<html>
<title>FDIC DATA BREACHES: CAN AMERICANS TRUST THAT THEIR PRIVATE BANKING INFORMATION IS SECURE?</title>
<body><pre>[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                FDIC DATA BREACHES: CAN AMERICANS TRUST
                       THAT THEIR PRIVATE BANKING
                         INFORMATION IS SECURE?

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              May 12, 2016

                               __________

                           Serial No. 114-77

                               __________

 Printed for the use of the Committee on Science, Space, and Technology

 [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


       Available via the World Wide Web: http://science.house.gov

                                __________


                     U.S. GOVERNMENT PUBLISHING OFFICE
20-874PDF                     WASHINGTON : 2017
_____________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, gpo@custhelp.com.



              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
JOHN R. MOOLENAAR, Michigan          ED PERLMUTTER, Colorado
STEVE KNIGHT, California             PAUL TONKO, New York
BRIAN BABIN, Texas                   MARK TAKANO, California
BRUCE WESTERMAN, Arkansas            BILL FOSTER, Illinois
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
                                 ------

                       Subcommittee on Oversight

                 HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia
    Wisconsin                        ALAN GRAYSON, Florida
BILL POSEY, Florida                  ZOE LOFGREN, California
THOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas
DARIN LaHOOD, Illinois
LAMAR S. SMITH, Texas

                            C O N T E N T S

                              May 12, 2016

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Barry Loudermilk, Chairman,
  Subcommittee on Oversight, Committee on Science, Space, and
  Technology, U.S. House of Representatives
    Written Statement

Statement submitted by Representative Donald S. Beyer, Jr.,
  Ranking Minority Member, Subcommittee on Oversight, Committee
  on Science, Space, and Technology, U.S. House of
  Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee
  on Science, Space, and Technology, U.S. House of
  Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking
  Member, Committee on Science, Space, and Technology, U.S. House
  of Representatives
    Written Statement

                               Witnesses:

Mr. Lawrence Gross, Jr., Chief Information Officer and Chief
  Privacy Officer, FDIC
    Oral Statement
    Written Statement

Mr. Fred W. Gibson, Acting Inspector General, FDIC
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Mr. Lawrence Gross, Jr., Chief Information Officer and Chief
  Privacy Officer, FDIC

Mr. Fred W. Gibson, Acting Inspector General, FDIC

            Appendix II: Additional Material for the Record

Documents submitted by Representative Darin LaHood, Subcommittee
  on Oversight, Committee on Science, Space, and Technology, U.S.
  House of Representatives


                   FDIC DATA BREACHES: CAN AMERICANS
                   TRUST THAT THEIR PRIVATE BANKING
                       INFORMATION IS SECURE?

