Stop Looking at Me: The FDIC’s View of Cybersecurity
Information security is pertinent to all businesses. This also reaches across all industries. At
times, this is fully applied and at other times lacking. An example of the latter has been the
breach with the Office of Personnel Management in 2014 with over 21M personnel records being
stolen (Gordon, 2016). Although devastating for the consumer victims, this is likewise a concern
for the targeted business. As of mid-2016, there was one industry however that was being
targeted more often than not. This recent example was directed at the banking industry globally.
This involved the Swift network.
Another global example familiar to the US involves weak cybersecurity in the banking
system and the Federal Deposit Insurance Corporation (FDIC).
Attack Period
The target for the attacks was rather unique. For the most part, an attacker is seeking data
that could be sold on the dark web or other areas. This may be focused on a business with credit
card numbers, personnel records, or health records. The FDIC in this instance was the target of
the cyber-attack. At times these attacks are a single occurrence as the attacker breaches the
system during one, prolonged attack. In other circumstances, there may be a limited number of
contacts for the attacker to pull the most amount of data for sale later. For this occurrence, the
attacks however occurred in 2010, 2011, and 2014 (Lange & Volz, 2016; Sputnick, 2016,
Gordon, 2016). This was a rather extended attack and allowed the attackers ample time to peruse
through the files and servers at the FDIC.
Perpetrators
Clearly this was a well-researched and planned attack due to the target-a federal entity.
The higher risk and more valuable data involved, the more research may go into the enumeration
of the target. This attack was investigated internally by the FDIC IT department. There was data
left behind by the attackers. The data and research indicated the source of the attack was Beijing
(Lange & Volz, 2016; Sputnik, 2016; Gordon, 2016). This attack has been in the form of an
advanced persistent threat (APT) (Gordon, 2016).
How the Continued Attacks Were Successful
The attacks covered a three year period, which is not the normal attack. In most other
organizations, the attack on some level would have at least been noticed. In this case, there was a
distinct lack of cyber-security efforts (Lange & Volz, 2016) and reporting.
This continued to be an issue due to one glaring issue. The employees at the FDIC
elected to actively hide the breach activities (Lange & Volz, 2016). This was an overt, deceiptful
act (Pagliery, 2016) intended to mislead the remainder of the department and American society.
Hiding this glaring and important issue was inept (Pagliery, 2016). This act was not done by one
person but many people in the department.
What makes this borderline unconscionable, heinous act is the FDIC’s top lawyers told
the employees not to discuss the hacks via email. This directive was handed down by licensed
attorneys who took the oath so there would not be a document trail. This is further exasperated as
the CIO at the time actively misled the FDIC auditors as to the extent of the breach (Elfinger,
2016; Blake, 2016). This was at best ill-advised. This action only served to further expose
confidential information and allow the attackers free reign over their system. This has effectually
eroded any trust that was left in the US government.
Had a business in the US had a breach and series of breaches allowing sensitive,
confidential information to actively be exfiltrated from the business, and the breaches actively
covered up, there would be a decidedly different result. The FTC would probably be diving very
deeply into the business, applying an intense amount of pressure, and threatening legal action.
This inaction, especially when the attacks were clearly known, was not prudent. The main
rationale for this was brought to light much later. This was covered up expressly to protect the
Chairman of the FDIC’s job (Lange & Volz, 2016). At the time the Chairman was Martin
Gruenberg.
The attack itself, over the years, was rather widespread. An attacker in general may look
for one or two areas in an organization to attack. These may hold high profile information or
confidential information, such as being finance or payroll oriented. In this instance though, it was
not the case. The targets were 12 FDIC workstations and 10 servers over the years (Pagliery,
2016). The workstations were also varied in that these were not the usual targets, but included
mainstream and the other executives systems (Sputnick, 2016). Overall during the years, there
were an estimated 100 computers breached over the years since the first attack (Borack, 2016).
Unfortunately, this was not the extent of the issue. There was also backdoors installed on the
workstations and servers (Elfling, 2016; Gallagher, 2016).
Benefits to the Attacker
This was not an attack simply for its own sake or for the person to be curious as to what
was behind the wall. There was a distinct purpose in mind for the time and effort. There was a
distinct purpose in mind for the time and effort. The point of this attack was the perpetrators
apparently looking for “economic intelligence” (Lange & Volz, 2016). This much like earlier
when the Chinese were “allegedly” were hacking the defense contractors for the plans and
schematics.
