Federal Insider
 
 
FDIC chief damages effort at damage control

FILE: Martin Gruenberg, chairman of the Federal Deposit Insurance Corp. (FDIC), speaks at the agency’s 2012 open board meeting in Washington. Photo: Rich Clement/Bloomberg

Americans don’t worry about the protection of their bank accounts because the Federal Deposit Insurance Corp. (FDIC) inspires confidence.

Unfortunately, FDIC doesn’t do the same when it comes to protecting sensitive agency data.

Even in the context of a plethora of cyber breaches in and out of government and taking into account the partisan tinge at a House hearing Thursday, FDIC seemed an unsteady guardian of critical information.

It didn’t help when FDIC’s boss couldn’t even say if the agency has an employee handbook.

FDIC insures bank accounts, meaning individual deposits are safe, up to $250,000, even if a bank closes. It also examines financial institutions for “safety and soundness and consumer protection.”

Yet, it has failed to protect its own information. Stories of cyber breaches and agency stumbling dominated the latest in a series of House Science, Space and Technology Committee hearings. Summing up the situation, Chairman Lamar Smith (R-Tex.) said “the FDIC has historically experienced deficiencies related to its cybersecurity posture, and those deficiencies continue to be present.”

The committee’s majority Republicans issued a critical report this week that asked: “Is the FDIC Safeguarding Consumers’ Banking Information?”

If the answer had been yes, they wouldn’t have released the report.

While Republicans seemed intent on demonstrating that the agency and its chief information officer (CIO) had deliberately misled, if not lied to, Congress, Democrats also were critical of the agency’s response to its many troubles.

“The agency failed to notify Congress of seven major data breaches within the seven-day timeframe that OMB (Office of Management and Budget) requires from October 2015 through February 2016,” said Rep. Eddie Bernice Johnson (D-Tex.), the top Democrat on the panel. She cited testimony in May from CIO Lawrence Gross, whom she said described the breaches as “inadvertent” and without “malicious intent,” then noted evidence gathered by the FDIC inspector general’s office that “clearly shows that in at least one of the seven breaches the data was not taken accidentally.” 

“I think it’s fair to say that our May hearing yielded bipartisan agreement that the FDIC’s interpretation of the OMB guidance was flawed,” she said. “It is also clear that FDIC did not initially provide all documents responsive to the Committee’s requests.”

So Thursday was a day for FDIC damage control. Unfortunately, there is so much damage that FDIC Chairman Martin Gruenberg could not control it all. In fact, he added to it with responses that did not project certitude.

He tried to paint an improving picture, saying “an effective FDIC information security and privacy program is critical to our mission of maintaining stability and public confidence in the nation’s financial system.” He outlined a “cybersecurity framework” with five prongs: identify, protect, detect, respond, and recover.

It sounded right, yet had the ring of cliché compared to problems, certainly not all of FDIC’s doing, that plague the agency’s cybersecurity efforts.

FDIC rules didn’t stop a former employee from loading sensitive information on a thumb drive in September before leaving the agency. But Fred Gibson, FDIC’s acting inspector general, identified a number of factors under FDIC’s control that contributed to the breach.

For example, “an insider threat program would have better enabled the FDIC to deter, detect, and mitigate the risks posed by the employee,” Gibson said. FDIC began developing an insider threat program in 2014, but it stalled and still has not been implemented.

Another program, Gibson said, “designed to prevent employees with access to sensitive … plans from copying electronic information” to removable drives “failed to operate as intended.”

Gruenberg, who has been with FDIC for 11 years and chairman since 2012, agreed with Gibson’s recommendations designed to strengthen information security.

“It is worth noting,” Gruenberg added, “that the FDIC has discontinued individuals’ ability to copy information to removable media such as external hard drives, flash drives, and CDs or DVDs to prevent these types of incidents from occurring in the future.”

Better late than never perhaps, but it had the sound of a door closing on an empty barn.

With his faltering on a number of questions, Gruenberg didn’t impress committee members who questioned his preparation. That was from Republicans, but Democrats didn’t come to his rescue. No point demonstrated his uncertainty more than this exchange about an agency employee manual.

Rep. Gary Palmer (R-Ala.): “Does the FDIC have an employee handbook manual?”

Gruenberg: “I would have to check, but I believe, I assume we have something like that.”

Palmer: “Based on that answer I assume you haven’t read it.”

Gruenberg: “I can’t say I’ve looked at it sir.”

Palmer: “It might be a good idea if you became familiar with it.”

©2016 The Washington Post, 1301 K St NW, Washington DC 20071