                              ----------


                         THURSDAY, MAY 12, 2016

                  House of Representatives,
                  Subcommittee on Oversight
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:04 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Barry
Loudermilk [Chairman of the Subcommittee] presiding.
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Loudermilk. The Subcommittee on Oversight will
come to order.
    Without objection, the Chair is authorized to declare a
recess of the Subcommittee at any time.
    Welcome to today's hearing entitled "FDIC Data Breaches:
Can Americans Trust That Their Private Banking Information is
Secure?"
    I recognize myself for five minutes for an opening
statement.
    Good morning. We're here today to learn more about
cybersecurity breaches at the Federal Deposit Insurance
Corporation.
As a former information systems technology company
owner for over 20 years, I know firsthand the importance of
safeguarding sensitive information and private customer data.
Regrettably, the American people have good reason to question
whether their private banking information is properly secured
by the FDIC.
    The FDIC is an independent agency established by Congress,
with the mission "to maintain stability and public confidence
in the nation's financial system." Unfortunately, the FDIC is
failing to live up to its mission of maintaining public
confidence in the Nation's financial system because the Agency
is failing to safeguard private banking information for
millions of Americans who rely on FDIC.
    During the Committee's current investigation, it has become
clear that FDIC has a long history of cybersecurity incidents.
According to information obtained by the Committee, in 2011, a
foreign government hacked into the workstations of the former
FDIC Chairman and other senior officials. It appears that this
entity had access to senior officials' workstations for at
least one year before the FDIC took remedial action.
    More recently, in letters dated February 26, 2016, and
March 18, 2016, FDIC notified the Science Committee of two
major security incidents. This notification to the Committee
was required in accordance with the Federal Information
Security Modernization Act of 2014, otherwise known as FISMA,
and Office of Management and Budget guidelines that require
executive branch departments and agencies to report major
security incidents to Congress within seven days.
    The security breach reported in FDIC's February 26 letter
to the Committee involved an FDIC employee who copied sensitive
personally identifiable information, or PII, of over 10,000
individuals onto a portable storage device prior to separating
from employment at the FDIC.
The employee also downloaded
suspicious activity reports, bank currency transaction reports,
customer data reports and a small subset of personal work and
tax files. This security incident is particularly troublesome,
given that the FDIC did not ultimately recover the portable
storage device from the former employee until nearly two months
after the device was removed from FDIC premises.
    Further, according to the information obtained by the
Committee, the FDIC did not report the incident to Congress
within the seven-day time period as required by FISMA. In fact,
FDIC waited for over four months to report the incident to
Congress and only did so after being prompted by the FDIC
Office of Inspector General.
    Just as troubling, FDIC continues to maintain that the
employee "accidentally" copied sensitive and proprietary
information to a portable storage device, despite the fact that
the employee initially told the agency that she "would never
do such a thing," and even denied ever owning a portable
storage device. Ultimately, she retained legal counsel, who
engaged in protracted negotiations with the agency for the
return of the device.
    The second security breach, reported to the Committee on
March 18, 2016, involved a disgruntled FDIC employee who
obtained sensitive data for over 44,000 individuals prior to
separating from employment at the agency. When the employee
left the FDIC on February 26, 2016, the employee took the
storage device from the premises. Upon learning of the incident
three days later, FDIC personnel worked to recover the device.
The device was ultimately recovered on March 1, 2016. According
to the FDIC, this was just another case of an employee
"accidentally" leaving the agency with sensitive information.
    This week, FDIC retroactively reported five additional
major breaches to the Committee.
In one of those instances, an
employee retired from FDIC and took three portable storage
devices containing over 49,000 individuals' personal data. In
total, over 160,000 individuals have recently been victims of
having their personal information leave the FDIC by
"accident." To date, FDIC has failed to notify any of those
individuals that their private information may have been
compromised.
    According to the FDIC, none of the 160,000 individuals has
anything to worry about because all of the FDIC employees who
improperly walked out of the agency with sensitive information
were required to sign affidavits stating the information was
not disseminated. At best, this is a misleading statement
because apparently all employees who are separating from the
FDIC are generally required to sign an exit document attesting
that they have not removed any FDIC materials from the
premises. In the recent breaches reported to this Committee,
all employees who improperly took the data should have already
signed exit documents before ever leaving the agency.
    It is Congress's responsibility to shine a light on FDIC's
history of cybersecurity breaches. The Committee will continue
its oversight of FDIC failures to secure Americans' sensitive
information from apparent foreign entities and disgruntled FDIC
employees.
    I thank the witnesses for being here today and sincerely
hope that we are able to get answers from the FDIC here this
morning.
    [The prepared statement of Chairman Loudermilk follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Loudermilk. With that, I recognize the Ranking
Member for his opening statement.
    Mr. Beyer. Thank you, Chairman Loudermilk, and I appreciate
your extensive detailing of these breaches.
    Defending against cyber threats is a persistent and
evolving battle, and the cyber hazards that confront the public
and private sectors come in various forms.
Hackers can and have
wreaked havoc on Hollywood studios, global financial
institutions, retail outlets, and public agencies alike, and no
one seems immune from the various cyber threats that touch
virtually everyone.
    Please forgive a certain amount of redundancy in my
statement. It's important that we have both parties on record
here.
    In the case of the Federal Deposit Insurance Corporation, they
suffered from seven major cyber incidents in the past 7 months,
and these breaches include plugging removable media such as a
USB drive into an FDIC computer and removing thousands of
sensitive financial and other records from the agency as
employees walked out the door. We'll be focusing on two of
these breaches today, as well as the FDIC's cybersecurity
practices.
    I'm glad the FDIC has installed new software that allowed
them to identify these recent breaches and respond to them.
Without that technology, known as a data loss prevention tool,
these incidents, whether inadvertent or intentional, would have
gone unnoticed and unaddressed, and we in Congress would have
remained uninformed. And I believe the FDIC Chairman has taken
some positive steps in the wake of these breaches, phasing out
the use of removable media such as flash drives and CDs that
pose increased security risks.
    However, I, along with our Chairman, do have questions
about why there was such a long delay in notifying Congress
about major cyber incidents, particularly the one that occurred
last October and was not reported to Congress until February
26, 2016. And in that instance, it took a memo from the FDIC
Inspector General's Office to the FDIC CIO reminding the agency
that they had an obligation to report the incident to Congress.
    I would add that the IG was not the only one suggesting the
FDIC notify Congress of the incident.
It's my understanding
that other FDIC employees had also recommended reporting this
to Congress earlier.
    In addition, I believe that the new OMB guidance on federal
information security and privacy management requirements, as
detailed in the OMB memo 16-03 last October, is very clear. If
it takes 8 hours or more to recover sensitive data that
comprises 10,000 or more records or affects 10,000 or more
people, it is considered a major cyber incident.
    Under these guidelines, once an agency is aware that a
breach meets those criteria, the incident should be considered a
major breach and must be reported to Congress within 7 days.
This did not happen in either of the two cases this hearing
will focus on or the other five that the FDIC just reported to
the Committee this week, and I'm still unclear why.
    In the October incident, the breach included records from
eight banks, more than 40,000 individuals, and 30,000 entities,
including the sensitive bank currency transaction reports and
Social Security numbers. Despite the OMB requirement that
agencies inform Congress of major incidents within 7 days, FDIC
notified Congress nearly 3 months after it had enough data to
determine that this was a major breach.
    I hope that Mr. Gross, the Chief Information Officer at
FDIC, can help explain FDIC's decision to delay notifying
Congress in that October incident, and I hope also that you'll
be able to help us understand the agency's characterization of
the incident, which appears to be at odds with some of the
information obtained by the Committee. I know the Inspector
General has looked at the October incident and the FDIC's
response, so I look forward to Mr.
Gibson's testimony as well.
    As a business owner, we have a very important
responsibility to protect our customer data, which includes
Social Security numbers, cell phones, emails, personal
addresses, and we do all we can to protect them, especially
when an employee leaves, because we know that this has value to
the employee in a different role. And we're just a business.
We're not the government controlling these really sensitive
government records. So this is a very important issue.
    And, Mr. Gross, I understand you just arrived at the FDIC
in November, and the CIO's office has suffered from a lack of
consistent leadership. You're the fourth CIO in the last four
years. I hope that you'll be able to bring some stability to
this office, and equally important is I hope that you'll help
us establish a solid foundation of reliability and openness
with Congress and that you'll strive to do that as well.
    So thank you both for being with us today, and we look
forward to the questioning.
    Mr. Chairman, I yield back.
    [The prepared statement of Mr. Beyer follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Loudermilk. Thank you, Mr. Beyer.
    I now recognize the Chairman of the Full Committee, the
gentleman from Texas, Mr. Smith.
    Chairman Smith. Thank you, Mr. Chairman. And I appreciate
both your comments and the Ranking Member's comments as well.
    The recent cybersecurity breaches experienced by the FDIC
date back to October 2015 and compromise nearly 160,000
individuals' sensitive information or personally identifiable
information. The number of individuals whose information was
compromised by the agency's poor cybersecurity posture could be
much higher.
The breaches reported to Congress represent only
those that the agency itself called "major." In reality, the
FDIC likely has experienced additional breaches deemed
insufficient by the agency to warrant reporting to Congress.
    On April 8, 2016, the Committee sent a letter to the FDIC
about a February 2016 cyber breach. In that case, more than
44,000 individuals' sensitive information was breached. Less
than two weeks later, the Committee sent an additional letter
to the FDIC concerning an earlier breach in October 2015, which
compromised more than 10,000 individuals' sensitive
information. The Committee sent the additional letter to the
FDIC because the FDIC withheld reporting the breach to Congress
for more than four months. In fact, the FDIC only reported the
breach once the Office of Inspector General urged it to do so.
    The FDIC's attempts to shield information from Congress did
not end with its hesitation to report the significant October
breach. The Committee has encountered a pattern of obstruction
from the FDIC when responding to Committee requests.
    In the FDIC's response to the Committee's letters, the
agency initially produced documents extensively redacted for
information the agency deemed to be confidential. These
redactions included public information, such as the names of
senior-level agency employees, whose identities were already
known to the Committee.
    The FDIC failed to provide statutory authority or a valid
privilege for redacting the information. Still, the agency
resisted the Committee's request for unredacted documents until
faced with the threat of the Committee's use of the compulsory
process to obtain the information.
    Additionally, the Committee learned that the agency
actively obstructed the Committee's ongoing investigation by
limiting the scope of documents produced in response to the
Committee's requests.
The FDIC responded to the Committee's
second letter and certified that it produced all responsive
documents. However, subsequent discussions with the Office of
Inspector General indicated that responsive documents were
withheld by the agency.
    Upon learning of the agency's active obstruction, the
Committee wrote to the Office of Inspector General to request
these documents. If not for the Office of Inspector General's
openness and transparency with the Committee, we would not have
been aware of the Agency's attempts to avoid providing a full
and complete response to the Committee.
    The FDIC's repeated efforts to conceal information from
Congress are inexcusable. They raise significant questions
about whether the Agency actively attempts to hide potentially
incriminating information from Congress. As an agency that has
faced repeated security breaches, it should focus its resources
on reforming its internal cybersecurity mechanisms instead of
engaging in efforts to conceal information from this Committee.
    The Committee will continue to investigate the shortfalls
in the FDIC's cybersecurity posture and why the Agency
continues to withhold certain information from Congress and
this Committee. We also will hear what measures the Agency
should take to remediate the damage to the tens of thousands of
Americans whose information was compromised.
    So, Mr. Chairman, we have a lot to learn this morning and
look forward to the testimony of our two witnesses, and I yield
back.
    [The prepared statement of Chairman Smith follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Loudermilk. The gentleman yields back.
    I now recognize the Ranking Member of the Full Committee
for a statement.
    Ms. Johnson.
Thank you very much, Chairman Loudermilk, and
thanks to you, our witnesses, for being here today.
    All data breaches that expose sensitive personal
information should be taken very seriously. In today's digital
age, our sensitive personal data is everywhere. When we swipe
our credit cards at the grocery store, renew our driver's
license at the Department of Motor Vehicles and passports at
the Department of State, or visit the emergency room at the
local hospital or the bank around the corner, our sensitive,
personal, and financial data is processed, stored, and
entrusted to those entities to safeguard it and ensure that it
is not inadvertently breached or intentionally stolen.
    But that has happened seven times in the past 7 months in
major cyber breaches at the Federal Deposit Insurance
Corporation. None of these breaches were the result of
sophisticated hackers, foreign adversaries, or cyber criminals.
And those that downloaded this data, including Social Security
numbers and suspicious activity reports, did not use high-tech
digital tools. They simply plugged in their thumb drives and
other removable media to their FDIC workstations in that office
and downloaded sensitive, personal, and financial data onto
their personal storage devices. These actions jeopardized the
data security of thousands of individuals, multiple banks, and
potentially criminal investigations.
    In virtually every--each of these seven instances the FDIC
has said the sensitive data was inadvertently downloaded and
that there was no malicious intent. In all of these cases the
FDIC was able to recover the data, and the former FDIC
employees signed affidavits saying they had not shared the data
with others.
    However, in at least one case, according to FDIC's own
records, a former employee who downloaded such data was evasive
about her actions and not cooperative when initially confronted
by FDIC staff.
Some FDIC employees also suggest that it was
highly improbable that this former employee's actions were
accidental.
    In addition, this former employee is now working for a U.S.
subsidiary of a non-U.S. financial services company, which
raises additional concerns. I would remind FDIC that in 2013 an
Inspector General review of another much more serious cyber
accident at the agency resulted in one senior official in the
CIO's office leaving the agency and another being demoted.
    My understanding is that this response by these former
officials to both the Chairman of the FDIC and the IG's office
and the Government Accountability Office lacked candor in both
of their descriptions of the extent of this penetration and
potential consequences to the agency.
    I hope the IG's office will be able to clarify whether or not
all of the recent data breaches were inadvertent, as the FDIC
has claimed, when his office completes the two audits they are
currently working on regarding FDIC's handling of major
cybersecurity incidences in the coming weeks. I also hope that
the IG's office can shed some light on the reasons why the
office of the Chief Information Officer and the FDIC failed to
inform Congress of these major incidences within the 7-day time
frame required by the guidance from the Office of Management
and Budget issued in late October 2015.
    I believe that FDIC has already taken some positive steps
in responding to the recent data breaches, phasing out the use
of removable media, for instance. I encourage them to continue
to ensure that sensitive data is not intentionally or
inadvertently breached, but I would also request that the new
CIO, Mr. Lawrence Gross, who is testifying with us today,
keep Congress appropriately and fully informed in a timely
manner when major cybersecurity incidences do occur.
    I thank you, Mr. Chairman, and my time's expired.
I yield
back.
    [The prepared statement of Ms. Johnson follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Loudermilk. I thank the lady. She has yielded
back.
    Now, let me introduce our witnesses for today. Our first
witness is Mr. Fred Gibson, acting Inspector General of the
Federal Deposit Insurance Corporation. Mr. Gibson has
previously served with the Resolution Trust Corporation Office
of Inspector General and as Principal Deputy Inspector General
and counsel to the Inspector General.
    Mr. Gibson received his bachelor's degree in history from
the University of Texas at Austin and his master's degree in
Russian Area Studies from Georgetown University. He received
his J.D. from the University of Texas Law School.
    Our second witness today is Mr. Lawrence Gross?
    Chairman Loudermilk. Gross. Mr. Lawrence Gross, Jr., Chief
Information Officer and Chief Privacy Officer of the Federal
Deposit Insurance Corporation. Mr. Gross previously served as
the CIO for the U.S. Department of Agriculture, Farm Service
Agency and the Deputy CIO at the Department of the Interior.
    Mr. Gross received his bachelor's degree in information
systems management from the University of Maryland, University
College, and he received his CIO certification from the
National Defense University.
    I now recognize Mr. Gibson for five minutes to present his
testimony.

                TESTIMONY OF MR. FRED W. GIBSON,

                 ACTING INSPECTOR GENERAL, FDIC

    Mr. Gibson. Thank you, sir.
    Chairman Smith, Ranking Member Johnson, Chairman
Loudermilk, Ranking Member Beyer, and Members of the
Subcommittee, my name is Fred Gibson, and I'm the acting
Inspector General of the Federal Deposit Insurance Corporation.
Thank you for the invitation to speak with the Subcommittee
today regarding recent cybersecurity incidents at the Federal
Deposit Insurance Corporation.
    The Federal Government has seen a marked increase in the
number of information security incidents affecting the
integrity, confidentiality, and availability of government
information, systems, and services. The charter for this
hearing is to address two specific security interests and
concerns that this Committee has regarding the FDIC's
cybersecurity posture.
    The FDIC's Office of Inspector General carries out two
primary functions. The first is to audit and evaluate the
FDIC's programs and operations, including controls designed to
safeguard the Corporation's data and address and report
breaches when they occur. The second function is to investigate
suspected criminal activity, including breach incidents where
case-specific facts lead us to believe that a crime may have
occurred.
    With respect to our first role, we are currently conducting
two audits pertinent to the Committee's concerns that we
anticipate will be completed in the near future. The first
examines the FDIC's process for identifying and reporting major
security incidents, as required by applicable federal law and
related guidance. The second audit addresses the FDIC's
controls for mitigating the risk of an unauthorized release of
sensitive information submitted by systemically important
financial institutions.
    As you are aware, on February 19, 2016, during the planning
phase of the first of these audits, we issued a memorandum to
the FDIC's Chief Information Officer regarding a specific
security incident which we believe warranted Congressional
reporting. In the memorandum the OIG concluded that the
Corporation was required under the Federal Information Security
Modernization Act of 2014 and related guidance issued by the
Office of Management and Budget--and that's OMB Memorandum
16-03--to report the security breach as a major incident to the
appropriate Congressional committees. Ultimately, the FDIC
reported the major incident to this Committee, which led
ultimately to our testimony today.
    With respect to our criminal investigative function, the
FDIC OIG participates as a non-voting member on the FDIC's Data
Breach Management Team, or DBMT, for situational awareness
purposes. The DBMT, as its name implies, reviews data breach
incidents. Where the facts of a particular incident, which we
learn through our participation in the DBMT or from other
sources, appear to point to a crime having been committed, we
open an investigation. If the results of our investigation
warrant, we make referrals to the Department of Justice. I can
confirm the existence of one criminal investigation arising out
of the incidents that formed the basis for today's hearing.
However, that case is open. It's in a pre-indictment phase,
which limits my ability to discuss it directly.
    Nevertheless, I hope to be able to provide you with the
information that you need to conduct your oversight activities
with regard to these issues, and I look forward to answering
the questions that the Committee has. Thank you very much.
    [The prepared statement of Mr. Gibson follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Loudermilk. I now recognize Mr. Gross for his
opening statement.