Remediation
After the report was published, naturally a significant amount of attention was paid to
this. This was especially the case with the persons covering up the breaches. In response to this,
the agency scheduled the policies to be updated. As part of this endeavor, the IT group is
disengaging the users from using the USB drives, CDs, etc. from being used on their systems
(Borak, 2016). The FDIC is also planning on upgrading their software. In addition, the FDIC IT
group is working on a policy for employees who are leaving the FDIC employment. The plan is
to have this done by October 28, 2016.
This may correct inadequacies and vulnerabilities, however it completely misses the
systemic issues with management, a lack of the ability to do the right thing, and licensed
attorneys directing the issue to be covered up.
Troubling
This intentionally deceitful set of acts is troubling and problematic on many levels. The
FDIC intentionally hid the attacks and breaches over several years. This was directed on many
levels. Clearly this was fraught with problems as the public was misled indirectly. Although
there was not a direct lie told to the public, by hiding this, the agency was misleading the
government, people, and institutions.
The attacks went on for years. The extent of the attacks and the data viewed or exfiltrated
may never be known. The FDIC does provide external facing data and statistics for the public to
view. There is however more data that is confidential. The attackers may have accessed this at
their leisure.
This was hidden by all layers of the FDIC, from the C-suite and corporate attorneys
downward. When the leadership is hiding this level of error from the public and all other
agencies to protect one person, there is something inherently and systemically wrong. When the
CIO and FDIC attorneys direct the staff directly and overtly to hide the breach of the system and
confidential information, the problem is not isolated, but is with the organization.
What is the most troubling is that this has not been overly noted in the news. A foreign
country may have confidential data regarding the US banking industry. This is serious yet there
has not been a mass amount of media involved with this. In a short period this may be forgotten
by the public. What has not been brought forward is what could the other nation do with this
information and data? What would happen with the banking industry if the nation used this data
from the breach in a detrimental, persistent manner? This should make people concerned, yet this
has been reduced in focus.
References
Asadorian, P. (Publisher). (2016, July 14). Security Weekly [Podcast]. Retrieved from
https://securityweekly.com
Blake, A. (2016, July 13). FDIC let down its cyber defenses despite being hacked by Chines:
House panel. Retrieved from http://www.washingtontimes.com/news/2016/jul/13/fdic-
let-down- its-cyber- defenses-despite- being-hac/
Borak, D. (2016, July 14). Top FDIC officials weren’t fully informed on computer hacks
chairman says. Retrieved from http://www.wsj.com/articles/top-fdic- officials-werent-
fully-informed- on-computer- hacks-chairman- says-1468514182
Daily Star. (2016, July 14). US banking regulator updates cyber security after data breach:
Chairman. Retrieved from https://www.dailystar.com.1b/News/World/2016/Jul-
14/362070-us- banking-regulator- updates-cyber- security-after- data-breach- chairman.ashx
Elfling. (2016, July 13). FDIC hacked by China, and CIO covered it up. Retrieved from
http://www.dailykosbeta.com/story/2016/07/13/1394681/-- FDIC-was- hacked-by- China-
and-CIO- covered-it- up
Gallagher, S. (2016, July 13). FDIC was hacked by China, and CIO covered it up. Retrieved
from http://arstechnica.com/security/2016/07/fdic-was- hacked-by- china-and- cio-covered-
it-up/
Gordon, M. (2016, July 13). Chinese government suspected of hacking into FDIC computers.
Retrieved from http://phys.org/news/2016-07- chinese-hacking- fdic.html
Lange, J., & Volz, D. (2016). Likely hack of U.S. banking regulator by China covered up: Probe.
Retrieved from http://www.reuters.com/article/us-cyber- fdic-china- idUSKCN0ZT20M
Mimoso, M. (2016, July 13). Congressional report: China hacked FDIC and agency covered it
up. Retrieved from https://threatpost.com/congressional-report- china-hacked- fdic-and-
agency-covered- it-up/119276/
Pagliery, J. (2016, July 13). China hacked the FDIC-and US officials covered it up, report says.
Retrieved from http://money.cnn.com/2016/07/13/technology/china-fdic- hack/index.html
Reuters. (2016, July 14). Why the FDIC is updating its cyber security policy after this data
breach. Retrieved from http://fortune.com/2016/07/14/fdic-data- breach-cyber- security/
Sputnik International. (2016, July 13). China likely behind multiple computer breaches at US
bank insurer. Retrieved from http://sputniknews.com/us/20160713/1042917703/us-cyber-
security.html