[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
EVALUATING FDIC'S RESPONSE
TO MAJOR DATA BREACHES:
IS THE FDIC SAFEGUARDING
CONSUMERS' BANKING INFORMATION?
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
July 14, 2016
__________
Serial No. 114-88
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
______________
U.S. GOVERNMENT PUBLISHING OFFICE
20-917 PDF                    WASHINGTON : 2017
________________________________________________________________________________________
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma                 EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR., Wisconsin   ZOE LOFGREN, California
DANA ROHRABACHER, California             DANIEL LIPINSKI, Illinois
RANDY NEUGEBAUER, Texas                  DONNA F. EDWARDS, Maryland
MICHAEL T. McCAUL, Texas                 SUZANNE BONAMICI, Oregon
MO BROOKS, Alabama                       ERIC SWALWELL, California
RANDY HULTGREN, Illinois                 ALAN GRAYSON, Florida
BILL POSEY, Florida                      AMI BERA, California
THOMAS MASSIE, Kentucky                  ELIZABETH H. ESTY, Connecticut
JIM BRIDENSTINE, Oklahoma                MARC A. VEASEY, Texas
RANDY K. WEBER, Texas                    KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan              DON S. BEYER, JR., Virginia
STEVE KNIGHT, California                 ED PERLMUTTER, Colorado
BRIAN BABIN, Texas                       PAUL TONKO, New York
BRUCE WESTERMAN, Arkansas                MARK TAKANO, California
BARBARA COMSTOCK, Virginia               BILL FOSTER, Illinois
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
WARREN DAVIDSON, Ohio
CONTENTS
July 14, 2016
Witness List
Hearing Charter
Opening Statements
Statement by Representative Lamar S. Smith, Chairman, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Statement by Representative Eddie Bernice Johnson, Ranking Member, Committee on Science, Space, and Technology, U.S. House of Representatives
    Written Statement
Witnesses:
The Honorable Martin J. Gruenberg, Chairman, FDIC
    Oral Statement
    Written Statement
Mr. Fred W. Gibson, Acting Inspector General, FDIC
    Oral Statement
    Written Statement
Discussion
Appendix I: Answers to Post-Hearing Questions
The Honorable Martin J. Gruenberg, Chairman, FDIC
Mr. Fred W. Gibson, Acting Inspector General, FDIC
Appendix II: Additional Material for the Record
Documents submitted by Representative Barry Loudermilk, Committee on Science, Space, and Technology, U.S. House of Representatives
Document submitted by Representative Randy Neugebauer, Committee on Science, Space, and Technology, U.S. House of Representatives
Document submitted by Representative Gary Palmer, Committee on Science, Space, and Technology, U.S. House of Representatives
Document submitted by Representative Bruce Westerman, Committee on Science, Space, and Technology, U.S. House of Representatives
EVALUATING FDIC'S RESPONSE
TO MAJOR DATA BREACHES:
IS THE FDIC SAFEGUARDING
CONSUMERS' BANKING INFORMATION?
----------
THURSDAY, JULY 14, 2016
House of Representatives,
Committee on Science, Space, and Technology,
Washington, D.C.
The Committee met, pursuant to call, at 10:07 a.m., in Room
2318 of the Rayburn House Office Building, Hon. Lamar Smith
[Chairman of the Committee] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Smith. The Committee on Science, Space, and
Technology will come to order.
Without objection, the Chair is authorized to declare
recesses of the Committee at any time.
Welcome to today's hearing titled ``Evaluating FDIC's
Response to Major Data Breaches: Is the FDIC Safeguarding
Consumers' Banking Information?''
I'll recognize myself for an opening statement and then the
Ranking Member.
The Acting Inspector General's recent audit confirms
exactly what the Committee's ongoing investigation revealed:
FDIC continues to have significant cybersecurity weaknesses.
Over the course of the Committee's bipartisan
investigation, we have learned a great deal about the FDIC and
how they conduct business. Yesterday we released an Interim
Report by majority Committee staff.
The report contains the following findings: One: The FDIC
has historically experienced deficiencies related to its
cybersecurity posture, and those deficiencies continue to be
present.
Two: The Chief Information Officer created a toxic work
environment, misled Congress, and retaliated against
whistleblowers.
Three: The FDIC deliberately evaded Congressional
oversight.
The FDIC experienced at least eight major breaches that
they have determined met the reporting guidelines issued by the
Office of Management and Budget. The IG found that one of these
breaches required law enforcement involvement. This was the
September 2015 New York breach, in which a disgruntled
employee, without authorization, downloaded sensitive
resolution plans, also referred to as living wills. This
breach, according to the IG's report and confirmed by a
witness's testimony during our ongoing investigation, revealed
that had the FDIC taken more than just the initial steps to
implement a formal insider threat program, this breach could
have been prevented or at the very least detected much earlier.
In a separate report, the IG found that the FDIC did not
properly interpret and apply the reporting criteria required by
a major incident, as articulated in the Office of Management
and Budget memorandum. The OIG found that reasonable grounds
existed to deem the Florida breach major but the FDIC waited
four months to notify Congress.
The Committee is pleased that as a result of our hearing in
May, the FDIC began the process of contacting individuals whose
personally identifiable information had been compromised and
offered them credit monitoring. The Committee also appreciates
the fact that after nearly four months, the FDIC is working to
produce all documents and communications that we have requested
in multiple letters.
The agency initially produced redacted summaries of
responsive documents and a limited set of email communications,
but whistleblowers and the IG's staff immediately informed the
Committee that we were not getting the whole story.
This has been the overarching theme of the Committee's
dealings with the FDIC: we're not getting the whole story.
Based on interviews and documents, there is a culture of
concealment at the FDIC.
For example, the Office of Legislative Affairs staff,
according to testimony, knowingly failed to provide the
Committee with a full and complete production of documents.
The Office of General Counsel's staff directed their
employees not to put certain opinions and analysis in emails or
other written forms, presumably to avoid discovery through the
Congressional oversight process.
This Committee takes seriously its cybersecurity
responsibilities under the Federal Information Security
Modernization Act of 2014, or FISMA, as well as our
responsibility to root out waste, fraud, abuse, and
mismanagement.
Our investigation has identified serious management
deficiencies in the CIO's office. Certain FDIC employees
believe that not only is he doing a poor job of protecting the
agency's sensitive information technology, but also he's
created a hostile work environment. One witness called Mr.
Gross ``vindictive,'' removing his staff from leading projects
if they disagreed with his opinions.
The FDIC needs to be accountable for breaches of
cybersecurity and responsive to the findings of our
investigation.
We look forward to receiving all the requested documents
and hearing about what steps the FDIC is taking to protect
sensitive banking documents and taxpayers' personal
information.
[The prepared statement of Chairman Smith follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Smith. That concludes my opening statement, and
the gentlewoman from Texas, Eddie Bernice Johnson, is
recognized for hers.
Ms. Johnson. Thank you very much, Mr. Chairman, and welcome
to our witnesses.
As we have learned over the course of many hearings before
this Committee, cybersecurity is a never-ending struggle.
Public and private entities alike are engaged in a constantly
evolving challenge to prevent both intentional data breaches
and unintentional dissemination of sensitive information.
Since the last hearing we held on data breaches at the
Federal Deposit Insurance Corporation--the FDIC--just two
months ago, 32 million Twitter users had their login
credentials compromised, Walmart's corporate headquarters
disclosed the unauthorized access to data of more than 27,000
customers, and the medical records of thousands of National
Football League--the NFL--players were compromised when a
laptop computer was stolen from a car.
Today is the Committee's second hearing on the FDIC's
handling of several data breaches that occurred since October
2015 when the Office of Management and Budget--the OMB--issued
new cybersecurity guidance. The OMB memo, known as Memo 16-03,
helped to define what constitutes a major data breach and
requires reporting incidents designated as major to Congress
within seven days of such a determination. Data from the FDIC
is particularly sensitive, and may include personal banking
information and data indicating potential criminal activity
such as suspicious activity reports.
The agency failed to notify Congress of seven major data
breaches within the 7-day time frame that OMB requires from
October 2015 through February 2016.
During our Oversight Subcommittee hearing on this topic in
May, the FDIC's Chief Information Officer described these data
breaches as inadvertent and occurring without malicious intent.
The FDIC Acting Inspector General, Mr. Fred Gibson, testified
at that hearing and is a witness here today. His office
released two audits of the FDIC's data breaches last week, and
the evidence his office gathered clearly shows that in at least
one of the seven breaches, the data was not taken accidentally.
His office is in the process of conducting a further forensic
review of the remaining six incidences.
I think it's fair to say that our May hearing yielded
bipartisan agreement that the FDIC's interpretation of the OMB
guidelines was flawed. It is also clear that FDIC did not
initially provide all documents responsive to the Committee's
requests.
However, I do not agree with my Majority colleagues as to
what constitutes evidence of intent. The Majority is likely to
allege that the CIO intentionally misled the Committee and that
the agency attempted to obstruct the Committee's investigation
into these events. I do not believe the Committee has uncovered
convincing evidence to support those allegations. I am not
dismissing the testimony of some of the FDIC employees who have
been interviewed but it is our responsibility to make sure we
have all of the evidence and have heard from all parties before
we begin to wave around serious allegations of criminal intent.
What I do believe is this. First, the recent reports issued
by the Inspector General's office on the data breaches at FDIC
point to a series of corrective actions that I hope will
improve the agency's ability to appropriately respond to the
multiple cybersecurity threats we all face. I do believe the
FDIC Chairman takes these issues seriously. He has a strong
track record on responding to cybersecurity challenges,
including holding his staff accountable.
Second, all federal agencies need strong, competent,
independent chief information officers--chief information
security officers, and I am glad that both the IG's office as
well as the Government Accountability Office, or GAO, are now
engaged in separate reviews of the appropriate role, placement,
and authorities of the Chief Information Security Officer at
FDIC and other federal agencies.
And finally, while we investigate failures at different
agencies to fully and properly implement federal cybersecurity
requirements, we should also support agency efforts to continue
to strengthen their cybersecurity posture as the technologies
and the threats rapidly evolve around them.
I look forward to hearing from both Mr. Gruenberg and
Acting IG Mr. Gibson.
Thank you, Mr. Chairman. I yield back.
[The prepared statement of Ms. Johnson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Smith. Thank you, Mrs. Johnson.
Let me introduce our witnesses. Our first witness today is
Mr. Martin Gruenberg, Chairman of the Federal Deposit Insurance
Corporation. Mr. Gruenberg previously served as Vice Chairman
and Member of the FDIC Board of Directors. He was also Chairman
of the Executive Council and President of the International
Association of Deposit Insurers. Mr. Gruenberg received his
bachelor's degree from Princeton University's Woodrow Wilson
School of Public Policy and International Affairs and his J.D.
from Case Western Reserve Law School.
Our second witness is Mr. Fred Gibson, Acting Inspector
General of the Federal Deposit Insurance Corporation. Mr.
Gibson previously has served with the Resolution Trust
Corporation Office of Inspector General as Principal Deputy
Inspector General and Counsel to the Inspector General. Mr.
Gibson received his bachelor's degree in history from the
University of Texas at Austin and his master's degree in
Russian area studies from Georgetown University. He also
received his J.D. from the University of Texas School of Law.
We welcome you both, and Chairman Gruenberg, if you'll
begin?
STATEMENT OF THE HON. MARTIN J. GRUENBERG, CHAIRMAN, FDIC
Mr. Gruenberg. Thank you, Mr. Chairman. Chairman Smith,
Ranking Member Johnson, and members of the Committee, thank you
for the opportunity to appear before you today.
An effective information security and privacy program is
critical to the FDIC's mission of maintaining stability and
public confidence in the Nation's financial system.
My testimony today will discuss the recent incidents
pertaining to information security at the FDIC and our response
to the two related Office of Inspector General audits.
The first audit was of the FDIC's controls for mitigating
the risk of an unauthorized release of sensitive resolution
plans. As detailed in my written statement, on September 29,
2015, the FDIC determined through use of our Data Loss
Prevention software that immediately prior to resignation, an
employee in the FDIC's Office of Complex Financial Institutions
had transferred copies of sensitive resolution plans from the
internal network onto an unencrypted removable storage device,
which was prohibited by FDIC policy. The FDIC notified the OIG
of the incident on September 29, and law enforcement officials
later recovered the storage device from the former employee.
The OIG began an audit to determine the factors that
contributed to this incident, and to assess the adequacy of
mitigating controls.
Its final audit report identified several weaknesses that
the FDIC needed to address and made six recommendations. We
concur with the findings and recommendations, and expect to
complete implementation of our responsive actions by the end of
2016. These include a recommendation that the FDIC establish an
agency-wide insider threat program, which we have committed to
fully implement by the end of this year. In addition, the OIG
noted that a key control intended to prevent users from copying
information to removable media failed to operate as intended.
We are now installing a new software version that addresses the
observed defects and plan that installation to be completed by
August 26.
The second audit I'd like to address is the OIG's audit of
the FDIC's process for identifying and reporting major
incidents, which stemmed from a breach of sensitive information
that's referenced in the OIG report as the "Florida Incident".