             TESTIMONY OF MR. LAWRENCE GROSS, JR.,

                   CHIEF INFORMATION OFFICER

                AND CHIEF PRIVACY OFFICER, FDIC

    Mr. Gross.
Chairman Loudermilk, Ranking Member Beyer, and \nMembers of the Subcommittee, thank you for the opportunity to \nappear before you today.\n    At the FDIC, protecting sensitive information is critical \nto our mission of maintaining stability and public confidence \nin the Nation\'s financial system, and we are continually \nenhancing our information security program.\n    My name is Lawrence Gross, and I am FDIC\'s Chief \nInformation Officer and Chief Privacy Officer. I assumed my \nduties at the FDIC in November of 2015, and I have more than 39 \nyears of combined military and federal sector experience in the \ninformation technology, law enforcement, cybersecurity, and \ncritical infrastructure fields. My testimony today will focus \non our program to identify, analyze, report, and remediate \nincidents based on the risk of harm they pose.\n    The FDIC has a strong information security program to \nidentify events that could signal a data security incident, \nincluding mandatory annual training for all employees and \ncontractors to ensure that they will be alert to inadequate \nprotection of sensitive information and know when and how to \nnotify our Computer Security Incident Response Team.\n    We also have automated monitoring tools, including the data \nloss prevention tool, which scans for sensitive information in \noutgoing emails, uploads to Web sites, and any data downloaded \nto portable media from FDIC systems. Our goal is to assess and \ncontinually improve our situational awareness so that we can \nreduce and ultimately eliminate the risk of harm to individuals \nand entities.\n    The FDIC has a security incident response and escalation \nplan to ensure the systemic gathering and analyzing of facts \nrelevant to an event to determine the risk of harm and the \ntaking of appropriate action. 
We then take steps to mitigate \nthe risk of harm and complete the appropriate reporting and \nnotifications based on the risk of harm.\n    With the passage of FISMA in late 2014 and the subsequent \nissuance in October of OMB guidance on what constitutes a major \nincident, we have further refined our incident reporting \nregime. Notably, the new law and OMB\'s guidance have been \napplied to incidents over the past 6 months where FDIC \nemployees departed employment and were identified by our \nmonitoring tools as having downloaded personally identifiable \ninformation or other FDIC-sensitive information on portable \nmedia not long before their departure.\n    It was my initial judgment, based on several factors, that \nthese incidents did not rise to the level of major incident as \ndefined in the OMB guidance. In each case, the employee had \nlegitimate access to the sensitive data in question while at \nthe FDIC. Further, our analysis indicated the downloading of \nthe PII was inadvertent. The FDIC recovered the data from the \nformer employees, and there was no evidence that the former \nemployee had disseminated the data. And all the former \nemployees signed affidavits affirming they had not \ndisseminated the data beyond themselves.\n    Lastly, in each case, the circumstances surrounding the \nemployees\' departure were non-adversarial. Under these \ncircumstances, I judged the risk of harm to be very low, \nmeaning that the reporting of these incidents would fall under \nthe annual FISMA-notification-to-Congress requirement.\n    However, our Office of Inspector General reviewed one of \nthese incidents and came to a different conclusion. 
Although \nour interpretations are different, we nevertheless gave such \nnotification to Congress within seven days, and I further \ndirected my staff to go back through all incidents that had \noccurred since issuance of the OMB guidance, regardless if they \nwere closed, to identify any incidents that had characteristics \nwe thought would meet the OIG\'s interpretation of major \nincident. FDIC has now reported those as well to Congress.\n    Finally, let me touch on changes we have made or are making \nto lower the risk of future incidents. We\'ve implemented a plan \nto eliminate the ability of employees and contractors to \ndownload to portable media. We\'re implementing digital rights \nmanagement software that prevents copying of information. \nFurther, I\'ve directed my staff to begin immediately a top-to-\nbottom review of IT policies and procedures with the focus on \nthose for departing employees to ensure that everyone \nunderstands FDIC policy regarding downloading of data. Also, I \nwill be engaging an independent third party to conduct an end-\nto-end assessment of all the key areas of the IT security and \nprivacy programs.\n    The global interconnected landscape continues to evolve, \nand the threats continue to develop. The FDIC takes very \nseriously cybersecurity incident management and transparency as \nit relates to our reporting requirements and remains committed \nto maintaining a robust IT security program that ensures a \nreal-time current view of our situational awareness.\n    Thank you again for the opportunity to testify, and I would \nbe happy to answer any of your questions.\n    [The prepared statement of Mr. Gross follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Loudermilk. 
I thank the witnesses for their \ntestimony.\n    And just before we begin our questions, for the witnesses \nand the Members of the Committee, it is the Chair\'s intention \nto be somewhat lenient with the clock because it is important \nthat we do get these questions answered and as many rounds of \nquestioning as we need. The Chair is ready to extend this \nhearing as long as we need to make sure that all the questions \nare adequately answered.\n    And also to our witnesses, we ask that you be very \ntruthful, as well as comprehensive, but also we have had \nincidents of filibustering answers. And again, the Chair will \nmaintain the Subcommittee going as long as we need to, to make \nsure. So we ask that you be as accurate and as brief with your \nanswer.\n    I now recognize myself for five minutes for questioning.\n    Mr. Gross, this Committee wrote the FDIC requesting \ndocuments and communications referring or relating to the \nsecurity breaches we discussed here today. Are you aware of \nthose letters?\n    Mr. Gross. I am.\n    Chairman Loudermilk. The FDIC has certified that all \nresponsive documents pursuant to this Committee\'s request had \nbeen produced. Is that your understanding as of today?\n    Mr. Gross. I believe the office has been responsive to your \ninquiries, sir, yes.\n    Chairman Loudermilk. Mr. Gross, did anyone in your office, \nto your knowledge, voice any concern regarding the manner, \nscope, or have any other concerns about the FDIC\'s response to \nthis Committee\'s request?\n    Mr. Gross. No one in my office had any concern with being \nresponsive----\n    Chairman Loudermilk. No one expressed any concerns about \nthe documents you were providing?\n    Mr. Gross. No one in my office expressed any concerns, sir.\n    Chairman Loudermilk. What about other offices, anyone in \nthe FDIC express concerns about the comprehensiveness of the \ninvestigation or the documents you\'re providing?\n    Mr. Gross. 
I\'m not aware of anyone expressing any concerns.\n    Chairman Loudermilk. No one in the FDIC. Mr. Gross, are you \naware of any internal FDIC documents responsive to the \nCommittee\'s request that were not produced to this Committee?\n    Mr. Gross. I\'m not aware of any that have not been \nprovided, sir.\n    Chairman Loudermilk. Mr. Gibson, to your knowledge, were \nall responsive documents produced to this Committee?\n    Mr. Gibson. Sir, was that direction--was that question----\n    Chairman Loudermilk. I\'m sorry. Yes, I\'m sorry. Mr. Gibson, \nthat was directed to you. I was looking at Mr. Gross. Sorry.\n    Mr. Gibson, to your knowledge, were all responsive \ndocuments produced to this Committee?\n    Mr. Gibson. Sir, we haven\'t reviewed the FDIC\'s production \nof documents to the Committee. We received a request from the \nCommittee for FDIC documents that were in our possession, and \nwe provided the documents that we collected in the context of \nour audit.\n    Chairman Loudermilk. Okay. So, Mr. Gross, just to summarize \nand make sure we understand, to your knowledge, you provided \nall the documents that were responsive to the Committee\'s \nrequest?\n    Mr. Gross. To my knowledge, sir, we were responsive to the \nrequest. If there\'s a request for additional information, I\'ll \nstand ready to provide that.\n    Chairman Loudermilk. Okay. Thank you.\n    Mr. Gross, what I have here is the stack of documents that \nthe FDIC provided to the Committee in response to our inquiry. \nThis stack of documents, however--I may need a forklift. This \nstack of documents was provided to the Committee by the \nInspector General\'s Office. Why were these documents not \nprovided to the Committee by the FDIC?\n    Mr. Gross. 
I had an opportunity to review the material \nprovided by the IG, and in reviewing that material, a lot of it \nis duplicative, so the material that you received from us with \nthe incident response forms that are in there, it includes \ninformation that has been duplicated in the IG\'s response. The \nincident response forms provide a summary of the incident, and \nit\'s--it may in fact provide a more comprehensive review of \neach of the incidents more so than what\'s in the documents.\n    I did note that there were several copies of what we call \nour Data Breach Management Guide that was included in the \nmaterial provided by the Inspector General, and there were \nmultiple copies of that. That document is still currently being \ndeveloped and in review.\n    Chairman Loudermilk. So let me make sure I understand what \nyour statement here is today, that everything that you provided \nis also covered in the IG\'s? There\'s no more information in \nwhat the IG provided to us than what is covered in this stack \nof documents here?\n    Mr. Gross. I can----\n    Chairman Loudermilk. Is that what you\'re telling me?\n    Mr. Gross. I cannot make that as an affirmative statement, \nsir. I had a brief opportunity to review the IG\'s material \nyesterday----\n    Chairman Loudermilk. Okay.\n    Mr. Gross. --so I cannot say that it\'s a one-to-one \ncorrelation.\n    Chairman Loudermilk. Well, you were saying it was \nduplicative----\n    Mr. Gross. I said----\n    Chairman Loudermilk. --but----\n    Mr. Gross. --quite a bit of the material that was in there \nwas duplicative. There was multiple copies, for example, of the \nData Breach Management Guide. There are multiple copies of that \nguide provided in their response to you.\n    Chairman Loudermilk. Okay. There are many emails that were \nprovided to us by the IG that were not included in your \ndocuments. Those are not duplicative.\n    Mr. Gross. 
I cannot speak to that without looking at the \nexact emails, but what we have in the incident response summary \nmight be--well, I would think it\'s an encapsulation of what may \nbe contained in emails that were transmitted between different \nentities that participated on the DBMT.\n    Chairman Loudermilk. Okay. Okay. But you did say that you \nhad reviewed the materials----\n    Mr. Gross. I did----\n    Chairman Loudermilk. --provided----\n    Mr. Gross. I did a cursory review.\n    Chairman Loudermilk. A cursory review----\n    Mr. Gross. Yes.\n    Chairman Loudermilk. --but you have not looked at them. \nWhen were these--Mr. Gibson, when were these documents \nprovided?\n    Mr. Gibson. Sir, I believe they were provided at ten \no\'clock yesterday morning.\n    Chairman Loudermilk. Okay. Has Mr. Gross received copies of \nthese documents?\n    Mr. Gibson. Yes, sir. We provided a copy of our--I don\'t \nknow if Mr. Gross personally has. We provided a copy of our \nproduction to the Congress to the FDIC so they would be aware \nof what we did.\n    Chairman Loudermilk. And when was that provided?\n    Mr. Gibson. At the same time we provided it to the \nCommittee.\n    Chairman Loudermilk. So ten o\'clock yesterday morning?\n    Mr. Gibson. Yes, sir, about ten o\'clock.\n    Chairman Loudermilk. Okay. Allow me to clear my desk for a \nmoment here. Okay.\n    So, Mr. Gross, you still stand by that--your previous \ntestimony that you did provide this Committee all the documents \nthat we requested?\n    Mr. Gross. That wasn\'t my statement, sir. I said I believe \nwe were responsive to your request. If there is additional \ndocuments that you think are necessary or required, I stand \nready to deliver that.\n    Chairman Loudermilk. Okay. So you\'re acknowledging that \nthere may not be some documents that we requested that the \nFDIC----\n    Mr. Gross. I believe----\n    Chairman Loudermilk. --failed to provide us?\n    Mr. Gross. 
