FDIC staff tried to cover up a series of internal data breaches and misled Congress on the status of some of those breaches, GOP lawmakers said at a House Science, Space and Technology Committee hearing July 14.
"There's been a pattern of stonewalling and covering up mistakes and wrongdoing and these things cannot be just shrugged off," said Rep. Dana Rohrabacher, R-Calif.
FDIC Chairman Martin Gruenberg told the committee that the agency should have told Congress about the breaches sooner and was working to implement security protocols and changes recommended by the agency's inspector general by the end of 2016.
"I assure you, we have no higher priority at the FDIC than addressing these matters," he said.
Thursday's hearing was the second in response to an investigation into how the FDIC handled a series of security breaches. The agency has related to employees leaving the agency and downloading data on personal external devices, with one incident requiring law enforcement.
The breaches were considered low-risk because the employees were in good standing and had a business reason for having access to the data, the FDIC has stated. The instances were reported once the agency's inspector general told them to reconsider the reporting requirements.
Two audits on different breaches from the agency's inspector general found the FDIC had taken steps toward establishing an insider threat program but halted the program in 2015. The program could have prevented some of the breaches from occurring, the audits found.
FDIC Acting Inspector General Fred Gibson told the committee that he was unaware of exactly why the program was not implemented, but it appears FDIC management thought the program was going too fast, while staff claimed they were told to stop the program.
GOP lawmakers claim the agency has deliberately evaded congressional oversight and misled them on the nature of some of the breaches. For example, in one breach referred to as the Florida incident, FDIC staff told committee staff in a briefing that the former employee who had a USB containing sensitive data was cooperative and nonadversarial. Yet according to a report from the FDIC inspector general, the former employee denied having the device and refused to meet with former FDIC colleagues.
An interim staff report from the committee also found that FDIC Chief Information Officer Larry Gross misled Congress about a series of internal security breaches at the agency and has created a hostile work environment against whistleblowers.
FDIC staff described Gross as "vindictive," and said he will take employees off of a project if they disagree with him, according to the report. As a result, employees in the department are leaving, interview transcripts in the report show.
Some Democratic lawmakers disagreed with the Republican staff report. Rep. Eddie Bernice Johnson, D-Texas, said that while the FDIC did not inform Congress of the data breaches in a timely manner, there was little evidence to support allegations of Gross or FDIC staff misleading Congress.
"I do believe the FDIC chairman takes these issues seriously," she said at the hearing. "He has a strong track record on responding to cybersecurity challenges, including holding his staff accountable."