WASHINGTON — Hackers believed to be working from China accessed the computer systems of top officials at the Federal Deposit Insurance Corp., according to a top House lawmaker investigating the incident.
The hack was part of a breach that initiated in October 2010 and continued for at least a year, eventually infecting the workstations of then-FDIC Chairman Sheila Bair as well as other top officials with malware.
"It's a national security issue, if a known enemy of the United States has access to that type of information," Rep. Barry Loudermilk, R-Ga., told reporters after a hearing by a House Committee on Science, Space and Technology subcommittee.
While details of the malware attack first emerged Wednesday, the location of the attackers was never disclosed. Loudermilk alleged that the hack came from China, but a FDIC official and Fred Gibson, the agency's inspector general, declined to confirm that during the hearing.
"We're not authorized to make a specific attribution to any particular actor," Gibson said in response to questions from Loudermilk.
The revelation was the latest twist in a case that has already put a spotlight on the FDIC's cybersecurity. The hearing was primarily focused on other incidents in which departing FDIC employees downloaded sensitive data, sometimes concerning tens of thousands of records, on portable media drives.
But news that Chinese hackers were allegedly behind the 2010 malware attack is likely to fuel more criticism of the FDIC's cyber preparedness.
The hearing put the FDIC's chief information officer, Lawrence Gross, on the defensive as to why the agency had allowed its own employees to leave with sensitive data.
Gross said those incidents were accidents. In some cases, the former employees then lied to cover up their mistakes, he said.
"They find themselves in the awkward situation where their closing statement does not reflect the actual facts," he said.
Lawmakers focused on one case in which a departing employee took data, including about 10,000 Social Security numbers, on a zip drive. They said that she denied taking data with her or even owning a flash drive.
"She says she did not know what an external hard drive is," said Rep. Darin LaHood, R-Ill.
But Gross maintained it was an accidental breach.
"I don't believe she realized she took FDIC-specific data," he said.
When asked how such accidents could have happened multiple times, Gross explained that the employees had mistakenly included sensitive data with their personal information when they departed.
"The individuals involved in those incidents were not computer proficient," Gross said. So much so, he added, that they could "inadvertently copy the entire hard drive."
Asked if the FDIC had the technical capacities to use forensics on the recovered removable media devices to determine whether any information had been downloaded to another computer or sent elsewhere, Gross responded that it was not possible to be certain.
The FDIC relies on "employee's assertion." All seven employees involved in incidents were made to sign affidavits saying they would not disseminate the information.
That's "too low a bar," said Rep. Don Beyer, D-Va.
The FDIC was also criticized for not reporting the incidents to Congress fast enough. The agency initially did not categorize the incidents as "major," which means they were required only to be reported in yearly Federal Information Security Modernization Act reports to the Office of Management and Budget.
But after the inspector general's office urged the FDIC to classify the events as "major," the agency started informing Congress.
Gross defended the agency's position, saying, "it's left to the discretion of the agency to determine if, in fact, the specific agency has the information to determine" that the incident is a "major" one.
Gross assured the committee that under his watch, a serious cyberattack — like the one that hit Bair's computer — would immediately be reported to Congress.
"I couldn't care less if they were reading the menu for the FDIC … if it's a bad actor that is in our system today, it falls in the 'major' category," he said.
He also revealed that the phase-out of portable media device among FDIC employees — which the agency said was concluded in April — only affected about half of the agency's staff.
Another half — mainly examiners — still needed the devices to conduct business. "My goal is to get to zero on use of mobile media," he said.
Gibson said the FDIC's determination that the incident was "inadvertent" could make it more difficult for the inspector general's office to pursue its investigation.
"If I was a defense lawyer that would probably be the first document that I would wave around," said Gibson. "We're going to need some facts to get us over that."
But just the accidental nature of the event should not absolve them, he added. "The fact that somebody robs a bank and gives the money back doesn't mean that they didn't actually rob the bank."
Gibson declared at the hearing that the Office of the Inspector General was pursuing one criminal investigation, which was currently at the "pre-indictment stage."
The FDIC was also questioned about its transparency toward the committee, which began an inquiry after the agency first reported one of the seven breaches.
In a dramatic move, Loudermilk, the chairman of the subcommittee, produced two piles of papers, one about a third lower than the other.
"What I have here," he said, pointing to the smaller pile, "is the stack of documents that the FDIC provided to the committee in response to our inquiry."
He pointed to the larger pile of papers and added, "This stack of documents, however — I may need a forklift — was provided to the committee by the inspector general's office."
Loudermilk proceeded to read to Gross an email he had received from the former CIO, which he said was not among the documents provided to the committee by the agency.
"A lot of it is duplicative," Gross said. "I believe we were responsive to your request. If there is request for additional information we stand ready to provide that."
The committee plans to hold another hearing when the OIG releases its next report, scheduled to come out in the coming months.