I believe our response to you was responsive. If \nthere\'s other material or additional material that you deem \nthat\'s warranted, I stand ready to provide that.\n    Chairman Loudermilk. So you will provide every document \nthat we request?\n    Mr. Gross. If there\'s a request for additional information, \nwe stand ready to provide that.\n    Chairman Loudermilk. Okay. Well, we requested the \ninformation the IG has actually provided as well. We\'re just \nasking for it to be comprehensive and all-inclusive.\n    And so who\'s responsible for providing the documents in \nresponse to the Committee\'s request?\n    Mr. Gross. When your letter came in and when the letter \ncame in for the information, that\'s sent to each of the offices \nthat may have relevant information. Each of those offices then \nprovide that information. It\'s a--there\'s a coordination effort \nthat\'s done by our Office of Legal Affairs, and then it\'s put \ntogether as a comprehensive package for submission.\n    Chairman Loudermilk. Were any directions--to your \nknowledge, were any directions given to withhold or not provide \ncertain documents to this Committee?\n    Mr. Gross. No, sir.\n    Chairman Loudermilk. To your knowledge, was anyone in your \noffice or the legal division directed to limit the response to \nthe Committee\'s request?\n    Mr. Gross. I\'m not aware of anyone making such a statement \nor providing any such direction.\n    Chairman Loudermilk. I do have other questions, but I have \nrun over the clock. I was a little more lenient with myself \nthan I intended to be. I do have more questions. The Chair\'s \nintention is to do a second round of questioning.\n    And so at this time I recognize the Ranking Member, Mr. \nBeyer.\n    Mr. Beyer. Thank you, Mr. Chairman. And thanks again to the \nwitnesses.\n    Mr. 
Gross, are you aware--to follow up on Chairman \nLoudermilk\'s questions--of any documents requested by the \nCommittee that you have not submitted yet?\n    Mr. Gross. No, sir, I\'m not aware of any.\n    Mr. Beyer. So at this point if anything\'s missing, you\'d be \nhappy to provide it?\n    Mr. Gross. Yes, sir, I will.\n    Mr. Beyer. And I hope--are you willing to have your--you \nand your staff carefully go through Mr. Gibson\'s documents to \nmake sure that anything he provided that you didn\'t that you \naffirm its value or its legitimacy? I\'m trying to get--you \npointed out that one reason the stack of documents are so \ndifferent was there\'s many duplications, things provided again \nand again in Mr. Gibson\'s documents. I think what the Chairman \nis concerned about is, is there anything Mr. Gibson provided \nthat you didn\'t?\n    Mr. Gross. I understand. I can go through the material and \nreview that and provide you any additional information that you \nmay need or want. I haven\'t had a full opportunity to review \nthe material, as he\'s indicated. I received it at 10 o\'clock \nyesterday.\n    Mr. Beyer. So we\'re 24 hours away. So--but you\'re willing \nto do the reconciliation?\n    Mr. Gross. Yes, sir, I am.\n    Mr. Beyer. Great. Great.\n    The employee in the October breach reportedly left the FDIC \non good terms. She was seeking new employment at the time, and \nshe currently works for a foreign financial firm. Furthermore, \nshe initially denied that she had downloaded the information. \nShe resisted turning over the device to the FDIC, and we \nunderstand she was having personal problems at home, she was \ngoing through a divorce, she was living in a hotel room. All \nthese factors highlight increased security risks, not \nmitigating factors, especially as outlined by the FBI and the \nU.S. 
counterintelligence community, as this brochure ``The \nInsider Threat\'\' details.\n    Were these facts known by the Data Breach Management Team \nwhen the incident was being analyzed for risk of harm?\n    Mr. Gross. All the circumstances surrounding the incident \nwere known by the Data Breach Management Team. I\'d like to even \ngo back further and state that we--personally, I make a \nconcerted effort to be very transparent in all the activities \nthat we have within the security realm. This incident, when it \noccurred, it actually occurred prior to the promulgation of the \nOMB guidance, so it was in fact reported in 2015 in our annual \nFISMA report.\n    It was my encouragement to the staff that we knew that the \npolicy had come out as we were reviewing this incident, and I \nasked that they apply the standard of the policy to the \nincident. So we fully understood the circumstances surrounding \nit, yes, and we applied the standard to the incident to ensure \nthat we were being responsive. But it had already been reported \nas part of our FISMA submission.\n    Mr. Beyer. Okay. So let me break these up. On the one hand, \nyou\'re arguing that the 7-day didn\'t apply because the OMB \nguidance didn\'t come out until January, but the greater concern \nis whether it was low risk, moderate risk, or high risk. And we \nknow that this person had gone to work for a foreign bank, had \ninitially denied downloading, refused to turn over the drive, \nand was going through a lot of personal problems. Don\'t all \nthose elevate the sense of risk that your--the breach team \nwould consider and that you would consider as CIO?\n    Mr. Gross. I considered all the factors associated with the \nincident. We weighed all the factors. But I would say even if \nan individual leaves their employment with the Federal \nGovernment, we leave with not only potentially material that on \nremovable media, we leave with corporate knowledge. 
And we \nstill trust that the individuals leaving federal service is \ngoing to protect not only that digital media that they may \ntake, but the corporate information they may take in their \nhead. So that had to be weighed as to what risk of harm did the \ninformation that this individual inadvertently download pose.\n    And yes, we considered what type of employment she may have \nbeen seeking outside the organization and other factors, and we \ndeemed that the incident was in fact low.\n    Mr. Beyer. In your testimony on page 4 you talk about that \nyour initial judgment in all these incidents didn\'t rise to the \nlevel of the major incident as defined by OMB guidelines. But \nthe OMB guidelines talked about 8 hours to restore the data, \nmore than 10,000 records affected. Weren\'t more than 10,000 \nrecords affected in virtually every one of these cases?\n    Mr. Gross. Yes, sir, they were. Several of these incidents \njust barely met the threshold that we just retroactively \nreported.\n    I think the larger issue is not only does the policy say \nthat there\'s time-specific parameters for reporting, but it \nalso says in the very end of the document that it\'s left to the \ndiscretion of the agency to determine if in fact the agency has \nsufficient information to determine if the incident rises to \nthe level of a major. That was considered as part of the review \nof the policy and the incident.\n    Mr. Beyer. I don\'t want to harp on this too much, but \nyou\'ll forgive us if there\'s a certain amount of skepticism of \nseven different people downloading information just as they\'re \nleaving that affects more than 10,000 records, and none of them \nseem to rise to the level of major incident.\n    Mr. Gross. Well, it\'s--in--from my perspective it\'s not a \nquestion of whether or not we\'re going to report. The agency \nhas no relief in reporting. The issue that we were looking at \nwas what was the time frame that the reporting was required. 
If \nthere\'s a 7-day notification or a 30-day notification or if \nit\'s included in the annual FISMA report, you\'ll find that the \nFDIC is very responsive. And if you review our FISMA report, \nyou will find that we report all incidents. There are no \nincidents not reported.\n    Mr. Beyer. One more question right on this part of it. You \nsaid that in each of these cases the downloading was \ninadvertent.\n    Mr. Gross. Yes, sir.\n    Mr. Beyer. Once again, I have a hard time understanding how \nyou could inadvertently download 10,000 customer records or \nbank records.\n    Mr. Gross. The individuals involved in these incidents were \nnot computer proficient. We have policies in place that will \nallow the FDIC IT staff to assist you when you\'re departing the \norganization to copy down things that you may have collected \nover your long tenure with the agency, specifically, \nphotographs or your personal resume.\n    The fact that they were not computer proficient, if you go \nin and you don\'t copy the material and do it as a targeted \ncopying of that information, you could in fact inadvertently \ncopy the entire hard drive. So if you insert and you do the \ncopy and not being proficient in the technology, you may take \nmore data than what you intended.\n    Mr. Beyer. I would certainly hope as you--you talked about \nthe many steps going forward. I think a major step going \nforward would be to make sure that all that personal \ninformation isn\'t on their computers and that there isn\'t a way \nto download an entire--I just--I\'m glad you\'re making progress \nbecause all of this sort of boggles the mind that somebody \ncould go in and download an entire disc or all the information \nthat the FDIC has on record about companies and individuals.\n    Mr. Gross. Well, sir, I arrived at FDIC in November. As you \nsee from my resume, I\'ve been in federal service to this \ncountry for 39--actually, it\'ll be 40 years in July. 
I\'m an IT \nprofessional, and there were several areas that I focused on \nimmediately upon arriving, one of which was removable mobile \nmedia, as well as the elimination of the need for being able to \ndo that as a common business practice.\n    Mr. Beyer. Great. Great. Well, thank you very much, Mr. \nGross. Mr. Chairman, I yield back.\n    Chairman Loudermilk. Thank you, Mr. Beyer.\n    Being 30 years in the IT world, I find it very \ndisheartening that you give someone who is not computer \nproficient access to such sensitive data. Maybe someone will \naddress that.\n    I now recognize Mr. Posey, the gentleman from Florida.\n    Mr. Posey. Thank you very much, Mr. Chairman.\n    Mr. Gross, you and I are just viewing this incident from \ncompletely different perspectives. You make it sound like this \nis a very friendly termination from an employee, she \naccidentally took personal information about 160,000 or more \ncitizens, and then gladly gave it back, just for one example. \nAnd the staff kind of tells me it didn\'t really work out that \nway all the time, that there was some defiance there, some \nrefusal.\n    You mentioned there was no evidence that she kept any of \nthe information. Actually, there\'s no evidence that she didn\'t \nkeep the information. One went to work for a foreign financial \ninstitution that could benefit greatly from mining that kind of \ndata, we know that.\n    And, you know, I\'m amused by the term--the whole issue. We \ncall it a data breach. You know, where I\'m from we\'d call it a \ntheft. If you take something that\'s not yours, that\'s called a \ntheft. We don\'t call it a data breach back home. Maybe just \nbecause we\'re talking about electronic records, we\'re no longer \ngoing to call it a theft, we\'re going to call it a data breach. \nBut the fact is tens of thousands of American citizens are \ncompromised because of this.\n    And my question for you, Mr. 