This incident involved a former FDIC employee who copied a
large quantity of sensitive information to removable media and
took the information when departing FDIC employment on October
15 of 2015. The FDIC detected the incident through its DLP
software on October 23. The employee, who was initially
resistant, ultimately returned the device on December 8 of last
year.
Also during this time, on October 30 of last year, the
Office of Management and Budget issued guidance on the
reporting of "major incidents". In initially assessing the
application of this new guidance and consistent with FDIC
policy and procedure, the CIO considered the incident's risk of
harm and reached the conclusion that although it was a breach,
it did not rise to the level of a "major incident".
On February 19 of this year, the FDIC received an OIG memo
analyzing the Florida incident in which the OIG concluded that
the FDIC had not properly applied the OMB guidance for
classifying the incident as a "major incident". The OIG found
that the FDIC had based its determination on mitigating factors
relating to "risk of harm", but that such factors are not
addressed in the guidance and therefore are not relevant in
determining whether or not incidents are major. The OIG
determined that the FDIC should instead have reported the
incident to Congress as a major incident no later than 7 days
of having determined at least 10,000 Social Security Numbers
were involved.
Having received this OIG memorandum, the FDIC proceeded to
give Congressional notification on February 26 of this year. We
then reviewed other incidents that had occurred since issuance
of the guidance and reported six additional incidents to
Congress between March and May.
In retrospect, and in light of the OIG's report findings,
we should not have considered what we believed to be mitigating
factors when applying the OMB guidance. We also failed to
provide adequate context when reporting to Congress on the
Florida incident and should have notified the potentially
affected individuals when the notice to Congress was given in
February.
We agree with the OIG conclusions and are working on each
of their recommended corrective actions. Our expectation is
that taking the steps outlined in the responses to the OIG
reports will minimize the potential for similar incidents. I
would note that the OIG's reports state that our planned
actions are responsive and that the recommendations are
resolved.
We have also discontinued the use of removable media at the
FDIC except for limited exceptions for the GAO, OIG, and our
legal division. We will keep the OIG and Congress informed of
our progress.
Finally, if I may add, Mr. Chairman, there have been
reports about advanced, persistent threat incidents in 2010 and
2011 at the FDIC. The Office of Inspector General provided me
an investigative report back in May of 2013 on the incidents,
which found that our Division of Information Technology did not
fully inform me and other board members and senior executives
about the incidents. As a result of that OIG report, we took a
number of steps including engaging an independent cybersecurity
firm to assist our system, and personnel changes were made.
Mr. Chairman, thank you again for the opportunity to
testify today and I'd be happy to answer your questions.
[The prepared statement of Mr. Gruenberg follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Smith. Thank you, Chairman Gruenberg.
And Mr. Gibson.
STATEMENT OF MR. FRED W. GIBSON,
ACTING INSPECTOR GENERAL, FDIC
Mr. Gibson. Thank you, Chairman Smith, Ranking Member
Johnson, Members of the Committee. Thank you for the invitation
to speak with you today.
Since I last testified before this Committee's Subcommittee
on Oversight, my office has completed two publicly available
audits relating to the information security posture of the
FDIC. Our first audit dealt with the FDIC's process for
identifying and reporting major incidents and focused on the
reporting of one such incident, which is being referred to as
the Florida incident.
This incident involved a former FDIC employee who copied a
large quantity of sensitive FDIC information to removable media
and took this information when the employee left in October of
2015. The FDIC detected the incident through its data loss
prevention tool. We determined that although the FDIC had
established various incident response policies, procedures,
guidelines, and processes, these controls did not provide
reasonable assurance that major incidents were identified and
reported in a timely manner consistent with the law and OMB
guidance. We made five recommendations that were intended to
provide the FDIC with greater assurance that major incidents
are accurately identified and promptly reported.
Our analysis of the Florida incident prompted the FDIC to
initiate a review of similar incidents involving departing
employees that occurred after the OMB issued applicable
guidance in October of 2015. Based on its review between March
and May 2016, the FDIC reported six additional incidents to the
Congress as major. We are currently studying these incidents
and the manner in which they were reported and expect to
complete this work by mid-September.
In a second audit, we reviewed the Corporation's controls
for mitigating the risk of an unauthorized release of sensitive
resolution plans. Under Dodd-Frank, designated systemically
important institutions must provide resolution plans to federal
bank regulators. These resolution plans, or living wills,
contain some of the most sensitive information that the FDIC
maintains.
In September 2015, an FDIC employee working in the FDIC's
Office of Complex Financial Institutions abruptly resigned from
the Corporation and took copies of non-public components of
resolution plans without authorization and in violation of
FDIC's policies. The incident is not one of the seven that the
FDIC reported as major to the Congress. Our work identified a
number of factors contributing to the security incident. We
concluded that an Insider Threat program would have better
enabled the FDIC to deter, detect and mitigate the risk of an
event like this, and a key security control designed to prevent
employees with access to sensitive resolution plans from
copying electronic information to removable media had failed to
operate as it was intended. Our report contains six
recommendations. One is that the FDIC establish a corporate-
wide Insider Threat program.
The FDIC concurred with the recommendations we made in both
audits and has outlined actions that would be responsive. We
will follow up carefully on the implementation of each of those
recommendations.
We will also complete this year's FISMA audit in the fall.
The report will build upon the work I've described today and
will broadly assess the effectiveness of the FDIC's information
security program and practices.
In addition, we have ongoing work related to the FDIC's
plans and actions to address earlier audit recommendations
pertaining to credentialing and multifactor authentication. We
plan to initiate additional audit work in such areas as data
breach notification and the FDIC's information technology
enterprise architecture.
Finally, we also have open investigations relating to
several of these matters, which have not reached the stage
where further public discussion would be appropriate.
In any case, thank you again. I look forward to answering
any questions the Committee may have about these or any related
matters.
[The prepared statement of Mr. Gibson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chairman Smith. Thank you, Mr. Gibson, and I'll recognize
myself for questions.
Chairman Gruenberg, let me address my first one to you and
say that it's our understanding that no staff has been
reprimanded for mishandling the cybersecurity breaches, no
staff has been reassigned because of the mishandling of
breaches, and the appearance is that no one's been held
accountable for the breaches. I am just wondering why not.
Mr. Gruenberg. Thank you, Mr. Chairman. If I may, let me
give you my perspective on this, particularly in regard to our
CIO, who I think has been the lead person responsible in this
area. I understand this may not be consistent with your
perspective but I wanted to give you my perspective for what
it's worth from my position. As you know, the incident that
precipitated this, the Florida, so-called "Florida Incident",
occurred on October 15, and was identified on October 23, and
the OMB guidance on major incident was issued on October 30,
and our CIO began--assumed his responsibilities on November 2.
So what we had was sort of a confluence of developments. The
breach occurred and was identified, the guidance was issued,
and our CIO assumed his new position. It was sort of presented,
if I may say, with a pretty--for a guy just starting the job--a
pretty difficult situation to sort through. He had the breach
occur. He had to--the decision was made that even though the
breach occurred before the issuance of the guidance there'd be
an effort made to apply the guidance to the breach, but it was
new guidance, first impression without real precedent to go by.
Chairman Smith. Right. Let me interrupt you just briefly.
You had six major breaches. One was so serious it involved
law enforcement, and there were a number of individuals
involved, not just the one CIO, but it appears that again no
reprimands, no reassignments, no accountability for anyone, and
that sends a message that the breaches are not necessarily
being taken seriously.
Mr. Gruenberg. Mr. Chairman, I assure you we have no higher
priority at the FDIC than addressing these matters. We
certainly are prepared to consider the information provided by
the Committee and review and consider them in regard to the----
Chairman Smith. And this particular breach was not reported
to the Committee for four months. Was there any good
explanation why the FDIC waited to report the incident?
Mr. Gruenberg. This is in regard to the Florida incident?
Chairman Smith. The Florida incident. Correct.
Mr. Gruenberg. If I could just complete my comments on
that.
The CIO, who is the responsible official, was trying to
sort through the application of the new guidance to this
incident. He utilized existing FDIC policy of considering the
risk of harm, applying the guidance, and utilizing mitigating
factors applying to risk of harm, and a conclusion was reached
that that incident was a breach that would be reportable under
FISMA, but did not rise to the level of a "major incident".
That was the assessment made based on the facts available to
the CIO.
That occurred in December. When the OIG, who then was
reviewing this matter, provided a memo in February, on February
19 saying no, you got it wrong, these mitigating factors are
not provided in the guidance, they're not relevant----
Chairman Smith. There was a difference of opinion as to how
you define ``major''?
Mr. Gruenberg. That's really what it came down to, and I
guess what I want to suggest, and I understand there may be a
difference of view. While we may have gotten it wrong, while
the CIO may have gotten it wrong, I think, at least my
perspective is, there was an honest effort here to review the
guidance, consider mitigating factors, and make a reasonable
judgment. The judgment may have been wrong, but I don't think
there was malintent here. That's what I wanted to convey.
Chairman Smith. Thank you, Chairman Gruenberg.
And Mr. Gibson, are you satisfied that the FDIC are taking
the necessary steps or will take the necessary steps to address
your findings?
Mr. Gibson. Sir, in our view, the FDIC has described
actions that if taken will be responsive to the recommendations
of each one of our audits. I mean, it's our intention to follow
up with respect to the implementation of each one in order to
ensure both that they're implemented and that it's done so in
an effective manner and that the effect of those actions
achieves the goal that we were trying to achieve.
Chairman Smith. Okay. Thank you, Mr. Gibson.
I'll recognize the Ranking Member, Eddie Bernice Johnson,
for her questions, but let me say that I'm going to need to
shuttle between this Committee hearing and another committee
hearing, so I'm going to turn the chair over to the gentleman
from Georgia, Mr. Loudermilk, and hope to return.
The gentlewoman from Texas is recognized for her questions.
Ms. Johnson. Thank you, Mr. Chairman.
Chairman Gruenberg, several years ago before the current
CIO came to the agency, the FDIC suffered from a cyber-attack
by a foreign government. I understand that a senior IT security
staff member failed to inform you about this breach at the
time. Once you found out about it, I also understand that you
took disciplinary actions against some of these individuals who
failed to inform you of this breach.
The FDIC IG's office says that in one of the recent data
breaches, known as the Florida Incident, your Chief of
Information Officer decided not to forward information to you
about the breach because he made the determination it was not a
major incident and therefore did not need to pass this along
for your approval.
Given this history, are you taking any specific steps to
ensure that you are being kept well-informed of cybersecurity
issues at your agency?
Mr. Gruenberg. Thank you, Congresswoman. We are, needless
to say, very focused on this set of issues. As I indicated,
they are critical and essential to the functioning and
credibility of our agency, and we are engaging on a daily basis
in terms of complying with all of the recommendations and
implementing all of the recommendations made by the OIG
including implementing policies and procedures relating to
major incidents that will assure the timely reporting to
Congress if such incidents should occur again.
Ms. Johnson. Thank you.
Mr. Gibson, I understand that your office is undertaking
review of the role of the Chief Information Security Officer to
make sure that he or she has the authorities and independence
necessary to ensure a strong cybersecurity posture for the
agency. I know that this review is just getting started, but
can you tell us what sorts of questions you are trying to
address and why you're conducting this in the first place?
Mr. Gibson. Yes, ma'am. We believe that the Chief
Information Security Officer as a matter of principle should be
in a position to speak up and in a position to inform those in
the corporation who need to know what the status is of
incidents of information that may be relevant pertaining to the
security of the system. I'm not sure that we have reached--we
obviously haven't reached any conclusions yet but the goal is
essentially to reach a reasoned assessment as to whether the
CISO in current structure where the CISO reports to the Chief
Information Officer is able to provide that independent,
security-minded voice with respect to that information or
whether it's a position that should organizationally and from a
governance standpoint be separated so that there's a degree of
independence and a degree of ability to speak up.
Ms. Johnson. Now, in regards to the seven data breaches
reported to Congress by the FDIC as major incidents, do you
believe that the circumstances in those specific cases gave the
agency the discretion to determine that they were not major
incidents as they initially were determined?
Mr. Gibson. We're still reviewing all six of those
incidents so our work isn't complete. What I would say at this
point in time preliminarily is we believe they should all have
been reported as major incidents consistent with 16-03.
Ms. Johnson. Thank you very much.
I yield back.
Mr. Loudermilk. [Presiding] I thank the lady from Texas,
and now recognize myself for five minutes for questions.
Mr. Gruenberg, you had mentioned earlier that Mr. Gross was
assessing the risk of harm as one of the reasons that it wasn't
reported to Congress. I may remind you that risk of harm is not
one of the criteria in OMB. It's the scope and the type of
documents which I think is clearly in the realm of what should
have been reported and reported within seven days, not in
several months, but it's not the place of this Committee to try
to micromanage the operations within FDIC, but when the
operations put at risk the safety and security of American
citizens or our national security, then it is our
responsibility, it's our duty to inject ourselves on behalf of
the American people.
And so in our previous hearing, we really looked at in
depth, as in depth as we could, as to what happened in those data
breaches. Today I want to assess what is the response. Because
I think it's important that we understand the direction that
you're taking. Is it effective? Are we actually trying to
correct that as we go forward in still investigating what
happened and why the law was not followed? We also need to know
what direction you're going.
