidents. My question would be is was this incident previously
closed by the DBMT and deemed as a low-risk? So therefore, the
seven-day clock would have actually started long before we
completed the record count. It would have been back when the
incident may have been initially reviewed.
Mr. LaHood. Well, when I look at this document, it looks
like this--I mean, clearly, in that quote that I sent to you,
you're notified of the incidents on April 27 and told that it
has to be done by May 4. It appears that it's outside that
window. I guess it just as a follow-up, Mr. Gibson, should
incidents such as this that we're discussing today be reported
to Congress within a timely manner?
Mr. Gibson. Sir, I think that when the waterfall
requirements of 16-03 are triggered, I think that there's an
obligation to report in 7 days from the time that the agency
has a reasonable basis to believe that a major incident has
occurred. That's what the law says.
Mr. LaHood. It appears from this document in Exhibit two
that that was the case and it wasn't done within the seven-day
period.
Mr. Gibson. So it could. I haven't--I'm not familiar with
the incidents that that's referring to and, you know, to answer
that conclusively, I want to review that. But, you know, it
certainly could indicate that, yes.
Mr. LaHood. Thank you. I went over my time.
Chairman Loudermilk. The Chair recognizes himself for
questions.
Mr. Gross, the Florida incident, is that one of the
incidents that Mr. LaHood was referencing that you believed was
inadvertent?
Mr. Gross. I believe all of the incidents that have been
reported were identified where the individual inadvertently
downloaded the material.
Chairman Loudermilk. And how many incidents has that been?
Mr. Gross. I believe we've reported seven.
Chairman Loudermilk. Seven and they were all accidental?
Mr. Gross. Out of the seven, we had--I believe it was five
individuals that were retiring, and I believe the other
individuals were term employees and they were coming to the end
of their term.
Chairman Loudermilk. Were all seven of these those that you
described as not very computer literate or----
Mr. Gross. Yes, sir, I would say that these individuals
downloaded the information in an attempt to take their personal
information prior to departure.
Chairman Loudermilk. But they had access to sensitive
information even though they were not ``computer literate''?
Mr. Gross. Well, the information they had legitimate access
to was required for them to perform their day-to-day duties.
Their duties continued up until the day they left employment
with the FDIC.
Chairman Loudermilk. So it's common practice to allow
personnel to download information from the FDIC official
server?
Mr. Gross. Prior to my arrival, we did utilize mobile
media, and individuals could download information to those
devices. We've since put into place capability to prevent the
downloading of information to mobile devices.
Chairman Loudermilk. So is it accepted practice to allow
personal use of the government computers? If they were taking
personal information, then obviously they're allowed to use
them for personal----
Mr. Gross. Policy does allow de minimis use of the personal
computer, yes, sir.
Chairman Loudermilk. Does--do any of the employees in the
FDIC, yourself or any others, use personal email to conduct
official business?
Mr. Gross. No, sir, not that I'm aware of.
Chairman Loudermilk. None at all. Regarding the Florida
incident, the Data Breach Management Team, did they give you a
recommendation on whether this was a breach?
Mr. Gross. The Data Breach Management Team is a group of
representatives across the organization. The Inspector General
sits on that group. It's not a voting body. It's a consensus
body, and they do provide a recommendation. And I believe from
the Florida incident that they did recommend that it was a
breach, but we did also indicate it was a low-level breach.
Chairman Loudermilk. Okay. Well, let me read from you an
email which you were just provided a copy. This was from the
former CIO Christopher Farrow to you, and--regarding the
Florida incident and just item number seven, ``Only you can
declare this incident a breach. You have not done so. The DBMT
has only recommended that this is a breach. We're waiting on
you to declare this a breach.''
I'm bringing attention to this email that was provided to
us by the IG, and it was sent to you on November 30, 2015. And
in the subject line it refers to the October 2015 Florida
incident that you informed this Committee of. And the subject
line says ``action required, Florida incident.''
As we've discussed here, the body of the email concerns the
handling of the incident completely within the scope of the
documents requested by this Committee. The IG provided us this
document, but you did not, sir. Now, how is not including this
email with the documents you provided us being responsive to
the Committee's request?