Gibson, in your testimony you \nstated that ``If the threshold for criminal investigation is \nnot met, the responsibility lies with the FDIC to pursue the \ncivil and administrative remedies.\'\' Could you expound upon \nwhat these remedies could potentially be? Surely there will be \nclear punitive measures for the perpetrators of such a breach. \nAre there--any of these former employees currently on \nadministrative leave, getting a full paycheck, receiving a \npension like the IRS people were? There needs to be \nconsequences for these actions.\n    Mr. Gibson. Sir, as a former employee, they\'re not on \npayroll, and I do not believe that any of these individuals \nhave retired or are receiving pensions, but I don\'t know for \nsure. I believe that they all left for other employment \nopportunities in other places.\n    With respect to the FDIC\'s remedies, both administratively \nand civilly, the FDIC can pursue the return of information. The \nFDIC could take actions to enjoin an individual from using, \ndisseminating, taking any action with respect to that \ninformation. The FDIC could undertake administrative actions \nwithin the FDIC in order to tighten up its security protocols \nor other situations. There\'s a number of things they can do in \nthe absence of criminal activity, and that\'s what I\'m really \nreferring to.\n    Mr. Posey. Okay. But just on a practical basis, you know, \nsomebody walks into a retail store without the owner\'s \npermission and steals 160,000 items, the store owner comes back \nand figures out somebody stole this, went to them, they say, \noh, okay, well, I\'ll give you back these particular items is \nall I\'m going to admit that I accidentally took from your \nstore. That doesn\'t eliminate the fact that there was a theft \nfrom the store just because they gave back at least some of the \nitems that they illegally took. Do you see any similarity to \nthe example I\'m drawing and what happened here?\n    Mr. Gibson. 
Well, sir, I understand the example that you\'re \nusing, and I would agree in that particular situation. I mean, \nthe fact that somebody robs a bank and gives the money back \ndoesn\'t mean that they didn\'t rob the bank. That\'s absolutely \nright.\n    For us to pursue a criminal case, however, one of the \nthings that we\'re going to have to be able to establish in \nconnection with our case is specific intent on that person\'s \npart. If the material was removed inadvertently, which is the \nFDIC\'s conclusion with respect to that, we have a bar right up \nfront to being able to pursue a criminal case in the face of \nthat determination. I\'m not saying that we can\'t, but we\'re \ngoing to need some facts that get us over that and allow us to \nbe able to pursue that sort of a case.\n    Mr. Posey. Have you exhausted the questioning of the people \ninvolved? Have they voluntarily come forth? Do you need to \ndepose them? Are you in a position to--you could depose them \nand ask the kind of questions you\'d like to see answers to and \nI\'d like to see answers to?\n    Mr. Gibson. Sir, we--when we conduct a criminal \ninvestigation, we do so when we have probable cause to believe \nthat there\'s been a crime that\'s been committed. Prior to that \ntime, we conduct something called an inquiry. And the methods \nthat we use in conducting that are somewhat less intrusive than \nthe methods that we would use to conduct an investigation.\n    When information comes to us where we are able to open an \ninvestigation, we do. And in one of these cases, we have. If \nadditional information were to come forward to us that would \nenable us to open a case, we certainly would be asking those \nquestions. We try and develop it as best we can, and that\'s the \nway in which we\'re pursuing it.\n    Mr. Posey. Thank you for your frank answers. I see my time \nis up. I thank you, Mr. Chairman.\n    Chairman Loudermilk. 
The Chair recognizes the gentlewoman \nfrom California, Ms. Lofgren.\n    Ms. Lofgren. Thank you, Mr. Chairman.\n    I understand from your testimony that in some instances the \nData Breach Management Team recommends that individuals or \nfinancial institutions be notified of the breach of personally \nidentifiable information and then credit monitoring can be \noffered and that that has not been done in this case or in the \nfive other major breaches. Mr. Gross, can you explain why that \nhasn\'t happened, what was the thinking here, and are \nindividuals adequately protected without this credit monitoring \nopportunity?\n    Mr. Gross. We evaluated each of the cases and determined \nbecause there was low risk of harm that there were no \nindividuals that were affected or impacted adversely as a \nresult of the downloading of the information. So as a result of \nthe lack of impact to the individuals, it was deemed that \ncredit monitoring was not warranted.\n    We have in other cases where the information has been taken \nand we know it was a known adversary or someone with adverse \nintent where they may break in an employee\'s car and steal \nrecords, we know that that individual had ill intent by \nbreaking in the car. That information, regardless of the number \nof records that may have been exposed, in those cases we would \nhave offered credit monitoring, as we\'ve done in the past.\n    Ms. Lofgren. But we don\'t have digital rights management on \nthese files at this point, do we?\n    Mr. Gross. We don\'t have digital rights management deployed \nacross the FDIC at this moment. It is one of the 60-day \nresponse activities that I\'ve laid out for the IG.\n    Ms. Lofgren. So we don\'t know for sure whether this \ninformation that was taken was not in fact further copied \nbecause there was no DRM to prevent it?\n    Mr. Gross. Well, we have the signed affidavit from the \nemployees a----\n    Ms. Lofgren. Right.\n    Mr. Gross. 
--and each of these employees----
    Ms. Lofgren. Well, technologically, we have no assurance of
that?
    Mr. Gross. Technologically, no, ma'am.
    Ms. Lofgren. I'm interested in the DRM response that you're
recommending. I'm interested in what is the timeline. And also,
did you--what process was used to determine what DRM response
would be--did you do an RFP, was it sole-source, did you do
market research? How did you select which DRM solution and
what's the timeline for implementation?
    Mr. Gross. I'm working very aggressively to implement it.
This is something that we're just beginning to pursue. I don't
have the specifics for you at this moment. I could come back to
you with a more detailed plan.
    Ms. Lofgren. Oh, so you haven't actually begun that?
    Mr. Gross. We have begun the process of identifying the
technology from the standpoint that we think that the right
tool for protecting the data is DRM. What solution set and the
timeline for implementing it, we have not identified that as
yet. We've looked at two technologies. We didn't put that in
the report. We didn't want to advocate for any specific vendor,
but we are looking at two right now as the potential tools that
we would employ.
    Ms. Lofgren. Well, I'm interested in whether you might
conduct a pilot with different offerings. I mean, this is an
important decision for the agency.
    Mr. Gross. Absolutely, it is. And one of the things that we
have to look at is we want to make sure that we don't break the
business, that means we have to do this focused on the data
that is the most sensitive and work our way out. So yes, we are
not going to do this as a wholesale change across the
organization because it's--not only do we have to evaluate if
there's any internal impact, we have to evaluate is this going
to create an impact with the businesses that we have to work
with in the conduct of the mission.
    Ms. Lofgren. Just a final note, I was interested in your
comment that employees that are leaving are permitted to
download their personal information on their computer. And my
suggestion would be there shouldn't be any personal information
on the government computer.
    You know, people do dumb things. I--we once had a young
person who downloaded BearShare who migrated all kinds of
sensitive information unwittingly. You should create
technological barriers to doing that, and if someone manages to
subvert that, they should lose their personal information.
    I'm just sort of interested in what technological methods
have you deployed to prevent the migration of potentially
harmful data from outside of your system.
    Mr. Gross. Ma'am, I arrived at FDIC in November, and I
can assure you that there are several things that we've already
begun to implement, but there are several other things that
we'll be looking at implementing going forward.
    One of the messages to my staff is that security is not
something that we bolt on after the fact. It's something that
we include as part of the process from implementation moving
forward. So I've identified a number of things in the 60-day
plan, but I can assure you that those are immediate actions
that we need to take because of these incidents that we've
seen, but there are others that I'm fully looking to employ
based on the years of experience knowing that it's about
protecting the data and that we do have individuals that may do
things mistakenly and we have to manage that. But we also have
to manage for external adversarial threats as well. So I can
assure you this is just the beginning of some of the things
that we will be implementing.
    Ms. Lofgren. I see my time is expired, Mr. Chair.
    Chairman Loudermilk. The Chair recognizes the gentleman
from Illinois, Mr. LaHood.
    Mr. LaHood. Thank you, Mr. Chairman. And I want to thank
the witnesses for being here today.
    I would just say at the outset, it is troubling to me to
hear your response to Mr. Beyer's questions, almost a
dismissive nature of these breaches and kind of the nonchalant
answers that you've given, particularly with the backdrop of
cyber attacks on this country.
    We hear every week in this Committee about the
cybersecurity and how, at the highest levels of our government
and in the private sector, computers are compromised every
single day. And you look at--whether it's Chinese entities or
Russian mob or domestic enterprises in the United States, I
don't think anybody has any confidence that we have this under
control. And it leads to a lot of uncertainty about how we
tackle this issue.
    And so when I hear about an agency, the FDIC, and the
information that you control, it's concerning to me that you
don't highlight this as an important breach and further
investigation to find out what's at stake here. That's really
concerning to me to hear that today.
    Let me ask some specific questions here. Mr. Gross, in your
opening statement you state that the downloading of the
personal identifiable information in all the breaches FDIC
reported to Congress was ``inadvertent'' and ``non-
adversarial.'' Is that accurate?
    Mr. Gross. That's correct, sir.
    Mr. LaHood. I want to direct your attention to Exhibit one,
which is a document sent by the FDIC legal department to one of
the former FDIC employees who left the agency with unauthorized
materials on a portable storage device. According to this
document, which is dated December 2, 2015, when asked about her
actions, she said ``she would never do such a thing.'' And that
it would be against FDIC policy and that she knows the policy.
When asked if she owns an external hard drive, she said she did
not know what an external hard drive is. And she stated that
``in any event, she does not own such a device.''
    Now, Mr. Gross, do you stand by your statement that this
person is non-adversarial?
    Mr. Gross. Sir, if I could, one, I'd like to draw the scale
because in your opening comment you mentioned the difference
between the current incidents and if we had a third-party bad
actor in our system. And I don't want to be dismissive. Any
loss of information, regardless of how that information is
lost, is significant. It's important, and we need to pay
attention to it.
    I think what we have to do is to draw to scale, though, the