Now, I understand that through testimony before that you
have a data loss-prevention program, DLP, that is, I believe, a
Symantec program, that actually notified the FDIC and your data
team that this data had been copied, and so that kind of
prompted your internal investigation into that. I also
understand that Mr. Gross is now fast-tracking a number of
other initiatives to show progress on remedying these security
breaches and, you know, normally this--we would take that as
good news that you're giving priority and importance to trying
to resolve this, but it appears that some of these initiatives
Mr. Gross is spearheading are not the solutions that really are
going to fix the problem but may exacerbate the problem and
make it worse.
Mr. Gruenberg, are you aware that Mr. Gross has planned
out--planned a rollout of a Digital Rights Management System?
Mr. Gruenberg. Yes, Congressman.
Mr. Loudermilk. You are. Do you support that initiative?
Mr. Gruenberg. As it's been explained to me, it seems like
a reasonable step for us to take.
Mr. Loudermilk. Okay. And you trust that--is it Mr. Gross
that has explained that to you?
Mr. Gruenberg. Yes, sir.
Mr. Loudermilk. It has. Do you understand the benefit that
DRM will have for cybersecurity protection at the FDIC?
Mr. Gruenberg. I have some understanding. I don't hold
myself out as a technology expert but I do have some
understanding.
Mr. Loudermilk. Well, I spent 30 years in the IT business
so I have somewhat of an understanding, but it is an evolving
field. Basically, Digital Rights Management is a method of
encrypting and applying rules of access or non-access to
specific documents.
Mr. Gruenberg, I understand that the FDIC has this DLP
that--and as I brought up the DLP earlier, you were nodding
that yes, it did notify your data security team of that data
being copied. Are you aware that the rollout of DRM will
actually render DLP ineffective?
Mr. Gruenberg. Not to my understanding, Congressman.
Mr. Loudermilk. So you haven't been briefed that it would
actually render ineffective the current security system that
actually notified you of that breach?
Mr. Gruenberg. Not that I'm aware of, no, sir.
Mr. Loudermilk. Let me mention an email provided to the
Committee by a whistleblower in the FDIC discussing the actual
impact DRM will have. This email was sent on July 1, 2016, so
it was pretty recent, and the subject line reads ``risk to
FDIC's data.'' Now, we have redacted the email and I am just
going to summarize it, one, because we feel that if I read the
details as it was written, it would provide--it would even
exacerbate your current security risk that you have but also we
have concerns of retribution on the whistleblowers within your
organization. Basically this is from a senior expert within the
FDIC that says, and I summarize or paraphrase, that there is a
great risk of losing control over your data by simply releasing
DRM without a lot of other work being done first, especially
data classifications, labeling and access rights, which has not
been done. It says each of these has to be done or essentially
applying a DRM file will bypass the current DLP controls. This
makes DRM a high risk to undetected data loss. It sounds like
an environment that is supported by CIO, Mr. Gross, doesn't
really understand what he's doing, and maybe he's just
responding to the inquiries of this Committee to show that he's
doing something but it will not actually have a positive effect
but actually have a negative effect.
How do these types of fundamental security conflicts arise
at the FDIC? Do you feel Mr. Gross has been giving you the full
extent of what the system will do?
Mr. Gruenberg. I do believe so, Congressman. I take very
seriously the points you raise, and if I may, let us go back
and take a look at the issue you raised, particularly in regard
to DRM and its impact on the DLP. I think that's an important
point. If we may, let us look into it and we'll come back to
you.
Mr. Loudermilk. I appreciate it.
Now, I understand that right now there's no permanent Chief
Information Security Officer in place. Is that true?
Mr. Gruenberg. That is true. We're in the process of
putting out a notice soliciting individuals for that position.
Mr. Loudermilk. Do you feel that position is very vital?
Mr. Gruenberg. Central, sir.
Mr. Loudermilk. But yet you're going ahead with the rollout
or fast-tracking rollout of a security program without this
position being filled.
Mr. Gruenberg. I think, if I may say, in regard to--if
you're referencing DRM, I mean, that's still in the initial
phase, so we will go back and consider the points you raised.
This is going to be done in a very careful and deliberate way,
and if the issues you raise are on point, we'll obviously take
that into consideration.
Mr. Loudermilk. Well, I think it would be very advisable to
do that, and I'm quickly--I've exceeded my time. But does the
FDIC have any classified material of any quantity?
Mr. Gruenberg. We do have a so-called SCIF.
Mr. Loudermilk. Is that information in danger if we
continue to have conflicts like rolling out a DRM that will
circumvent the current security protocols you have in place?
Mr. Gruenberg. Not to my understanding but let me be sure I
understand it before I give you a conclusive answer on that.
Mr. Loudermilk. My time's expired, and I now recognize the
gentlewoman from Oregon, Ms. Bonamici, for five minutes.
Ms. Bonamici. Thank you very much, Mr. Chairman, and thank
you for calling this hearing.
Chairman Gruenberg, can you provide us with an update of
the actions that the agency has taken to notify any individuals
affected by all of the major data breaches? Have you offered
credit monitoring services, for example? And if they have not
been notified, when will that happen?
Mr. Gruenberg. We are undertaking notifying and providing
credit monitoring to all the individuals affected by those
seven breaches.
Ms. Bonamici. And Mr. Gibson, one of the two audit reports
you released last week looked at a data-breach case in New York
and suggested that the Insider Threat program could have
potentially helped prevent that data breach. That language is
pretty strong. The report mentions that the program was stalled
in the fall of 2015. So will you please explain the importance
of the Insider Threat program, and what happened? Why did it
stall? Because that's a pretty serious issue.
Mr. Gibson. Sure. The Insider Threat program is an
overarching program that allows the integration of information
from multiple sources to assess whether an individual poses an
insider risk to an enterprise. I think it's commonly accepted
wisdom, and it's probably good wisdom, that the most
significant threats that most organizations are going to face
are insider threats, in other words, the risk of an employee or
a person who's trusted within a computer network obtaining
access or misusing access to data that's contained within or
housed within a particular system. So we think that an Insider
Threat program is an extremely important thing to do.
The program itself consists of a variety of different
pieces, but beyond that, what's necessary is an overarching
goal.
Ms. Bonamici. I understand that, and I don't mean to
interrupt----
Mr. Gibson. That's----
Ms. Bonamici. --but why did it stall in the fall?
Mr. Gibson. That is unclear. I think that we've heard two
different versions of the story as to why it stalled in the
fall. From a senior management perspective, we've been told
that there was concern that components of the program were
conducting an investigation that was going too far and too fast
with respect to an employee and that they needed to establish
policies, procedures, standard operating procedures, and a
means for managing the work that was being done before it
continued.
We've heard kind of a different story at a different level
of the organization where they believe that they were in
essence directed to stop, and they got the message that there
wasn't----
Ms. Bonamici. I want to try to get another question in but
I know that the Committee would appreciate follow-up on that
when you determine exactly why that failed.
Mr. Gibson. Okay.
Ms. Bonamici. I wanted to follow up on Mr. Loudermilk's
questioning, and I think this is best directed to you, Mr.
Gibson.
The FDIC implemented a new version of its data loss
prevention tool last September, and it was apparently the
software that allowed you to identify the recent major data
breaches but your office looked at the implementation of this
tool, found some problems from September 2015 to the end of
February 2016. The software identified 604,178 potential
security violations and nearly 400,000 of those were related to
removable media.
So it's my understanding that ultimately it was up to some
individual to sort through those incidents and determine which
are the most suspicious in order to see if they were legitimate
downloads or indicated potential unauthorized activity, which
seems a little bit like looking for a needle in a haystack.
So do you think that this DLP is a useful cybersecurity
tool? What do you need to do to ensure it's used effectively?
And just to follow up on Mr. Loudermilk's question, apparently
now you're doing something that's inconsistent with that. And
finally, since you've eliminated the removable media usage, has
there been a reduction in the incidents that have been flagged
by this DLP program?
Mr. Gibson. Let me answer that as best I can. I think that
the DLP tool as a tool is a tremendously important and helpful
tool. I think that it requires a higher level of resources in
order to be timely and effective. I would agree that digging
through the volume of reports that the individual who's tasked
with that has had to dig through really is a little like
looking for a needle in a haystack, and I think that could be
resolved, you know, by devoting some additional resources to
it, and we've recommended that that be resourced differently.
There may be other technical approaches that can be used as
well. I wouldn't be the person to address that.
Ms. Bonamici. By ``additional resources,'' do you mean
additional people looking for the needles in the haystack or do
you mean some other approach?
Mr. Gibson. Both.
Ms. Bonamici. Mr. Gruenberg?
Mr. Gruenberg. Congresswoman, if I can just add to that, I
think a large percentage of the incidents being identified by
the technology was a result of the use of removable media. So
by discontinuing the use of removable media, we hope that's
going to substantially reduce the number of incidents and allow
for the more effective use of the technology.
Ms. Bonamici. And you said you hope that it does, but do
you know yet, have the--has there been a reduction in incidents
flagged by the DLP program since the elimination of removable----
Mr. Gruenberg. It's obviously a recent development. We can
check into that and come back to you.
Ms. Bonamici. Terrific. Thank you very much.
I yield back. Thank you, Mr. Chairman.
Mr. Loudermilk. The Chair now recognizes the gentleman from
Texas, Mr. Neugebauer, for five minutes.
Mr. Neugebauer. Thank you, Mr. Chairman.
Chairman Gruenberg, through the course of this Committee's
transcribed interviews of FDIC employees, it is clear that CIO
Larry Gross is fast-tracking a number of initiatives to show
progress in remedying these cybersecurity breaches, and some of
those have been mentioned. Normally, as the Chairman said, that
would be welcome news, although it appears that some of these
initiatives spearheaded by Mr. Gross are not the fixes needed.
Chairman Gruenberg, are you aware of Mr. Gross's initiative
to replace all desktops at the FDIC with laptops?
Mr. Gruenberg. Yes, Congressman.
Mr. Neugebauer. And do you support that, and do you think
that's a good idea?
Mr. Gruenberg. As presented to me, it seems like a
reasonable step to take. We're going to be implementing that in
a careful and deliberate way. The use of laptops will enhance
both the mobility and the continuity challenges that we face
with our workforce. I think that's been part of the objective
here.
Mr. Neugebauer. Do you know what that's going to cost?
Mr. Gruenberg. I can get that for you. You know, we
provided laptops to our field employees in the previous year,
and so this round is to provide it for our Washington
employees.
Mr. Neugebauer. So are you aware that a number of security
experts at the FDIC strongly believe that replacing the
desktops with laptops increases cybersecurity risk?
Mr. Gruenberg. Look, I understand that there have been some
statements to the Committee, and let me say, I'm sure those
statements were made with good intent, and I appreciate the
points raised. What we will do is, as for the points
Congressman Loudermilk raised in regard to the DLP and DRM, is
look into them, and, if we may, report back to you.
Mr. Neugebauer. Well, just a little side note here. I think
that the plan here has been to keep employees from taking data
offsite, if I'm not mistaken, and if you start furnishing
laptops with that information on there, it looks like to me
we're moving in a different direction here, but----
Mr. Gruenberg. Can I respond to that, Congressman?
Mr. Neugebauer. Yes.
Mr. Gruenberg. For what it's worth, and again, I want to be
pretty cautious about representing myself in regard to
technology, the laptops have value for both mobility and
continuity of operations. If our operations are disrupted,
there's value in our employees having that capability as well
as tele-work. I think the belief is--and again, we'll review
and come back to you on this--that a government-furnished
equipment such as a laptop may be a more secure way to achieve
that objective.
Mr. Neugebauer. Well, I would suggest you look into that
because I know a number of people are telling Mr. Gross that
they don't think that's a good idea, and it appears that he's
not listening, so I would encourage you to do your own due
diligence.
Let me show you some testimony from former Acting Chief
Information Officer and now Deputy CIO when asked about Larry
Gross's laptop initiative. Put the slide up there.
[Slide.]
Question: ``Are you--could you tell us a little bit more
about the laptops. So under this new plan, would it replace the
desktops that employees have at the agency?'' The answer was,
``It's not clear, and this is one of the things that has not
been thought through. Some of the questions are, so is this--
will this replace the desktop. So do you have both? So now I
have a laptop and I have to take that back and forth. Now,
again, I'm looking at it from a security perspective. Our focus
has been security. What is the risk, you know? Why spend $5
million? Is this really going to help security posture for FDIC
in terms of your spending something and you don't know what
you're getting in return from the security perspective. There
are many other things we can be doing to improve security
posture at FDIC, and this is not at the top of the list, but
this is what happens when decisions are made at the top level
without including subject matter experts, folks from divisions,
from business, and there's artificial deadlines imposed by this
July 31st that are supposed to do all of this.''
Mr. Gruenberg, there are other examples of similar
testimony from IT and security experts at FDIC. I mean, I'm
beginning to question Mr. Gross's proficiency in his job. Are
these alarming to you?
Mr. Gruenberg. Let me say, you raised--the points you
raised, I think, are serious ones, and we'll take the
opportunity if we may to review them and perhaps come back to
you.