Mr. Gross. Sir, I believe every effort was made to be
responsive to your request. If there's needs for additional
information, as I said, I stand ready to do so. I believe this
document right here is summarized in our response in the
incident management.
Chairman Loudermilk. But, sir, did the Committee's request
ask for summaries or did it ask for the documents? I believe
our request was for all documents, not summaries of documents,
but documents.
Mr. Gross. Sir, I believe our response to the Committee's
request was comprehensive. We made an active effort to provide
a comprehensive response to this Committee.
Chairman Loudermilk. But evidence that you have in front of
you is that it was not comprehensive.
Mr. Gross. I don't know for sure if this was included in
the overall submission to the Committee, sir.
Chairman Loudermilk. It was not, but the IG did provide
this to us.
Are you aware, sir, that actively--by not providing this,
you are actively obstructing this Committee's investigation?
Mr. Gross. Sir, I believe our submission to you was
comprehensive. Every effort was made for it to be
comprehensive.
Chairman Loudermilk. But, sir, it wasn't comprehensive if
we're receiving documents from the Inspector General that are
clearly relating to these incidents that we are investigating
but you did not provide them.
Mr. Gross. Well, I didn't provide all the documents that
you received, sir. These documents came from a variety of
different offices within the Corporation.
Chairman Loudermilk. But, sir, you are the addressee on the
email with this document, so clearly you did have this
document. And it would have been your responsibility to provide
this in response to our request for all documents.
Mr. Gross. I believe that this would have been included in
the incident response because this document speaks to what's
summarized in the incident report.
Chairman Loudermilk. But again, sir, the Committee did not
ask for summaries; we asked for documents. And are you aware
that obstructing Congress is a violation of federal law?
Mr. Gross. I'm fully aware of that, sir. I'm a prior law
enforcement officer.
Chairman Loudermilk. Okay.
Mr. Gross. As I said, we made every effort to be
responsive. I believe what we provided was a representation of
the production. We made every effort to be quite exhaustive in
our response to this Committee. As I said, I--we stand ready to
provide any additional information that you deem warranted.
Chairman Loudermilk. Well, I thank you for that, but I
would prefer that we get these initially and not have to go
back and get--let me read directly from the correspondence this
Committee sent to you. It says, ``All documents and
communications referring or relating to the security
incident.'' All documents and communications. We didn't ask for
summaries; we asked for all documents and communications, which
you failed to provide.
Let me ask you another question. We'll shift our direction
of questioning here. Sir, if a bank were to have the incidents
happen to them, an employee walks out with a USB drive
containing 10,000 pieces of PII of their customers, and they
followed the same procedure that you followed by not reporting
it to the FDIC, what would the FDIC's actions be to that bank?
Mr. Gross. I can't speak to that, sir. That's speculative.
I----
Chairman Loudermilk. I would like to get the answer to that
because I don't think it would be following the same procedures
that you're holding yourself accountable to.
Maybe, Mr. Gibson, do you know what action would be taken
to a bank?
Mr. Gibson. Sir, I think that question would need to be
answered by the supervisors.
Chairman Loudermilk. Okay.
Mr. Gibson. I'm afraid I can't.
Chairman Loudermilk. I did pose that to--a question to a
banker yesterday, and I will get a formal response of what he
believes would have--the action that would have been taken.
Mr. Gross, it appears the FDIC has a history of cyber
security breaches that goes beyond what has been made public to
date. I personally have a problem after 30 years of being in
the information systems business that seven repeated incidents
are all inadvertent.
But let's move on to other incidents. Is it true that an
``advanced persistent threat'' was able to penetrate the FDIC
computer systems in August 2011?
Mr. Gross. I believe that's correct, sir.
Chairman Loudermilk. Okay. Is it true that FDIC employees'
computers were accessed by a foreign entity without their
knowledge?
Mr. Gross. I believe you're speaking from an Inspector
General report, sir, and that, I think, would be best discussed
by the Inspector General. That document has sensitive
information in it.
Chairman Loudermilk. Mr. Gibson, do you have any
information that you can share with us?
Mr. Gibson. If you want to ask me a question, let's see.
Chairman Loudermilk. Is it----
Mr. Gibson. I don't see why not.
Chairman Loudermilk. Is it true that FDIC employees'
computers were accessed by a foreign entity without their
knowledge----
Mr. Gibson. Sir----
Chairman Loudermilk. --dating back to August 2011?