different incidents that we have. If there was a third-party
actor in my system today, the way the policy is currently
constructed, unless that third-party has taken an amount of
records, it may not meet the criteria of a major, but I can
assure you, if there was a bad actor in our system today, it
would be reported as a major, especially if I know that they're
adversarial in nature and they intend to do harm to the
organization or the agency. I could care less if they were
reading the menu for the FDIC. If it's a bad actor and they're
in our system today, it is reported, and it falls into the
major category.
    These incidents where we had employees that left had
multiple years of faithful service to the FDIC. These are
different circumstances.
    Mr. LaHood. I understand that, Mr. Gross. My specific
question that I asked you, I--the exhibit that's up there, I
mean, do you stand by the statement that this person is non-
adversarial?
    Mr. Gross. I do. And let me give some context. When the
employee departs the FDIC, they sign a document indicating that
they have not taken any information with them. When we go back
to that employee and we have proof, because of our DLP
capabilities, that in fact they have downloaded information, at
that instance that conversation is an employee who now realized
I've made a mistake. And as a result of that, that relationship
has to be managed from the standpoint of a trusted employee who
now realizes that they inadvertently took information, and now
they're caught misrepresenting the truth.
    So I do stand by that from the standpoint is I believe that
the employee inadvertently took the material and now they find
themselves in an awkward situation where their closing
statement doesn't match the actual facts.
    Mr. LaHood. Yes. Well, I understand your statement, what
you're saying there. I mean, this is not a foolproof system. It
clearly is not. And the nature of the world we live in now with
cyber attacks and foreign entities and what's out there, that's
what's, I guess, concerning about the protocol that you went
through here.
    Let me follow up. So was she telling the truth when she
said ``she would never do such a thing''?
    Mr. Gross. I believe she, on the surface, was telling the
truth, but I don't think she really understood that she had
taken--one, I think she realized she took her personal data. I
don't believe she realized she took FDIC-specific data. And in
each of these cases, these are all referred to the IG's office.
Every one of these cases we had asked the IG if they were going
to investigate the case. The response we received is that there
was no criminal activity; therefore, it did not warrant any
further action on their part.
    Mr. LaHood. Mr. Gibson, let me ask you. Do you agree with
Mr. Gross that this person was non-adversarial?
    Mr. Gibson. So I really need to take a look at this set of
facts. Offhand, I'd say that there are different
interpretations of these facts.
Non-adversarial, I mean, it
seems to me that you could interpret these facts to suggest
that she is adversarial. You could certainly interpret these
facts to suggest that she's being less than candid or truthful.
    Mr. LaHood. And so you don't necessarily agree with that
statement and they have a different opinion, is that fair to
say?
    Mr. Gibson. Sir, I don't agree with that statement, and I
may have a different opinion.
    Mr. LaHood. I see my time is expired. Let me just ask
another question here.
    I'm going to refer to Exhibit number two. Mr. Gross, this
is an email dated April 28, 2016, to you from the acting Chief
Information Security Officer at the FDIC. The message says,
``We were notified of the $10,000 record count of these
incidences on April 27, so the seven-day reporting requirement
will be on May 4, 2016.'' Mr. Gross, what incidents is the
acting Chief Information Security Officer referring to?
    Mr. Gross. I'm not really sure from just looking at this
document, but I believe what he's talking about are one of the
incidents that we retroactively went back and looked at.
    Mr. LaHood. And you understood the seven-day reporting
period, correct?
    Mr. Gross. Actually, this may have been an incident that
was reviewed by the DBMT and already deemed as closed. Without
actually looking closer at the document and getting the other
information, I'm not sure of that. But we went back
retroactively, and some of the incidents that we reported, they
had already been reviewed by the DBMT and it had been deemed a
breach but a low-risk breach.
    Mr. LaHood. Did you report the incident to Congress by May
4, as required by the law?
    Mr. Gross. I don't know if this incident was reported by
May 4. I believe it was reported in the recent report where we
provided five different incidents to the Congress.
    Mr. LaHood. Yes. I mean, in looking at what the--
information I have, it was not reported within the seven days,
and actually, it appears on May 9 it was reported, so it was
outside of that window. Do you disagree with that?
    Mr. Gross. I don't agree or disagree without looking at--
but I believe this was included in the report for all of the
incidents. My question would be is was this incident previously
closed by the DBMT and deemed as a low-risk? So therefore, the
seven-day clock would have actually started long before we
completed the record count. It would have been back when the
incident may have been initially reviewed.
    Mr. LaHood. Well, when I look at this document, it looks
like this--I mean, clearly, in that quote that I sent to you,
you're notified of the incidents on April 27 and told that it
has to be done by May 4. It appears that it's outside that
window. I guess it just as a follow-up, Mr. Gibson, should
incidents such as this that we're discussing today be reported
to Congress within a timely manner?
    Mr. Gibson. Sir, I think that when the waterfall
requirements of 16-03 are triggered, I think that there's an
obligation to report in 7 days from the time that the agency
has a reasonable basis to believe that a major incident has
occurred. That's what the law says.
    Mr. LaHood. It appears from this document in Exhibit two
that that was the case and it wasn't done within the seven-day
period.
    Mr. Gibson. So it could. I haven't--I'm not familiar with
the incidents that that's referring to and, you know, to answer
that conclusively, I want to review that. But, you know, it
certainly could indicate that, yes.
    Mr. LaHood. Thank you. I went over my time.
    Chairman Loudermilk. The Chair recognizes himself for
questions.
    Mr. Gross, the Florida incident, is that one of the
incidents that Mr. LaHood was referencing that you believed was
inadvertent?
    Mr. Gross. I believe all of the incidents that have been
reported were identified where the individual inadvertently
downloaded the material.
    Chairman Loudermilk. And how many incidents has that been?
    Mr. Gross. I believe we've reported seven.
    Chairman Loudermilk. Seven and they were all accidental?
    Mr. Gross. Out of the seven, we had--I believe it was five
individuals that were retiring, and I believe the other
individuals were term employees and they were coming to the end
of their term.
    Chairman Loudermilk. Were all seven of these those that you
described as not very computer literate or----
    Mr. Gross. Yes, sir, I would say that these individuals
downloaded the information in an attempt to take their personal
information prior to departure.
    Chairman Loudermilk. But they had access to sensitive
information even though they were not ``computer literate''?
    Mr. Gross. Well, the information they had legitimate access
to was required for them to perform their day-to-day duties.
Their duties continued up until the day they left employment
with the FDIC.
    Chairman Loudermilk. So it's common practice to allow
personnel to download information from the FDIC official
server?
    Mr. Gross. Prior to my arrival, we did utilize mobile
media, and individuals could download information to those
devices. We've since put into place capability to prevent the
downloading of information to mobile devices.
    Chairman Loudermilk. So is it accepted practice to allow
personal use of the government computers? If they were taking
personal information, then obviously they're allowed to use
them for personal----
    Mr. Gross. Policy does allow de minimis use of the personal
computer, yes, sir.
    Chairman Loudermilk. Does--do any of the employees in the
FDIC, yourself or any others, use personal email to conduct
official business?
    Mr. Gross. No, sir, not that I'm aware of.
    Chairman Loudermilk. None at all. Regarding the Florida
incident, the Data Breach Management Team, did they give you a
recommendation on whether this was a breach?
    Mr. Gross. The Data Breach Management Team is a group of
representatives across the organization. The Inspector General
sits on that group. It's not a voting body. It's a consensus
body, and they do provide a recommendation. And I believe from
the Florida incident that they did recommend that it was a
breach, but we did also indicate it was a low-level breach.
    Chairman Loudermilk. Okay. Well, let me read from you an
email which you were just provided a copy. This was from the
former CIO Christopher Farrow to you, and--regarding the
Florida incident and just item number seven, ``Only you can
declare this incident a breach. You have not done so. The DBMT
has only recommended that this is a breach. We're waiting on
you to declare this a breach.''
    I'm bringing attention to this email that was provided to
us by the IG, and it was sent to you on November 30, 2015. And
in the subject line it refers to the October 2015 Florida
incident that you informed this Committee of. And the subject
line says ``action required, Florida incident.''
    As we've discussed here, the body of the email concerns the
handling of the incident completely within the scope of the
documents requested by this Committee. The IG provided us this
document, but you did not, sir. Now, how is not including this
email with the documents you provided us being responsive to
the Committee's request?
    Mr. Gross. Sir, I believe every effort was made to be
responsive to your request. If there's need for additional
information, as I said, I stand ready to do so. I believe this
document right here is summarized in our response in the
incident management.
    Chairman Loudermilk. But, sir, did the Committee's request
ask for summaries or did it ask for the documents? I believe
our request was for all documents, not summaries of documents,
but documents.
    Mr. Gross. Sir, I believe our response to the Committee's
request was comprehensive. We made an active effort to provide
a comprehensive response to this Committee.
    Chairman Loudermilk. But evidence that you have in front of
you is that it was not comprehensive.
    Mr. Gross. I don't know for sure if this was included in
the overall submission to the Committee, sir.
    Chairman Loudermilk. It was not, but the IG did provide
this to us.
    Are you aware, sir, that actively--by not providing this,
you are actively obstructing this Committee's investigation?
    Mr. Gross. Sir, I believe our submission to you was
comprehensive. Every effort was made for it to be
comprehensive.
    Chairman Loudermilk. But, sir, it wasn't comprehensive if
we're receiving documents from the Inspector General that are
clearly relating to these incidents that we are investigating
but you did not provide them.
    Mr. Gross. Well, I didn't provide all the documents that
you received, sir. These documents came from a variety of
different offices within the Corporation.
    Chairman Loudermilk. But, sir, you are the addressee on the
email with this document, so clearly you did have this
document. And it would have been your responsibility to provide
this in response to our request for all documents.
    Mr. Gross. I believe that this would have been included in
the incident response because this document speaks to what's
summarized in the incident report.
    Chairman Loudermilk. But again, sir, the Committee did not
ask for summaries; we asked for documents. And are you aware