I would just say in regard to Mr. Gross, I think it's fair
to say our Vice Chairman, Tom Hoenig's, perspective is one we
believe Mr. Gross is a capable professional, and it's fair to
say he assumed his position on November 2nd of last year so
he's been on the job for 9 or 10 months. I think our sense is--
and believe me, we will carefully consider the points you
raised--but I think our sense is, we'd like to give him an
opportunity to do the job and we'll evaluate that and I assure
you we will hold him accountable, but we don't want to--we want
to at least give him a fair chance to see----
Mr. Neugebauer. Well, my parting comment is, as you know,
and you and I both know, is that one of the things that your
agency does is hold the financial institutions that you
regulate under very high data security standards, and as you
should because we're handling very sensitive information. I
think it's extremely important that the FDIC set an example in
that area, and I don't believe we're accomplishing that goal.
Mr. Loudermilk. I thank the gentleman, and Mr. Gruenberg,
it sounds like the issue we're facing at FDIC is data getting
out of the FDIC, and I would think that you would want to make
it more difficult for employees to take data out, not make it
easier with laptops. Maybe you should invest in a set of chains
and locks instead of laptops.
At this point I recognize the gentleman from Illinois, Mr.
Foster, for five minutes.
Mr. Foster. Thank you, Mr. Chairman, and thank you for
everything that the FDIC does to make banking safer.
One of my favorite graphs in the universe is the number of
bank failures as a function of calendar year from the Civil War
to today where you see that banks back in the days of when it
was the Wild West before the FDIC, you saw that hundreds of
banks would fail in a typical year, and when the FDIC and
related regulation came in, before we decided to dismantle it,
we saw essentially zero bank failures and banks became a safe
place. And so I want to thank you for everything that you've
proven capable of.
Now, a couple of specific questions. The laptop thing, are
these thin client laptops or are these full capability laptops
with the data on drives and, you know, Bluetooth ports and all
these sort of potential data leaks?
Mr. Gruenberg. If I may, rather than answering that off the
top, can I come back to you on that point?
Mr. Foster. Okay. Do you know in a general sense how your
security compares to the security, say, at a large,
sophisticated law firm or a large bank where they hold equally
sensitive information? For example, do they allow employees to
telecommute with sensitive data on laptops with what level of
encryption, et cetera? As a very high-level question, could you
sort of compare the fraction of your budget devoted to
cybersecurity compared to, you know, what a large,
sophisticated bank, for example, or large law firm would do?
That would be a very useful comparison to find out whether
you're underinvesting in this or whether it's just a problem
that everyone is wrestling with.
Now, in relation to the removal of the portable storage
devices there is an enormous data leak that everyone carries
around in their pocket, and it's the very simple way of just
taking pictures of screenshot. If you have access to read the
clear text of a document, you can take a picture of it, and
unless you plan to confiscate cell phones, it's very hard.
There's a large class of insider attacks that you can imagine
based on simply the existence of a cell phone in the employee's
possession, and that is the sort of thing they do. If you're
talking about nuclear bomb designs, you cannot carry cell
phones in. Is that the level of security that you plan on
investing in or is there some intermediate level and you just
live with the risks that are allowed that are intrinsic in that
lower level?
Mr. Gruenberg. You raise an important point. We've
addressed the removable media issue. We're in the process of
addressing paper production and controlling paper production as
well. The issue you raised of snapping of a photograph of a
screen and taking it with you is an issue we need to address
but that's a significant challenge.
Mr. Foster. And a large number of secret ways of streaming
the data out if you're allowed to download an executable on a
laptop you own. There are many ways to communicate with similar
programs on a cell phone that are going to be difficult to
detect.
So I was just wondering if you see the endpoint here to
be the endpoint comparable to nuclear security or comparable to
best practices at a big bank.
Mr. Gruenberg. That's a--you know, I don't know--I would
like to think we would at a minimum achieve best practices for
both government agencies and the private sector. I think that
would be a reasonable objective for us.
Mr. Foster. And are you looking at the tradeoff between
just cloud-based everything and just thin clients with no real
data storage locally, which is in some people's view the best
practice endpoint for this, versus the dangers of even having
employees with encrypted data that they sometimes can forget to
encrypt on their laptops and carry home and lose the laptop and
that sort of fun class of data breach.
Mr. Gruenberg. That's also a set of issues we have under
review.
Mr. Foster. Okay. Are there conferences where all the
federal agencies and the best and brightest in industry get
together and identify the best practices in this pretty
terrifying environment?
Mr. Gruenberg. There has been an enormous amount of
interaction first among the federal agencies related to
cybersecurity and expanded efforts for interaction with
industry. I think there's an understanding that there needs to
be a level of collaboration between the public and private
sectors to begin to get arms around the cyber issue, and there
are committees that have been established both made up of the
federal agencies and made up of industry that also interact
together in terms of trying to increase cooperation.
Mr. Foster. So you're not really going off in a corner and
inventing something new? You're collaborating with what is
really a government-wide--at least government-wide if not
industry-wide?
Mr. Gruenberg. I think that's fair to say.
Mr. Foster. Okay. Let's see. One last thing if I may, one
last question. Can you contrast your level of security compared
to the very, very large number of state banking regulators?
Would you hazard a guess as to whether there're likely state
bank regulators out there that have comparable vulnerabilities?
Mr. Gruenberg. Well, it's a fair question. I'm not sure I'm
in a position to comment on it.
Mr. Foster. Okay.
Mr. Gruenberg. I would say as a general matter, it wouldn't
surprise me if our level of investment were greater given the
resources, but you'd really have to look into it.
Mr. Foster. All right. Thank you.
Yield back.
Mr. Loudermilk. The Chair recognizes the gentleman from
Oklahoma, Mr. Bridenstine.
Mr. Bridenstine. Thank you, Mr. Chairman.
Mr. Gruenberg, you have said that the FDIC takes seriously
its commitment to improving its cybersecurity posture. Is that
correct?
Mr. Gruenberg. Yes, sir.
Mr. Bridenstine. And you have said that improving the
cybersecurity posture of the FDIC is one of your highest
priorities. Is that correct?
Mr. Gruenberg. Yes, sir.
Mr. Bridenstine. So why is it that you don't do strategic
IT planning?
Mr. Gruenberg. Well, it's my understanding that under the
CIO's direction that that is done, but let me check on that to
be sure that's an accurate answer.
Mr. Bridenstine. Mr. Gibson, do you agree that strategic IT
planning is done at FDIC?
Mr. Gibson. Sir, I've never really looked at that question.
If you could help me out a little bit, what exactly do you mean
by ``strategic IT planning''?
Mr. Bridenstine. Well, the idea that we're not reactionary
but instead we're planning ahead of time and not just reacting
to every individual incident.
Mr. Gibson. Well, one of the subjects that we intend to
look at in the very near future is the whole question of
enterprise architecture. Enterprise architecture basically is
understanding the design of the FDIC's network and its overall
IT system and its IT structure. We've commented for years that
we thought that more resources or effort needed to be placed in
the enterprise architecture area. We intend to look at it
specifically now because we do place great value on that in
terms of being able to direct the resources and investment that
are being made and understand better the networking and the
security components of the environment that we're looking at.
To the extent that that helps answer the question, it's
something that we'll be looking at very specifically in the
near future.
Mr. Bridenstine. That's perfect.
And Mr. Gruenberg, will you commit to evaluating the entire
IT enterprise architecture and moving forward with strategic IT
planning?
Mr. Gruenberg. Yes, Congressman, I think that's an
excellent suggestion. Thank you.
Mr. Bridenstine. Okay. Mr. Chairman, I yield back.
Mr. Loudermilk. The Chair recognizes the gentleman from
Colorado, Mr. Perlmutter, for five minutes.
Mr. Perlmutter. Thanks, Mr. Chair.
So my first question to you two is, how does Bell's theorem
or the Drake theory apply to the breach? Oops, that was for the
astrophysicist from a couple days ago. I apologize for that.
All right. I'll stop messing around.
Mr. Gruenberg. I was looking over at Fred----
Mr. Perlmutter. I'll stop messing around.
First, like Mr. Foster, I want to thank both of you for the
job that the FDIC does. We came through a very difficult time,
2008, 2009 and 2010, expected a lot--I expected more failures,
a lot of work between the insurance corporation and the banks
to stabilize them and grow the economy. So the big picture,
thank you very much.
All right. So now I'm just going to go back to sort of how
I can understand this, and there's been somebody who's a thief,
he's robbed you, and then the question is, what was taken, and
who and how many people have been robbed or otherwise hurt, and
then what are you going to do about it. So I assume in these
different instances, somebody--the robber, the thief is facing
some criminal liability of some sort or another. Am I wrong?
Mr. Gibson. Sir, we have a number of investigations that
are currently open with regard to a number of the matters that
we're talking about here today. I don't know what the ultimate
outcome of those will be but the goal was to determine whether
there is criminal responsibility that can be imposed on
anybody, and if there is, we'll pursue it with our partners in
the Department of Justice.
Mr. Perlmutter. If I went back to my law firm and one of my
partners or one of the staff took a file, how would I respond?
I'd say give it back, but the problem you all face is that when
somebody takes a file, they take a million files, and I think
that's the purpose of today's panel, to try to understand how
far and wide these things are, and how you're building your
defenses to that disgruntled employee or somebody who made a
mistake and bang, it's all out there.
So you know, some of the questions, Mr. Chairman, have been
directed to you about reprimands within the organization to the
guy who just took over and is trying to figure out where the
vulnerabilities are and who were the thieves. I don't understand
why reprimanding him at this point makes any sense. But I do
understand the Committee's concern that if the FDIC is somehow
robbed, that one, we need to check your defenses, but two,
somebody's going to pay for it, you know, Edward Snowden, so it
isn't like you're all by yourselves getting robbed. I mean, the
NSA, the CIA, the Office of Personnel, Anthem Blue Cross,
Target, Chase, you name it, everybody's been hacked. But you
are the backstop for banks. So what are you doing to try to
build up your defenses?
Mr. Gruenberg. Well, Congressman, in this set of
incidents, for all of these breaches, just from a technology
standpoint, the underlying vulnerability, as I indicated, was
allowing the use of so-called removable media--flash drives,
thumb drives--which allowed an individual to download sensitive
information on to a device like this and basically walk off
with it.
Mr. Perlmutter. All right.
Mr. Gruenberg. That was the--and we've now, it's fair to
say, discontinued the use of those devices.
Mr. Perlmutter. Let me ask you this. The three of us are
lawyers, all right? So how is it--I understand the
investigations are proceeding, but if somebody takes off with a
thumb drive, has any of this been put to nefarious use? Because
if it has, then that guy should be under indictment or in jail.
What really is happening there?
Mr. Gruenberg. On the criminal side, I really should leave
it to the IG because that's the IG's responsibility. I think
in--well, Fred, do you----
Mr. Gibson. So I guess the best way that I can answer that
question is to say that we are pursuing cases where we believe
that there is a basis for bringing them and we're just not at a
point yet where we can disclose publicly exactly what the
status of that case is, but yes, we are pursuing investigations
in the specific areas you're concerned about.
Mr. Perlmutter. All right, well thank you, gentlemen. Thank
you for your service to the country, and I yield back.
Mr. Loudermilk. The Chair recognizes the gentleman from
Alabama, Mr. Palmer.
Mr. Palmer. Thank you, Mr. Chairman. I have a slide, if we
could get that slide up, please?
[Slide.]
Very good. Thank you.
I want to walk through this with you. I'm going to read
this transcript. You can read it if you can see it well enough
on the slide. This was between FDIC personnel in regard to the
breach, and it says, ``Just to be clear here for the record,
there was a penetration of the FDIC network system generally by
an outside party that was malicious, right? Correct?'' and the
answer was, ``Yes.'' And the FBI alerted the FDIC, the
appropriate people within the FDIC, that this was the case, and
one of the potential fixes or appropriate actions was to shut
down or turn off the entire FDIC system to eradicate the
intruder, and the answer was yes, that was recommended. Okay,
now after that, it was--the FDIC employee said, ``Now, after
that, it was kept--I'm out of the loop except for Ned came into
my office to tell me that this incident that Russ Pittman said:
This can't get out here, this breach information. We can't do
anything to jeopardized''--that's their word--''the chairman
getting, when they vote, getting approved for because it's''--
and the questioner, ``A Senate-approved position? Confirmed.''
``Yes.'' You can take down the slide.
Mr. Gruenberg, are you aware that the FDIC employee
attempted to cover up the fact that a foreign nation hacked
into FDIC systems in an effort not to jeopardize your
confirmation as chairman by the U.S. Senate?
Mr. Gruenberg. No, sir.
Mr. Palmer. You are not aware of that?
Mr. Gruenberg. No, sir.
Mr. Palmer. You've never been made aware of it?
Mr. Gruenberg. Never, sir.
Mr. Palmer. Are you concerned that the----
Mr. Gruenberg. There was a report that came out yesterday.
That was the first that I had been made aware.
Mr. Palmer. So no one within the FDIC discussed this with
you even before the hearing that this might come? The first
time you saw it was yesterday in the media?
Mr. Gruenberg. Yes, and when that--the committee interim
report was released and there was a reference to it. That was
the first I became aware of it.
Mr. Palmer. So you testified that you've never--you did not
hear that before yesterday?
Mr. Gruenberg. No, sir.