Mr. Gibson. That is my understanding, yes, sir.
Chairman Loudermilk. Okay. Thank you. Mr. Gross, is it true
that the Chairman of the FDIC's own computer was accessed by
this foreign entity?
Mr. Gross. Sir, I have reviewed that document. I believe
what you're stating is included in the report, but I just
became familiar with that document yesterday. I think Mr.
Gibson would be best positioned to respond.
Chairman Loudermilk. Mr. Gibson, can you respond? Is it
true that the Chairman of the FDIC's own computer was accessed
by this foreign entity?
Mr. Gibson. Sir, that's my understanding.
Chairman Loudermilk. That's your understanding. And again,
this is in an IG report?
Mr. Gibson. Sir, there are actually--well, there is--I
believe the document that you've got is an IG report.
Chairman Loudermilk. Okay.
Mr. Gibson. That document was produced to address the
FDIC's handling of the incident internally. It's not a
technical report.
Chairman Loudermilk. Okay.
Mr. Gibson. The technical reports would have been prepared
by an FDIC contractor that was brought in to study the specific
situation. The question is a technical one. Our report really
doesn't get to that. It gets more to the issue of reporting of
the incident and the FDIC's handling of the incident than it
does the technical aspects.
Chairman Loudermilk. Okay.
Mr. Gibson. But in so far as--you know, yes, the answer to
the questions that you're asking is yes, but I don't know the
technical details----
Chairman Loudermilk. Okay.
Mr. Gibson. --behind some of that.
Chairman Loudermilk. Mr. Gross, is it true that the foreign
entity was China?
Mr. Gross. Sir, I don't know that to be correct. I can only
tell you what I've read in the report. The details surrounding
the report, it happened prior to my arrival.
Chairman Loudermilk. I understand.
Mr. Gross. I can assure you that if that was to happen
today under my watch, I'm a prior military person and I believe
in the command structure, so if there's an incident that occurs
in my organization, one, it's my boat. I'm responsible for
making sure it's reported and addressed.
Chairman Loudermilk. Well, I understand that and I
appreciate your response there. But in the report, does it
identify anywhere--Mr. Gibson, in the report does it identify
that the foreign entity was indeed China?
Mr. Gibson. No, sir, it is not.
Chairman Loudermilk. It does not.
Mr. Gibson. We are not authorized to make a specific
attribution to any particular actor.
Chairman Loudermilk. Okay. Thank you.
Mr. Gross, regarding this particular incident where
supposedly China had access to FDIC computer systems for over a
year, which I think would be a very significant issue to maybe
have more information on than what we're sharing here today,
according to the materials provided to the Committee, the FDIC
chose to intentionally violate its own policies and procedures
and did not notify CSIRT, the central national authority
responsible for tracking, analyzing, and coordinating responses
to computer security incidents that attack U.S. Government
systems. Is this true?
Mr. Gross. Sir, as I said, I've reviewed that report, and
it's actually great to kind of draw that to scale. When you
look at the APT that you're mentioning here versus an incident
where we have trusted employees that left the organization, you
can see why we drew the fact that the risk of harm to
individuals were low. In this instance, if there was an APT in
our environment, we would be taking active steps to address it.
But I would have to defer to Mr. Gibson on the specifics
that might be contained in the report as to who might have been
penetrated or the extent of the penetration into the
environment.
Chairman Loudermilk. Mr. Gibson, can you provide any more
enlightenment in whether they followed proper procedures by
notifying a foreign entity?
Mr. Gibson. They did not.
Chairman Loudermilk. They did not. Thank you.
Mr. Gross, it's my understanding that one of the steps
taken by the FDIC to prevent further breaches was to shut off
the use of USB drives on the computers at the FDIC. What
percentage of the FDIC employees roughly still have access to
their USB drives?
Mr. Gross. I believe we've reduced that number down to
probably less than 50 percent. We still have a significant
number. Our goal is zero. As I said, I've come from other
federal agencies, so my goal is to reduce that down to zero.
However, we have to work through different business processes
that still require the use of that, and what I mean by that is
our examiners have a need to exchange information with their 50
different counterparts that they work with in the field. So I
can't immediately drive down to zero, but I can assure you and
the Committee my goal is to get to zero on use of mobile media
within the organization.