that obstructing Congress is a violation of federal law?
    Mr. Gross. I'm fully aware of that, sir. I'm a prior law
enforcement officer.
    Chairman Loudermilk.
Okay.
    Mr. Gross. As I said, we made every effort to be
responsive. I believe what we provided was a representation of
the production. We made every effort to be quite exhaustive in
our response to this Committee. As I said, I--we stand ready to
provide any additional information that you deem warranted.
    Chairman Loudermilk. Well, I thank you for that, but I
would prefer that we get these initially and not have to go
back and get--let me read directly from the correspondence this
Committee sent to you. It says, ``All documents and
communications referring or relating to the security
incident.'' All documents and communications. We didn't ask for
summaries; we asked for all documents and communications, which
you failed to provide.
    Let me ask you another question. We'll shift our direction
of questioning here. Sir, if a bank were to have the incidents
happen to them, an employee walks out with a USB drive
containing 10,000 pieces of PII of their customers, and they
followed the same procedure that you followed by not reporting
it to the FDIC, what would the FDIC's actions be to that bank?
    Mr. Gross. I can't speak to that, sir. That's speculative.
I----
    Chairman Loudermilk. I would like to get the answer to that
because I don't think it would be following the same procedures
that you're holding yourself accountable to.
    Maybe, Mr. Gibson, do you know what action would be taken
to a bank?
    Mr. Gibson. Sir, I think that question would need to be
answered by the supervisors.
    Chairman Loudermilk. Okay.
    Mr. Gibson. I'm afraid I can't.
    Chairman Loudermilk. I did pose that to--a question to a
banker yesterday, and I will get a formal response of what he
believes would have--the action that would have been taken.
    Mr. Gross, it appears the FDIC has a history of cyber
security breaches that goes beyond what has been made public to
date. I personally have a problem after 30 years of being in
the information systems business that seven repeated incidents
are all inadvertent.
    But let's move on to other incidents. Is it true that an
``advanced persistent threat'' was able to penetrate the FDIC
computer systems in August 2011?
    Mr. Gross. I believe that's correct, sir.
    Chairman Loudermilk. Okay. Is it true that FDIC employees'
computers were accessed by a foreign entity without their
knowledge?
    Mr. Gross. I believe you're speaking from an Inspector
General report, sir, and that, I think, would be best discussed
by the Inspector General. That document has sensitive
information in it.
    Chairman Loudermilk. Mr. Gibson, do you have any
information that you can share with us?
    Mr. Gibson. If you want to ask me a question, let's see.
    Chairman Loudermilk. Is it----
    Mr. Gibson. I don't see why not.
    Chairman Loudermilk. Is it true that FDIC employees'
computers were accessed by a foreign entity without their
knowledge----
    Mr. Gibson. Sir----
    Chairman Loudermilk. --dating back to August 2011?
    Mr. Gibson. That is my understanding, yes, sir.
    Chairman Loudermilk. Okay. Thank you. Mr. Gross, is it true
that the Chairman of the FDIC's own computer was accessed by
this foreign entity?
    Mr. Gross. Sir, I have reviewed that document. I believe
what you're stating is included in the report, but I just
became familiar with that document yesterday. I think Mr.
Gibson would be best positioned to respond.
    Chairman Loudermilk. Mr. Gibson, can you respond? Is it
true that the Chairman of the FDIC's own computer was accessed
by this foreign entity?
    Mr. Gibson. Sir, that's my understanding.
    Chairman Loudermilk. That's your understanding. And again,
this is in an IG report?
    Mr. Gibson. Sir, there are actually--well, there is--I
believe the document that you've got is an IG report.
    Chairman Loudermilk. Okay.
    Mr. Gibson. That document was produced to address the
FDIC's handling of the incident internally. It's not a
technical report.
    Chairman Loudermilk. Okay.
    Mr. Gibson. The technical reports would have been prepared
by an FDIC contractor that was brought in to study the specific
situation. The question is a technical one. Our report really
doesn't get to that. It gets more to the issue of reporting of
the incident and the FDIC's handling of the incident than it
does the technical aspects.
    Chairman Loudermilk. Okay.
    Mr. Gibson. But in so far as--you know, yes, the answer to
the questions that you're asking is yes, but I don't know the
technical details----
    Chairman Loudermilk. Okay.
    Mr. Gibson. --behind some of that.
    Chairman Loudermilk. Mr. Gross, is it true that the foreign
entity was China?
    Mr. Gross. Sir, I don't know that to be correct. I can only
tell you what I've read in the report. The details surrounding
the report, it happened prior to my arrival.
    Chairman Loudermilk. I understand.
    Mr. Gross. I can assure you that if that was to happen
today under my watch, I'm a prior military person and I believe
in the command structure, so if there's an incident that occurs
in my organization, one, it's my boat. I'm responsible for
making sure it's reported and addressed.
    Chairman Loudermilk. Well, I understand that and I
appreciate your response there. But in the report, does it
identify anywhere--Mr. Gibson, in the report does it identify
that the foreign entity was indeed China?
    Mr. Gibson. No, sir, it is not.
    Chairman Loudermilk. It does not.
    Mr. Gibson. We are not authorized to make a specific
attribution to any particular actor.
    Chairman Loudermilk. Okay. Thank you.
    Mr. Gross, regarding this particular incident where
supposedly China had access to FDIC computer systems for over a
year, which I think would be a very significant issue to maybe
have more information on than what we're sharing here today,
according to the materials provided to the Committee, the FDIC
chose to intentionally violate its own policies and procedures
and did not notify CSIRT, the central national authority
responsible for tracking, analyzing, and coordinating responses
to computer security incidents that attack U.S. Government
systems. Is this true?
    Mr. Gross. Sir, as I said, I've reviewed that report, and
it's actually great to kind of draw that to scale. When you
look at the APT that you're mentioning here versus an incident
where we have trusted employees that left the organization, you
can see why we drew the fact that the risk of harm to
individuals was low. In this instance, if there was an APT in
our environment, we would be taking active steps to address it.
    But I would have to defer to Mr. Gibson on the specifics
that might be contained in the report as to who might have been
penetrated or the extent of the penetration into the
environment.
    Chairman Loudermilk. Mr. Gibson, can you provide any more
enlightenment in whether they followed proper procedures by
notifying a foreign entity?
    Mr. Gibson. They did not.
    Chairman Loudermilk. They did not. Thank you.
    Mr. Gross, it's my understanding that one of the steps
taken by the FDIC to prevent further breaches was to shut off
the use of USB drives on the computers at the FDIC. What
percentage of the FDIC employees roughly still have access to
their USB drives?
    Mr. Gross. I believe we've reduced that number down to
probably less than 50 percent. We still have a significant
number. Our goal is zero. As I said, I've come from other
federal agencies, so my goal is to reduce that down to zero.
However, we have to work through different business processes
that still require the use of that, and what I mean by that is
our examiners have a need to exchange information with their 50
different counterparts that they work with in the field. So I
can't immediately drive down to zero, but I can assure you and
the Committee my goal is to get to zero on use of mobile media
within the organization.
    Chairman Loudermilk. So with the 50 percent that you have
disabled, were those the employees that have access to the type
of the information that was breached, or are those the 50
percent still remaining to be blocked?
    Mr. Gross. The 50 percent that we had are primarily
examiners that work out in the field and other components of
the organization that still have an express business
requirement for that. The goal, as I said, is zero. In our
examiner area, we are actually rolling out technology right now
which we call our ETS system.
    Chairman Loudermilk. Right.
    Mr. Gross. As we roll that out, we will begin to be able to
have larger numbers of those groups no longer have a need for
the use of mobile media. So we're going to do this over time in
specific business areas to be able to get to that zero
threshold.
    Chairman Loudermilk. So if you had these 50 percent--let me
ask it this way. If the 50 percent you have blocked now was
done six months ago, would it have prevented these incidents?
    Mr. Gross. I can't say that for certain, sir, because these
individuals were in various different parts of the
organization. And even, as I said, it was an inadvertent
download of the data.
    Chairman Loudermilk. What have you done to prevent it from
happening other than the USB drives?
    Mr. Gross.
Actually, what we\'ve done to prevent it is \nwe\'ve, one, eliminated the use of mobile media across the \norganization only to those individuals that require it in order \nto complete their business processes. In order for those \nindividuals to be able to use the removable media, it requires \nthe approval of their division director.\n    Chairman Loudermilk. Okay.\n    Mr. Gross. The--in addition to that, what we\'re also \nputting in place is encryption--is that any device that\'s \nplaced into the machines, once that device is placed in the \nmachine, it will automatically be encrypted. So those mobile \ndevices that we do have in the environment would in fact have \nencryption, which would enhance their--the security on those \ndevices if they\'re lost.\n    Chairman Loudermilk. But it would not have prevented these \nactions from taking place?\n    Mr. Gross. I don\'t believe it would have.\n    Chairman Loudermilk. Mr. Gross, it\'s interesting that some \nof these breaches were retroactively reported to Congress. It\'s \nclear that the OMB guidance and FISMA state anything over \n10,000 instances of PII is to be reported to Congress. We have \nsystems in place to trigger awareness at various government \nlevels. If I go to the bank and withdraw $10,000 of my own \nmoney, that is immediately going to be reported, but certain \nemployees at FDIC can download 10,000 individual PIIs and it\'s \nnot flagged. Is that a double standard?\n    Mr. Gross. Well, actually, sir, it is flagged. I think we \nhave a best practice in the fact that we\'re using DLP to \nidentify those instances. Prior to DLP, we would have been \nunaware that the employees were downloading that information.\n    Chairman Loudermilk. But there was 10,000 that were \nbreached that were disclosed or taken but you did not report \nthose within the seven-day window.\n    Mr. Gross. Sir, it\'s--we don\'t have relief in reporting. 