Mr. Palmer. Okay. Are you concerned that the FDIC officials
attempted to shield details of the incident from knowledge of
the individuals outside the FDIC including the Inspector
General until after your confirmation? Does that concern you?
Mr. Gruenberg. I understand this was represented. I can't
speak to the accuracy----
Mr. Palmer. We can give you a copy of the transcript.
Mr. Gruenberg. I understand, but, you know, it--I can't
speak to the accuracy. If it was accurate, certainly.
Mr. Palmer. When did you first learn that the breach
occurred?
Mr. Gruenberg. Well, this goes back to an incident in 2010
and 2011, I believe.
Mr. Palmer. Were you aware of it then?
Mr. Gruenberg. I was made aware of it, I believe, for the
first time in 2011, and as you may be aware, our Inspector
General--undertook an investigation of this and issued a report
in 2013. I believe the finding of the report as I indicated in
my opening statement, is that in regard to this incident, both
myself and other members of the Board and senior executives
were not fully informed.
Mr. Palmer. I've got a couple other questions. Are you
confident that the FDIC's current cybersecurity posture can
prevent a similar breach from occurring? It's a yes or no.
Mr. Gruenberg. If I may, as the--I think we are improving
our systems. I think--I want to say in light of OIG reports--I
think it's fair to say we are working hard to address the
issues identified. So I don't want to----
Mr. Palmer. So you're not totally certain that it's secure?
Mr. Gruenberg. I think----
Mr. Palmer. Let me ask you this----
Mr. Gruenberg. Congressman----
Mr. Palmer. --in the context of how these breaches
occurred, if I may, does the--where the employees taking
information on their way out after they've left employment,
does the FDIC have an employee handbook manual?
Mr. Gruenberg. I would have to check but I believe--I
assume we have something like that.
Mr. Palmer. Based on that answer, I would assume you
haven't read it.
Mr. Gruenberg. I can't say I've looked at it, sir.
Mr. Palmer. I think it might be a good idea if you became
familiar with it and make sure that you have a policy in there
that is clear that it is prohibited for any employee upon
leaving their employment that they cannot take any information
with them, and I think if that had been clearer, that might not
have happened. It may have happened anyway, particularly with a
disgruntled employee.
Mr. Gruenberg. Congressman, if I may say, I do believe
there is such a requirement so that when an employee leaves the
agency, they have to sign a statement to that effect.
Mr. Palmer. They do?
Mr. Gruenberg. Yes.
Mr. Palmer. Well, were these people prosecuted? Because
that's a prosecutable offense.
Mr. Gruenberg. That's what the IG is looking into, I
believe.
Mr. Palmer. Okay. Let me say this, Mr. Chairman, and I'll
wrap it up.
I find it interesting that some at the FDIC apparently
thought your confirmation as Chairman was more important than
taking immediate action to protect almost 31,000 banks and
160,000 individuals, as it turns out the total here. It's as
though these banks and their depositors and customers were
acceptable losses, collateral damage, to ensure that you
would--there would be no obstacles to your confirmation. That
concerns me. That is indicative of some political calculations
within the FDIC that in my opinion were totally inappropriate.
I yield back.
Mr. Loudermilk. I thank the gentleman.
Mr. Gruenberg, as you're aware, this hearing is about
security breaches, cybersecurity breaches, and your efforts to
mitigate future breaches, but I'm growing more concerned of the
lack of preparation because quite often, many times in most
every witness, you've said let me get back to you on that, and
in one case, what really concerns me, you said you may get back
to us with that----
Mr. Gruenberg. I'll get back on every point, sir. I didn't
mean to----
Mr. Loudermilk. Oh, okay. That helps a little bit. But also
getting a little more concerned, we don't expect you to know
the answer to every intricacy in there but not knowing whether
you even have a policy handbook is concerning, and a lack of
staff here as advisors with you is--may lead some to believe
that maybe you weren't as prepared or take this as seriously as
we think you should.
With that, I recognize the gentleman from Virginia, Mr.
Beyer, for five minutes.
Mr. Beyer. Thank you, Mr. Chairman.
I believe we can all agree that the FDIC has suffered from
some serious data breaches and that some of their responses to
the Committee were initially not complete and that the original
analysis of these major data breaches by senior FDIC officials
was not adequate or fully accurate. However, I don't agree that
we can or should infer from the facts that the Committee has
gathered to date as the Majority has clearly done that
individual FDIC employees intentionally lied to this Committee
or have engaged in deliberate obstruction of this Committee's
investigation.
Unfortunately, the Majority appears to have selectively
pulled some information that helps them paint that narrative.
They ignore some records and have intentionally not interviewed
certain witnesses who may have presented a fuller understanding
of the agency's actions that the Majority has called into
question.
As one key example, the Majority staff report refers to one
FDIC official who the report stated, ``deliberately tried to
prevent FDIC attorneys from creating records that would be
responsive to the Committee's request in this investigation.''
But the initial request not to create emails regarding
certain investigations of the agency's investigation was
documented in an email from one FDIC employee on October 29,
2015, which was long before the Science, Space, and Technology
Committee began an investigation, long before we were even
aware of the breach.
So while this email raises legitimate questions about why
FDIC employees were directed not to put certain information in
emails--that's certainly inexcusable--it occurred one day
before the OMB memo 1603 was issued and 4 months before the
Committee even became aware of the data breach at the FDIC. So
to suggest this direction was part of an effort to obstruct the
Committee's investigation makes no sense, is frankly misleading
when you examine all the records the Committee has obtained.
So I'd like to seek unanimous consent to enter this email
of October 29, 2015, into the record.
Mr. Loudermilk. Without objection, so ordered.
[The information appears in Appendix II]
Mr. Beyer. Thank you, Mr. Chairman, and Mr. Chairman
Gruenberg, I read carefully--I listened to you but I also read
the 15-page statement that you submitted for the record, and I
just wanted to thank you for not the disasters before but for
taking full responsibility, for trying to be as clear and
transparent as possible, for coming together with a
comprehensive plan which takes up most of that 15 pages, and
near as I can tell, fulfilling all of the Inspector General's
recommendations. I thought Chairman Smith's opening question,
which is to the Inspector General, are you as the leader of the
FDIC doing everything that they recommended, and let me,
Inspector General, ask you that one more time to make sure that
we're all on the same page.
Mr. Gibson. Sir, they gave us a series of responses to our
recommendations that we consider to be responsive. What we'll
be doing is, we'll be following up to monitor the
implementation of the things that the FDIC has indicated they
will do and to determine whether they've been effective.
Mr. Beyer. Great, great. We would only expect that you
would continue to make sure that the chairman and his team
follows through on the recommendations you've made.
Mr. Chairman, in the back and forth with my good friend
from Alabama, where you were taking some heat about the
employees who were shielding you through the nomination
process, were you aware that they were shielding you, and did
you take any personnel action once you became aware?
Mr. Gruenberg. I certainly was unaware, Congressman, as I
indicated. I learned about it for the first time yesterday, and
I just would be cautious. I understand it was asserted by an
individual in an interview, but there hasn't been a review of
what actually occurred here, so I'd be cautious, you know,
about the accuracy of the representation.
Mr. Beyer. Okay. Good. Thanks. But you certainly would
agree that this is inappropriate?
Mr. Gruenberg. Oh, no question, if indeed it's true.
Mr. Beyer. Yeah. Thanks. Much has been made about the seven
people that took the records out, the excess of 10,000 per
person. What is the long-term follow-up plan to make sure that
the data breaches have no ongoing effort? You know, sometimes
the records are stolen by whomever, and it could be 2, 3, four
years before they try to apply for a credit card or a car loan
or something like that.
Mr. Gruenberg. Well, as a threshold, I think we're
addressing the technological vulnerability related to the
removable media that sort of underlay each of these incidences,
so hopefully as a threshold, that'll be helpful in addressing
it. We'll also be implementing policies and procedures to
carefully monitor any activity and have a very strong system of
controls relating to any employee who may be separating from
the agency.
Mr. Beyer. But I'm specifically concerned about the records
that were already out there, not breaches still to happen but
breaches that already did occur.
Mr. Gruenberg. Yeah. For the ones that have been
identified, and we have recovered the devices, we can't say
with certainty that there was no dissemination. I don't know
that we can ever demonstrate that conclusively. At least thus
far, we haven't had evidence of dissemination.
Mr. Beyer. Okay. Great. Thank you, Mr. Chairman.
Mr. Chairman, I yield back.
Mr. Loudermilk. I thank the gentleman from Virginia, and
Mr. Gruenberg, since you are going to get back with us on some
things, would you please provide this Committee the copy of the
handbook that was mentioned earlier?
Mr. Gruenberg. Yes.
Mr. Loudermilk. Also, notice to the members of the
Committee, we do intend on doing another round of questioning
for those--this is an important matter. We'll make sure
everyone gets their ample opportunity to ask their questions.
With that, I recognize the gentleman from Louisiana, Mr.
Abraham, for five minutes.
Mr. Abraham. Thank you, Mr. Chairman.
Mr. Gruenberg, when did you first become aware of the
Florida incident where 10,000 people's records were
compromised? When did you become aware?
Mr. Gruenberg. I think I was informed in--the incident
occurred on October 15th. It was identified on October 23rd. I
believe I was notified for the first time in November, I think
November 19th.
Mr. Abraham. So about a month?
Mr. Gruenberg. Yes, sir.
Mr. Abraham. What was your role in deciding whether to
report that to Congress or not?
Mr. Gruenberg. I didn't. As the IG noted in its report, I
didn't have a role in that.
Mr. Abraham. So I mean, you couldn't have been proactive?
Or could you have been proactive in reporting that to Congress
if you so chose?
Mr. Gruenberg. It was a judgment made by our CIO working
with the data breach management team----
Mr. Abraham. And that was the gentleman that took the hand
on November 2nd?
Mr. Gruenberg. Yes, sir.
Mr. Abraham. And I understand that he was new to the job
and he has been in the job eight or nine months and that he's
learning the job but, you know, I might suggest this is not an
on-the-job training job. He should have come very well vetted
and prepared to do the job on day one. So it does concern me
that, you know, we're taking this type of attitude--well, he's
learning the job, so to speak, and you know, we hate it that he
was thrown into the fire that early. I mean, if he would have
been thrown into the fire the day he got on the job, he should
have been able to do the job.
Mr. Gruenberg. It's a fair point, Congressman. He came, as
you can--if you reviewed his bio--with considerable experience
in this area. I was referring to his learning a new agency.
Mr. Abraham. Well, I understand that, but again, these are
questions you ask in a pre-employment brief, and he knew the
job before he took the job.
Did you ever resist the OIG's suggestion to report the
Florida incident as a major incident to Congress?
Mr. Gruenberg. No, Congressman.
Mr. Abraham. Okay. Mr. Chairman, I yield back.
Mr. Loudermilk. The Chair recognizes the gentleman from
Ohio, Mr. Davidson, for five minutes.
Mr. Davidson. Thank you, Mr. Chairman. Thank you both for
coming here, and I appreciate the work that you do. The FDIC
does have a nice track record of success in securing our
financial institutions. I'm very concerned about the recent
record of securing our data which is at stake, so thank you for
taking that seriously.
And one of the questions I've got going back to this
Florida incident, Mr. Gibson, did your staff find that the
FDIC's representations of the Florida breach were inadvertent,
non-malicious, and the breacher was cooperative? Did you find
those as accurate statements?
Mr. Gibson. No, sir, we wouldn't agree with that.
Mr. Davidson. Mr. Gruenberg, why would your staff provide
that information during the Committee's briefing to Congress
that they were simply trying to understand how it actually
occurred?
Mr. Gruenberg. Congressman, I believe--and I understand the
IG's perspective on this. I think the assessment made rightly
or wrongly by our CIO in conjunction with other staff in the
Legal Division was that it was inadvertent. It may have been a
misjudgment but that was the judgment--the conclusion that was
reached.
Mr. Davidson. And just to restate it, I think it's been
covered, but to be very clear, the individual at the center of
this was not cooperative and was--since it was not inadvertent.
It was therefore advertent. It was non-malicious, therefore, it
was malicious. Has there been any action taken against this
individual?
Mr. Gruenberg. Well----
Mr. Gibson. Sir, she's a former employee, so from the
FDIC's perspective, I assume there really isn't any action that
they're able to take, and again, all I can say with respect to
our ongoing work is that there are a number of matters that
we're looking at that haven't reached the stage where we can
discuss it publicly.
Mr. Davidson. You don't feel that there's a crime that has
been committed here?
Mr. Gibson. Sir, whether I feel there's a crime or not
probably isn't the issue. The question is whether an individual
was engaged in behavior that the Department of Justice would
agree constitutes a crime and they can bring an indictment
against someone.
Mr. Davidson. We've seen that seems to be a pretty high bar
lately.
What would happen--you guys cover our banks and our
financial institutions, and really audit many of these same
transactions. So what would happen if a financial institution
had a similar data breach?
Mr. Gruenberg. I asked that question, Congressman. I
think--a couple of things. They would have to identify the harm
or risk of harm, they would have to notify customers that are
impacted if there is a risk of harm, and there would be an
expectation that they would notify their regulator.
Mr. Davidson. And they would be very clear under Dodd-Frank
in particular that they would notify you, correct?
Mr. Gruenberg. I believe it's actually under the Gramm-
Leach-Bliley Act that there was a provision relating to this.
