Stop Looking at Me: The FDIC’s View of Cybersecurity
- Charles Parker, II
- Sep 15, 2016
Information security is pertinent to all businesses, across all industries. At times it is
fully applied and at other times it is lacking. An example of the latter is the breach at the
Office of Personnel Management, which began in 2014 and was disclosed in 2015, with more than
21M personnel records stolen (Gordon, 2016). Although devastating for the individual victims, a
breach of this kind is likewise a concern for the targeted organization. As of mid-2016, one
industry was being targeted more heavily than most: banking, globally. The most recent example
involved the SWIFT interbank messaging network.
Another example, closer to home for US readers, involves weak cybersecurity at a banking
regulator, the Federal Deposit Insurance Corporation (FDIC).
Attack Period
The target for the attacks was rather unusual. For the most part, an attacker seeks data that
can be sold on the dark web or elsewhere, and so focuses on a business holding credit card
numbers, personnel records, or health records. In this instance the target was the FDIC itself.
Some attacks are a single occurrence, with the attacker breaching the system during one
prolonged intrusion. In other cases there is a limited number of contacts, the attacker pulling
as much data as possible for later sale. Here, however, the attacks occurred in 2010, 2011, and
2014 (Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). This was an extended campaign, and it
gave the attackers ample time to peruse the files and servers at the FDIC.
Perpetrators
The choice of target, a federal entity, indicates a well-researched and planned attack. The
higher the risk and the more valuable the data involved, the more research tends to go into
enumerating the target. The attack was investigated internally by the FDIC IT department. The
attackers left data behind, and that data and the subsequent research pointed to Beijing as the
source of the attack (Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). The attack has been
described as an advanced persistent threat (APT) (Gordon, 2016).
How the Continued Attacks Were Successful
The attacks spanned several years, which is not the typical pattern. In most other
organizations, an attack would at least have been noticed at some level. In this case there was
a distinct lack of cybersecurity effort (Lange & Volz, 2016) and of reporting.
This continued to be an issue for one glaring reason: employees at the FDIC elected to
actively hide the breach activity (Lange & Volz, 2016). This was an overt, deceitful act
(Pagliery, 2016) intended to mislead the remainder of the department and the American public.
Hiding an issue this glaring and important was inept (Pagliery, 2016), and it was done not by
one person but by many people in the department.
What makes this borderline unconscionable is that the FDIC’s top lawyers told employees not
to discuss the hacks via email. This directive was handed down by licensed attorneys so that
there would be no document trail. The situation was further exacerbated when the CIO at the
time actively misled the FDIC’s auditors as to the extent of the breach (Elfling, 2016; Blake,
2016). This was at best ill-advised. It only served to further expose confidential information
and to allow the attackers free rein over the system. It has effectively eroded whatever trust
was left in the US government.
Had a US business suffered a breach, or a series of breaches, in which sensitive, confidential
information was actively exfiltrated, and had it actively covered those breaches up, the result
would have been decidedly different. The FTC would likely have dug deep into the business,
applied intense pressure, and threatened legal action.
This inaction, especially when the attacks were clearly known, was not prudent. The main
rationale came to light much later: the breaches were covered up expressly to protect the job of
the FDIC’s Chairman (Lange & Volz, 2016), who at the time was Martin Gruenberg.
The attack itself, over the years, was rather widespread. An attacker generally looks for one
or two areas of an organization to attack, typically those holding high-profile or confidential
information, such as finance or payroll. That was not the case here. The targets were 12 FDIC
workstations and 10 servers over the years (Pagliery, 2016). The workstations were also unusual
in that they were not the typical targets but included the systems of senior executives
(Sputnik, 2016). Overall, an estimated 100 computers were breached in the years since the first
attack (Borak, 2016). Unfortunately, this was not the extent of the issue: backdoors were also
installed on the workstations and servers (Elfling, 2016; Gallagher, 2016).
Benefits to the Attacker
This was not an attack simply for its own sake or out of curiosity about what lay behind the
wall. There was a distinct purpose behind the time and effort: the perpetrators were apparently
looking for “economic intelligence” (Lange & Volz, 2016). This is much like the earlier
episodes in which the Chinese were “allegedly” hacking defense contractors for plans and
schematics.
Remediation
After the report was published, a significant amount of attention was naturally paid to it,
especially to the persons who covered up the breaches. In response, the agency scheduled its
policies to be updated. As part of this effort, the IT group is blocking the use of USB drives,
CDs, and similar removable media on its systems (Borak, 2016). The FDIC also plans to upgrade
its software, and the IT group is working on a policy for employees leaving FDIC employment.
The plan is to have this completed by October 28, 2016.
This may correct specific inadequacies and vulnerabilities, but it completely misses the
systemic issues: management, the lack of a willingness to do the right thing, and licensed
attorneys directing that the issue be covered up.
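As an added illustration of the removable-media control described above (this is not the FDIC’s configuration and does not come from any of the cited reports), the following PowerShell writes the registry values that the Windows “Removable Storage Access” Group Policy uses to deny all access to removable disks and CD/DVD drives, then reads them back to verify. The device setup class GUIDs are Microsoft’s documented values for those two classes; the assumption that the endpoints run Windows is mine.

```powershell
# Added example, not the agency's own script: deny all access to removable
# disks (USB mass storage) and CD/DVD drives on a Windows endpoint by writing
# the registry values behind Computer Configuration > Administrative Templates
# > System > Removable Storage Access. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device setup class GUIDs documented by Microsoft for this policy.
$classes = [ordered]@{
    'Removable Disks (USB mass storage)' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'                          = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}
$denyValues = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

foreach ($entry in $classes.GetEnumerator()) {
    $key = "$policyRoot\$($entry.Value)"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # A DWORD of 1 for each Deny_* value blocks that kind of access for the class.
    foreach ($name in $denyValues) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Write-Host "Denied read/write/execute for: $($entry.Key)"
}

# Verification: read every value back and report anything that did not stick.
$failures = @()
foreach ($entry in $classes.GetEnumerator()) {
    $props = Get-ItemProperty -Path "$policyRoot\$($entry.Value)"
    foreach ($name in $denyValues) {
        if ($props.$name -ne 1) { $failures += "$($entry.Key): $name" }
    }
}

if ($failures.Count -gt 0) {
    Write-Warning ("Removable storage policy NOT fully applied: " + ($failures -join ', '))
} else {
    Write-Host 'Removable storage policy verified. A sign-out or reboot may be needed before it is enforced.'
}
```

On a domain-joined machine these keys are owned by Group Policy and will be overwritten at the next refresh, so the durable control is the same setting deployed centrally through a GPO; the script is useful for stand-alone systems and for auditing that the policy actually landed on a given host.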
Troubling
This intentionally deceitful set of acts is troubling and problematic on many levels. The
FDIC intentionally hid the attacks and breaches over several years, and the concealment was
directed at many levels. This was clearly fraught with problems, as the public was misled, if
indirectly. Although no direct lie was told to the public, by hiding the breaches the agency
misled the government, the people, and other institutions.
The attacks went on for years. The extent of the attacks and of the data viewed or exfiltrated
may never be known. The FDIC does provide external-facing data and statistics for the public to
view; there is, however, more data that is confidential, and the attackers may have accessed it
at their leisure.
This was hidden by all layers of the FDIC, from the C-suite and corporate attorneys downward.
When leadership hides an error of this magnitude from the public and from all other agencies to
protect one person, something is inherently and systemically wrong. When the CIO and the FDIC’s
attorneys directly and overtly instruct staff to hide a breach of the system and of confidential
information, the problem is not isolated; it lies with the organization.
Most troubling is that this has not been widely noted in the news. A foreign country may hold
confidential data regarding the US banking industry. This is serious, yet there has not been a
large amount of media coverage, and in a short time it may be forgotten by the public. What has
not been asked is what the other nation could do with this information and data. What would
happen to the banking industry if that nation used the data from the breach in a detrimental,
persistent manner? This should concern people, yet the focus on it has diminished.
References
Asadorian, P. (Publisher). (2016, July 14). Security Weekly [Podcast]. Retrieved from
https://securityweekly.com
Blake, A. (2016, July 13). FDIC let down its cyber defenses despite being hacked by Chinese:
House panel. Retrieved from http://www.washingtontimes.com/news/2016/jul/13/fdic-let-down-its-cyber-defenses-despite-being-hac/
Borak, D. (2016, July 14). Top FDIC officials weren’t fully informed on computer hacks,
chairman says. Retrieved from http://www.wsj.com/articles/top-fdic-officials-werent-fully-informed-on-computer-hacks-chairman-says-1468514182
Daily Star. (2016, July 14). US banking regulator updates cyber security after data breach:
Chairman. Retrieved from https://www.dailystar.com.lb/News/World/2016/Jul-14/362070-us-banking-regulator-updates-cyber-security-after-data-breach-chairman.ashx
Elfling. (2016, July 13). FDIC hacked by China, and CIO covered it up. Retrieved from
http://www.dailykosbeta.com/story/2016/07/13/1394681/--FDIC-was-hacked-by-China-and-CIO-covered-it-up
Gallagher, S. (2016, July 13). FDIC was hacked by China, and CIO covered it up. Retrieved
from http://arstechnica.com/security/2016/07/fdic-was-hacked-by-china-and-cio-covered-it-up/
Gordon, M. (2016, July 13). Chinese government suspected of hacking into FDIC computers.
Retrieved from http://phys.org/news/2016-07-chinese-hacking-fdic.html
Lange, J., & Volz, D. (2016). Likely hack of U.S. banking regulator by China covered up: Probe.
Retrieved from http://www.reuters.com/article/us-cyber-fdic-china-idUSKCN0ZT20M
Mimoso, M. (2016, July 13). Congressional report: China hacked FDIC and agency covered it
up. Retrieved from https://threatpost.com/congressional-report-china-hacked-fdic-and-agency-covered-it-up/119276/
Pagliery, J. (2016, July 13). China hacked the FDIC, and US officials covered it up, report says.
Retrieved from http://money.cnn.com/2016/07/13/technology/china-fdic-hack/index.html
Reuters. (2016, July 14). Why the FDIC is updating its cyber security policy after this data
breach. Retrieved from http://fortune.com/2016/07/14/fdic-data-breach-cyber-security/
Sputnik International. (2016, July 13). China likely behind multiple computer breaches at US
bank insurer. Retrieved from http://sputniknews.com/us/20160713/1042917703/us-cyber-security.html