The inspector general at the Federal Deposit Insurance Corp. has opened criminal investigations into “several” data breaches at the agency involving the transfer to removable media by staff of highly sensitive banking data and massive files of personal information, lawmakers were told Thursday.
“We also have open criminal investigations relating to several of the incidents, which have not reached a stage where further public discussion would be appropriate,” acting Inspector General Fred Gibson Jr. told a hearing of the House Science, Space and Technology Committee. He declined to give further details.
The revelation came at a hearing where Republicans cross-examined FDIC Chairman Martin Gruenberg about a series of breaches at the agency last year that were not reported to Congress — as required by a new Office of Management and Budget policy rolled out Oct. 30.
Democrats defended the agency, alleging the charges from their Republican colleagues were premature and based on a selective reading of the evidence
An interim report from GOP committee staff released Wednesday accused officials at the agency — and in particular FDIC CIO Larry Gross — of trying to cover up breaches, deliberately misleading congressional investigators, and retaliating against whistleblowers and anyone else who disagreed with him. The report was based primarily on interviews with a handful of current and former staffers.
The investigation began earlier this year after the FDIC acknowledged that eight breaches had not been reported as they should have under the new OMB policy. Gross gave evidence at a May 12 subcommittee hearing he sought to tamp down members’ concerns about the breaches.
Following the May 12 hearing, agency personnel sent the committee “redacted summaries of responsive documents and a limited set of email communications,” Chairman Lamar Smith, R-Texas, complained. “Whistleblowers and the IG’s staff immediately informed the committee that we were not getting the whole story.
“This has been the over-reaching theme of the committee’s dealings with the FDIC: We’re not getting the whole story. Based on interviews and documents, there is a culture of concealment at the FDIC.”
As an example, Smith cited instructions from the Office of the General Counsel in the agency to staff “not to put certain opinions or analysis in email or other written form, presumably to avoid discovery through the congressional oversight process.”
But Gruenberg said that, rather than any effort to cover up, the inconsistencies and failures of the agency’s responses, first to the breach and then to the committee, were a result of changing policies and a new CIO.
He described a rapid “confluence of developments” that included the identification of the first breach, the issuance of the new OMB guidance and the appointment of the new CIO all of which took place within 10 days.
“Our CIO assumed his new position [Nov. 2] and was sort of presented, if I may say, for a guy just starting the job, with a pretty difficult situation to sort through,” Gruenberg said.
He said the agency decided to “even though the breach occurred before the guidance was issued, it should be assessed in line with the guidance.” The CIO initially decided that the breach did not count as “major” — requiring an immediate report to Congress — but then reversed course after the inspector general weighed in.
“In retrospect, and in light of the [inspector general ‘s] report findings, we should not have considered what we believed to be mitigating factors when applying the OMB guidelines,” he said.
“What I want to suggest,” concluded Gruenberg, “is that while we might have gotten it wrong, while the CIO might have gotten it wrong, there was an honest effort … The judgment may have been wrong but I don’t think there was malintent here.”
And Democrats on the committee said their colleagues were jumping the gun — and jumping to conclusions, saying the agency had made mistakes, but was now fixing its data security problems and cooperating with investigators.
Ranking Democrat and fellow Texan Rep. Eddie Bernice Johnson told the chairman, “I think it’s fair to say that our May hearing yielded bipartisan agreement that the FDIC’s [implementation] of the OMB guidelines was flawed.”
She said there was also agreement that the agency “did not initially provide all documents responsive to the committee’s request. However I do not agree with my majority colleagues as to what constitutes evidence of intent. The majority is likely to allege that the CIO intentionally misled the committee and that the agency attempted to obstruct the committee’s investigation into these events.
“I do not believe that that the committee has uncovered convincing evidence to support these allegations,” she said.
“I’m not dismissing the testimony [of whistleblowers and others] but it is our responsibility to make sure we have all the evidence and have heard from all the parties, before we begin to wave around serious allegations of criminal intent.”
Her Democratic colleague from Virginia, Rep. Don Beyer agreed.
“Some of the responses were incomplete … however I don’t agree we can or should infer from the facts gathered so far by the committee, as the majority has clearly done, that individual FDIC employee intentionally lied to this committee or have engaged in deliberate obstruction of this committee’s investigation,” he said.
He accused Republicans of “selectively pull[ing] some information that helps them paint that narrative.”
As an example, he noted that the advice from the general counsel’s office not to create records was issued “four months before the committee became aware of the data breach, so to paint it as part of an attempt to obstruct our investigation makes no sense.”
Gruenberg pointed out that the agency had taken a series of corrective actions, including having “discontinued individuals’ ability to copy information to removable media such as external hard drives, flash drives, and CDs or DVDs to prevent these types of incidents from occurring in the future.”
Gibson, the agency’s inspector general, agreed that if the corrective actions were implemented properly, they would be “effective” in mitigating the risks the FDIC faced.
He also noted that his office was investigating the role and position of the agency’s chief information security officer — a job currently vacant.
“We believe that the CISO as a matter of principle, should be in a position to speak up and to inform those in the corporation who need to know what the status is of [security] incidents,” Gibson said, adding that, “We obviously haven’t reached any conclusions yet, but the goal is to reach a reasoned assessment as to whether the CISO, in the present structure where the CISO reports to the CIO, is able to provide that independent security-minded voice … or whether its a position that should organizationally and from a governance standpoint be separated so there a degree of independence and a degree of ability to speak up.”