Mr. Davidson. Right. And how would--how would you react if
a financial institution provided patently false information to
you during your investigation? What sort of course of action
would you have in following up with that institution?
Mr. Gruenberg. I think the procedure would be that there
would be a follow-up at the next examination. We would review
the handling of the case. We would review their systems, to see
whether there was, you know, a failure. If there was evidence
of intentionality in terms of not reporting that, that would be
an additional matter we'd have to take into consideration.
Mr. Davidson. What sort of signs would you look for to say
that they were actually taking the matter seriously? Would you
consider it serious if they kept all the same personnel and
practices in place?
Mr. Gruenberg. I think the threshold--and again, I'm not an
examiner, but I'll just try to respond--I think would be what
systems do they have in place and the effectiveness of those
systems to deal with these kinds of issues.
Mr. Davidson. Here's the concern I've got coming into the
meeting, and frankly, only made worse during the conversations,
is that we're focusing on one or two individuals, and really,
the IT department at your agency can't be as strong as one new
employee. You've got a robust staff, and so I'd be curious to
know what sort of recommendations and dialog and, frankly, from
the whistleblower information, it seems like there's really not
a lot of support for some of the direction your new CIO is
going. And that doesn't mean that there's--that it's accurate,
to your point. I appreciate your desire to look into it. But
I'd also ask you to look into the culture because, frankly, it
sounds like this culture is perhaps maybe partisan cover-ups
and maybe just concern that it's impossible to fail. There's a
lot of pressure to perform, and so there's cover-ups there, and
so a culture that doesn't provide the kind of transparency is
not likely to be able to deliver the kind of results that your
mission requires, and so I'm very concerned about that.
Thank you. I yield back, Mr. Chairman.
Mr. Loudermilk. The Chair recognizes the gentleman from
Illinois, Mr. LaHood, for five minutes.
Mr. LaHood. Thank you, Mr. Chairman, and I want to thank
both of you for being here today. I appreciate it very much.
I guess I want to just focus a little bit on some of the
transcript interviews that have been conducted with FDIC
employees seem to indicate that there has been a concerted
effort by the legal department at FDIC on instructing employees
on how to respond when it comes to cybersecurity breaches as it
relates to emails, and it seems like a real effort, Mr.
Gruenberg, to limit the exposure to Congressional and FOIA
requests, and that's really concerning to the Committee and to
us because what that leads us to believe, or me to believe, is
that you're hiding facts or circumstances surrounding these
breaches, and particularly when it comes from the legal
department because that's who your employees rely upon in your
department, and I guess just from a foundational standpoint in
looking at these very serious cybersecurity breaches, Mr.
Gruenberg, do you take transparency seriously at the
department?
Mr. Gruenberg. Yes, Congressman.
Mr. LaHood. And are you committed to working with this
Committee and the Inspector General to prevent breaches in the
future?
Mr. Gruenberg. Yes, very much so.
Mr. LaHood. And as Chairman of the FDIC, you speak on
behalf of the Agency. Is that correct?
Mr. Gruenberg. Yes, but just acknowledging I have a board
that I have to consult and work with as well.
Mr. LaHood. And can you--I want to get into a couple of
these interviews that were done. Can you give us--you're a
lawyer, correct?
Mr. Gruenberg. Yes, sir.
Mr. LaHood. And in fact, you served as Senior Counsel to
the Senate Banking Committee, correct?
Mr. Gruenberg. Yes, sir.
Mr. LaHood. So the legal department instructing FDIC
employees not to discuss matters related to cybersecurity and
breaches, why was that being done?
Mr. Gruenberg. I understand that was represented in the
report. If I may, let us look into it and come back to you on
it.
Mr. LaHood. Well, that's hard to take that answer when your
legal department is giving that advice.
I want to direct your attention to a specific transcript.
It's up on the screen there. This is an excerpt for--these are
questions that were asked, and the nice thing about transcripts
is, it gives us the questions and the answers that were given.
``Are you aware of any instructions given by anyone at the FDIC
to not discuss certain subject matters in an email?'' That's
the question. Answer: ``Yes.'' Question: ``Could you shed a
little light on that?'' That's the question. Answer: ``I
received the same instructions directly from Roberta McInerney,
and Roberta McInerney's instructions to me were, quote, "Do not
discuss deliberations over the applicability or implications of
OMB 1603 in an email."'' Question: ``You mentioned that
instructions from Roberta McInerney gave to you. Was that
directly to you?'' Answer: ``Yes. Roberta McInerney gave those
instructions directly to me.''
So I look at that from employees, and that seems to be a
pattern here. Were you aware that she was giving those
instructions to FDIC employees?
Mr. Gruenberg. No, I wasn't, Congressman.
Mr. LaHood. When you found out she was doing that, what did
you do?
Mr. Gruenberg. This was represented, I gather, in an
interview by one of our employees with the Committee, and so it
is now something that we will----
Mr. LaHood. When did you become aware of it?
Mr. Gruenberg. I know it was contained in the report that
was released yesterday. There may have been emails that we
provided, so I'd have to check specifically, but that's
something we will have to----
Mr. LaHood. When did you become aware that she was doing
this?
Mr. Gruenberg. I can't tell you specifically. I'd have to
go back and check the record.
Mr. LaHood. Would you--I mean, just can you give us a time
frame? Would it have been two months ago, a month ago?
Mr. Gruenberg. It would have been--I really have to check
but it would have been--I'd have to look at the production that
we made to the Committee when we----
Mr. LaHood. I'm asking for a time frame when you became
aware that she was instructing employees to do this.
Mr. Gruenberg. I would assume in the last few weeks but I'd
have to check on it.
Mr. LaHood. When you found that out, what did you do?
Mr. Gruenberg. We haven't taken any action on it yet, sir.
Mr. LaHood. So when you found out, you have not done
anything?
Mr. Gruenberg. Not thus far.
Mr. LaHood. Were you complicit in those instructions?
Mr. Gruenberg. No, sir.
Mr. LaHood. Did you ever advise employees in your
department to do what Roberta McInerney did?
Mr. Gruenberg. No, sir.
Mr. LaHood. Does every employee at the FDIC take an oath of
office?
Mr. Gruenberg. I believe so.
Mr. LaHood. I want to put up on the screen there the oath.
I believe this is the oath that's taken by employees. I believe
you took this oath and everybody else there. You're familiar
with that, correct?
Mr. Gruenberg. Yes, sir.
Mr. LaHood. And do you believe that your employees are
abiding by that oath of office?
Mr. Gruenberg. I believe so.
Mr. LaHood. And can you certify to the Committee that all
your employees are abiding by this oath?
Mr. Gruenberg. I don't know that I have the capacity to do
that.
Mr. LaHood. Thank you. Those are all my questions, Mr.
Chairman.
Mr. Loudermilk. I thank the gentleman from Illinois, and I
also may add that the questions by Mr. LaHood are corroborated
by the email that was entered into the official record by Mr.
Beyer that this was indeed happening, so I thank the gentleman
from Virginia for that.
I now recognize the gentleman from Texas, Mr. Weber, for
five minutes.
Mr. Weber. Thank you, Mr. Chairman. That was an interesting
discussion between you and Mr. LaHood, Mr. Gruenberg. I might
give you some unsolicited advice. You can actually download the
manual onto a thumb drive and walk out with it probably as some
other things too if you want.
Did you become aware of that information before the report
was released, you talked about yesterday, you said a few weeks?
Mr. Gruenberg. I'd really need to check just to be sure I
give you accurate information.
Mr. Weber. Well, that's very, very interesting.
You have--you said earlier in a discussion with Randy
Neugebauer in an exchange that you were careful about
representing yourself as being with technology or something to
that effect. So who would--you're aware that the Insider Threat
program is aimed at identifying potential employees. Since
you're not a technology person, who advises you on that
program?
Mr. Gruenberg. The--we have both the CIO and our Division
of Administration is responsible.
Mr. Weber. Okay. Is that program contained in the manual?
You probably don't know because you haven't read the manual.
Mr. Gruenberg. No, that's--I don't believe--it's a program
we're in the process of establishing.
Mr. Weber. So it was established at one point but you
halted it?
Mr. Gruenberg. No, it was in the process of being
developed.
Mr. Weber. So it was being developed and you halted the
development?
Mr. Gruenberg. Well, I believe the term used in the IG's
report was ``stall.'' I think there was a process of developing
the program over a period of time. My understanding of what
occurred is that there was a lack of follow-through in bringing
it to completion.
Mr. Weber. Who advises you on that program's progress or
lack thereof?
Mr. Gruenberg. It would be, I think, both our Division of
Administration and our CIO.
Mr. Weber. Can you give us the name?
Mr. Gruenberg. I can get those for you, sure.
Mr. Weber. So you didn't have any discussion with
individuals that you know the name of that said look, the
program needs to be halted?
Mr. Gruenberg. Oh, no, no. I think there's--no, sir.
Mr. Weber. So you just halted it on your own without
conferring with anybody?
Mr. Gruenberg. No, as I indicated, my understanding is that
the program was in development and it was not brought to
completion in a timely way.
Mr. Weber. So who halted that program?
Mr. Gruenberg. As I said, I don't know that it was halted.
I think the term used in the IG's report----
Mr. Weber. Okay. So who--it quit being developed. Now we're
parsing words.
Mr. Gruenberg. I think it never stopped being developed. I
think it slowed down. It wasn't brought to fruition in a timely
way.
Mr. Weber. But nobody advises you on this program?
Mr. Gruenberg. I think both the Division of Administration
and the CIO----
Mr. Weber. But you'd have to have one person who was an IT
expert, right, that actually knew that program inside and out
and could come report to you?
Mr. Gruenberg. We have a security group in our Division of
Administration that I think is the lead on that.
Mr. Weber. Who do they report to?
Mr. Gruenberg. They would report to the Director of the
Division.
Mr. Weber. And who would that Director of that Division
report to?
Mr. Gruenberg. The Director reports to our Chief Financial
Officer.
Mr. Weber. And who would that Chief Financial Officer
report to?
Mr. Gruenberg. To me.
Mr. Weber. To you. And you had no communication up that
line to talk about that program and it needed to be stopped
being developed or halted or whatever parsed word we want to
use?
Mr. Gruenberg. No, sir.
Mr. Weber. No communication whatsoever?
Mr. Gruenberg. No, I was briefed on the program, and it was
an understanding that we wanted to develop it in a careful way.
Mr. Weber. And you were briefed by who?
Mr. Gruenberg. By the individuals I mentioned.
Mr. Weber. And the names?
Mr. Gruenberg. The Director of our Division of--I'd have
to--I should check, you know, who participated in the briefing
to be sure I----
Mr. Weber. But you did name two, Director of the Division
and the CFO, I think.
Mr. Gruenberg. Yeah, I would want to just check for
accuracy as to who took part in the briefing just to be sure.
Mr. Weber. So you're not sure that either one of those
people briefed you?
Mr. Gruenberg. I believe they did. I just want to check the
record to be sure I'm giving you accurate information.
Mr. Weber. Okay. And you can get back to us in writing with
that?
Mr. Gruenberg. Certainly.
Mr. Weber. Mr. Gibson, do you understand the Insider
Threat--maybe you could brief Mr. Gruenberg. Do you understand
the Insider Threat program?
Mr. Gibson. I try to.
Mr. Weber. Okay.
Mr. Gibson. Do I understand it? Yeah, I mean, the basic
purpose of the program----
Mr. Weber. Do you know why it was halted last fall, or
not--``halt'' is not the right word--no longer developed?
Mr. Gibson. We had a discussion about that a little earlier
in the hearing today, and, you know, basically we've heard two
reasons for that. You know, management believed that the
program was moving too far, too fast, too quickly, that it
needed to, you know, develop some standard operating procedures
and processes and so forth. The people who were a lower level
of the organization believed that they were essentially told
stop, and----
Mr. Weber. Is there communication about that? When you said
they believed they were told to stop, was there communication
about that we can get?
Mr. Gibson. There were a couple of briefings, as I recall.
Mr. Weber. Any emails?
Mr. Gibson. None that I'm aware of, sir.
Mr. Weber. Okay. Would you recommend that it be unhalted or
un--whatever the term you want to use?
Mr. Gibson. I think the most significant recommendation in
one of the audits that we've completed is that the FDIC
establish a formal Insider Threat program.
Mr. Weber. Okay. Chairman, did you say there's going to be
a second round of questioning?
Mr. Loudermilk. Yes, we will, until we get through everyone
or votes are called, which we anticipate is going to be about
40 to 45 minutes.
Mr. Weber. Well, then I'll go ahead and yield back. Thank
you.
Mr. Loudermilk. The Chair recognizes the gentleman from
Illinois, Mr. Hultgren, for five minutes.
Mr. Hultgren. Thank you, Mr. Chairman. Thank you both for
being here.
Mr. Gibson, I want to commend your good work on these audit
reports. Your team has done an outstanding job.
Mr. Gibson. Thank you, sir.
Mr. Hultgren. I want to point out, however, that the FDIC
has been without a Senate-confirmed Inspector General for over
a thousand days. Since September 2013, there's only been an
Acting Inspector General. Congress, the House in particular,
relies on the IGs to be independent watchdogs. To a certain
extent, they are our eyes and ears within the department or
agency.