Chairman Loudermilk. So with the 50 percent that you have
disabled, were those the employees that have access to the type
of the information that was breached, or are those the 50
percent still remaining to be blocked?
Mr. Gross. The 50 percent that we had are primarily
examiners that work out in the field and other components of
the organization that still have an express business
requirement for that. The goal, as I said, is zero. In our
examiner area, we are actually rolling out technology right now
which we call our ETS system.
Chairman Loudermilk. Right.
Mr. Gross. As we roll that out, we will begin to be able to
have larger numbers of those groups no longer have a need for
the use of mobile media. So we're going to do this over time in
specific business areas to be able to get to that zero
threshold.
Chairman Loudermilk. So if you had these 50 percent--let me
ask it this way. If the 50 percent you have blocked now was
done six months ago, would it have prevented these incidents?
Mr. Gross. I can't say that for certain, sir, because these
individuals were in various different parts of the
organization. And even, as I said, it was an inadvertent
download of the data.
Chairman Loudermilk. What have you done to prevent it from
happening other than the USB drives?
Mr. Gross. Actually, what we've done to prevent it is
we've, one, eliminated the use of mobile media across the
organization only to those individuals that require it in order
to complete their business processes. In order for those
individuals to be able to use the removable media, it requires
the approval of their division director.
Chairman Loudermilk. Okay.
Mr. Gross. The--in addition to that, what we're also
putting in place is encryption--is that any device that's
placed into the machines, once that device is placed in the
machine, it will automatically be encrypted. So those mobile
devices that we do have in the environment would in fact have
encryption, which would enhance their--the security on those
devices if they're lost.
Chairman Loudermilk. But it would not have prevented these
actions from taking place?
Mr. Gross. I don't believe it would have.
Chairman Loudermilk. Mr. Gross, it's interesting that some
of these breaches were retroactively reported to Congress. It's
clear that the OMB guidance and FISMA state anything over
10,000 instances of PII is to be reported to Congress. We have
systems in place to trigger awareness at various government
levels. If I go to the bank and withdraw $10,000 of my own
money, that is immediately going to be reported, but certain
employees at FDIC can download 10,000 individual PIIs and it's
not flagged. Is that a double standard?
Mr. Gross. Well, actually, sir, it is flagged. I think we
have a best practice in the fact that we're using DLP to
identify those instances. Prior to DLP, we would have been
unaware that the employees were downloading that information.
Chairman Loudermilk. But there was 10,000 that were
breached that were disclosed or taken but you did not report
those within the seven-day window.
Mr. Gross. Sir, it's--we don't have relief in reporting. I
want to be--I want to go back to that in that it's not a
question of whether or not if it's going to be reported. All
incidents within the FDIC are reported. The question is, is it
reported within 7 days, 30 days, or is it reported in an annual
FISMA report.
So I want to make sure that it's understood is that there's
no question about our transparency in reporting. It was in
which time frame. And we wanted to draw to scale--we wanted to
focus on, is this major? Is this an APT? Is this someone in our
system? If we report on incidents that we have deemed as non-
major, then we're reporting on everything. And then when we
have an APT or a significant event, the risk you run is that
these incidents are then lost in the noise. And I would hate to
classify any incident as just noise. But we want to make sure
that we're focusing our energies and our time around those
incidents that pose significant risk of harm to individuals or
the organization.
Chairman Loudermilk. Okay. I have been very lenient with my
time, and I will do the same to my good friend from Virginia,
Mr. Beyer, who is now recognized.
Mr. Beyer. Thank you, Mr. Chairman.
Mr. Gibson, in your testimony you said that the memorandum
that you had prepared on February 19 this year to the Chief
Information Officer was marked privileged and for official use
only, and it was later leaked, which is how come we know about
it. Why wasn't it public in the first place? And what's the
argument for keeping something like that from the public?
Mr. Gibson. Sir, it's not our responsibility to report;
it's the FDIC's responsibility. We prepared that document in
the middle of an audit, actually planning for an audit. We had
not completed our work at that point in time. At the time that
our work is completed, we would have made some public
disclosure of it. There are other points at which public
disclosure might have occurred, depending upon the FDIC's
response to that memorandum. When they responded by determining
that they would disclose the incident, then there was no need
for us to make it public ourselves.
