Information security is pertinent to all businesses in all industries and across all levels of government. Some do it well and some do it poorly. All should seek to learn lessons, both from those that do it well and those that fail.
This post dives into an organization that is recovering from the fail side of the equation, the Federal Deposit Insurance Corporation (FDIC).
In this case, the attacks occurred in 2010, 2011, and at least through 2014. This was a rather extended attack and allowed the attackers ample time to peruse the files and servers at the FDIC. The target for the attacks was unusual. In this case the target was not data that could be sold on the dark net, but the type of policy information that would benefit a nation.
How the Continued Attacks Were Successful
The attacks covered a three-year period, which is far longer than the norm for attacks. In most other organizations, especially those with good defenses, the attack would have been noticed on at least some level. In this case, there was a distinct lack of cyber-security efforts and reporting.
This continued to be an issue due to leadership and governance issues. The employees at the FDIC elected to actively hide the breach activities. This was an overt, deceitful act intended to mislead the rest of the department, their oversight from Congress, and everyone else. Hiding this glaring and important issue is indefensible and frankly inept. This act was not done by one person but many people in the department.
Investigation revealed that the FDIC’s top lawyers told the employees not to discuss the hacks via email. This directive was handed down by attorneys. Then the CIO at the time actively misled the FDIC auditors as to the extent of the breach. This was not just wrong, it was an action that served to further expose confidential information and allow the attackers free rein over their system. This has significantly eroded any trust that was left in the US government.
Had a business in the US suffered a series of breaches in which sensitive, confidential information was actively exfiltrated, and had those breaches been actively covered up, there would be a decidedly different result. The FTC would probably be diving very deeply into the business, applying an intense amount of pressure, and threatening legal action. And businesses or consumers that suffered losses due to this would seek legal remedy.
This FDIC inaction, especially when the attacks were clearly known, was inexcusable. The main rationale for this was brought to light much later. This was covered up expressly to protect the job of the FDIC’s Chairman (at the time the Chairman was Martin Gruenberg).
It is hard to know the real extent of the attack. We do know that it was extensive and widespread. While we can safely say that hundreds of systems were probably accessed, the only known information indicates the targets were 12 FDIC workstations and 10 servers over the years. The workstations included executive systems. Unfortunately, this was not the extent of the issue. There were also backdoors installed on the workstations and servers so the adversaries could come and go and jump to other devices.
Benefits to the Attacker
This was not an attack simply for its own sake, or by someone curious as to what was behind the wall. There was a distinct purpose in mind for the time and effort. The perpetrators were apparently looking for “economic intelligence”. This is much like earlier, when the Chinese were “allegedly” hacking the defense contractors for plans and schematics.
After the report was published, naturally a significant amount of attention was paid to this. This was especially the case with the persons covering up the breaches. In response to this, the agency scheduled policy updates. As part of this endeavor, the IT group is stopping users from using USB drives, CDs, etc. on their systems (for more see WSJ reporting by Borak). The FDIC is also planning on upgrading their software. In addition, the FDIC IT group is working on a policy for employees who are leaving FDIC employment. The plan is to have this done by October 28, 2016.
These types of steps may help put the FDIC on the right path. However, until issues of governance and leadership are addressed, it will be hard to really improve.
This intentionally deceitful set of acts is troubling and problematic on many levels. The FDIC intentionally hid the attacks and breaches over several years. This was directed on many levels. Clearly this was fraught with problems, as the public and FDIC oversight were misled.
The attacks went on for years. The extent of the attacks and the data viewed or exfiltrated may never be known. The FDIC does provide external facing data and statistics for the public to view. There is however more data that is confidential. The attackers may have accessed this at their leisure.
This was hidden by all layers of the FDIC, from the C-suite and corporate attorneys downward. When the leadership is hiding this level of error from the public and all other agencies to protect one person, there is something inherently and systemically wrong. When the CIO and FDIC attorneys direct the staff directly and overtly to hide the breach of the system and confidential information, the problem is not isolated, but is with the organization.
What is most troubling is that this is not seeing much treatment in the press. A foreign country has confidential data regarding the US banking industry, and FDIC leaders intentionally lied. This is serious, yet there has been just about no media involvement with this. In a short period this may be forgotten by the public. What has not been brought forward is what the other nation could do with this information and data. What would happen with the banking industry if the nation used this data from the breach in a detrimental, persistent manner? This should make people concerned, yet this has been reduced in focus.
Lessons for all:
- Governance matters most of all. If the governance and leadership issues are not addressed, nothing else matters
- Governance should include strong oversight and transparency
- And those of us in the cybersecurity field should do our part in continuously pushing for relevant facts