Mr. Gibson, would having a Senate-confirmed IG empower your
office, and if so, how so?
Mr. Gibson. Sir, I think under the IG Act, the idea of a
Senate-confirmed IG is to create a position with significant
independence within the agency and the ability to handle things
in a totally independent manner. I mean, all I can say is,
we've done our best to preserve our independence through this
period of time, and I believe we have.
Mr. Hultgren. I appreciate that.
The Committee has learned that the Agency has access to
your Office of Inspector General emails in some cases as well
as emails between your office and the informants you may have
within the agency. Does this raise concerns for you? What, if
anything, is the agency doing to remedy the commingling of
emails?
Mr. Gibson. So it raised significant concerns for us when
the subject was brought to our attention. Now, it's not all
email. There are pockets of email that appear to have been
exposed to a program that enables it to be searched. In fact,
it was discovered in the FDIC's search of its email vault in
response to this Committee's request for information. They are
emails that involve certain members of our staff that involve
certain periods of time. We've been working closely with the
Division of Information Technology at the FDIC to identify the
emails that are there, to segregate them, to prevent them from
being found through the course of the use of that. We're
looking at logs to determine who's looked at those emails.
We're conducting a good deal of independent work to provide
ourselves with as much assurance as we can about the security
of that stuff. I'd be happy to describe that in more detail. I
don't want to take all of your time.
Mr. Hultgren. No, I'd like to hear more about it. I mean,
this is really the focus of my question. So I mean, if--and
really, what we can do. I'm concerned about this. Again, I
think is an important service tool, something that we need, and
so I'm concerned of some of the--what I see as negative impact
that could come from this, so I'd love to hear from you
suggestions of what we can do, what you're doing to make sure
that your work is protected and the integrity is strong.
Mr. Gibson. One of the things that we are doing is we're
bringing in an independent group to advise us, you know, and to
provide us with independent assurance that the steps that have
been taken to mitigate this issue are correct, that the search
logic and the search efforts that we have undertaken to be sure
that we know exactly the scope of all of the problems that we
have have been fully identified and again remediated.
I think that on a longer-term basis, what this leads us to
is questioning where our IT environment should be located. We
want to take our time in answering that question because
obviously there are large implications for our office both from
a staffing standpoint and a financial standpoint, if nothing
else but balancing that against the need for at least the
outward aspects of independence that are implicated when the
suggestion can be made that somebody's taking a look at email.
There's a lot of issues for us to balance in this, and we're
trying to do it quickly, but we want to be sure we do it in a
very thoughtful manner.
Mr. Hultgren. I appreciate that. We certainly want that,
but we also want to hear from you as you are coming to
conclusions of how do we do this well, how do we make sure that
we're assisting in this again to make sure that as best as we
can the information we're getting from your office we know
isn't affected, compromised, being seen before we have a chance
to----
Mr. Gibson. Absolutely, sir, and we completely understand
and agree with that, and I'll be more than happy to provide you
or staff with whatever information we can as we move through
this process just to keep you updated on the things that we're
doing and what we think that we need to do.
Mr. Hultgren. Great. Thank you.
With that, I yield back, Chairman. Thank you.
Mr. Loudermilk. I thank the gentleman.
Mr. Gibson, thank you for that. I think that shows
foresight and planning and being proactive, not just reactive
to these types of steps, and I think that's the type of thing
that we would be looking for.
With that, I recognize the gentleman from California, Mr.
Rohrabacher, for five minutes.
Mr. Rohrabacher. Thank you very much, Mr. Chairman, and let
me apologize. Earlier on in the hearing, I was at a markup, and
quite often we have two or three responsibilities happening at
the same time, so maybe I'll try to go to more of a--rather
than go into details, I could get some analysis view of the
actual basis, the fundamental issues of what we're talking
about.
We're discussing computers that were hacked by the Chinese
or other entities between 2010 and 2013 of the Federal Deposit
Insurance Corporation. What harm could come of the fact that
you have other entities and the Chinese hacking into your
computer system? What harm would that cause?
Mr. Gibson. Sir, is that question directed----
Mr. Rohrabacher. Whoever.
Mr. Gibson. It can cause significant harm obviously. I
mean, there's a significant volume of information that's
available in the FDIC's IT environment, a great deal of
sensitive information, whether it's privacy-related information
or information related to----
Mr. Rohrabacher. Maybe you can give me an example of
something harmful that could come from that.
Mr. Gibson. Well, for example, there are large volumes of
information about specific financial institutions. Let's take
just the Dodd-Frank resolution plans. There are non-public
segments of those documents. That information could be
extremely valuable to an adversary, and it may be something
that could be targeted by someone.
Mr. Rohrabacher. So if we have Chinese hacking into our
system, what you're saying is that because they were--this was
happening, perhaps American businesses that are doing business
here and in China who are facing competitors or facing
adversaries, economic adversaries, that the American companies
because we are complying with the information required of us by
the Federal Government could be put in economic jeopardy?
Mr. Gibson. Sir, in theory, there's risk there, yes.
Mr. Rohrabacher. All right. So this really could add up to
very great harm done to Americans financially, both American
companies, perhaps some individuals as well who have invested
in those companies.
Now, we're being told that of course now that the FDIC was
less than forthcoming about this. Now, I seem to remember those
days. We were told over and over and over again about the
importance of not getting--of being hacked into and
cybersecurity was something we talked a lot about, but yet we
now are, from what I've heard even now and read so far about
the hearing is the FDIC was less than forthcoming to Congress
about what was going on, and in fact, we were not informed and
intentionally uninformed of this.
So let me just note for the record, Mr. Chairman, that this
attitude that we're talking about that pervaded, that actually
made people make their decisions based on an attitude that
prevailed at the FDIC is, number one, of course something that
is unacceptable, but I see that as part of a trend in this
Administration.
Listen, I worked in the Reagan White House and it was very,
very clear that what happens at the very highest level of an
administration creates the attitude and the standards that go
right on down to the departments and agencies. So let me just
suggest, and what I've heard so far, and what this indicates is
that there's been a pattern of obfuscation in this
Administration, not only on this issue but others. There's been
a pattern of stonewalling and covering up mistakes and
wrongdoing, and these things cannot be just shrugged off. These
are things that have to be taken seriously, especially when as
we are noting now that there is actual damage to the American
people where actually some people we could have billions of
dollars' worth of financial harm done by information that's
supposed to be secret information, confidential information,
but is now being ignored when our economic enemies actually get
their hands on the information.
I would suggest that we have here is not a culture of
secrecy at your department but instead a disrespect for
Congress's right of oversight, a disrespect for the rights of
the American people to actually get the information during
Congressional hearings, and so what we've had is from the
beginning a cover-up and obfuscation of that cover-up of not
necessarily wrongdoing but covering up the fact that somebody
wasn't maybe able to do their job. You can't expect things to
be corrected if it's done even with a good motive, but if you
have some evil motives going on, that will never be uncovered
unless we have better cooperation between the executive branch
and the legislative branch, especially in oversight
responsibilities.
So thank you very much, Mr. Chairman, for your oversight
responsibilities.
Mr. Loudermilk. I thank the gentleman from California, and
I think it's imperative for us to understand that, you know,
the American people rely upon this government for their safety
and security, from homeland security to even the safety and
security of their financial assets through the FDIC. The
frustration with the American people is that because of
multiple incidences, they rely on the government but their
trust in the government is at an all-time low, and it's because
of situations such that Mr. Rohrabacher has spoken about and
what we're investigating here.
With that, the Chair recognizes the gentleman from
Arkansas, Mr. Westerman, for five minutes.
Mr. Westerman. Thank you, Mr. Chairman. I'd also like to
extend my appreciation to Mr. Gibson for their work. If I could
ask the Committee staff to put a slide up? Okay. Thank you.
[Slide]
I just want to read from the transcript. This is an excerpt,
some questions and answers. The first question was, ``Were
those updates being provided to anyone in the Chairman's office
or the Chairman himself'' and the answer was ``Let's see. At
the time it was Roddy, Brian, myself, Martin, Chris, and Russ
Pittman. The COO was later added.'' The question is, ``Is that
Barbara Ryan?'' and the answer was, ``On December 1st.''
Question: ``Barbara Ryan is the COO and chief of staff to the
chairman. Is that correct?'' The answer is ``Yes.'' The next
question: ``Does she act as the chairman's eyes and ears in
meetings like this?'' and the answer was, ``My understanding--I
don't have direct knowledge of that but yes.''
So Mr. Gruenberg, did you attend meetings regarding the
cybersecurity incidents including the Florida incident to
discuss the agency's response to the breaches?
Mr. Gruenberg. I believe, Congressman, I was briefed on
November 19th by the CIO in regard to the Florida incident, and
I think that was the only briefing I actually had on it.
Mr. Westerman. So you actually didn't attend----
Mr. Gruenberg. No, sir.
Mr. Westerman. Okay. So when you were not present, did your
chief of staff, Barbara Ryan, attend?
Mr. Gruenberg. As indicated in the--I believe so, yes.
Mr. Westerman. And how often did Barbara Ryan brief you on
the status of the breaches?
Mr. Gruenberg. She really didn't brief me, as it were.
There may have been occasions where she gave me a heads up but
not--it wasn't really her role to do the briefings.
Mr. Westerman. Even though the transcript says she was your
eyes and ears?
Mr. Gruenberg. Well----
Mr. Westerman. Maybe she really wasn't your eyes and ears?
Mr. Gruenberg. I don't know how to characterize that but in
terms of an actual briefing on these matters, she wouldn't have
been the one to do it.
Mr. Westerman. Okay. So the Committee understands that
based on the Inspector General's report that the FDIC failed to
notify Fin-Syn that Bank Secrecy Act information was involved
in the Florida breach until prompted to do so by the Inspector
General. Why did the FDIC not notify Fin-Syn of the breach?
Mr. Gruenberg. I think we should have. I think we failed to
do so in that instance, Congressman.
Mr. Westerman. And the Committee now understands that the
FDIC has in fact notified Fin-Syn yet you approved the
notification to Fin-Syn. Why do you have elevated concern when
it comes to notifying another agency within the executive
branch of a breach yet opted not to report the Florida incident
to Congress until prompted by the Inspector General?
Mr. Gruenberg. I think as we discussed earlier, it was a
matter of assessing the incident, and I think what occurred
was, there was an assessment that while the incident was a
breach, the initial assessment was that it didn't rise to a
level of a major incident. When the IG reviewed it and reached
a different conclusion and notified us in February, we then
adopted the IG's approach to the incident and then reported it
as a major incident.
Mr. Westerman. So it took the IG's notification to raise
the level of concern enough to actually make the notification?
Mr. Gruenberg. I think the IG indicated that the approach
the agency was taking to assessing the incident was incorrect,
and we were using--considering factors relating to risk of harm
that weren't appropriate, that weren't really incorporated in
the guidance. When that was made clear, we then adopted the
IG's approach to applying the guidance and then reported it as
a major incident.
Mr. Westerman. Would you say that's an abnormal occurrence
or is that--or have things like that happened before where it
takes notification from the IG to move forward?
Mr. Gruenberg. I don't know that I can generalize. I think
this was an instance in which a breach occurred, new guidance
was issued by OMB, so we were attempting to evaluate and apply
the guidance to the breach. I think we frankly didn't get it
right, and when the IG made us aware of that, we then complied.
Mr. Westerman. So for each of the Agencies' notifications
both to Congress and Fin-Syn regarding the Florida breach, why
did the Inspector General have to prompt your agency to report
you instead of your staff opting to report the incident to
proper entities in real time as it learned of the breach? Are
you saying that your staff just didn't understand the
seriousness of the breach or the level of the breach?
Mr. Gruenberg. I think the assessment was that the incident
was a breach. I think the initial assessment was that it didn't
rise to the level of a major incident, and as I indicated, when
the IG provided us analysis to the contrary, we then adopted
the IG's approach.
Mr. Westerman. So have there been corrective actions taken
so that the staff is trained better or----
Mr. Gruenberg. Yes, that's one of the recommendations of
the IG that we have concurred with and are following through
on.
Mr. Westerman. What kind of steps are you taking to make
sure this doesn't happen again?
Mr. Gruenberg. In addition to as a threshold adopting the
application of the guidance consistent with the IG's approach,
we're incorporating it in policies and procedures to ensure
that any incidents like this are reported in a timely way going
forward.
Mr. Westerman. And what would you say your confidence level
is that if something like this were to happen again that it
would be reported without the IG having to get involved?
Mr. Gruenberg. I think at this point I have a pretty high
confidence level.
Mr. Westerman. Okay. That's all the questions I have, Mr.
Chairman. I yield back.
Mr. Loudermilk. I thank the gentleman from Arkansas, and
we'll begin our second round of questioning, and I recognize
myself for five minutes.
Mr. Gruenberg, your CIO, Larry Gross, as you know,
testified before my Subcommittee, the Oversight Subcommittee,
back in May of this year. At that hearing, Mr. Gross provided
this Committee with false and misleading testimony in multiple
incidents about the cybersecurity breaches reported to
Congress. For example, I asked Mr. Gross about the Florida
cyber breach where an FDIC employee leaving the agency
knowingly downloaded over 71,000 counts of personally
identifiable information and sensitive bank information onto an
external hard drive. She then denied owning the external hard
drive, claimed she did not download the information, and
refused to cooperate with FDIC officials and OIG officials
trying to recover the hard drive.
