Report Finds FDIC Still Struggling on Security



After a string of high-profile breaches, the FDIC is still struggling to implement a security program and control access to its network, GAO found.

After almost a decade of contending with sophisticated cyber adversaries, the Federal Deposit Insurance Company (FDIC) is still struggling to implement an information security program to prevent future hacks and intrusions, a report from the GAO found.

The FDIC, an independent agency created by the U.S. Congress to insure private bank deposits and supervise financial institutions, made little progress on a wide range of needed information security improvements in 2016 that were designed to protect the agency from hackers. A GAO review found that the FDIC still lacked adequate access controls — including so-called “boundary protection” — and fell short on identification, authentication, and authorization of users and on configuration management controls.

The agency risks exposing sensitive financial information or having FDIC data subject to “inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction,” the GAO warned in its report.

The FDIC is no stranger to cyber-attacks. It was repeatedly targeted by hackers believed to be linked to the Chinese military between 2010 and 2012 and has been targeted since then. The hacks targeted both “backroom servers” operated by the agency and the personal computers of top officials, including the FDIC Chairman and his staff. Agency staff then downplayed the seriousness of the attacks in subsequent reports to Congress, according to the findings of an internal agency audit.

While the FDIC has made improvements in recent years, the GAO found that its response has lagged. For example, the corporation by 2016 still did not sufficiently isolate financial systems from other parts of its network or establish a single, accurate listing of all IT assets in its environment, GAO reported.

At the top of the FDIC’s list of problems are what GAO terms “boundary control” issues. Simply put: the agency is having trouble limiting “unauthorized information flows” between different parts of its networks and systems. A lack of such protections allows attackers who penetrate one part of an organization’s network environment to access and potentially steal information from other, more sensitive systems.

The agency is also struggling mightily to monitor user access to sensitive data and assets. According to the GAO, FDIC still allowed a key, privileged account to be shared among many agency employees, increasing the chances of account misuse and making auditing of user access and incident response difficult.

In a response to GAO, FDIC Chief Financial Officer Steven O. App acknowledged the “opportunities to improve information security” and wrote that the agency “remains dedicated to strengthening this area of its operations.”

The report comes in the wake of President Donald Trump’s Executive Order on cybersecurity, which promises to hold agency heads accountable for adverse events that happen on their watch. The Trump order also mandates that federal agencies manage cyber risk according to guidelines published by the National Institute of Standards and Technology (NIST), a change from the policies of the previous administration, for which adherence to NIST standards was voluntary.

FDIC is not alone in facing severe challenges in securing its networks and data. A GAO report from September 2016 found that cyber incidents affecting federal agencies grew 1,300 percent between 2006 and 2015. Despite guidance and laws requiring the federal government to implement a framework for managing the security of its information technology systems, implementation of that framework has been inconsistent, while agencies struggle to implement risk-based security programs, detect and respond to cyber incidents and hire experienced information security workers, the report found.

Paul Roberts

Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.