WASHINGTON — Lawmakers investigating a slew of cybersecurity breaches at the Federal Deposit Insurance Corp. have accused agency staff of purposefully muddying the waters in an effort to evade congressional scrutiny.
In a report released Wednesday, the House Science, Space, and Technology Committee claimed that FDIC employees created a false narrative to describe a cybersecurity incident, retaliated against whistleblowers and purposefully dodged congressional inquiries.
"The FDIC's intent to evade congressional oversight is a serious offense," said Rep. Lamar Smith, R-Texas, the committee's chairman. "Major improvements need to be made to the FDIC's cybersecurity mechanisms."
The report came one day before FDIC Chairman Martin Gruenberg was scheduled to testify at a committee hearing on the issue. An FDIC spokesperson declined to comment on the report Wednesday.
After its investigation, the committee claimed the agency misled lawmakers about the extent of an October 2015 cybersecurity breach that involved a departing employee in Florida who downloaded data on a portable media device.
The employee left with information on more than 40,000 individuals and 30,000 banks, the report said. And yet the agency characterized the breach as affecting more than 10,000 individuals.
"The Committee is very concerned that FDIC knowingly made gross misrepresentations regarding the disparity in the number of affected individuals and entities," the report said.
Committee staff also slammed FDIC employees for allegedly creating a "story" to describe the Florida breach incident.
"Testimony obtained by the committee shows that the FDIC staff created a narrative," the report said, "in an effort to deter the committee from pursuing the issue of the agency's cybersecurity breaches further."
During a May hearing before the committee, FDIC Chief Information Officer Lawrence Gross characterized the incident as an accident caused by the former employee's attempts to download personal data.
But it was later revealed that the former employee denied she had downloaded the data, and pretended she did not know about USB drives despite holding a master's degree in information technology management.
In its report, the committee accused Gross of mismanagement and retaliatory tactics.
Panel staff said they were told by FDIC employees that Gross directed the purchase of more than 3,300 laptops, at a total cost of at least $5 million, for cybersecurity reasons. But the FDIC's former chief information security officer, Chris Farrow, and other employees disagreed with that decision, "stating that the initiative would in fact present even greater security risks," the report said.
Further, the committee said that Gross shared only "a limited set of facts" with Gruenberg and "silenced and ignored those who disagree with his viewpoints." Gross plans to roll out the laptops at the end of the month, and yet has not yet submitted a budget request for the computers, the report said.
"Mr. Gross has created a work environment defined largely by vindictiveness and retaliation," the report said. The committee alleged that the CIO even "removed" Farrow from his former position over a disagreement on the gravity of the Florida breach.
Farrow "was adamant [that] the Florida incident should have been reported" to Congress, his special adviser told the committee, according to an excerpt of the transcript provided in the report. He "was given four hours to find another job," the special adviser told the committee. Farrow is still employed at the agency but is no longer chief of information security.
The FDIC purposefully avoided fully responding to lawmakers' document requests, the committee also claimed. The agency's Office of Legislative Affairs explicitly "directed staff to provide a limited response," according to an anonymous current FDIC employee interviewed by the committee.
An email from an FDIC employee shared in the report indicates that staff were also directed to avoid discussing the importance attributed to cybersecurity incidents in electronic communication.
Instead, employees were asked to correspond through "cloak and dagger," with one person asking for correspondence to be brought "like a piece of roadkill back to his unit," according to the email.
The committee's accusations follow the release of two reports last week by the FDIC's Office of Inspector General, in which the independent watchdog found the agency could have taken several precautionary measures to minimize the risk of breaches at the hand of departing employees.
In statements published in the two reports, which together presented 11 cybersecurity recommendations, the FDIC promised to act on each proposal.
The FDIC, which suffered at least eight cybersecurity breaches in the past year involving the use of a portable media device, has already worked to nearly eradicate the use of such hardware among its employees.
Currently only 79 individuals have permission to use removable media devices on FDIC network computers, the agency said — including 72 inspector general employees.
The report also said that a cyberattack aimed at former FDIC head Sheila Bair, among others, was coordinated by Chinese hackers.
According to an internal FDIC memo at the time, FDIC computers were the target of a "persistent" threat "believed to have been the Chinese government," the report said. The virus apparently affected 12 FDIC workstations in repeated attacks between 2011 and 2013.