Ultimately, three months after she took the information,
the breacher hired an attorney to negotiate with the FDIC over
the return of the hard drive with the information on it. Mr.
Gross told the Committee that in his opinion, the breacher was
``telling the truth,'' and Mr. Gross said, ``I don't believe
she realized she took FDIC-specific data.''
We now know that this was not true, and Mr. Gross knew at
the time that this was not true. Mr. Gross also claimed in the
hearing that ``the individuals involved in these instances were
not computer proficient,'' which we also know to be false. In
fact, the Florida incident breacher held two master's degrees
in information technology, which I think any reasonable person
would consider that to be proficient in computer technology.
This Committee wrote to you a letter on May 19, 2016,
articulating these misleading statements and more that Mr.
Gross made at that hearing. Mr. Gibson, can you corroborate of
those statements that were made in the May hearing by Mr. Gross
and their inconsistencies?
Mr. Gibson. Sir, I believe you've described accurately what
was said during the hearing, you know, as well as the facts
that surround the statements themselves.
Mr. Loudermilk. Thank you for that.
Mr. Gruenberg, your response to our letter did not address
any of these inconsistencies. With that, Mr. Gruenberg, do you
condone Mr. Gross, your CIO, lying to Congress?
Mr. Gruenberg. Congressman, I can share with you my
perspective on it for----
Mr. Loudermilk. Please do.
Mr. Gruenberg. As I indicated earlier, I think Mr. Gross
was assessing the facts of the situation relating both to the
inadvertence of the employee taking the information as well as
the issue of her proficiency. It's my understanding and belief
that the conclusions he reached were sincerely reached.
Mr. Loudermilk. But Mr. Gibson was here at that testimony
and just corroborated that Congress was misled and that the
information that Mr. Gross provided this Committee was
inconsistent. Do you--so you do not believe that he
misrepresented the information or misled the Committee through
his testimony in May?
Mr. Gruenberg. That was not my perception of it. I was not
aware that was the IG's perception.
Mr. Loudermilk. Mr. Gibson?
Mr. Gibson. Sir, what I can say is, I can say that the
statements were not--we don't believe the statements were
correct. We don't believe they were accurate. Now, we haven't
looked at his intent in doing that so I can't answer that. But
as far as the accuracy of the statements themselves goes, I
don't believe the statements were accurate.
Mr. Loudermilk. And that's what I was getting at. The
statements were not accurate. All indications are that he knew
different than what he was making a statement to Congress, and
to me, trying--I mean, legally when you try to build a false
perception, is misleading, which is a form of lying, but you do
not believe that that was what Mr. Gross was doing, even with
all the evidence that's being presented here and in the letter
that was provided to you, which you failed to respond to.
Mr. Gruenberg. I think the issue is intentionality, and I
think if I understand it correctly, the IG's view is that Mr.
Gross didn't get it right.
Mr. Loudermilk. But the issue is what he said, not his
intention. I don't know if he intended to lie to Congress but
what he said was not true, and he knew that it wasn't.
Mr. Gruenberg. Well, I believe--for what it's worth--I
believe Mr. Gross thought he was--he was giving you his honest
view of the matters. He may have gotten the--he may have gotten
it wrong. I don't take----
Mr. Loudermilk. So you say that Mr. Gross as the CIO does
not consider someone who has two master's degrees in
information technology to be computer proficient?
Mr. Gruenberg. I don't know that he was aware of that at
the time, Congressman.
Mr. Loudermilk. But then he would make a statement saying
that she wasn't computer proficient without having any--it
sounds like he's trying to cover something.
Mr. Gruenberg. I can't--again, I can't speak to his
intentionality. I think he believed the woman lacked
proficiency.
Mr. Loudermilk. And I pressed him on this because he was
very consistent in saying he did not believe this was
intentionally done. He believed that all instances were not
intentional. But yet there were already facts that we found out
at the time that were well known. She had hired an attorney.
She--I mean, it was obvious that it was intentional, and we
found more evidence since then, but yet he consistently said he
believed it was unintentional. I just don't see how you get
around that he misled Congress.
Mr. Gruenberg. Well, it's hard for me to speak to what was
in Mr. Gross's mind. It was my belief and perception that he
was giving you his sincere testimony. It may have been
incorrect in terms of evaluating the information. I think he
would suggest that there was information on both sides and he
reached a conclusion in good faith. I think that's what Mr.
Gross would indicate.
Mr. Loudermilk. Mr. Gibson, in your opinion, in your
investigation, was this breach intentional, the Florida?
Mr. Gibson. Well, sir, it was described as inadvertent, and
I certainly don't see it as inadvertent. You know, I would--the
material was downloaded deliberately. The material was
downloaded intentionally. There were file structures that were
created in order to accommodate it independently. I mean, I'm
really not sure how you could--a reasonable person would have
to conclude that it was intentional.
Mr. Loudermilk. So my understanding was, as this was being
downloaded, the lady--the employee created--specifically
created folders that read personal and FDIC information,
created those folders, which would give an intent that they
were intending to download--that's what----
Mr. Gibson. That's would a reasonable--I think a reasonable
person could conclude that, yes.
Mr. Loudermilk. Mr. Gruenberg, I understand defending an
employee, but if I was in your position, I would be gravely
concerned with the testimony that Mr. Gross gave here in light
of the advice that he's giving you may not be consistent as
well. Do you have any intention of disciplining Mr. Gross for
his testimony to Congress?
Mr. Gruenberg. I think, Congressman, in light of the issues
you raised, we will review this situation.
Mr. Loudermilk. Well, I appreciate that.
With that, I recognize my good friend, the gentleman from
Virginia, Mr. Beyer, for five minutes.
Mr. Beyer. Thank you, Mr. Chairman, very much.
Mr. Gruenberg, I built a Land Rover-Range Rover dealership
across the river, and seven, eight years ago, one of my Land
Rover technicians stole all of our customer records, and he
went out and opened his own business, and he had a running
start because he was able to market to all of them. I could
never prove it in a court of law so I just got to be angry
about it. But it did make us go back and think about all of our
password protections and changing it every 30 days and the
like. What was going on in the culture at FDIC that would lead
employees to download records and take them home? They're
clearly not going to start a competing FDIC.
Mr. Gruenberg. I can't, you know--we had a number of these
incidents that were similar in their fact pattern where
employees were leaving the agency, they had utilized removable
media, downloading personal information and downloading in
addition sensitive information from the agency. I don't know if
there was any connecting pattern there. I don't know that I can
speak to that. It did--it does speak obviously to an underlying
technological vulnerability we had relating to permitting
employees to use their removable media, and that's at least
what we've tried to address.
Mr. Beyer. Thank you. There was a slide up earlier about
the transcribed interview with another FDIC employee. It talked
about directions from Roberta McInerney about not creating an
email record. I understand the Majority staff had set up an
interview with Ms. McInerney and then had to cancel it. Are you
aware of any ongoing efforts that will be made to actually
interview Ms. McInerney and try to get to the bottom of why she
did this?
Mr. Gruenberg. It's my understanding that the interview was
postponed. I can't speak to whether it'll be rescheduled or
not.
Mr. Beyer. Any sense of the consequences from the top for
Ms. McInerney for giving these directions?
Mr. Gruenberg. I think we'll have to review the
circumstances here.
Mr. Beyer. Okay. Certainly, from a good government,
transparent government perspective, if true, it's pretty
terrible stuff.
The OIG and some in the CIO's own office disagreed with the
CIO's initial determination that the Florida incident wasn't a
quote, unquote, major incident, but then after the February 19
OIG memo recommending the breach be determined major and
immediately reported to Congress, you did that within 7 days.
In fact, the CIO had said that the FDIC agreed to abide by the
OIG's interpretation of a major incident as defined in OMB memo
1603.
However, one of the recent major incidents, the one on
March 26, 2016, wasn't reported to Congress for 5 weeks until
May 9, 2016, which is well after the 7-day reporting
requirement, well after you'd agreed that the OMB memo made
sense. Can you explain the delay in Congressional notification,
and do we have your assurance that data breaches determined to
be major will be reported within the 7-day time period?
Mr. Gruenberg. Yes, you certainly do, Congressman.
Mr. Beyer. Any idea how to explain the 5-week breach from
March 26 to May 9? Because this is significantly later than the
October incident last year.
Mr. Gruenberg. I think--I have to go back and check for
sure. We were also checking the record for the breaches going
back to October 30, whether other breaches had occurred, and we
were identifying additional breaches, and I think the thought
was to aggregate them and bring them together and report them
at one time to Congress so they'd have the benefit of all of
them. In retrospect, we probably should have just gone ahead
with the 7-day.
Mr. Beyer. Because it's easier to explain the October one
where it was initially identified as not major than to explain
and to justify the later ones.
Mr. Chair, I yield back.
Mr. Loudermilk. I thank the gentleman from Virginia, and
the Chair recognizes the gentleman from Louisiana, Mr. Abraham,
for five minutes.
Mr. Abraham. Thank you, Mr. Chairman.
Mr. Gruenberg, I think in this hearing and the other
hearings that I've attended in Congress, if I had a dollar for
every time I heard the phrase ``I'll review and get back to
you,'' I could significantly pay down the national debt.
I've got a letter that I'll ask to submit for the record,
Mr. Chairman, that Mr. Gruenberg wrote to you and Chairman
Smith May 25, 2016.
Mr. Loudermilk. Without objection, so ordered.
[The information appears in Appendix II]
Mr. Abraham. Mr. Gruenberg, in this letter, you wrote that
Chairman it was discussing the major incidences that you have
not reported to Congress. In your letter, you wrote, and I
quote, ``In each instance, the information was recovered and
there was no evidence of further dissemination or disclosure.''
Do you stand by that statement in the letter?
Mr. Gruenberg. Yeah, I believe we have no evidence of
further dissemination, yes, sir.
Mr. Abraham. Well, I may disagree a little bit. Isn't it
true that at least one of the cases you were only able to
recover a copy of the USB that was taken off premise?
Mr. Gruenberg. Yes, in one case the original----
Mr. Abraham. You didn't get the original back?
Mr. Gruenberg. Correct. It had been destroyed.
Mr. Abraham. So really, you didn't recover all the
evidence?
Mr. Gruenberg. Oh, we recovered--there was a copy made and
we did----
Mr. Abraham. But we still got something out there possibly?
Mr. Gruenberg. We do. That's--you know, that's why you
can't say with certainty that there was no dissemination. We
just haven't identified any.
Mr. Abraham. Mr. Gibson, what's your take on this?
Mr. Gibson. Well, sir, in--I have to think through the
incidents themselves. In at least----
Mr. Abraham. Well, let's just take this one case.
Mr. Gibson. In that one case, you know, the individual took
the USB drive when they left the agency. They copied the data
off of it at some point in time, destroyed the original USB
drive----
Mr. Abraham. Do we know that it was destroyed?
Mr. Gibson. No, we don't. There's no assurance----
Mr. Abraham. That's a major concern to me. I mean, I can
tell you one thing, but doing something is a whole different----
Mr. Gibson. Yeah. No, it was done in a manner where there
really isn't any assurance of what happened to it. I mean,
there was no receipt for it. It was given to a third party to
destroy. There was no receipt. There's no record at the company
of the destruction. There's no way for us to verify
independently that it was done.
Mr. Abraham. And clarify for me, has it now been stopped, a
development of a program that would detect these insider
threats? Is that where we're at now that we are not developing
a program? Where does that stand?
Mr. Gruenberg. That's one of the recommendations of the
IG's report, and we've concurred with it and are in the--we
have been developing the program and we anticipate bringing it
to a conclusion and implementation by the end of this year, I
believe, Congressman.
Mr. Abraham. I mean, it just--it's beyond the pale that we
wouldn't want to detect an insider threat.
Mr. Gruenberg. Right. No, no it's----
Mr. Abraham. Certainly after Mr. Snowden's major episode.
I yield back, Mr. Chairman. Thank you, sir.
Mr. Loudermilk. I thank the gentleman, and also I would
like to thank the Office of the Inspector General for the two
reports recently issued on this, the FDIC's control for
mitigating the risk of unauthorized release of sensitive
resolution plans and also the FDIC's process for identifying
and reporting major information security incidents. We thank
you for your work on that, and without objection, I would like
to submit these for the record.
Without objection, so ordered.
[The information appears in Appendix II]
Mr. Loudermilk. I also look forward to Mr. Gruenberg
responding to the numerous questions and requests in a timely
manner to the Committee because this is an ongoing
investigation and we'll continue to investigate and research
the facts in this matter in the coming weeks and months, and I
thank both witnesses, Mr. Gibson and Mr. Gruenberg, for being
with us today. I thank our Members of the Committee for their
very important questions.
And just a reminder that the record will remain open for
two weeks for additional comments and written questions from
Members.
Mr. Loudermilk. And with that, this meeting is adjourned.
[Whereupon, at 12:17 p.m., the Committee was adjourned.]
Appendix I
----------
Answers to Post-Hearing Questions
Appendix II
----------
Additional Material for the Record