I \nwant to be--I want to go back to that in that it\'s not a \nquestion of whether or not if it\'s going to be reported. All \nincidents within the FDIC are reported. The question is, is it \nreported within 7 days, 30 days, or is it reported in an annual \nFISMA report.\n    So I want to make sure that it\'s understood is that there\'s \nno question about our transparency in reporting. It was in \nwhich time frame. And we wanted to draw to scale--we wanted to \nfocus on, is this major? Is this an APT? Is this someone in our \nsystem? If we report on incidents that we have deemed as non-\nmajor, then we\'re reporting on everything. And then when we \nhave an APT or a significant event, the risk you run is that \nthese incidents are then lost in the noise. And I would hate to \nclassify any incident as just noise. But we want to make sure \nthat we\'re focusing our energies and our time around those \nincidents that pose significant risk of harm to individuals or \nthe organization.\n    Chairman Loudermilk. Okay. I have been very lenient with my \ntime, and I will do the same to my good friend from Virginia, \nMr. Beyer, who is now recognized.\n    Mr. Beyer. Thank you, Mr. Chairman.\n    Mr. Gibson, in your testimony you said that the memorandum \nthat you had prepared on February 19 this year to the Chief \nInformation Officer was marked privileged and for official use \nonly, and it was later leaked, which is how come we know about \nit. Why wasn\'t it public in the first place? And what\'s the \nargument for keeping something like that from the public?\n    Mr. Gibson. Sir, it\'s not our responsibility to report; \nit\'s the FDIC\'s responsibility. We prepared that document in \nthe middle of an audit, actually planning for an audit. We had \nnot completed our work at that point in time. At the time that \nour work is completed, we would have made some public \ndisclosure of it. 
There are other points at which public \ndisclosure might have occurred, depending upon the FDIC\'s \nresponse to that memorandum. When they responded by determining \nthat they would disclose the incident, then there was no need \nfor us to make it public ourselves.\n    Mr. Beyer. In the seven incidents we\'re talking about that \nthe FDIC and the CIO have all determined were inadvertent, does \nthe decision--or the determination of inadvertency make it more \ndifficult for you to pursue criminal charges?\n    Mr. Gibson. Well, sir, it could. It\'s a fact that you\'d \nhave to consider as you evaluate the case. When we have a \nstatement from the government that says that something\'s \ninadvertent then you have to establish that there\'s specific \nintent to violate the law. Now, if I was a defense lawyer, \nthat\'s probably the first document that I would wave around. \nThat doesn\'t mean we can\'t, but it does mean that it can \nincrease the bar; it can increase the level of difficulty that \nwe have.\n    Mr. Beyer. Great. Thank you.\n    Mr. Gross, one of the things I want to be clear about, too, \nbecause you\'ve mentioned a number of times your distinguished \n39-year career in the military and the federal office, and we \nthank you for that and thank you for your service. But I just \nwant to also clarify that the hearing is not about your \nremarkable career but rather about what\'s going on with the \nFDIC right now.\n    In your attempt to remove the mobile media devices down to \n50 percent and rolling out ETS, how then will examiners share \ndata if the mobile devices are gone?\n    Mr. Gross. We\'re identifying technology solutions that will \nallow them to exchange information. As I said, since arriving, \nI\'ve been looking at the business practices that we have within \nthe organization trying to identify other solutions that will \nallow us to conduct our business without exposing the data.\n    Mr. Beyer. 
Which will include not being able to email the \ndata back and forth?\n    Mr. Gross. That\'s correct. We currently monitor email, and \nwe have the ability to manage or prevent email exchange. But in \nthe case of mobile media, it--just as it says, the ability for \na person to move it from point A to point B is quite easy.\n    Mr. Beyer. I want to clarify one thing you said earlier, \nand I\'m confused. So in the OMB guidance, on the one hand, if \nit affects more than 10,000 records, it triggers the 7-day \nresponse. You also said that it\'s your classification, major, \nminor, intermediate, that determines 7-day, 30-day, annual \ndisclosure. Are those in conflict? Do you really have the \ndiscretion as CIO to determine what\'s major and what\'s not \nmajor and therefore what--or, to be specific--because something \nreleased 11,000 records and you still determine it not major?\n    Mr. Gross. Actually, sir, in the incidents that we\'ve \nreported, we have several in there that just barely meet the \nbar. I believe there\'s a couple that are 13,000 records. The \npolicy is a--it provides some guidance to the agency to \nconsider in making a determination of, one, the significance of \nan event. So you can have an incident and it\'s not considered a \nmajor in that the surrounding issues around the incident \ndon\'t warrant the 7-day reporting.\n    Mr. Beyer. Even though it has more than 10,000 records?\n    Mr. Gross. In----\n    Mr. Beyer. Is the 10,000 records threshold not de facto \nsufficient----\n    Mr. Gross. I----\n    Mr. Beyer. --for the 7-day reporting?\n    Mr. Gross. I believe it draws a bright line, and that \nbright line is that--is what we\'re following now. But I believe \nwhat happens is it creates an environment where you\'re \nreporting everything and--as a major, and then you run the risk \nthat if you have a significant event, it would be--it may be \noverlooked. 
But the policy clearly says it leaves to the \ndiscretion of the agency if there\'s significant enough \ninformation to warrant reporting as a major.\n    Mr. Beyer. Okay.\n    Mr. Gross. But I want to be clear, there\'s not a question \nof if the incident is reported. It is reported. The question is \nin what time frame is it reported.\n    Mr. Beyer. Well, and I--I\'d ask you, please, to listen \ncarefully to this, too, because if anything over 10,000 \nconstitutes so many reports that it\'s noise, we have a much \nbigger problem. We should have very few incidents ever that \nhave more than 10,000 records.\n    Mr. Gross. I would hope, sir, that we get to zero. My goal \nby removing the mobile media where we have seen these incidents \noccur is that we have better management of control of our data. \nBut as you--if you read through the incidents, our employees \nare fully aware of their requirements of reporting, so we\'re \nfocused today on removable media.\n    But on a day-to-day basis, you may have employees that may \ninadvertently have access to information that was unintended. \nThat could be they saw--they looked at a file share that was \nonline where the permissions may not have been removed. Is that \na major? Well, there may be 10,000 records in that file share \nthat they inadvertently saw during that period of time, but was \nit during the normal course of their business so it\'s not \nreported as a major, but we still report it as an incident in \nour FISMA report.\n    Mr. Beyer. You say that in determining whether major, minor \nincident, that you used their signed statements, their \naffidavits to determine that the information has not been \ndisseminated. That seemed to put an awful lot of trust into one \nsigned statement. Are there any other steps you did, tests to \nsee whether any of these records had leaked out, had been sold, \nhad been contacted? 
For example, the FEC assaults its FEC \nreports with fake names so they can determine whether somebody \nelse has pulled it off the internet and used it \ninappropriately.\n    Mr. Gross. We do have a forensic review that we conduct on \nthe device once it\'s returned. One, we can identify if the \ndevice that was returned is in fact the device that was used to \nmake the copy. We can also examine the files that are on the \ndocument to ensure that we\'ve in fact recovered all of the \ninformation that was exfiltrated onto the device originally. \nBut in addition to that, we can determine the last time the \nfiles were opened or accessed.\n    There are limitations to what we can do with the forensics, \nbut it gives us a better perspective as to what happened to the \ndata from the time it was downloaded to the device to the time \nthe device was returned to the organization.\n    Mr. Beyer. Is there any way to determine whether that data \nwas downloaded into another computer or sent to someone else?\n    Mr. Gross. We have limited capabilities in our forensic \nthat we can determine some things but we have to rely on the \nfact that the employee\'s assertion that it has not been \ndisseminated beyond themselves is important.\n    Mr. Beyer. Yes. Once again, I fear that that\'s going to be \ntoo low a bar. But let me move on.\n    Is the--on the personal information, Ms. Lofgren from \nCalifornia pointed out how probably important it is that the \npersonal information be in fact de minimis, and if it\'s de \nminimis, there should be very little that needs to be taken \noff.\n    I served four years in State Department, and at the end \ndidn\'t need to download a single thing. I did have to go delete \nemails to my wife as to what time I was coming home for dinner \nbut nothing else beyond that. 
And it\'s sort of hard to imagine \nthat I would need it--after serving four years that there--or \neven 30 years that there\'s much that you\'d need to take off the \ncomputer.\n    Mr. Gross. By implementing the procedures that we have in \nplace for preventing the downloading of the material to mobile \nmedia, what that does is put us in a position that if an \nemployee in fact does want to download information, we in fact \nhave to intervene and do that with them on their behalf. So I \nbelieve we\'ll be able to meet that bar that she\'s indicated \nwhere we should be.\n    We want to make sure that if the employee does have \ninformation that they may have created through de minimis use \nof the device, creating of a resume or other material, that in \nfact they can take that. But by eliminating their ability to \ndownload it, I believe we\'re in a better position to manage \nthat.\n    Mr. Beyer. Okay. One last question. On the October breach \nyou made the determination that it couldn\'t be classified as a \nmajor incident, but you have the DBMT, the Data Breach \nManagement Team. And they all have a--are they simply advisory \nor do they have a vote in determining what\'s a major and what\'s \na minor event?\n    Mr. Gross. It\'s not a voting body. All of the \nrepresentatives on the group--as I said, the Inspector General \nsits on the group. We have a representative from each of the \nprogram areas where the incident may have occurred. They \nprovide a recommendation based on the information to the CIO of \nwhether or not it\'s a breach, but they also make other \nrecommendations of things that should be considered as part of \nthe review process.\n    Mr. Beyer. Do you remember whether the--what recommendation \nthe DBMT made in response to the October incident?\n    Mr. Gross. I\'m not sure the--when you say October incident, \nis that the Florida incident? That\'s the one we refer to as----\n    Mr. Beyer. The original one, yes.\n    Mr. Gross. 
--the Florida incident. I believe it was \nrecommended that it was a breach but it was low risk.\n    Mr. Beyer. Okay. Have you been in the position yet of \nhaving to make a determination that differed from what the DBMT \nrecommended?\n    Mr. Gross. No, I don\'t believe so. And I want to be clear \nis that the DBMT doesn\'t meet once. So on the surface it may \nappear that these incidents may have lingered on or we were \nnonresponsive. In fact, the DBMT meets on a number of different \ntimes during an incident as additional information becomes \navailable, but I don\'t know of any incidents where I have been \nin--I\'ve had a difference of opinion of what came out of the \nDBMT.\n    Mr. Beyer. All right. Thank you, Mr. Gross. Thank you, Mr. \nGibson.\n    Mr. Chairman, I yield back.\n    Chairman Loudermilk. I thank the Ranking Member for the \nline of questioning, and I thank the witnesses for their \ntestimony and the other Members who were here with questions.\n    We\'ve identified several inconsistencies here today by the \nFDIC, and the Committee will continue its oversight and looking \nforward to having the FDIC Chairman here once the Inspector \nGeneral completes its audits. We will continue looking into \nthis. This is a very critical issue.\n    And the record will remain open for two weeks for \nadditional comment and written questions from the members.\n    The hearing is adjourned.\n    [Whereupon, at 11:40 a.m., the Subcommittee was adjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n\n                              Appendix II\n\n                              ----------                              \n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n'