Mr. Beyer. In the seven incidents we're talking about that
the FDIC and the CIO have all determined were inadvertent, does
the decision--or the determination of inadvertency make it more
difficult for you to pursue criminal charges?
Mr. Gibson. Well, sir, it could. It's a fact that you'd
have to consider as you evaluate the case. When we have a
statement from the government that says that something's
inadvertent then you have to establish that there's specific
intent to violate the law. Now, if I was a defense lawyer,
that's probably the first document that I would wave around.
That doesn't mean we can't, but it does mean that it can
increase the bar; it can increase the level of difficulty that
we have.
Mr. Beyer. Great. Thank you.
Mr. Gross, one of the things I want to be clear about, too,
because you've mentioned a number of times your distinguished
39-year career in the military and the federal office, and we
thank you for that and thank you for your service. But I just
want to also clarify that the hearing is not about your
remarkable career but rather about what's going on with the
FDIC right now.
In your attempt to remove the mobile media devices down to
50 percent and rolling out ETS, how then will examiners share
data if the mobile devices are gone?
Mr. Gross. We're identifying technology solutions that will
allow them to exchange information. As I said, since arriving,
I've been looking at the business practices that we have within
the organization trying to identify other solutions that will
allow us to conduct our business without exposing the data.
Mr. Beyer. Which will include not being able to email the
data back and forth?
Mr. Gross. That's correct. We currently monitor email, and
we have the ability to manage or prevent email exchange. But in
the case of mobile media, it--just as it says, the ability for
a person to move it from point A to point B is quite easy.
Mr. Beyer. I want to clarify one thing you said earlier,
and I'm confused. So in the OMB guidance, on the one hand, if
it affects more than 10,000 records, it triggers the 7-day
response. You also said that it's your classification, major,
minor, intermediate, that determines 7-day, 30-day, annual
disclosure. Are those in conflict? Do you really have the
discretion as CIO to determine what's major and what's not
major and therefore what--or, to be specific--because something
released 11,000 records and you still determine it not major?
Mr. Gross. Actually, sir, in the incidents that we've
reported, we have several in there that just barely meet the
bar. I believe there's a couple that are 13,000 records. The
policy is a--it provides some guidance to the agency to
consider in making a determination of, one, the significance of
an event. So you can have an incident and it's not considered a
major in that the surrounding issues around the incident
don't warrant the 7-day reporting.
Mr. Beyer. Even though it has more than 10,000 records?
Mr. Gross. In----
Mr. Beyer. Is the 10,000 records threshold not de facto
sufficient----
Mr. Gross. I----
Mr. Beyer. --for the 7-day reporting?
Mr. Gross. I believe it draws a bright line, and that
bright line is that--is what we're following now. But I believe
what happens is it creates an environment where you're
reporting everything and--as a major, and then you run the risk
that if you have a significant event, it would be--it may be
overlooked. But the policy clearly says it leaves to the
discretion of the agency if there's significant enough
information to warrant reporting as a major.
Mr. Beyer. Okay.
Mr. Gross. But I want to be clear, there's not a question
of if the incident is reported. It is reported. The question is
in what time frame is it reported.
Mr. Beyer. Well, and I--I'd ask you, please, to listen
carefully to this, too, because if anything over 10,000
constitutes so many reports that it's noise, we have a much
bigger problem. We should have very few incidents ever that
have more than 10,000 records.
Mr. Gross. I would hope, sir, that we get to zero. My goal
by removing the mobile media where we have seen these incidents
occur is that we have better management of control of our data.
But as you--if you read through the incidents, our employees
are fully aware of their requirements of reporting, so we're
focused today on removable media.
But on a day-to-day basis, you may have employees that may
inadvertently have access to information that was unintended.
That could be they saw--they looked at a file share that was
online where the permissions may not have been removed. Is that
a major? Well, there may be 10,000 records in that file share
that they inadvertently saw during that period of time, but was
it during the normal course of their business so it's not
reported as a major, but we still report it as an incident in
our FISMA report.
Mr. Beyer. You say that in determining whether major, minor
incident, that you used their signed statements, their
affidavits to determine that the information has not been
disseminated. That seemed to put an awful lot of trust into one
signed statement. Are there any other steps you did, tests to
see whether any of these records had leaked out, had been sold,
had been contacted? For example, the FEC salts its FEC
reports with fake names so they can determine whether somebody
else has pulled it off the internet and used it
inappropriately.
Mr. Gross. We do have a forensic review that we conduct on
the device once it's returned. One, we can identify if the
device that was returned is in fact the device that was used to
make the copy. We can also examine the files that are on the
document to ensure that we've in fact recovered all of the
information that was exfiltrated onto the device originally.
But in addition to that, we can determine the last time the
files were opened or accessed.
There are limitations to what we can do with the forensics,
but it gives us a better perspective as to what happened to the
data from the time it was downloaded to the device to the time
the device was returned to the organization.
Mr. Beyer. Is there any way to determine whether that data
was downloaded into another computer or sent to someone else?
Mr. Gross. We have limited capabilities in our forensic
that we can determine some things but we have to rely on the
fact that the employee's assertion that it has not been
disseminated beyond themselves is important.
Mr. Beyer. Yes. Once again, I fear that that's going to be
too low a bar. But let me move on.
Is the--on the personal information, Ms. Lofgren from
California pointed out how probably important it is that the
personal information be in fact de minimis, and if it's de
minimis, there should be very little that needs to be taken
off.
I served four years in State Department, and at the end
didn't need to download a single thing. I did have to go delete
emails to my wife as to what time I was coming home for dinner
but nothing else beyond that. And it's sort of hard to imagine
that I would need it--after serving four years that there--or
even 30 years that there's much that you'd need to take off the
computer.
Mr. Gross. By implementing the procedures that we have in
place for preventing the downloading of the material to mobile
media, what that does is put us in a position that if an
employee in fact does want to download information, we in fact
have to intervene and do that with them on their behalf. So I
believe we'll be able to meet that bar that she's indicated
where we should be.
We want to make sure that if the employee does have
information that they may have created through de minimis use
of the device, creating of a resume or other material, that in
fact they can take that. But by eliminating their ability to
download it, I believe we're in a better position to manage
that.
Mr. Beyer. Okay. One last question. On the October breach
you made the determination that it couldn't be classified as a
major incident, but you have the DBMT, the Data Breach
Management Team. And they all have a--are they simply advisory
or do they have a vote in determining what's a major and what's
a minor event?
Mr. Gross. It's not a voting body. All of the
representatives on the group--as I said, the Inspector General
sits on the group. We have a representative from each of the
program areas where the incident may have occurred. They
provide a recommendation based on the information to the CIO of
whether or not it's a breach, but they also make other
recommendations of things that should be considered as part of
the review process.
Mr. Beyer. Do you remember whether the--what recommendation
the DBMT made in response to the October incident?
Mr. Gross. I'm not sure the--when you say October incident,
is that the Florida incident? That's the one we refer to as----
Mr. Beyer. The original one, yes.
Mr. Gross. --the Florida incident. I believe it was
recommended that it was a breach but it was low risk.
Mr. Beyer. Okay. Have you been in the position yet of
having to make a determination that differed from what the DBMT
recommended?
Mr. Gross. No, I don't believe so. And I want to be clear
is that the DBMT doesn't meet once. So on the surface it may
appear that these incidents may have lingered on or we were
nonresponsive. In fact, the DBMT meets on a number of different
times during an incident as additional information becomes
available, but I don't know of any incidents where I have been
in--I've had a difference of opinion of what came out of the
DBMT.
Mr. Beyer. All right. Thank you, Mr. Gross. Thank you, Mr.
Gibson.
Mr. Chairman, I yield back.
Chairman Loudermilk. I thank the Ranking Member for the
line of questioning, and I thank the witnesses for their
testimony and the other Members who were here with questions.
We've identified several inconsistencies here today by the
FDIC, and the Committee will continue its oversight and looking
forward to having the FDIC Chairman here once the Inspector
General completes its audits. We will continue looking into
this. This is a very critical issue.
And the record will remain open for two weeks for
additional comment and written questions from the members.
The hearing is adjourned.
[Whereupon, at 11:40 a.m., the Subcommittee was adjourned.]
Appendix I
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Appendix II
----------
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]